Digital Sovereignty: Why You Should Host Your Data in France

Digital sovereignty has moved in just a few years from an abstract concept to a strategic imperative. Faced with the dominance of American hyperscalers and successive revelations about foreign surveillance programmes, France and Europe have built one of the most protective regulatory frameworks in the world. For organisations handling sensitive data, the choice of hosting is no longer trivial: it is a decision that affects compliance, reputation, and client trust.

SecNumCloud: ANSSI's sovereign shield

The SecNumCloud framework, developed by France's National Agency for Information Systems Security (ANSSI), forms the cornerstone of the country's digital sovereignty strategy. This qualification imposes some of the strictest security requirements globally and includes a decisive criterion: immunity from non-European extraterritorial legislation.

In concrete terms, to obtain SecNumCloud qualification, a cloud provider must not be more than 25% owned by non-European shareholders. This rule effectively excludes the European subsidiaries of American giants (AWS, Azure, Google Cloud) from qualification, even when they host data on French soil.

Since 2024, SecNumCloud has become mandatory for public procurement involving sensitive data. Government agencies, local authorities, and public institutions must now use qualified providers for all processing of health data, judicial data, or classified information.

SecNumCloud qualification goes beyond technical security criteria. It incorporates a fundamental legal dimension: ensuring that hosted data cannot be seized or accessed by non-EU authorities.

Qualified French hosting providers

The ecosystem of sovereign French hosting providers has strengthened considerably in recent years. Several players have obtained or are in the process of obtaining SecNumCloud qualification:

  • OVHcloud: Europe's leading cloud provider, OVHcloud was among the first to achieve SecNumCloud qualification. The company operates its own data centres in France and across Europe, with an entirely European chain of control.
  • Scaleway (Iliad Group): this French hosting provider offers a comprehensive cloud infrastructure with data centres in Paris and Amsterdam. Scaleway has positioned itself as a credible sovereign alternative for organisations of all sizes.
  • S3NS (Thales + Google): this joint venture between Thales and Google Cloud aims to offer Google Cloud services under French sovereign control. Encryption keys are managed exclusively by Thales, and the ownership structure meets SecNumCloud requirements.
  • Outscale (Dassault Systèmes): a subsidiary of Dassault Systèmes, Outscale offers a sovereign cloud with SecNumCloud qualification, particularly suited to sensitive government and industrial sectors.

HDS: the reinforced health data certification

For health data, France has an even more demanding specific framework: the Health Data Hosting (HDS) certification. Updated in April 2024, this certification imposes enhanced requirements for the security, availability, and confidentiality of health data.

HDS-certified providers must renew their certification by May 2026 under the updated framework. This renewal introduces stricter controls on data location and access conditions, progressively aligning HDS certification with SecNumCloud principles.

The case of the Health Data Hub perfectly illustrates the sovereignty stakes in the healthcare sector. This national health data platform, originally hosted on Microsoft Azure, must migrate to a sovereign host by the end of 2026. This migration, mandated by France's Council of State and the CNIL, acknowledges that hosting by an American provider is incompatible with protecting the health data of French citizens.

France: Europe's data protection champion

France occupies a unique position in Europe when it comes to digital sovereignty. Its regulatory framework is among the most protectionist on the continent, driven by strong political will and a tradition of protecting individual freedoms embodied by the CNIL since 1978.

At the European level, the debate surrounding the EUCS (European Union Cybersecurity Certification Scheme) for cloud services highlights tensions between different national approaches. France is actively lobbying for the highest EUCS certification level to include sovereignty criteria similar to those in SecNumCloud, excluding providers subject to extraterritorial laws. Other countries, influenced by lobbying from American hyperscalers, are pushing back.

France's stance is not disguised protectionism: it is a pragmatic response to legal reality. The American CLOUD Act allows US authorities to demand access to data held by American companies, regardless of where that data is stored in the world. Without sovereignty over hosting, the protection offered by GDPR remains theoretical.

Hosting your data in France with a French provider not subject to extraterritorial legislation is not an ideological choice. It is the only way to legally guarantee that your data will not be accessible to foreign authorities without your consent.

The concrete risks of non-sovereign hosting

Organisations that continue to host sensitive data with non-sovereign providers expose themselves to several well-documented risks:

  • Legal risk: GDPR non-compliance for data transfers outside the EU, with potential fines reaching 4% of global annual turnover from data protection authorities.
  • Unauthorised access risk: foreign surveillance laws (CLOUD Act, FISA Section 702, Chinese intelligence law) allow governments to access data without the organisation or data subjects being informed.
  • Reputational risk: clients and partners are increasingly sensitive to where their data is located. An incident involving foreign access can permanently erode trust.
  • Public procurement exclusion risk: the SecNumCloud requirement is progressively closing public sector contracts to non-qualified providers.

ZeroTrustTransfer: conceived and hosted in France

ZeroTrustTransfer embodies this vision of digital sovereignty applied to file transfer. Built by Kioroeya, a French company, and hosted entirely on infrastructure located in France, ZeroTrustTransfer guarantees that your data never leaves French territory.

Beyond location, ZeroTrustTransfer's zero-knowledge architecture means that even Kioroeya has no access to the contents of your files. AES-256 end-to-end encryption takes place directly on your device, and decryption keys are never transmitted to our servers. This is sovereignty in its most complete form: your data stays in France, and only you and your recipients can access it.
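
The client-side flow described above, sketched as an added example (not ZeroTrustTransfer's or Kioroeya's code): the file is encrypted on the sender's device, the server only ever receives ciphertext, and the recipient decrypts locally. AES-256-GCM, carrying the key in the link's URL fragment, the transfer.example host and all function names are assumptions; it uses Node's built-in crypto module so it runs offline, where a browser would use Web Crypto.

```javascript
// Added illustration, not the product's code. AES-256-GCM, the 12-byte nonce,
// the URL-fragment link and every name below are assumptions.
const nodeCrypto = require('node:crypto');

// Sender's device: encrypt locally; only `upload` is ever sent to the server.
function encryptOnDevice(plaintext) {
  const key = nodeCrypto.randomBytes(32);   // 256-bit key, generated client-side
  const nonce = nodeCrypto.randomBytes(12); // fresh for every file
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { key, upload: { nonce, ciphertext, tag: cipher.getAuthTag() } };
}

// The key rides in the URL fragment, which browsers do not put in HTTP requests.
function buildShareLink(fileId, key) {
  return `https://transfer.example/d/${fileId}#${key.toString('base64url')}`;
}

// Recipient's device: read the key from the fragment and decrypt locally.
// final() throws if the stored blob was modified (GCM tag mismatch).
function decryptOnDevice(link, stored) {
  const key = Buffer.from(new URL(link).hash.slice(1), 'base64url');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, stored.nonce);
  decipher.setAuthTag(stored.tag);
  return Buffer.concat([decipher.update(stored.ciphertext), decipher.final()]);
}

// Constructed sample run: what the server holds versus what the recipient recovers.
function demo() {
  const file = Buffer.from('constructed sample: patient-report.pdf contents');
  const { key, upload } = encryptOnDevice(file);
  const link = buildShareLink('f123', key);
  const requestPath = new URL(link).pathname; // the part of the link a server sees
  const serverView = Buffer.concat([upload.nonce, upload.ciphertext, upload.tag]);
  const recovered = decryptOnDevice(link, upload);
  const tampered = { ...upload, ciphertext: Buffer.from(upload.ciphertext) };
  tampered.ciphertext[0] ^= 1; // flip one bit of the stored blob
  let tamperDetected = false;
  try { decryptOnDevice(link, tampered); } catch { tamperDetected = true; }
  return {
    roundTrip: recovered.equals(file),
    keyInServerView: serverView.includes(key) ||
      requestPath.includes(key.toString('base64url')),
    tamperDetected,
  };
}
```
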

In a landscape where digital sovereignty is becoming a selection criterion for public procurement and a competitive advantage in the private sector, choosing a French, sovereign file transfer tool is a strategic investment. Discover ZeroTrustTransfer and take back control of your data.
