French Cloud Strategy pushing Supply and Demand towards Digital Sovereignty

Countries across Europe are ramping up their efforts to adapt to the changing geopolitical climate, preparing for uncertainties that the near future might bring. Dependencies on non-European cloud providers are substantial and require proactive action both top-down and bottom-up. Top-down includes policy and legislation setting the stage by, for example, enabling demand and guiding buyers in making informed decisions. Bottom-up includes, for example, growing the necessary capabilities and supply. EuroStack highlights the need for both aspects through its “Buy and Sell European” principles.
In this post, I would like to highlight how governments can take decisive action on this by expanding on France’s national cloud strategy, which provides a comprehensive model and example of enabling both demand and supply. The strategy takes its starting point from Article 16 of the 2016 Digital Republic Law, which legally mandates that administrations “ensure that they maintain control, sustainability and independence over their information systems.”
The strategy is built around a clear response to the intertwined challenges of digital sovereignty, administrative modernisation, and industrial competitiveness, and provides a consolidated vision through an integrated, three‑pillar framework first formalised in 2021 and refined under subsequent plans.
The Cloud of Trust and Security Certification
At the heart of the strategy lies the Cloud of Trust, coordinated by ANSSI—the French cybersecurity agency—which defines and enforces the security and compliance standards that cloud providers must meet to serve public and sensitive domains. The SecNumCloud certification forms the operational mechanism through which “trusted” status is granted, ensuring legal and technological protection from extraterritorial jurisdictions. The certification is based on ANSSI's recommendations on hosting sensitive information systems in the cloud.
This effort balances a strong security framework with pragmatic economic goals, as certified European vendors gain access to public markets and benefit from increased interoperability with EU cloud certification schemes such as the upcoming EUCS. The model creates a credible alternative to non‑European hyperscalers by embedding both cybersecurity assurance and public procurement incentives into the framework.
The certification scheme is not without criticism. Some in the French vendor ecosystem refer to it as a major barrier to entry for SMEs and less resourceful vendors, and by extension to digital sovereignty at large, as the latter hinges on growing a capable European SME and vendor ecosystem. DINUM has also acknowledged that the process is long and complex and can take up to two years to complete, but considers it powerful in enabling buyers to make the right choices.
Other criticism includes cases where vendor offerings with clear ties to American hyperscaler technology have passed the certification. “Bleu” and “S3NS” are two flagship “sovereign cloud” initiatives in France. Bleu is a French cloud service provider formed as a joint venture between Capgemini, Orange, and Microsoft, while S3NS is a Paris-based company, majority-owned and controlled by Thales, in partnership with Google Cloud. Anecdotally, former ANSSI director Guillaume Poupard has admitted that these systems would collapse if the US providers withdrew their technology.
The Cloud‑First Doctrine and Industrial Acceleration
The Cloud‑at-the-centre doctrine, managed by DINUM (Direction Interministérielle du Numérique), mandates that all new public digital projects adopt cloud‑based infrastructures and practices, encouraging the adoption of DevOps and agile development within the French administration. Its purpose extends beyond infrastructure modernisation to fostering a cultural shift towards continuous innovation and digital service transformation.
Complementing this, the industrial acceleration strategy—led by the Ministry for the Economy’s Directorate‑General for Enterprise (DGE)—supports domestic as well as European cloud providers through targeted funding, public‑private investment (~€1.8 billion), simplified procurement, and collaboration mechanisms designed to expand the European cloud industry’s footprint, and to compete for demand currently occupied by non-European cloud providers.
Flexible Procurement Practices
Adding to the national cloud strategy is France’s national cloud procurement model, which is designed to align public‑sector modernisation with industrial development and sovereignty objectives. To simplify and secure access to trusted cloud services, the government established a centralised cloud brokerage system managed under DINUM, ANSSI, and the Directorate‑General for Enterprise. This platform allows administrations to select from a pre‑qualified catalogue of providers, including SecNumCloud-certified vendors such as OVHcloud and Outscale, as well as others undergoing evaluation.
Procurement through this channel minimises administrative overhead and standardises contracting, giving agencies a rapid path to deployment without issuing individual tenders. Simultaneously, the SecNumCloud certification—administered by ANSSI—serves as a regulatory filter: only cloud services meeting strict cybersecurity, data localisation, and European ownership standards may be procured for sensitive workloads. This combination of trusted certification and streamlined purchasing ensures that procurement not only drives cloud adoption but also strategically supports national objectives for digital sovereignty and European industrial competitiveness.
Role of Open Source
Open source technologies play a structural and strategic role in the national cloud strategy, underpinning its goals of sovereignty, interoperability, and long‑term sustainability. In contrast to proprietary ecosystems that foster dependence on foreign suppliers, open source software offers transparency, auditability, and collective control over critical technological components.
DINUM supports public administrations through the development and provisioning of open source‑based solutions, as well as providing guidance on where to find, how to assess the health and security of, and how to adopt these technologies. This kind of support is critical for growing knowledge, awareness, and capabilities to procure services that align with overarching goals of strengthening strategic autonomy and promoting interoperability, both in France and across Europe.
Thanks to Stéfane Fermigier for contributing to the framing of this post.