Glossary · EU Sovereign Cloud

Cloud de Confiance (Trusted Cloud (French sovereign cloud certification))

French government certification scheme launched in 2021 designating cloud providers that meet sovereignty and security requirements for sensitive public-sector and operator-of-vital-importance workloads.

## What Cloud de Confiance actually is Cloud de Confiance ("Trusted Cloud") is a French government policy and certification framework introduced in **2021** to designate cloud providers that satisfy a tightened set of sovereignty and security requirements. It exists to give French public administrations, hospitals, defense agencies, and operators of vital importance (*opérateurs d'importance vitale* — OIVs) a legal and operational basis for using cloud services on sensitive workloads without exposure to extraterritorial foreign law. The framework is administered jointly by **ANSSI** (the French cybersecurity agency) and the French government's digital arm (DINUM, secrétariat général pour l'investissement). The technical baseline is **SecNumCloud** — ANSSI's qualification for cloud services. ## What Cloud de Confiance requires To qualify, a provider must satisfy multiple stacked criteria: ### 1. SecNumCloud qualification The provider's cloud platform must hold ANSSI's SecNumCloud qualification — a high-assurance security standard going beyond ISO 27001 / ISO 27017. ### 2. Immunity from extraterritorial law The provider must be structured so that **no non-EU law** (notably the US [CLOUD Act](/en/glossary/cloud-act/), FISA Section 702, or Chinese national-security obligations) can compel disclosure of customer data. In practice this requires majority European ownership and European corporate control. ### 3. Data residency in the EU Customer data and metadata must be stored and processed exclusively in the EU. ### 4. Operational sovereignty Personnel with administrative access must be EU residents subject to EU law. ## Certified providers (as of 2026) The set of providers that have achieved Cloud de Confiance status remains deliberately small. Notable certifications: - **S3NS** — the Thales / Google Cloud joint venture (Thales is majority shareholder; operates Google Cloud Platform technology under French legal control) - **Bleu** — Capgemini / Orange joint venture using Microsoft Azure technology under French control (launched commercially 2024-2025) - **OVHcloud** — for specific qualified offerings (the historic French hyperscaler) - **Outscale** (Dassault Systèmes) — early SecNumCloud qualified - **Numspot** — Docaposte / Bouygues / Dassault / Banque des Territoires joint venture (launched 2024) - Various smaller providers for specialized services The hyperscaler joint ventures (S3NS, Bleu) are the most operationally significant — they let French government and OIVs use Google or Microsoft cloud technology while satisfying sovereignty law. ## Why Cloud de Confiance matters ### 1. It made hyperscaler technology legally usable for sovereign workloads The S3NS and Bleu joint ventures showed that the technology stack can be decoupled from the legal control structure. French agencies can use familiar Google/Microsoft tools without exposure to CLOUD Act. ### 2. It set the regulatory pattern adopted across Europe Germany's BSI C5, Italy's ACN scheme, Spain's ENS, and the broader EU's [EUCS](/en/glossary/eucs/) draft all owe structural debt to the Cloud de Confiance / SecNumCloud approach. ### 3. It defined "real" sovereignty Cloud de Confiance distinguishes between *marketing sovereignty* (AWS "sovereign cloud regions" with US-domiciled control) and *legal sovereignty* (provider structurally immune to foreign law). This distinction now propagates across EU procurement. ### 4. It clarified the public-sector roadmap The French "doctrine cloud au centre" mandates that new public-sector cloud projects use Cloud de Confiance for sensitive data. This is a concrete procurement pipeline for certified providers. ## Cloud de Confiance vs adjacent schemes | Scheme | Country | Focus | Status | |--------|---------|-------|--------| | Cloud de Confiance | France | Sovereignty + security | Operational since 2021 | | BSI C5 | Germany | Security baseline | Operational | | EUCS | EU | Pan-EU cloud cybersecurity | In development | | ENS | Spain | Public-sector security | Operational | | ACN | Italy | National cyber framework | Operational | | SecNumCloud | France | Technical security baseline | Operational | SecNumCloud is the technical foundation; Cloud de Confiance is the broader sovereignty wrapper around it. ## What Cloud de Confiance means in practice ### For French public-sector buyers Cloud de Confiance is increasingly mandatory for sensitive workloads. Procurement language references it directly. ### For European businesses generally The certified providers are credible options regardless of nationality. A French SaaS company hosting on S3NS or OVHcloud is signaling sovereignty alignment. ### For US hyperscalers The S3NS / Bleu pattern is the template for participating in regulated European cloud — *cede majority legal control to European partner, license technology stack*. This is unattractive to most US hyperscalers commercially. ### For other European cloud providers Cloud de Confiance creates a legitimate competitive moat against hyperscalers in regulated French segments. ## What 2026-2027 brings - **Continued S3NS / Bleu rollout** as the JV operating models mature - **Extension to AI workloads** — Cloud de Confiance principles applied to AI infrastructure under EU AI Act - **Coordination with EUCS** — if EUCS is finalized, Cloud de Confiance will likely map to the highest assurance level - **More joint ventures** as US providers attempt to participate via French partners - **Numspot maturation** — the all-French JV is positioning as the most sovereign-pure option ## Practical implications For most European tech buyers: - **If you're a French public-sector entity**: this directly affects you - **If you serve French public-sector customers**: Cloud de Confiance providers become strategic - **If you're evaluating cloud sovereignty broadly**: this is the most mature European framework — study it - **If you operate elsewhere in Europe**: similar national frameworks are emerging; Cloud de Confiance is the template For everyday SaaS choices, this is background context. For sovereign-cloud strategy, it's foundational.

Related EU alternatives on BetterInEurope

Related glossary terms

← Back to glossary