Sovereign cloud: Europe steps up its defences (but everyone is going their own way)
It was France that realised that its citizens’ data was accessible to the US government and agencies. Protecting data sovereignty is becoming a strategic issue for Europe: European countries are adopting different approaches, but with a single objective
by P.Sol.
March 2024, Paris. The French Ministry of Health discovers that the health data of millions of citizens, hosted on the European Health Data Hub platform, is technically accessible to the US authorities. The service provider is Microsoft Azure, which is subject to the Cloud Act, the US law that allows US judges to order access to data held by US companies, wherever the servers are located. The loophole is the notorious FISA (Foreign Intelligence Surveillance Act), which allows the government and federal agencies to access the databases of US operators without restriction.
The story hit the headlines. The Council of State was called upon to address the issue, privacy organisations protested, and the government promised to migrate to European providers ‘as soon as possible’. Two years on, that promise has reshaped the EU’s entire cloud strategy. And France, Germany and Italia have taken three different approaches to prevent a repeat of the situation.
Sovereignty or nothing
Paris has learnt the hard way. Following the Health Data Hub scandal, the Élysée Palace has adopted the principle of the “cloud de confiance”: sensitive government data must be stored on infrastructure that is immune to any non-European jurisdiction.
The key is the SecNumCloud certification, issued by ANSSI. Technical compliance alone is not enough: the provider must demonstrate that it is not subject to foreign laws that permit unauthorised access. For American hyperscalers, the only way in is through joint ventures in which the French hold a majority stake.
And so Bleu — the alliance between Orange, Capgemini and Microsoft — and S3ns, the partnership between Thales and Google, were born: American technology, but with encryption keys and governance in French hands. The price? Complexity and high costs, as the Court of Auditors highlighted in a recent report. But for Paris, sovereignty is non-negotiable.


