
Sovereignty & compliance: hosting your security in France

Why scan data is ultra-sensitive data, and how to evaluate an editor's sovereignty in 2026.

  • 80% of cyber solutions used in France are non-EU
  • €10M maximum NIS2 fine
  • 68% of EU CISOs say sovereignty is a blocking criterion

Digital sovereignty: definition and stakes in 2026

Digital sovereignty is the ability of an organization (or a state) to control its data, infrastructure and digital tools without dependency on extraterritorial jurisdiction.

Until 2018, this was a theoretical subject. The US CLOUD Act, signed in March 2018, made it operational overnight: any data stored by a company subject to US law can be requested by US authorities, regardless of physical location.

In other words: your data can be physically hosted in France and still fall under US law if the vendor is American.

The CLOUD Act and extraterritoriality

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) allows US authorities to request data from any service provider under US jurisdiction, regardless of where data is stored. There is no obligation to notify the affected client.

Three practical consequences for a French company:

  1. Even if your cloud provider promises "French datacenters", the data remains accessible to a foreign jurisdiction.
  2. Even if your contract is governed by French law, US extraterritorial law prevails for a US-jurisdiction provider.
  3. You'll probably never know a request was made — gag orders are the norm.

The Schrems II ruling

The CJEU invalidated the Privacy Shield governing EU-US personal data transfers in July 2020, precisely because US protection doesn't guarantee European citizens' rights. The current framework (DPF) remains legally fragile.

Why AppSec data is ultra-sensitive

We talk a lot about sovereignty for personal data, health data, financial data. We talk much less about application security data. That's a mistake.

AppSec data is literally a map of your weaknesses. It contains:

  • The detailed list of your known vulnerabilities, with severity
  • Exploitable attack paths in your code
  • The architecture of your applications and dependencies
  • A complete inventory of repositories and their organization
  • Secrets leaked into CI/CD pipelines (which may not have been rotated)
  • Your MTTR metrics — i.e. how long it takes you to fix things

This data is more sensitive than an HR or accounting file. A leak would give an attacker a complete roadmap to compromise you.

SecNumCloud, EUCS, C5: the certification landscape

Several certifications govern the technical sovereignty of cloud hosts and editors.

SecNumCloud (France)

ANSSI's reference framework for cloud services. The most demanding certification in Europe. It requires that the editor be immune from extraterritorial law (no non-EU capital control above 24%).

EUCS (European Union Cybersecurity Scheme)

A European scheme currently being finalized. Aims to unify cloud cybersecurity requirements across the Union. Whether sovereignty is required at the highest level is still debated.

C5 (Germany)

German BSI reference, roughly equivalent to SecNumCloud. Recognized in the EU but does not impose capital sovereignty.

NIS2 and the supply chain

The NIS2 directive, transposed into French law in 2024, requires essential and important entities to actively manage their digital supply chain risk. Concretely:

  • Risk assessment of each critical supplier (including cybersecurity vendors)
  • Consideration of the supplier's security policy and subcontractors
  • Consideration of the quality of products and services supplied
  • Consideration of the supplier's secure development practices
  • Documentation and regular review of this assessment

Choosing a vendor under extraterritorial jurisdiction thus becomes a documented risk requiring justification. For many critical entities, this risk is simply disqualifying.

DORA and the financial sector

Digital Operational Resilience Act, applicable since January 2025. Covers the financial sector (banks, insurers, asset managers, fintechs). Notable requirements:

  • A complete register of critical ICT providers
  • Reinforced due diligence before contracting
  • A documented exit strategy for each critical provider
  • Regular operational resilience testing, including the supplier dimension

For a financial institution, the choice between a sovereign editor and an extraterritorial one becomes a governance subject for ICT risk, not an isolated technical decision.

GDPR: the post-Schrems II era

Transfers of personal data to the US remain legally fragile since Schrems II (2020). The Data Privacy Framework signed in 2023 provides a temporary basis, but its legal lifespan is uncertain. A third invalidation by the CJEU is regularly anticipated by lawyers.

Choosing a European vendor today for sensitive data means protecting yourself against the risk of emergency migration tomorrow.

Evaluating an editor's sovereignty — checklist

  • Is the editor a European company? (registration, headquarters)
  • Is its capital majority European? (not >24% non-EU per SecNumCloud)
  • Are its executives EU residents?
  • Is infrastructure hosted in the EU — with a sovereign host?
  • Does the editor contractually commit to refuse extraterritorial requests?
  • Is source code controlled by the editor (no dependence on US-controlled components for sensitive parts)?
  • What is the governance in case of acquisition by a non-EU actor?
  • Is the editor SecNumCloud certified, or in the process of being certified?

Cyber Coach's commitment

Cyber Coach was designed from day one as a sovereign platform. It's not a marketing argument — it's an architectural and capital constraint.

  • French company, headquartered in France, 100% French capital
  • 100% hosting in France, with a sovereign host
  • Infrastructure immune to the CLOUD Act by construction
  • NIS2, DORA and GDPR compliance by design
  • Contractual commitment to refuse any extraterritorial request
  • French technical team, no offshore support
  • SecNumCloud certification roadmap

« Application security data is the map of our weaknesses. From day one, we chose to entrust it only to infrastructure we fully control, with no foreign legal intermediary. »

Enzo Sad-Eddine, CEO Cyber Coach

Sovereignty without compromising on capabilities

Discover a French DevSecOps platform that matches US vendors on capability. Create your free account in 2 minutes.

Frequently asked questions

The company is on a SecNumCloud certification roadmap. Architecture and capital governance already meet the main requirements. Formal certification is in progress.
