arckit-fr-marche-public
$ npx mdskill add tractorjuice/arc-kit/arckit-fr-marche-public
Generate compliant French public procurement documents from project context.
- Creates Dossier de Consultation des Entreprises using Code de la Commande Publique standards.
- Scans projects for ARC artifacts and external reference documents before drafting.
- Extracts functional, non-functional, and security requirements to ensure validity.
- Outputs structured documentation ready for legal review and regulatory alignment.
SKILL.md
.github/skills/arckit-fr-marche-public
---
name: arckit-fr-marche-public
description: "[COMMUNITY] Generate French public procurement documentation aligned with code de la commande publique, UGAP catalogue, and DINUM digital standards"
---
> ⚠️ **Community-contributed command** — not part of the officially-maintained ArcKit baseline. Output should be reviewed by qualified DPO / RSSI / legal counsel before reliance. Citations to ANSSI / CNIL / EU regulations may lag the current text — verify against the source.
You are helping an enterprise architect generate **French public procurement documentation** (Dossier de Consultation des Entreprises) aligned with the Code de la Commande Publique, UGAP, and DINUM digital doctrine requirements.
## User Input
```text
$ARGUMENTS
```
## Instructions
> **Note**: Before generating, scan `projects/` for existing project directories. For each project, list all `ARC-*.md` artifacts, check `external/` for reference documents, and check `000-global/` for cross-project policies. If no external docs exist but they would improve output, ask the user.
### Step 0: Read existing artifacts from the project context
**MANDATORY** (warn if missing):
- **REQ** (Requirements) — Extract: functional requirements (FR-xxx) for procurement scope, non-functional requirements (NFR-xxx), integration requirements (INT-xxx), data sovereignty and security requirements
- If missing: warn that procurement documentation requires defined requirements to produce a valid requirements statement
**RECOMMENDED** (read if available, note if missing):
- **RISK** (Risk Register) — Extract: vendor risks, technology risks, lock-in risks, sovereignty risks
- **SECNUM** (SecNumCloud Assessment) — Extract: cloud qualification requirements, recommended providers, data classification that drives sovereignty clauses
- **DINUM** (DINUM Standards Assessment) — Extract: mandatory DINUM standards (RGAA, RGS, RGI) to include as contract requirements
**OPTIONAL** (read if available, skip silently):
- **PRIN** (Architecture Principles, 000-global) — Extract: open source policy, cloud strategy, technology standards
- **DATA** (Data Model) — Extract: data categories (health data → HDS clause, personal data → GDPR/DPA clause)
### Step 0b: Read external documents and policies
- Read any **external documents** in `external/` — extract previous procurement files, UGAP framework references, legal notices, budget documents
- Read any **global policies** in `000-global/policies/` — extract procurement policy, open source policy, data classification policy
- If procurement-related external documents found, use them to pre-populate threshold analysis and budget constraints.
### Step 1: Identify or Create Project
Identify the target project from the hook context. If the project doesn't exist:
1. Use Glob to list `projects/*/` directories and find the highest `NNN-*` number
2. Calculate the next number (zero-padded to 3 digits)
3. Slugify the project name
4. Use the Write tool to create `projects/{NNN}-{slug}/README.md` and `projects/{NNN}-{slug}/vendors/README.md`
5. Set `PROJECT_ID` and `PROJECT_PATH`
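Step 1 as an added example (not ArcKit's own code): the slug is built from an allow-list of characters, so a project name taken from user input cannot move the write outside `projects/`. The function names, the 60-character slug cap and the constructed sample tree are assumptions.

```python
import re
import tempfile
import unicodedata
from pathlib import Path

# Assumed directory naming: three digits, a dash, then a lowercase slug.
PROJECT_DIR = re.compile(r"^(\d{3})-[a-z0-9]+(?:-[a-z0-9]+)*$")


def slugify(name: str) -> str:
    """Reduce free text to [a-z0-9-]; separators, dots and accents cannot survive."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    slug = re.sub(r"[^a-z0-9]+", "-", folded.lower()).strip("-")[:60].rstrip("-")
    if not slug:
        raise ValueError("project name contains no usable characters")
    return slug


def next_project_number(projects_root: Path) -> str:
    """Highest NNN among existing project directories, plus one, zero-padded."""
    numbers = [0]
    for entry in projects_root.iterdir():
        match = PROJECT_DIR.match(entry.name)
        if entry.is_dir() and match:
            numbers.append(int(match.group(1)))
    return f"{max(numbers) + 1:03d}"


def create_project(projects_root: Path, name: str) -> Path:
    """Create projects/{NNN}-{slug}/ with README.md and vendors/README.md."""
    root = projects_root.resolve()
    project_path = (root / f"{next_project_number(root)}-{slugify(name)}").resolve()
    if project_path.parent != root:  # defence in depth on top of slugify()
        raise ValueError("refusing to create a project outside projects/")
    (project_path / "vendors").mkdir(parents=True)
    (project_path / "README.md").write_text(f"# {project_path.name}\n", encoding="utf-8")
    (project_path / "vendors" / "README.md").write_text("# Vendors\n", encoding="utf-8")
    return project_path


def demo() -> str:
    """Run against a constructed projects/ tree; returns the new directory name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "projects"
        for existing in ("000-global", "001-payments", "007-identite", "notes"):
            (root / existing).mkdir(parents=True)
        (root / "010-stray-file").write_text("", encoding="utf-8")  # a file, not a project
        return create_project(root, "Plateforme d'Identité / ../../etc").name
```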
### Step 2: Read Source Artifacts
Read all documents from Step 0. Extract key information for the procurement file:
- Total estimated value (from requirements or user input)
- Data categories (drives sovereignty and certification clauses)
- Security classification level (drives RGS requirements)
- Cloud involvement (drives cloud doctrine assessment)
### Step 3: Procurement Template Reading
**Read the template** (with user override support):
- **First**, check if `.arckit/templates/fr-marche-public-template.md` exists in the project root
- **If found**: Read the user's customized template
- **If not found**: Read `.arckit/templates/fr-marche-public-template.md`
### Step 4: Threshold Analysis
Before generating the document, determine the applicable procedure:
| Threshold | Procedure | BOAMP | JOUE | Min. Period |
|-----------|-----------|-------|------|-------------|
| < €40,000 | Below-threshold (no formal procedure required) | No | No | Informal |
| €40,000 – €215,000 (supplies/services) | MAPA (Marché à Procédure Adaptée) | Yes | No | 15 days |
| > €215,000 (supplies/services) | Open call for tenders (Appel d'Offres Ouvert) | Yes | Yes | 35 days |
| > €5.38M (works) | Open call for tenders | Yes | Yes | 35 days |
Show threshold determination to the user before generating the full document.
### Step 5: Generate Procurement Documentation
**CRITICAL**: Use the **Write tool** to create the procurement document.
1. **Detect version**: Check for existing `ARC-{PROJECT_ID}-MARPUB-v*.md` files:
    - No existing file → VERSION="1.0"
    - Existing file → minor increment for updates, major for procedure change
2. **Auto-populate Document Control**:
    - Document ID: `ARC-{PROJECT_ID}-MARPUB-v{VERSION}`
    - Status: DRAFT
    - Created Date: {current_date}
    - Review Cycle: On-Demand
    - Classification: OFFICIAL as default
3. **Section 1: Threshold Analysis and Recommended Procedure**
    - Estimated value (extract from user input or requirements)
    - Applicable threshold and recommended procedure from Step 4
    - BOAMP/JOUE publication requirement
    - Minimum consultation period
    - Cloud doctrine compliance (if cloud services involved — circular 6264/SG)
4. **Section 2: Requirements Statement**
    - Subject of the contract: concise description from user input
    - Functional requirements: extract relevant FR-xxx from REQ artifact
    - Technical requirements: extract relevant NFR-xxx (security, accessibility, interoperability)
    - Sovereignty and security requirements table:
        - Data hosting in France/EU (State Cloud Doctrine)
        - SecNumCloud qualification (if sensitive data — from SECNUM artifact)
        - HDS certification (if health data detected in DATA or REQ)
        - RGS v2.0 compliance
        - RGI v2.0 interoperability
        - RGAA 4.1 accessibility (for public digital services)
        - RGESN ecodesign (recommended)
5. **Section 3: Award Criteria**
    - Suggested weighting: Technical value (60%), Price (30%), Execution conditions (10%)
    - Sub-criteria breakdown with sovereignty/security sub-criterion (15% of technical value)
    - Technical scoring grid (0–3 scoring with descriptions)
    - Note: total must equal 100% — flag if user specifies different weights
6. **Section 4: Security and Sovereignty Clauses**
    - Security annex (mandatory): RGS v2.0, PSSIE, ANSSI IT hygiene guide (42 measures)
    - If OIV/OSE: LPM/NIS sector-specific orders
    - Data localisation clause: EU territory, no extraterritorial law access
    - Reversibility clause: DINUM reversibility requirements (plan, open formats, migration period, exit costs)
    - Open source clause: if applicable per State Cloud Doctrine Point 3
    - GDPR/DPA clause: mandatory if personal data processed — Article 28 requirements
7. **Section 5: UGAP Catalogue**
    - Guide user to check ugap.fr for current framework agreements
    - Provide category table with typical UGAP-accessible provider types:
        - Sovereign cloud IaaS (Outscale, OVHcloud, NumSpot)
        - Application development (major IT service firms)
        - Cybersecurity (PRIS-qualified providers)
        - Managed services
8. **Section 6: Indicative Timeline**
    - Mermaid Gantt chart from today's date:
        - Preparation phase: file drafting + legal validation (3-4 weeks)
        - Publication: BOAMP/JOUE (1 day)
        - Consultation period: per procedure type
        - Evaluation: 2-3 weeks
        - Award and contracting: 3-4 weeks
9. **Section 7: ANSSI-Qualified Security Provider Selection**

    If the procurement includes cybersecurity services (audit, incident response, SOC/detection), include selection criteria requiring ANSSI qualification:

    | ANSSI Qualification | Scope | When to Require |
    |--------------------|--------------------|----------------|
    | PASSI (Prestataires d'Audit de Sécurité des SI) | Penetration testing, technical audits | Any IS security audit or pentest |
    | PRIS (Prestataires de Réponse aux Incidents de Sécurité) | Incident response, forensics | IR retainer or OIV/OSE obligation |
    | PDIS (Prestataires de Détection des Incidents de Sécurité) | SOC, threat detection, SIEM management | Managed detection services |
    | PDCS (Prestataires de Cybersécurité pour les Collectivités) | Local authority-specific cybersecurity | Collectivités territoriales only |

    - For OIV/OSE systems: require PASSI qualification for any IS audit; PRIS for incident response services — both are mandatory under the sectoral arrêté or NIS2 obligations
    - Include qualification requirement in the technical specifications (CCTP), not just as selection criterion
    - Qualification lists are published on ssi.gouv.fr — advise buyers to verify currency at contract signature
    - ANSSI qualifications are not certifications: they require reassessment — confirm current validity in tender evaluation
10. **Section 8: Digital State Doctrine Compliance**
    - DINUM checklist: cloud-first, RGI, RGAA, RGESN, open source, GDPR/DPA
    - PSSIE and RGS target level
    - Cross-reference DINUM artifact conclusions if available
Before writing the file, read `.arckit/references/quality-checklist.md` and verify all **Common Checks** pass.
Write the document to:
```text
projects/{project_id}/ARC-{PROJECT_ID}-MARPUB-v{VERSION}.md
```
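The "Detect version" rule from Step 5, as an added example that is not ArcKit's own code: versions are compared as integers, so `v1.10` ranks above `v1.9`, and the project ID is matched exactly so a longer ID sharing the same prefix is ignored. The function names, the `major.minor` file name format and the constructed file names in the usage are assumptions.

```python
import re
from typing import Iterable, Optional, Tuple


def latest_version(filenames: Iterable[str], project_id: str) -> Optional[Tuple[int, int]]:
    """Highest (major, minor) among ARC-{PROJECT_ID}-MARPUB-v*.md names, or None."""
    pattern = re.compile(rf"^ARC-{re.escape(project_id)}-MARPUB-v(\d+)\.(\d+)\.md$")
    found = []
    for name in filenames:
        match = pattern.match(name)
        if match:
            found.append((int(match.group(1)), int(match.group(2))))
    # Tuples of ints compare numerically; a string sort would rank v1.9 above v1.10.
    return max(found) if found else None


def next_version(filenames: Iterable[str], project_id: str,
                 procedure_changed: bool = False) -> str:
    """No existing file -> 1.0; update -> minor bump; procedure change -> major bump."""
    current = latest_version(filenames, project_id)
    if current is None:
        return "1.0"
    major, minor = current
    return f"{major + 1}.0" if procedure_changed else f"{major}.{minor + 1}"


# Constructed directory listing for a project with ID 001.
SAMPLE_FILES = [
    "ARC-001-MARPUB-v1.0.md",
    "ARC-001-MARPUB-v1.9.md",
    "ARC-001-MARPUB-v1.10.md",
    "ARC-001-REQ-v3.0.md",        # different artifact type, ignored
    "ARC-0010-MARPUB-v4.2.md",    # different project ID, ignored
    "ARC-001-MARPUB-v2.0.md.bak", # not a .md document, ignored
]

if __name__ == "__main__":
    print(next_version(SAMPLE_FILES, "001"))                          # update
    print(next_version(SAMPLE_FILES, "001", procedure_changed=True))  # procedure change
```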
### Step 6: Summary Output
```text
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Procurement File Generated
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📄 Document: projects/{project_id}/ARC-{PROJECT_ID}-MARPUB-v{VERSION}.md
📋 Document ID: {document_id}
📅 Created: {date}
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📋 Procurement Parameters
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Estimated Value: {amount}
Applicable Threshold: {threshold}
Recommended Procedure: {procedure}
BOAMP Publication: {Yes / No}
JOUE Publication: {Yes / No}
Min. Consultation Period: {X days}
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🛡️ Mandatory Clauses Included
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Security annex (RGS v2.0, PSSIE)
✅ Data localisation clause (EU territory)
✅ Reversibility clause (DINUM standards)
{✅ GDPR/DPA clause (personal data detected)}
{✅ HDS certification clause (health data detected)}
{✅ SecNumCloud clause (sensitive data + cloud)}
{✅ Open source clause (if applicable)}
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📦 Requirements Linked
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
{N} functional requirements extracted
{N} technical requirements (NFR-xxx) included
Next steps:
1. Review and complete UGAP catalogue references (ugap.fr)
2. Legal team validation of contract clauses
3. {If tenders received: Run $arckit-evaluate for scoring}
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
```
## Important Notes
- **Threshold accuracy**: The estimated contract value must exclude VAT (hors taxes). Include all option periods in the estimate — the total lifetime value determines the applicable threshold.
- **UGAP catalogue**: UGAP framework references must be verified at ugap.fr before use in official procurement — agreements are updated regularly.
- **Legal validation**: This document generates a draft procurement file. It must be reviewed by the contracting authority's legal team and procurement officer before publication.
- **Cloud Act clause**: The data localisation clause explicitly addresses extraterritorial laws (Cloud Act, FISA). This is a DINUM requirement for any cloud procurement involving sensitive data.
- **Use Write Tool**: Procurement files are typically 3,000–6,000 words. Always use the Write tool.
## Key References
| Document | Publisher | URL |
|----------|-----------|-----|
| Code de la commande publique | Légifrance | https://www.legifrance.gouv.fr/codes/id/LEGITEXT000037701019/ |
| UGAP — Union des Groupements d'Achats Publics (framework catalogue) | UGAP | https://www.ugap.fr/ |
| BOAMP — Bulletin Officiel des Annonces des Marchés Publics | DILA | https://www.boamp.fr/ |
| TED / JOUE — EU procurement journal (above EU thresholds) | EU Publications Office | https://ted.europa.eu/ |
| ANSSI-qualified security providers (PASSI, PRIS, PDIS) | ANSSI | https://cyber.gouv.fr/qualification-des-prestataires-de-services |
| DINUM digital doctrine — standards for public IS procurement | DINUM | https://www.numerique.gouv.fr/services/cloud/doctrine/ |
| Procurement thresholds (updated annually) | DAJ / Légifrance | https://www.economie.gouv.fr/daj/marches-publics |
> **Note for reviewers**: French public procurement is governed by the Code de la commande publique (transposing EU Directives 2014/24 and 2014/25). UGAP is a French central purchasing body — pre-competed framework agreements that public buyers can call off without running a full tender. BOAMP is the mandatory French publication journal for procurement notices above €40,000 (JOUE/TED required above EU thresholds). PASSI, PRIS, and PDIS are ANSSI qualification schemes for security service providers — requiring PASSI-qualified auditors and PRIS-qualified incident responders is mandatory for OIV and recommended for all sensitive IS.
## Success Criteria
- ✅ Procurement document created at `projects/{project_id}/ARC-{PROJECT_ID}-MARPUB-v{VERSION}.md`
- ✅ Threshold analysis completed with recommended procedure
- ✅ BOAMP/JOUE publication requirements determined
- ✅ Requirements statement linked to REQ artifact (FR-xxx, NFR-xxx)
- ✅ Sovereignty and security requirements table populated
- ✅ Award criteria with weighting defined (total = 100%)
- ✅ Security and sovereignty clauses included (data localisation, reversibility, GDPR/DPA)
- ✅ HDS clause included if health data detected
- ✅ SecNumCloud clause included if sensitive data and cloud
- ✅ UGAP catalogue guidance provided
- ✅ Indicative timeline Gantt chart generated
- ✅ DINUM digital doctrine checklist completed
## Example Usage
```text
$arckit-fr-marche-public Generate procurement documentation for a digital identity platform for a French ministry, estimated value €2.5M, handling personal data, requires SecNumCloud, RGAA compliance mandatory
$arckit-fr-marche-public Procurement file for 001 — cybersecurity services contract, €800K, MAPA procedure, existing UGAP framework available
$arckit-fr-marche-public Create procurement file for a French regional health authority digital platform, health data in scope, HDS certification required, estimated €3.5M over 3 years
```
## Suggested Next Steps
After completing this command, consider running:
- `$arckit-evaluate` -- Score vendor responses against the award criteria defined in this document *(when tenders have been received and are ready for evaluation)*
- `$arckit-traceability` -- Link procurement requirements back to functional and non-functional requirements