Is France still the master of its data? As the election of the new U.S. president raises questions, the dominance of American cloud providers remains overwhelming. Yet, France has launched an ambitious policy to lay the groundwork for a sovereign cloud. Let’s take a closer look at this bumpy road.

As the United States takes center stage in the media with its presidential election results, one question becomes particularly pressing: Is France a digital protectorate of the United States?

Some might say yes, given the seemingly disastrous state of its sovereignty in the cloud. Paris entrusted Amazon Web Services (AWS) with the data of 530,000 companies that applied for state-guaranteed loans (PGE) in the wake of the COVID crisis, as well as part of EDF’s data concerning nuclear plant maintenance. And its health data? Managed by Microsoft! These are just a few examples involving essential state services that have made headlines in recent years.

And let’s not even mention the thousands of businesses—whether strategic or not—that use the high-performance, competitive services of hyperscalers without always considering the watchful eye of our allies across the Atlantic. Altogether, AWS, Microsoft Azure, and Google hold a staggering 70% share of the French cloud market (including public and private clients), according to the firm Markess by Exægis.

In the same vein, the cybersecurity of all ministries—except the Ministry of Armed Forces—will once again be handled by a Franco-Canadian alliance, Wavestone/CGI. Is this a blow to French digital sovereignty? At least on the surface, especially since, as reported by InCyber, a 100% French consortium was in the running for this €500 million contract, awarded in August 2024.

AWS, Azure, and Google: 70% of France’s Cloud Market

The French consortium, comprising Capgemini, Thales, Atos, and Headmind Partners, seemed more aligned with the “national acceleration strategy for cybersecurity” included in Emmanuel Macron’s “France 2030” investment plan. Yet, as in many cases, price was the determining factor, with the Wavestone/CGI alliance bidding 30% lower than the French offer, continuing its services initiated in 2019.

Authorities, however, seek to reassure on these issues. For instance, Pascal Allizard, senator (LR) from Calvados, raised concerns in July 2020 over AWS hosting data collected by the public investment bank (BPI) related to state-backed loans. “This technical solution worries both businesses and economic intelligence specialists, as it could allow access to strategic data, such as the complete financial health of a French company,” he wrote. In a written response, the Ministry of Finance replied in February 2021 that “BPIfrance data hosted by this provider is not accessible to the host, as it is fully encrypted with a private BPIfrance key, itself stored at BPIfrance.” It also pointed out that “the U.S. Privacy Shield, which applies only to data hosted on U.S. soil, does not apply to data hosted in Paris.”

Strategic Data at the Mercy of the U.S.?

This remark, however, is moot since the Privacy Shield (a 2016 agreement allowing European companies to transfer personal data to the U.S., recognizing that U.S. legislation offered the same guarantees as European law) was invalidated by the European Court of Justice… on July 16, 2020, the same day Senator Allizard’s question was filed. Moreover, the Ministry neglected to mention the Cloud Act, which allows U.S. intelligence services to access data stored by American companies anywhere in the world. This leaves us hoping that BPI’s encryption can withstand the computing power and expertise of the numerous “three-letter” U.S. agencies (CIA, FBI, NSA, etc.).

Around the same time, during the COVID crisis, Microsoft Azure was entrusted with managing the health data of French citizens. The idea was ambitious: centralizing a database of 67 million people could boost French medical research, foster AI development in healthcare, and enable virtual clinical trials or even detect “weak signals” in the population. However, it also risked exposing highly personal and confidential data to foreign actors under the Cloud Act and the Foreign Intelligence Surveillance Act (FISA), which governs physical and electronic surveillance in the U.S. and abroad.

Awakening of France’s Trusted Cloud

In response to the invalidation of the Privacy Shield, the CNIL (France’s data protection authority) and the Council of State required the Health Data Hub to be hosted by an entity fully subject to EU jurisdiction. Olivier Véran, then-Minister of Health, promised compliance “within 12 to 18 months, or in any case within a maximum of two years.” The tender to replace Azure is still awaited.

To be fair, the concept of a sovereign cloud was unclear at the time: should it involve entirely French infrastructure or at least partly European? What legal, technical, and operational criteria should it meet? While it seemed instinctive to avoid American actors (relying on them looked like letting the wolf into the sheepfold), the reliable and objective criteria necessary for launching public or private tenders were lacking.

It was only in 2021 that France clarified this with its “cloud at the center” doctrine, aimed at securing all new public IT projects involving sensitive or sovereign data. Updated in May 2023, this strategy requires “trusted cloud” certification, which mandates compliance with GDPR and SecNumCloud, France’s highest cybersecurity standard (or an equivalent European qualification). This certification is essential for storing and processing sensitive data, including health data, as well as for operators of vital importance (OIV) and essential services (OSE).

Permanent Exceptions

However, the latest SecNumCloud standard (version 3.2) specifies that certified clouds must be immune to extraterritorial laws like the Patriot Act, Cloud Act, or FISA. This excludes American hyperscalers by default and establishes the foundations of a truly sovereign cloud, at least at the European level. Providers headquartered outside the EU or those with non-European capital ownership are no longer eligible for certification.

In the meantime, these rules only apply to new projects. Existing programs, such as state-guaranteed loans, the Health Data Hub, and others initiated before the update, remain under contracts with American providers.

The circular does state that “for ongoing projects, a temporary exception may be granted at the discretion of the relevant minister and with the Prime Minister’s approval, but not beyond 12 months after an acceptable cloud offering becomes available in France.” However, with the subjective notion of an “acceptable cloud offering,” it’s clear that the government does not intend to overhaul ministries and other critical organizations overnight.

U.S. Technologies in Sovereign Clouds?

French providers are working hard to earn the “trusted cloud” label to benefit from public contracts, as their American competitors did over two decades ago.

Five providers have already certified some of their services under SecNumCloud, which is awarded on an offering-by-offering basis. Outscale, Cloud Temple, Worldline, and OVHcloud have certified IaaS (Infrastructure as a Service) offerings. Oodrive and Whaller received certification for SaaS (Software as a Service) solutions. OVH aims to certify its entire catalog to stand out in an increasingly crowded market. Other players like Orange Business, SFR Business, Free Pro, and NumSpot are also seeking IaaS certification.

Toward Sovereign AI

Meanwhile, S3NS (backed by Thales) and Bleu (a Capgemini-Microsoft joint venture) aim to certify their IaaS and PaaS (Platform as a Service) offerings. Both rely on U.S. technology—Google for S3NS and Microsoft for Bleu—but maintain full control of their solutions. Their servers are located in France, meeting the prerequisites for certification. S3NS hopes to secure its certification by summer 2025, while Bleu expects to qualify in late 2025, enabling its clients to use Microsoft 365 or Azure services within a “trusted cloud.”

Beyond storage and decentralized services, cloud applications are increasingly driven by artificial intelligence, particularly Large Language Models (LLMs). Outscale now offers an AI-as-a-Service solution based on its SecNumCloud-certified infrastructure and Mistral’s language model. Similar initiatives are underway at Orange, HPE, OVH, and others, at various stages of development.

For now, the state continues its “cloud at the center” policy. Yet for every trusted cloud solution, such as digitized voter registration or healthcare systems like the Carte Vitale app, how many projects still fall into the hands of American hyperscalers?
