Sovereign French NTP: Why It Matters

By Richard DEMONGEOT | May 5, 2026 | Reading time: 11 min

Time synchronization has become an invisible critical dependency: DNSSEC, TLS certificates, 2FA, legal traceability of logs, MiFID II and NIS2 compliance all rely on a trustworthy clock. When that time source is operated outside Europe, or outside any controlled contractual framework, the entire chain of trust silently inherits an extra-territorial dependency.

This page describes the sovereign time infrastructure operated by RDEM Systems — servers hosted in Paris-Equinix datacenters, announced on our own BGP AS, reachable over authenticated NTS and native dual-stack IPv4/IPv6 — and its concrete relevance for administrations, OIV/OES operators, and fintechs subject to demanding regulatory frameworks.

RDEM Systems infrastructure at a glance

  • 1 French BGP AS, operated in-house — AS206014, run by RDEM Systems SAS (Pontoise, France)
  • 10 servers in France — Equinix Paris datacenters (PA3, PA4, PA5) and TH2
  • 1 secondary server in Frankfurt — for geographic resilience
  • NTS (RFC 8915) enabled across the entire pool, native dual-stack IPv4/IPv6

Why Time Sovereignty Is a State-Level Matter

Network time is one of the deepest and least-discussed dependencies in any IT system. A drifting clock does not stop a service: it silently invalidates the security guarantees you assumed were intact.

  • DNSSEC — zone signatures and RRSIG records carry validity windows (inception, expiration). A client whose clock is manipulated may accept replayed signatures or reject valid ones.
  • TLS certificates — sufficient time skew makes expired or not-yet-valid certificates pass validation, opening the door to MITM attacks on encrypted sessions.
  • Legal traceability of logs — retention obligations and the evidentiary value of logs (GDPR, NIS2, criminal procedure code) require reliable, tamper-resistant timestamps. Without that, the chain of evidence collapses.
  • MiFID II / RTS 25 — market operators must demonstrate UTC synchronization within 100 µs, with documented traceability. This is a recurring subject of AMF / ESMA audits.
  • TOTP authentication (2FA) — one-time codes depend on synchronized clocks on both sides. Drift — accidental or induced — can lock users out of critical systems.
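
The TOTP and validity-window effects listed above can be reproduced offline. This added example (not RDEM Systems code) implements RFC 6238 TOTP with the standard library and evaluates a host whose clock is off by a given skew; the secret, timestamps and certificate dates are constructed, and the verifier's tolerance of one 30-second step either side is an assumption.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

STEP = 30  # RFC 6238 default time step in seconds

def totp(secret: bytes, unix_time: float, digits: int = 8) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts(secret: bytes, code: str, server_time: float, window: int = 1) -> bool:
    """Verifier tolerating +/- `window` time steps around its own clock (assumed policy)."""
    return any(
        hmac.compare_digest(code, totp(secret, server_time + i * STEP))
        for i in range(-window, window + 1)
    )

def in_validity_window(start: datetime, end: datetime, local_now: datetime) -> bool:
    """Same comparison as certificate notBefore/notAfter and RRSIG inception/expiration."""
    return start <= local_now <= end

def effect_of_skew(skew_seconds: int) -> dict:
    """What a host whose clock is off by skew_seconds experiences (constructed values)."""
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    true_unix = 1_700_000_000         # constructed "true" UTC instant
    true_now = datetime.fromtimestamp(true_unix, tz=timezone.utc)
    local_now = true_now + timedelta(seconds=skew_seconds)
    # Constructed certificate that expired one day before the true time.
    not_before = true_now - timedelta(days=91)
    not_after = true_now - timedelta(days=1)
    client_code = totp(secret, true_unix + skew_seconds)  # code from the skewed host
    return {
        "totp_login_ok": server_accepts(secret, client_code, true_unix),
        "expired_cert_accepted": in_validity_window(not_before, not_after, local_now),
    }

if __name__ == "__main__":
    for skew in (0, 20, 120, -2 * 86400):
        print(f"skew {skew:>8} s -> {effect_of_skew(skew)}")
```

A 20-second skew is absorbed by the verifier's window, 120 seconds locks the user out, and a clock set two days back treats the already expired certificate as valid.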

The question of where the time source lives, and under whose jurisdiction, follows directly. When the rest of the stack is hardened against a network attacker, it is consistent for the time source to meet the same bar: operated by a known entity, bound by the law applicable to the customer, and technically verifiable by third parties.

RDEM Architecture — AS206014, French ASN in-house

The RDEM Systems NTP/NTS infrastructure is built on an end-to-end controlled architecture: a French BGP autonomous system operated directly, Stratum 2 servers spread across several Equinix Paris sites, and a resilience site in Frankfurt. All of this is publicly verifiable.

AS206014

BGP autonomous system run by RDEM Systems SAS. Our French ASN, with public records on PeeringDB and bgp.tools.

Public looking-glass

Routers reachable through the public BGP looking-glass — verify RDEM peering live.

Paris datacenters

Servers deployed at Equinix PA3, PA4, PA5 and TH2 — four distinct Paris sites for regional resilience.

Frankfurt secondary site

One server in Germany for geographic resilience outside the Paris zone, on the same AS.

Physical server presence

  • Equinix PA3: Paris — Saint-Denis
  • Equinix PA4: Paris — Pantin
  • Equinix PA5: Paris — Saint-Denis
  • TH2: Paris — Telehouse 2
  • Frankfurt: Germany — resilience

Native dual-stack IPv4 / IPv6

The entire pool is reachable natively over IPv4 and IPv6. The IPv6 stack is not a tunnel or a gateway: IPv6 prefixes are announced over BGP by AS206014 in the same way as IPv4 prefixes. French administrations subject to the IPv6 directive (DINUM/ARCEP) and operators meeting the general interoperability framework can reference this source without any technical workaround.

NTS: Cryptographic Security Across the Stratum Chain

Plain NTP is sent in the clear over UDP, with no authentication. A MITM attacker can impersonate a server or modify responses, which is not acceptable for the use cases above. NTS (Network Time Security, RFC 8915) adds the missing layer: a TLS 1.3 key exchange establishes the keys that cryptographically authenticate each NTP packet, while the time payload itself is not encrypted, which preserves accuracy.

The entire RDEM pool is NTS-enabled. This is still rare: fewer than a hundred public NTS servers exist worldwide, only a fraction of which are in France. The dedicated page covers Chrony configuration and verification: Enable NTS on Chrony in 5 minutes.
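
One way to check that every configured source is actually NTS-authenticated, as an added example that is not from the original page: it parses the table printed by `chronyc -N authdata`. The sample output and hostnames are constructed, and the column layout is assumed to match the chrony 4.x format.

```python
# Constructed sample of `chronyc -N authdata` output (hostnames are placeholders).
SAMPLE_AUTHDATA = """\
Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
nts1.example.net             NTS     1   15  256  33m    0    0    8  100
nts2.example.net             NTS     1   15  256    -    3    1    0    0
legacy.example.net             -     0    0    0    -    0    0    0    0
"""

def audit_authdata(text: str) -> dict:
    """Return {source: [problems]} for sources that are not usably NTS-authenticated."""
    findings = {}
    in_body = False
    for line in text.splitlines():
        if line.startswith("==="):       # separator between header and rows
            in_body = True
            continue
        if not in_body or not line.strip():
            continue
        fields = line.split()
        if len(fields) != 10:            # layout changed: report it, do not guess
            findings[fields[0]] = ["unparseable row"]
            continue
        name, mode = fields[0], fields[1]
        nak, cookies = int(fields[7]), int(fields[8])
        problems = []
        if mode != "NTS":
            # "-" means plain, unauthenticated NTP; "SK" means a symmetric key.
            problems.append(f"not NTS-authenticated (mode {mode})")
        else:
            if cookies == 0:
                problems.append("no NTS cookies held: key establishment has not succeeded")
            if nak > 0:
                problems.append(f"{nak} NTS NAK response(s) received")
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    for source, problems in audit_authdata(SAMPLE_AUTHDATA).items():
        print(f"{source}: {'; '.join(problems)}")
```

On a live host, pass the text captured from `chronyc -N authdata` to `audit_authdata` and alert on any non-empty result.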

Public-Sector and Regulated Use Cases

The set of organizations that have a direct interest in a sovereign time source extends well beyond central administrations alone.

Entity type | Time-related stake
Central and decentralized administration | Public e-service timestamping, PSSI-E traceability, RGS alignment
Local authorities | Audit logs, TLS certificates on citizen portals, electronic signature
OIV (operators of vital importance) | French Military Programming Law (LPM) — supervision and event correlation
OES (operators of essential services) / NIS2 | Incident notification, timestamped journaling, supply-chain control
Fintechs and market operators | MiFID II / RTS 25 — UTC within 100 µs for trading, AMF/ESMA audit
Hosters and network operators | Contractual compliance, time SLAs, signed RBAC logs

Compliance — RGS, ANSSI, NIS2, GDPR Logs

The table below summarizes the main frameworks that, directly or indirectly, demand a controlled time source. None of them names a specific provider; all of them put the burden on the data controller to demonstrate the reliability and traceability of timestamping.

Framework | Time-related requirement
RGS (Référentiel Général de Sécurité, France) | RGS B.2 — reliable log timestamping. RGS A.5 — signature and proof.
ANSSI recommendations | Logging technical note: redundant synchronized time sources, isolation, drift supervision.
NIS2 (directive transposed 2024-2025) | Article 21 — cyber risk management measures, including traceability, timestamping and supply-chain control.
GDPR — logs | Article 32 — integrity and traceability of processing. Incorrect timestamps undermine evidentiary value.
MiFID II / RTS 25 | UTC ≤ 100 µs for high-frequency trading, documented traceability of NTP/PTP sources.
PCI-DSS v4 | Requirement 10.4 — clock synchronization across the cardholder-data perimeter.

Third-party verifiability

A sovereign infrastructure is measured by what a third party can verify without the operator's cooperation. For AS206014, every element is public:

  • BGP announcement visible on every public looking-glass (RIPE, Hurricane Electric)
  • PeeringDB record — peering policy, datacenter presence
  • Public BGP looking-glass operated by RDEM — direct routing-table lookup
  • NTP Pool score on ntppool.org/a/rdem-systems — independent accuracy measurement
  • Listed in the NTS community repository jauderho/nts-servers

Public-Sector FAQ

What is a sovereign NTP server?

An NTP server is considered sovereign when the entire chain — operator, BGP autonomous system, datacenter, contractual jurisdiction — falls under a European entity bound by national law, with no dependency on a non-European operator for routing or hosting. RDEM Systems operates NTP and NTS on its own AS206014 (a French entity) from Paris-Equinix datacenters and a secondary site in Frankfurt.

Does France's RGS framework require a sovereign NTP server?

The Référentiel Général de Sécurité does not name a specific NTP service, but it requires reliable timestamping and traceability of audit logs (RGS B.2 and A.5). In practice, a controlled time source legally located in France makes it easier to demonstrate compliance, especially for public e-services and administrations subject to PSSI-E.

Why does NIS2 make NTP sovereignty more important?

NIS2 (transposed in France from 2024-2025) extends cybersecurity obligations to thousands of essential and important entities. Requirements include incident traceability, reliable log timestamping and supply-chain control. A time infrastructure operated by an EU-law entity, on a clearly identified AS and datacenters, simplifies demonstrating that control.

Does MiFID II impose specific NTP synchronization requirements?

Yes. MiFID II / RTS 25 requires trading-system clocks to be synchronized to UTC within 100 µs for high-frequency operators, with documented traceability. NTS (RFC 8915) provides cryptographic proof that the source used is authentic, which limits impersonation risk and simplifies the audit.

What is AS206014 and why does it matter?

AS206014 is the BGP autonomous system run directly by RDEM Systems. It is referenced on PeeringDB, bgp.tools and bgp.he.net. Operating one's own AS means not depending on a third party for routing: the IP prefix is announced directly by RDEM, providing full network traceability and resilience against transit-operator decisions.

Are RDEM servers reachable over IPv6?

Yes. The entire NTP/NTS pool is native dual-stack IPv4 + IPv6. This is a prerequisite for French administrations subject to the IPv6 directive (ARCEP/DINUM reference) and for operators meeting the general interoperability framework requirements.

Can a sovereign NTP/NTS infrastructure be outsourced?

Yes. RDEM Systems offers Essential / Pro / Critical managed-server plans with 24/7 on-call coverage — including time-drift monitoring, security maintenance, TLS/NTS certificate management and compliance reporting. Useful for public-sector IT teams or MiFID II fintechs that want to industrialize time reliability without staffing a dedicated team.
