Atos Group: a strategic transformation in the cybersecurity market (part 1)

Product & services review

A dual pillar + umbrella architecture, rare in the industry

The cybersecurity market has been undergoing creeping consolidation for a decade, particularly by US giants, but few players can claim the unique combination offered by the Atos Group. This structural duality is based on two complementary pillars that form an organized ecosystem that is rare in the industry. On top of this, an umbrella of sovereignty provides the whole with unprecedented coherence.

First pillar: Eviden Technologies, the hardware and cryptographic heritage

The Eviden brand, formally launched in 2022, embodies a credible European alternative to the American and Asian cybersecurity giants. This historical dimension confers institutional legitimacy on governments and sovereign organizations, which increasingly favor solutions whose chain of control remains European. Total local control of the IP (intellectual property) of hardware solutions reinforces the position of global sovereignty.

Eviden Technologies draws on its long-standing expertise in hardware security technologies, inherited from state and strategic markets. This division capitalizes on two fundamental areas:

Data Protect Eviden has developed recognized expertise in securing mobile devices, a market where reliability and certification are paramount. This technological foundation gives it deep industrial legitimacy in digital identity management and access protection.

HSMs (Hardware Security Modules): Eviden offers a range of hardware security modules, including the Trustway Proteccio™ solution, which is at the heart of its cryptographic key management and sensitive data protection offerings. These devices, certified to the most stringent standards, provide a trusted infrastructure for critical business and government operations. Moreover, with the recent integration of Cosmian technologies, Eviden now has a comprehensive and sovereign cryptographic stack which includes HSM, KMS and Confidential Computing

More informations on “Identity security solutions and services”

Second pillar: Atos CyberSecurity Services, the advanced AI-augmented MSSP

Atos’ managed services division is a major player in the European MSSP (Managed Security Service Provider) market. With more than 6,500 dedicated experts and a global network of 17 security operations centres (SOCs), Atos Cybersecurity Services offers comprehensive coverage of incident detection, prevention and response needs. Systematic but controlled use of AI, from the processing of routine alert signals to analysis, improves response times during incidents. A partnership with Qevlar AI, a start-up in the SOC world, has been announced to further reduce investigation time and increase the time spent on detection engineering, threat hunting and remediation.

This operational dimension is distinguished by:

24/7 monitoring capability on a European and global scale (ISAE3402 and ISO 27001 level)
Expertise (FIRST, Crest, TF-CSIRT) in advanced threat detection and incident response
A recognized position in major events, such as the Paris 2024 Olympic and Paralympic Games

All managed cybersecurity services, from risk audits to compliance projects, are accompanied by significant consulting expertise.

The uniqueness of product-service convergence

The rarity of this architecture lies in the synergy between in-depth technological expertise (HSM, cryptography, secure components) and the operational excellence of managed services. Although Atos/EVIDEN does not appear to strongly link its products and services in a mandatory bundle, the proximity of its long-standing technological solutions undeniably shines through in its service offerings, and the teams work very closely together.

Where most players specialize in either product supply or services, Atos/Eviden has a unique profile based on its history and service capabilities.

Post-quantum cryptography: a challenge in terms of regulatory anticipation but also technology

European regulatory authorities have taken a stand. The ANSSI (Agence nationale de la sécurité des systèmes d’information) in France and the BSI (Bundesamt für Sicherheit in der Informationstechnik) in Germany have set a clear path: post-quantum cryptography (PQC) will become mandatory from 2030 for critical and sensitive systems.

Eviden anticipated this transition as early as 2023 by integrating post-quantum algorithms into its Trustway Proteccio™ HSM, in partnership with CryptoNext Security, a French pioneer in next-generation cryptography. This collaboration illustrates a proactive rather than reactive approach.

In October 2024, Eviden took a further step forward by launching its PQC HSMaaS (Post-Quantum Cryptography Hardware Security Module as a Service) offering, a sovereign solution enabling organizations to test and gradually deploy quantum-resistant algorithms without disrupting their existing infrastructures.

Anti-platform means “Best of Suite”: a differentiating strategy

In a market dominated by platformisation, where major software vendors attempt to lock their customers into proprietary ecosystems, Atos Group has deliberately chosen a radically different approach: “Atos/Eviden will not take a platform approach,” explains Pierre-Yves Jolivet, CEO of Eviden and Head of Cybersecurity.

A philosophy of openness and integration

“Our customers have implemented a number of solutions that work rather well. With a platform agnostic and open approach we help them to optimize their cybersecurity costs, which is at their focus.” explains Guenter Koinegg, VP Cybersecurity.

Atos Group and its two pillars (Technology/Services) will be more agile in integrating with existing large accounts and will be able to better integrate with existing large accounts and better leverage completely heterogeneous architectures.

The umbrella of sovereignty: better understanding needs and their technical implications

“Geopolitical instability is here to stay.” explains Pierre-Yves Jolivet.

Digital sovereignty has become a political and strategic imperative in Europe, but its operational translation often remains unclear. Atos Group has developed a pragmatic approach, structured around a “sovereignty umbrella”.

The first part of this umbrella is based on tangible commitments. Atos Group emphasises compliance with the qualification requirements imposed by national authorities (ANSSI in France, BSI in Germany, etc.).

This approach involves:

Certification of its products according to national standards (CSPN, CC EAL, etc.)
Total and local control of the intellectual property of solutions
A consulting and architecture approach for sovereign AI

These commitments determine access to public procurement and critical organizations, which require formal guarantees rather than declarations of intent.

Realistic segmentation of needs: Controlled and Disconnected

“We believe that the majority of sovereign cloud consumption will be based on simpler and less expensive models than the Full Qualified Trusted Cloud.” explains Pierre Brun-Murol, Global CTO

Atos Group has observed a significant trend: contrary to the discourse that presents the “Trusted Cloud” (SecNumCloud 3.2 qualified in France and C5 in Germany) as the only solution, the real needs of businesses are mainly focused on two other categories:

Controlled Cloud: The majority of enterprise workloads do not require the highest level of sovereignty, but nevertheless require increased control over data location, administrative access, and regulatory compliance. The Controlled Cloud offers a balance between flexibility, cost, and partial sovereignty.
Disconnected Cloud: Complete isolation remains the only acceptable guarantee for the most sensitive environments (strategic research, medical data, critical industrial systems). These infrastructures are not connected to any public cloud and benefit from maximum physical and logical protection.

A graduated rather than binary approach

Atos Group therefore offers a control matrix called the “Atos Sovereign Control Toolbox” with four levels of sovereignty for cloud projects. This gradation allows organizations to precisely scale their investments according to the actual criticality of each system, rather than applying a single, potentially inappropriate policy.

The topic of sovereignty, discussed in the infrastructure section, also requires Atos Group to define their stance on how to control data in circulation or storage; the combination of Eviden’s authentication (Evidian), encryption (KMS, HSM), and PKI solutions offers a comprehensive technological approach. It is particularly here that the convergence of technical solutions for data security (encryption), access (IAM), tools (cards), and infrastructure-agnostic managed services makes perfect sense.