France has long been the most vocal European advocate for digital sovereignty, and it has now translated rhetoric into a binding timetable. Under a new directive, public administrations must migrate sensitive workloads and critical systems to cloud platforms that satisfy strict sovereignty requirements by 2027.
The policy builds on France’s existing “cloud at the centre” doctrine and its national security-visa for trusted cloud providers. What is new is the deadline and the breadth: this is no longer guidance but an obligation with a date attached, and it covers a wide swathe of the public sector.
What ‘sovereign’ actually means here
The directive does not simply require European data centres. It requires that the operator be legally insulated from non-European jurisdiction — meaning that no foreign government can compel access to the data through extraterritorial law. This is the crux of the sovereignty argument and the reason that a US hyperscaler’s EU region does not automatically qualify.
In practice, qualifying providers must demonstrate European ownership or robust legal structures, EU-based operations and staff, and certified security. The bar is deliberately high, and it favours providers whose entire corporate structure sits within European reach.
When the operator of your cloud is subject to a foreign government’s data-access laws, ‘data stored in Europe’ is not the same as ‘data beyond foreign reach’. The French directive targets exactly that gap.
Who benefits
The immediate winners are European cloud providers with the scale and certifications to absorb public-sector demand. Companies such as OVHcloud, Scaleway and Exoscale are positioned to capture workloads that previously defaulted to hyperscalers. Specialist French and European integrators that can manage migrations also stand to gain.
The mandate also strengthens the business case for open-source platforms that can be operated by any compliant provider. Self-hostable collaboration and storage tools — Nextcloud chief among them — offer a path to sovereignty that does not depend on a single vendor at all.
The private-sector ripple effect
Although the directive targets government, its gravitational pull will reshape the wider market. Suppliers that sell to the public sector must now meet sovereignty criteria, and many will standardise on compliant infrastructure across their whole business rather than maintain two stacks. Regulated industries — health, finance, defence — are watching closely and will likely follow.
There is also a demonstration effect. When the state migrates at scale, it de-risks the choice for everyone else: reference architectures emerge, integrators gain experience, and European providers prove they can handle serious workloads. Each public migration makes the next private one easier.
Migration is the hard part
Setting a deadline is straightforward; meeting it is not. Public-sector IT estates are notoriously complex, full of legacy systems, bespoke integrations and undocumented dependencies. A realistic migration programme has to sequence carefully:
- Inventory systems and classify data by sensitivity
- Prioritise the most sensitive and most portable workloads first
- Re-platform onto open, portable formats to avoid swapping one lock-in for another
- Run parallel operations during transition to manage risk
- Build internal skills so the new estate can be operated, not just installed
Lessons for businesses everywhere
Even organisations with no public-sector ties should read the directive as a signal. Sovereignty requirements are spreading through procurement chains, and the providers and patterns being validated by government today will become the safe default tomorrow. Building portability and jurisdictional awareness into IT decisions now is cheaper than retrofitting them under deadline pressure later.
The smartest approach mirrors the public-sector playbook: start with new workloads, prefer open standards, treat jurisdiction as a hard requirement, and grow internal expertise alongside the migration.
The certification landscape
Behind the mandate sits a machinery of certification that determines which providers qualify. France’s national cybersecurity agency has developed a security visa for trusted cloud, setting requirements that go well beyond technical security to cover the legal and corporate structure of the provider. The point is to guarantee not merely that data is protected, but that no foreign authority can lawfully compel access to it.
This legal dimension is what makes the certification distinctive. A provider can run impeccable security and still fail to qualify if its corporate parent is subject to extraterritorial data-access laws. Conversely, a provider with European ownership and EU-only operations clears the highest bar. The effect is to draw a sharp line between ‘hosted in Europe’ and ‘sovereign’, and to reward the latter.
At the EU level, parallel efforts to define a common cloud security certification scheme have wrestled with exactly this sovereignty criterion, with member states divided over how strict to be. France’s national approach effectively sets a high-water mark that the wider European conversation is now reacting to.
A European domino effect
France rarely moves alone for long on sovereignty. Its mandate is likely to catalyse similar requirements elsewhere, as other governments observe a workable template and face the same pressures. Germany, Italy and others have their own sovereign-cloud initiatives, and a French precedent makes it politically easier for them to impose hard deadlines of their own.
For pan-European providers, this prospect is enormously attractive: a patchwork of national mandates aggregates into a continent-wide market for sovereign infrastructure. For buyers operating across borders, it argues for choosing providers that can satisfy the strictest national requirement, since that choice will likely satisfy the others too. The smart money is preparing for sovereignty requirements to become the European norm rather than a French exception.
Conclusion
France’s 2027 mandate is the clearest sign yet that sovereign cloud has moved from aspiration to obligation. It guarantees a wave of demand for European-controlled infrastructure and sets a template that other member states are likely to copy.
For the European cloud industry, this is the moment it has been waiting for: a large, motivated, deadline-driven customer that values exactly what European providers are built to offer. For everyone else, it is a preview of where the whole market is heading.
Browse our complete directory of European services to find privacy-first, GDPR-compliant alternatives that keep your data in Europe.