Definition
Sovereign Cloud
Sovereign Cloud refers to cloud infrastructure operated under the legal jurisdiction of a specific country or region, with data residency, operational control and ownership structures designed to be immune to extraterritorial legal demands (notably the US CLOUD Act).
In the European context, the concrete examples are SecNumCloud (FR, certified by ANSSI), S3NS (FR / Google joint venture, target SecNumCloud), Bleu (FR / Capgemini / Orange / Microsoft joint venture, target SecNumCloud), STACKIT (DE / Schwarz Group), GAIA-X-aligned providers and the European Cloud Sovereignty Framework SEAL-3 designation. True sovereignty requires three layers: data residency, operational control (operators are EU citizens, subject to EU law), and ownership (the operating entity is not a subsidiary of a non-EU parent).
Why it matters
- For French banks under ACPR, public-sector entities under UGAP and HDS-certified healthcare hosts, sovereign cloud is a procurement requirement, not a preference.
- EU AI Act, NIS2 and DORA cross-reference sovereign-cloud requirements when classifying ICT third-party risk.
- On-premise is the strictest form — the customer's own datacentre, no third-party operator at all.