Data sovereignty: What pathways to reclaiming our independence?
In less than two decades, the shift to the Cloud has profoundly reconfigured French and European organisations. To fully harness the benefits of virtual infrastructure, CIOs have modernised information systems, accelerated collaborative practices, and unlocked new Data analytics and processing capabilities. In the process, a structural dependency has gradually taken hold, driven by the growing adoption of hyperscaler Cloud services. European organisations, now acutely aware of this dependency, are asking what alternatives exist to restore their Digital Sovereignty.
With the introduction of Generative AI into the enterprise, Data is no longer simply stored; it is processed, exploited, and potentially reused. By whom? How? As soon as an external Generative AI model is called upon, tracing the Data becomes complex, while contractual clauses provide no absolute or verifiable guarantees regarding processing, retention, or potential reuse of that Data.
A Silent Yet Massive Dependency
In 2025, three American players (AWS, Microsoft Azure and Google Cloud) capture nearly 70% of the European Cloud market, according to Synergy Research Group. Add to this the major SaaS solutions (Salesforce, Workday, ServiceNow, M365) and Generative AI models (OpenAI, Anthropic, Google Gemini), all operated by US-incorporated entities. This outsourcing is not the result of a deliberate choice to relinquish sovereignty; it is the outcome of pragmatic adoption, driven by legitimate imperatives: competitiveness, performance, cost variabilisation, and faster time to market. These individually rational decisions have, in aggregate, made these dependencies structural, a phenomenon further amplified by the emergence of Generative AI within organisations.
“Sovereign Cloud”: The Legal Reality Behind the Commercial Promises
To meet the sovereignty expectations of their European customers, hyperscalers have developed offerings marketed as “sovereign”: data zones localised in Europe, partnerships with national players. Whilst these initiatives are welcome, they should not obscure an adverse legal context.
The American Cloud Act (an extension of the Patriot Act) applies to every US-incorporated company, without exception. US authorities can compel any American company to hand over Data, without notifying the clients concerned and without regard to where the Data is hosted. Legal sovereignty is determined not by the location of servers, but by the registered headquarters of the provider. A European label affixed to an American infrastructure changes nothing about the applicable law.
Generative AI: A Risk Amplifier
The rise of Generative AI has significantly accelerated the Data sovereignty challenge. Every interaction with an AI assistant, every document transmitted to an agent, every query sent to an external LLM is liable to route sensitive Data through foreign infrastructures.
Organisations have integrated AI through two channels. The first: approved tools, funded and deployed by the organisation itself for its employees. The second, unregulated: Shadow AI. These spontaneous and invisible uses occur when employees turn to Generative AI tools outside any defined framework — uploading contracts, strategic presentations, client Data. The users themselves are the primary vulnerability. According to a Software AG study (2024), 50% of employees use AI tools not approved by their organisation. This Shadow AI phenomenon compounds three risks:
- Uncontrolled access rights: discretionary AI usage, operating outside the framework set by the organisation
- No oversight of outgoing Data
- A lack of awareness around sovereignty issues
In the face of these risks, the European regulatory framework nonetheless imposes clear obligations: DORA requires financial entities to manage the risks associated with their digital service providers, while NIS2 extends these requirements to a broader scope of organisations and public bodies. Shadow AI, by its very nature, falls outside both frameworks.
Promising European Alternatives
Several European players (OVHcloud, Scaleway, Outscale) are distinguishing themselves by offering alternative solutions, underpinned notably by the SecNumCloud certification (France’s national Cloud security certification) from ANSSI, the only framework providing genuine protection of Digital and IT Sovereignty against external interference. This certification is not a marketing label: it is a legal and technical guarantee that applies across the entire chain, from hosting to Data processing.
On the AI front, Mistral AI has established itself as a reference player and presents a credible alternative to the major American and Chinese models. At the national level, France has reached a symbolic milestone with Albert, the first Sovereign LLM deployed by the government, hosted on national infrastructure and trained on French public Data.
These initiatives remain limited in scope, but they signal an emerging trajectory towards alternative, Sovereign AI adoption.
In the Age of AI, Data Is a Strategic Asset to Protect
The challenge is not to repatriate an entire Information System to France or Europe, but to master one’s Data and its usage, in proportion to its sensitivity.
In practical terms, six workstreams enable organisations to implement a coordinated response:
- Map the risks: Identify critical Data, exposed outgoing Data flows, and unsupervised AI usage.
- Establish an internal AI Authority: A dedicated governance function to approve tools, frame usage practices, and manage the AI Charter.
- Govern hosting choices by Data sensitivity: Hyperscalers for non-sensitive workloads, certified Sovereign Cloud for strategic assets.
- Ensure reversibility: Every Cloud contract must include portability and reversibility clauses, since dependency is also built into contractual terms.
- Model the true costs: A SecNumCloud-certified Sovereign Cloud carries a cost premium of +20% to +40% compared to AWS/Azure (CIGREF, BCG 2025). This gap must be weighed against the hidden costs of dependency: cyber remediation risks (averaging €4.5M per breach, IBM 2024) and DORA/NIS2 penalties. A rigorous segmentation of the Data estate (non-sensitive workloads on hyperscalers, critical Data on sovereign infrastructure) can reduce the overall cost premium by a factor of 3 against the total Cloud envelope.
- Rethink AI adoption: Prioritise locally deployed models and Sovereign solutions for critical Data, rather than relying on SaaS offerings from major vendors. A hybrid approach leveraging Private Cloud Data through configured API Gateways helps limit third-party Data exploitation.
The implementation of these workstreams cannot, however, deliver results without a shared foundational layer of measures: on one side, tangible technical controls (access management, monitoring of transfers to external services); on the other, a governance framework embodied in an AI Charter that is binding on all employees and partners, and regularly updated in line with technological developments.
Beyond mere compliance, it is precisely this combination of technical rigour and shared governance that underpins credible Sovereignty. In an increasingly competitive market, the temptation to push AI to its limits is real: extracting more value, accelerating decisions, automating analysis. CIOs who wait for regulation to force their hand will cede ground to those who have already turned Sovereignty into a competitive advantage. Tomorrow, Digital trust will be a primary selection criterion — for partners, clients, and talent alike.
Beyond the Cloud: Energy as a Pillar of Sovereignty
Data Sovereignty may not be decided solely within terrestrial data centres. Generative AI is intensifying demands on computing power and energy: data centres already account for 1 to 2% of global electricity consumption, a figure set to double by 2030 according to the IEA.
A handful of pioneers are seriously considering a paradigm shift: relocating part of the computing infrastructure into space. In low Earth orbit, solar energy is continuous, thermal dissipation is natural, and mega-constellations (Starlink, OneWeb, Eutelsat) are opening unprecedented transmission capacities to ground stations. Players such as Axiom Space, alongside initiatives led by the ESA, are beginning to explore these architectures for critical use cases. For IT leadership, the signal is clear: tomorrow’s Digital Sovereignty will be built at the intersection of Data mastery, energy autonomy, and infrastructure control, wherever that infrastructure may be.