
Data Sovereignty in the European Union

7 May, 2025


Data Sovereignty in the European Union by ChapsVision

TL;DR:

  • Data sovereignty is legal before it is technical: it determines which law applies, not only where the servers are located.
  • Residency and sovereignty are distinct: a data centre in France can still hold data subject to US law.
  • The ANSSI SecNumCloud 3.2 certification is the French benchmark that covers extraterritorial immunity, complementing the GDPR.
  • Hosting is not enough. The software layer that processes the data must be sovereign as well.
  • The European regulatory landscape has expanded (EU Data Act, NIS 2, DORA) and now requires a holistic approach to data governance.

Data has stopped being a byproduct of business and become a strategic asset. Medical records, contracts, tax registries, journalists’ sources, the digital twin of a manufacturing line: their value depends on who can access them, under which rules, and under which law.

Data sovereignty answers that question. In plain terms: it defines which law applies to a piece of data, and ultimately who can compel its disclosure. In a world where cloud infrastructure crosses borders, this is not a theoretical issue. A customer file hosted in Frankfurt can still fall under US law if the provider is a subsidiary of a US-based group.

This guide explains the legal framework in France and across the EU, outlines the concrete risks for European and international businesses operating in Europe, and sets out practical levers to regain control.

Definition of data sovereignty

Data sovereignty is the principle that data is subject to the laws of the country where it is collected, processed, or stored. It is not primarily a technical concept. It is a legal one. It answers a simple question: which state has authority over this data?

The term took its current shape with the entry into force of the EU General Data Protection Regulation (GDPR) on 25 May 2018. The regulation protects the personal data of people in the EU, wherever that data is physically located. That extraterritorial reach marked a turning point. EU law travels with the data, even when it crosses the Atlantic.

After Brexit, the UK incorporated the GDPR into domestic law as the UK GDPR, effective from 1 January 2021, alongside the Data Protection Act 2018. The two regimes remain closely aligned, but they are now separate.

The three components of sovereignty

  • Legal component: which law applies to the data, which authorities can compel its disclosure, and under which conditions.
  • Technical component: where the data is physically stored, how it is encrypted, who holds the keys.
  • Contractual component: which clauses govern portability, reversibility, secure deletion, and subprocessor access.

An organisation that masters these three components retains control of its information assets. Missing any one of them weakens the whole chain. Strong encryption does not protect against a lawful order if the keys are held by an entity subject to a foreign jurisdiction.

Data sovereignty, residency, and localisation: three different concepts

The three terms are often used interchangeably. They are not synonyms, and the difference has real legal consequences.

Concept           | Data sovereignty                  | Data residency                        | Data localisation
Nature            | Legal                             | Geographic                            | Regulatory
Question          | Which law applies to the data?    | Where are the servers located?        | Must the data stay within the country?
Example           | GDPR, CLOUD Act, FISA Section 702 | A data centre in Ireland or Frankfurt | Health Data Hub, classified defence data
Follows the data? | Yes                               | No, strictly physical                 | Often tied to sovereignty

A concrete example

A European company stores its customer data with a provider headquartered in the United States, on servers located in Frankfurt. The residency is German. Localisation may be GDPR-compliant. But sovereignty remains American. Under the CLOUD Act, US authorities can compel access to this data, even though it has never left European soil.

That dissociation is precisely what led to the French “Cloud au centre” doctrine and the emergence of the SecNumCloud certification.

Why data sovereignty has become strategic

GDPR compliance and personal data protection

The EU regulation imposes strict controls on personal data processing. A business transferring data to a jurisdiction offering weaker protection risks fines of up to 4% of worldwide annual turnover. European data protection authorities have challenged transfers deemed non-compliant. The Court of Justice of the European Union confirmed this line in the Schrems II ruling of 16 July 2020 (case C-311/18), which invalidated the Privacy Shield.

Since then, the EU-US Data Privacy Framework (adopted on 10 July 2023) has provided a new adequacy decision for transfers to the US. The UK followed with the UK-US Data Bridge, effective from 12 October 2023, extending the same framework to UK-to-US transfers. Both mechanisms remain subject to legal scrutiny.

National security and operational resilience

Critical infrastructure (energy, water, healthcare, defence, finance) handles data whose compromise would affect the continuity of state functions. A French Senate report published in July 2022 estimated that around 80% of French citizens’ and businesses’ data is stored on servers subject to the extraterritorial reach of the CLOUD Act. The figure, widely cited, captures the scale of the issue.

Economic autonomy and geopolitical risk

Recent tensions have shown that dependence on foreign providers is not neutral. Sanctions, export restrictions, the risk of remote service interruption: these scenarios are no longer hypothetical. In January 2026, Vincent Strubel, director general of France’s ANSSI cybersecurity agency, reminded stakeholders that cloud sovereignty also covers service availability, not just data confidentiality. That point is often overlooked.

On 12 June 2025, a French Council of Ministers communication structured the national digital sovereignty strategy around four priorities: mapping dependencies, protecting data through SecNumCloud, investing in the French and European ecosystem, and promoting open-source software. In January 2026, the French National Assembly established a parliamentary inquiry into digital dependencies.

The French and European legal framework

The regulatory landscape has densified. Below are the texts that shape data sovereignty today.

  • EU GDPR (General Data Protection Regulation), in force since 25 May 2018. It applies whenever data concerns an EU resident, regardless of where it is processed. Article 48 specifies that a foreign authority’s order compelling a transfer cannot be recognised without a prior international agreement.
  • UK GDPR and Data Protection Act 2018, effective in the UK since 1 January 2021. The regime mirrors the EU GDPR with UK-specific adjustments.
  • CLOUD Act (Clarifying Lawful Overseas Use of Data Act), signed into US law on 23 March 2018. It authorises US authorities to compel US-based companies to disclose data, regardless of where it is physically stored. It conflicts directly with Article 48 of the GDPR. The US-UK CLOUD Act Agreement entered into force on 3 October 2022, and the US-Australia agreement on 31 January 2024.
  • FISA Section 702 (Foreign Intelligence Surveillance Act). It authorises the NSA to collect data belonging to non-US persons that transits through US infrastructure. Its explicit target is mass surveillance.
  • EU-US Data Privacy Framework, adequacy decision of 10 July 2023, intended to secure data transfers from the EU to the US following the invalidation of the Privacy Shield. Still contested.
  • UK-US Data Bridge, effective from 12 October 2023, extending the EU-US Data Privacy Framework to UK-to-US transfers.
  • EU Data Act, applicable since September 2025. It enforces data portability and interoperability between cloud service providers.
  • NIS 2 Directive, which strengthens security obligations for operators of critical infrastructure.
  • DORA (Digital Operational Resilience Act), applicable since 17 January 2025. This EU regulation sets operational resilience requirements for the financial sector, including obligations concerning cloud providers.

The “Cloud au centre” doctrine and the SecNumCloud certification

France formalised its response through the “Cloud au centre” strategy, set out in a circular dated 8 November 2018 and reinforced in 2021. The doctrine requires public administrations to host sensitive data on SecNumCloud-qualified offerings or equivalent.

SecNumCloud is the certification framework published by ANSSI, the French national cybersecurity agency. Version 3.2, in force since March 2022, covers nearly 1,200 requirements, including strict criteria protecting against extraterritorial laws. In practice, a SecNumCloud-qualified provider guarantees that no non-European authority can legally compel access to the hosted data.

The official list of qualified providers is maintained by ANSSI and should be consulted before any contractual commitment. The list continues to grow. In late December 2025, qualification was extended to a hybrid offering combining a French operator with US cloud technology, which reopened the debate on the very definition of sovereignty.

Two readings coexist. ANSSI takes an operational view: as long as the effective control of data and operations rests with a European actor, sovereignty is established. Others argue for a stricter definition based on full technological independence, both hardware and software. The question is not settled.

Concrete challenges for European organisations

For a European business or public administration, data sovereignty plays out on four fronts.

Choosing a cloud provider aligned with national doctrine

SecNumCloud remains the most demanding benchmark for sensitive data. The official list maintained by ANSSI should be consulted before any contractual commitment. ISO 27001 or HDS (French health data hosting certification) are not enough: they do not cover extraterritorial immunity. A provider can be ISO 27001 or HDS certified and remain subject to the CLOUD Act.

Securing the software layer that processes data

Hosting is only one layer. Search engines, translation tools, AI assistants, analytics platforms: these process the data at its most granular level. A non-sovereign online translation tool can expose as much data as a poorly chosen data centre, and sometimes more. Online translations are among the most frequently cited examples when illustrating this risk.

Governing generative AI and autonomous agents

Prompts sent to hosted generative AI services may be logged, used to improve the service, or even used to train the models, depending on the provider’s terms of service. Using them in a sovereign setting requires control over the model, the training data, and the inference logs. European software vendors now offer deployment options on infrastructure controlled by the customer.

Maintaining resilience against service disruption

Recent export restrictions have shown that a provider can suspend services for geopolitical reasons. SecNumCloud addresses this concern through its requirement for operational autonomy. A non-European technology vendor must not hold any lever allowing it to shut down a service or target specific customers.

Technical solutions for data sovereignty

No single solution guarantees the sovereignty of an information system. The answer lies in combining several building blocks, calibrated to the sensitivity of the data in scope.

ANSSI-qualified cloud hosting

SecNumCloud 3.2 qualified providers guarantee hosting under European jurisdiction with immunity from extraterritorial laws. The official list is maintained by ANSSI on its website and should be consulted before any contractual engagement, since it is updated regularly.

On-premises or isolated deployment

Keeping infrastructure within the organisation’s own perimeter remains the strictest option. It is suited to classified defence data or restricted-distribution information. Air-gapped deployment, fully disconnected from the internet, prevents network-based exfiltration. This setup is typically used for the most sensitive systems, particularly in regulated sectors.

Encryption under exclusive customer control

BYOK (Bring Your Own Key) and HYOK (Hold Your Own Key) schemes allow an organisation to keep control of cryptographic keys. In BYOK mode, the keys remain accessible to the cloud provider that manages the infrastructure. In HYOK mode, the keys stay exclusively within the customer’s environment. Without access to those keys, a provider subject to the CLOUD Act cannot provide the data in clear text to authorities making a lawful request. Encryption then becomes a legal safeguard as well as a technical one.
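To make the BYOK/HYOK distinction concrete (and the earlier point that encryption does not help when the keys sit with an entity under foreign jurisdiction), here is an added Go example written for this guide; it is not ChapsVision's code nor any vendor's key-management product. It models envelope encryption: each record is encrypted under its own data encryption key (DEK), the DEK is wrapped under the customer's key encryption key (KEK), and the provider stores only the resulting envelope. The Provider type, its Disclose method and the sample record are assumptions made for the illustration: in the BYOK variant the customer's KEK has been imported into the provider's key service, in the HYOK variant it has not.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is all the provider ever stores for a record: the record encrypted
// under a per-record DEK, plus that DEK wrapped under the customer's KEK.
type Envelope struct {
	RecordID   string // bound to both ciphertexts as additional authenticated data
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended
	Ciphertext []byte // AES-256-GCM(DEK, record), nonce prepended
}

// randBytes draws n bytes from the system CSPRNG; failure is unrecoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewKey() []byte { return randBytes(32) } // fresh 256-bit AES key

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a key that is not 16, 24 or 32 bytes
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal encrypts with AES-GCM and prepends the random 96-bit nonce.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key or tampered input fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// CustomerEncrypt runs inside the customer's perimeter: a fresh DEK encrypts
// the record, the KEK wraps the DEK, and only the Envelope leaves the premises.
func CustomerEncrypt(kek []byte, recordID string, record []byte) Envelope {
	dek, aad := NewKey(), []byte(recordID)
	return Envelope{RecordID: recordID, WrappedDEK: seal(kek, dek, aad), Ciphertext: seal(dek, record, aad)}
}

// Unseal recovers the record for whoever holds the KEK; anyone else gets an
// authentication error rather than plaintext.
func Unseal(kek []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(env.RecordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(env.RecordID))
}

// Provider models the cloud operator (assumed type). BYOK: the customer's KEK was
// imported into the provider's key service (ImportedKEK set). HYOK: ImportedKEK is nil.
type Provider struct {
	Store       map[string]Envelope
	ImportedKEK []byte
}

// Disclose models the provider answering a disclosure order: clear text comes
// back only if the provider can itself unwrap the DEK.
func (p *Provider) Disclose(recordID string) ([]byte, error) {
	if p.ImportedKEK == nil {
		return nil, errors.New("HYOK: provider holds ciphertext only")
	}
	return Unseal(p.ImportedKEK, p.Store[recordID])
}

func main() {
	kek := NewKey() // in the HYOK model this lives in the customer's own HSM or KMS
	env := CustomerEncrypt(kek, "record-1", []byte("constructed sample record"))
	store := map[string]Envelope{env.RecordID: env}
	for name, p := range map[string]*Provider{"BYOK": {store, kek}, "HYOK": {store, nil}} {
		pt, err := p.Disclose("record-1")
		fmt.Printf("%s provider discloses %q (err: %v)\n", name, pt, err)
	}
}
```

Running it shows the BYOK provider returning the record in clear while the HYOK provider can only return an error: what a disclosure order yields is decided by who holds the KEK, not by where the server stands. In a real deployment the KEK would stay in an HSM or KMS inside the customer's perimeter and the DEK unwrap would happen there rather than in the same process, but the trust boundary the example draws is the same.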

Software from European vendors

For the application layers that process the data (search, analytics, translation, generative AI), European software vendors offer alternatives to non-European solutions. The decisive criterion is not only capital origin, but also the ability to deploy the software on customer-controlled infrastructure, to control the training data of AI models, and to avoid technical dependencies on ecosystems subject to extraterritorial law.

Certifications and labels to verify

Several frameworks coexist, with distinct scopes:

  • SecNumCloud 3.2 covers cloud hosting and includes extraterritorial immunity.
  • ISO 27001 is an international information security management standard. It does not address extraterritorial immunity.
  • HDS (Hébergeur de données de santé, French certification for health data hosting) does not protect against the CLOUD Act. A US provider can be HDS-certified.
  • “Cloud de confiance” label corresponds to a SecNumCloud-qualified offering backed by reinforced legal safeguards.
  • ANSSI qualification (basic, standard, enhanced levels) applies to security products such as encryption, messaging, and detection tools.

The right choice depends on the use case. A practical approach is to map data processing activities by sensitivity level, then align each layer (hosting, software, key management) with the appropriate framework.

FAQ: all about data sovereignty

01. What is data sovereignty?

Data sovereignty is the principle that data is subject to the laws of the country where it was collected, processed, or stored. It is a legal concept that determines which authority can compel its disclosure, regardless of where the servers are physically located.

02. What is the difference between data sovereignty and data residency?

Data residency is geographic: it refers to the country where the servers are physically located. Data sovereignty is legal: it determines which law applies to the data. Data can reside in Germany and still be subject to US law if the provider is a subsidiary of a US-based group.

03. Does the CLOUD Act apply to data stored in the EU?

Yes, whenever the cloud provider is a US company or a subsidiary of a US-based group. US authorities can compel the disclosure of the data, even when it is hosted on European soil. To address this risk, the SecNumCloud certification includes explicit requirements for extraterritorial immunity.

04. Is the UK GDPR the same as the EU GDPR?

The two regimes are closely aligned but legally separate since 1 January 2021. The UK GDPR mirrors the EU GDPR, supplemented by the Data Protection Act 2018. The UK has also signed its own adequacy arrangement with the US, known as the UK-US Data Bridge, effective since 12 October 2023.

05. What is the ANSSI SecNumCloud qualification?

SecNumCloud is the qualification framework issued by ANSSI for cloud service providers. Version 3.2, in force since March 2022, covers nearly 1,200 technical, organisational, and legal requirements. It notably includes protection against extraterritorial laws such as the CLOUD Act and FISA.

06. Does GDPR compliance guarantee data sovereignty?

The GDPR protects the personal data of European residents, but it does not, on its own, guarantee sovereignty. A provider can be fully GDPR-compliant and still be subject to the CLOUD Act. Sovereignty requires full legal control, which goes beyond the scope of personal data protection.

07. How can a European business ensure data sovereignty?

Several levers work together: choose SecNumCloud-qualified cloud providers for sensitive data, select European software vendors or on-premises deployments, encrypt data with keys under exclusive customer control, and formalise contractual clauses covering portability, reversibility, and secure deletion.
