The phrase "data sovereignty" has been thrown around since at least 2015, but the legal landscape underneath it has shifted dramatically in the past 24 months. If you're operating a French or European business and your customer data sits on US-headquartered cloud infrastructure, you need to know what changed and what it means.
The Cloud Act, briefly
The US Clarifying Lawful Overseas Use of Data Act (the Cloud Act), passed in 2018, is a US federal law that compels US-based companies to hand over data within their "possession, custody, or control" — regardless of where that data physically resides — when served with a US warrant or subpoena. The law explicitly applies extraterritorially, meaning a US judge can order Microsoft, Amazon, or Google to produce data hosted in their European datacenters, and those companies must comply.
The intent of the law was reasonable on its face: clarify legal procedures for cross-border investigations of crimes like child exploitation and terrorism. The practical effect, however, was to create a one-way mirror. EU companies hosting data with US providers can have their data accessed by US authorities without the EU company even being notified, let alone given an opportunity to contest in court.
Schrems II and what it really did
In July 2020, the Court of Justice of the European Union (CJEU) issued the Schrems II ruling, which invalidated the EU-US Privacy Shield framework that had been the legal basis for transferring personal data from the EU to the US. The court found that US surveillance laws — specifically Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333 — were incompatible with the GDPR's privacy guarantees.
The ruling took effect immediately, but its practical fallout unfolded slowly. Standard Contractual Clauses (SCCs) became the primary legal mechanism for transferring data, but the CJEU made clear that SCCs alone weren't sufficient — companies relying on them had to do their own assessment of whether the destination country's surveillance laws would override the contractual protections. For US transfers, that assessment has been increasingly difficult to make in good faith.
The 2023 EU-US Data Privacy Framework (DPF) attempted to address Schrems II's concerns, but in 2024-2025 multiple legal challenges began to question whether the DPF actually solves the underlying problem. As of early 2026, the DPF is still in force, but several major European data protection authorities have issued guidance recommending that companies pursue alternative arrangements where possible.
What changed in 2025-2026
Three concrete shifts are worth understanding:
The "Buy European Tech" act, passed in late 2025, requires French public-sector entities and operators of essential services (OES) to demonstrate that critical workloads are hosted on infrastructure not subject to extraterritorial third-country laws. In practice, this means EU sovereign cloud or self-hosted, not Amazon EU regions.
SecNumCloud 3.2, ANSSI's cloud security qualification framework, was updated in April 2025 to require sovereignty verification — meaning the operator must be controlled by EU entities and not subject to non-EU legal compulsion. Several US providers' "sovereign cloud" partnerships with European operators (think Bleu by Capgemini and Orange, or S3NS) are still working through this verification process.
NIS2 enforcement began in October 2024 across all EU member states. Among many other obligations, NIS2 requires "essential" and "important" entities to assess and document the supply chain risk of their cloud providers. Hosting customer data with a Cloud Act-subject provider is a documentable risk that must be managed and disclosed to authorities.
Practical implications for businesses
If you're a French SaaS company processing customer data, here's the question you should be able to answer in writing: "Can my cloud provider be compelled by a non-EU court to hand over our customer data without our consent and without our notification?" If the answer is yes, you have a sovereignty risk. Whether that risk is acceptable depends on what you're hosting and who your customers are.
For health data (HDS-regulated), public-sector workloads, and operators of essential services, the risk is no longer acceptable in 2026. The choices are: a French sovereign provider (like FranceVPS), an EU-only provider with no US affiliations, or self-hosted on bare metal.
For general SaaS not regulated by sector-specific rules, the risk is still legally tolerable — but increasingly, customers are asking about it during procurement. We've seen a notable shift in the past 18 months: enterprise prospects who would not have asked about data residency in 2023 now include it in their initial RFI questionnaires.
What sovereignty actually requires
"Sovereign" isn't a single checkbox. A genuinely sovereign cloud provider needs:
- EU incorporation and EU control — the corporate parent must be EU-headquartered and not majority-owned by non-EU entities. Critical: not a subsidiary of a US, UK, or Chinese company.
- Physical infrastructure in EU territory — datacenters, network equipment, and operational staff must be EU-based.
- EU-only legal compulsion paths — the operator must not be subject to extraterritorial laws of non-EU countries (like the Cloud Act).
- Subprocessor sovereignty — every subprocessor handling customer data must meet the same sovereignty bar. A "sovereign French cloud" that uses Stripe-US for billing has a sovereignty leak.
- Encryption keys held outside non-EU influence — if the operator can be compelled to hand over keys, the encryption is theatrical.
This is the bar we built FranceVPS to meet. We're EU-incorporated (French), we own and operate our datacenters, our subprocessors are all EU-based, and our operational team is on French soil. None of these are "extras" — they're the foundation.
What to do this quarter
If sovereignty is becoming a topic in your business, three concrete steps:
- Inventory your data flows. List every cloud provider, every SaaS tool, every payment processor, and every analytics vendor your business uses. For each, document the corporate parent's jurisdiction.
- Classify your data. Not all data needs sovereign hosting. Customer PII, health data, public-sector data, and trade secrets do. Aggregate analytics, marketing site assets, and public documentation typically don't.
- Migrate the high-risk data first. You don't need to do a wholesale migration — moving the workloads that handle regulated or sensitive data to sovereign infrastructure addresses 80% of the risk for 20% of the migration cost.
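As an added example (not part of the original post and not FranceVPS tooling), the script below carries the three steps above through in code and folds in two checks from the requirements list: subprocessor sovereignty is evaluated transitively, so a French host using a US billing subprocessor is reported as a leak, and key custody is reported alongside it. Every vendor, workload and jurisdiction in the inventory is constructed for the example; the set of extraterritorial jurisdictions is an assumption taken from the post's own list (US, UK, China) and should follow your own legal assessment.

```python
from dataclasses import dataclass, field

# Jurisdictions the post treats as able to compel data access extraterritorially
# (the Cloud Act being the US example). Constructed for this example; adjust to
# your own legal assessment.
EXTRATERRITORIAL = {"US", "UK", "CN"}

# Data classes the post says require sovereign hosting.
SOVEREIGN_ONLY = {"customer_pii", "health", "public_sector", "trade_secret"}


@dataclass
class Vendor:
    name: str
    parent_jurisdiction: str                 # jurisdiction controlling the corporate parent
    subprocessors: list = field(default_factory=list)
    operator_holds_keys: bool = False        # can the operator be compelled to surrender keys?


@dataclass
class Workload:
    name: str
    vendor: str
    data_classes: set


def leak_paths(vendor_name, vendors, path=None):
    """Return every chain vendor -> subprocessor -> ... that ends in an
    extraterritorial jurisdiction. Exposure is inherited from subprocessors,
    so the walk is transitive; `path` doubles as the cycle guard."""
    path = (path or []) + [vendor_name]
    vendor = vendors.get(vendor_name)
    if vendor is None:
        # An unassessed subprocessor is a finding, not a pass.
        return [path + ["<unassessed>"]]
    found = []
    if vendor.parent_jurisdiction in EXTRATERRITORIAL:
        found.append(path + [vendor.parent_jurisdiction])
    for sub in vendor.subprocessors:
        if sub not in path:
            found.extend(leak_paths(sub, vendors, path))
    return found


def assess(workload, vendors):
    """One finding per workload: whether it needs sovereign hosting, which leak
    paths reach it, whether the operator holds the keys, and a queue priority."""
    paths = leak_paths(workload.vendor, vendors)
    vendor = vendors.get(workload.vendor)
    keys_compellable = vendor.operator_holds_keys if vendor else True
    required = bool(workload.data_classes & SOVEREIGN_ONLY)
    if required and paths:
        priority = "migrate_first"            # regulated data on leaky infrastructure
    elif paths:
        priority = "document_and_disclose"    # tolerable, but a documentable supply-chain risk
    else:
        priority = "ok"
    return {
        "workload": workload.name,
        "sovereign_required": required,
        "leak_paths": paths,
        "keys_compellable": keys_compellable,
        "priority": priority,
    }


def migration_queue(workloads, vendors):
    """Order findings so the high-risk workloads come out first (stable sort)."""
    rank = {"migrate_first": 0, "document_and_disclose": 1, "ok": 2}
    return sorted((assess(w, vendors) for w in workloads),
                  key=lambda f: rank[f["priority"]])


# Constructed inventory: every vendor and workload name below is made up.
VENDORS = {v.name: v for v in [
    Vendor("cloud-fr", "FR", subprocessors=["pay-us"]),              # French host, US billing subprocessor
    Vendor("pay-us", "US"),                                           # the "sovereignty leak"
    Vendor("hyperscaler-eu-region", "US", operator_holds_keys=True),  # EU region, US parent, operator-held keys
    Vendor("bare-metal-fr", "FR"),
]}

WORKLOADS = [
    Workload("patient-portal", "cloud-fr", {"health", "customer_pii"}),
    Workload("marketing-site", "hyperscaler-eu-region", {"public_docs"}),
    Workload("hr-records", "bare-metal-fr", {"customer_pii"}),
]

if __name__ == "__main__":
    for f in migration_queue(WORKLOADS, VENDORS):
        print(f["priority"], f["workload"], f["leak_paths"], "keys compellable:", f["keys_compellable"])
```

The output puts the patient portal first (health data reaching a US jurisdiction through the billing subprocessor), the marketing site second (leaky, but holding no data that needs sovereign hosting, so it becomes a documented risk), and the self-hosted HR records last. Unknown subprocessors are deliberately reported as findings rather than silently passed, since an unassessed vendor is exactly the gap an inventory is meant to surface.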
The legal landscape will continue to shift, but the direction is clear: more sovereignty requirements, not fewer. Building on infrastructure that already meets the highest bar means you're not redoing this work in 18 months.