Sovereign cloud in France in 2026 — where do we stand?
SecNumCloud, EUCS, European hyperscalers, proprietary datacenters. 2026 panorama of the French sovereign cloud market, the three real sovereignty criteria, and what it changes for an SMB or mid-market firm.
“Sovereign” alone doesn’t mean much
The word “sovereign” is overused. For a European organisation in 2026, it should cover three cumulative dimensions:
- Legal sovereignty — the company operating the cloud is not subject to extraterritorial laws (US Cloud Act, Chinese surveillance laws).
- Technical sovereignty — datacenters, operators and hardware supply chain are European.
- Data sovereignty — your data never leaves European territory, including product telemetry and support data.
A US hyperscaler with a European datacenter only ticks the third box — and even that, often imperfectly.
The certifying frameworks in 2026
SecNumCloud (ANSSI)
The French reference framework for sovereign cloud. Twenty-six technical and legal requirements. A few actors carry the qualification: Outscale (Dassault Systèmes), Cloud Temple, OVHcloud (on a limited scope), NumSpot. The qualification guarantees legal and technical sovereignty, but the available service catalogue remains limited.
EUCS (European Cloud Scheme)
The future European framework, partially derived from SecNumCloud. “High” level expected for critical workloads. The 2024-2025 debate on whether US hyperscalers could reach the “High” level was settled — legal sovereignty remains required.
Health Data Host (HDS)
Specific to the health sector. Twenty-two certified actors in France in 2026. Hexceos is one of them. Covers hosting, managed services and backup of identifying health data.
The real options for an SMB or mid-market firm
Three credible architectures today:
Option A — Qualified sovereign cloud
You host with Outscale, Cloud Temple, OVH SecNumCloud or a proprietary French datacenter (like ours). The service catalogue is more restricted than a hyperscaler's and the DevOps tooling is less rich, but sovereignty is total.
Option B — Hybrid cloud with BYOK-encrypted hyperscaler
Your sensitive workloads stay sovereign; your non-sensitive workloads can stay on AWS/Azure/GCP with BYOK (Bring Your Own Key) and strict separation. Legal sovereignty stays partial but data is technically isolated.
Option C — Full hyperscaler with reinforced contracts
You stay on a hyperscaler with EU-only contracts, CLOUD Act notification clauses and independent audits. This is most of the market today. It is not true sovereignty, but it is a level of risk reduction that many regulated actors accept.
Our reading of the market
For critical production workloads of an organisation subject to NIS2 (essential entity), HDS, or holding a public service mandate, option A has become the expected standard. For peripheral workloads, option B suffices.
Option C is losing ground for regulated actors but remains dominant in total value across the wider market.
What concretely changes in 2026
- The price gap between qualified sovereign cloud and hyperscalers has narrowed (typically 10 to 20% difference vs 50% three years ago).
- The catalogue of managed services (databases, analytics, AI) is starting to catch up with hyperscalers, without yet matching them.
- French government and regulated entities increasingly mandate SecNumCloud contractually.
In short
If your activity is regulated, you should have moved to option A or be in active migration. If it is not, option B is a balanced trade-off today. Option C is a risk whose valuation increases each year.
Our cloud advisory service covers all three options depending on your situation: we are not dogmatic about architecture, we are dogmatic about documenting the risk.
Written by the Hexceos cloud architecture team.