Sovereign cloud, EUCS, CADA: where do things stand?

by SPAC Alliance | March 2026 | News, Security Market

The European Union has launched an ambitious effort to strengthen the security of its digital space. Through the NIS2 and CER Directives, as well as the Cyber Resilience Act, it is promoting a more demanding, consistent and controlled approach to security.

This trajectory, supported and advanced by SPAC Alliance and its members, is nonetheless running up against a major obstacle on a subject that sits at the core of our security: the cloud.

Without an appropriate and enforceable legal framework, cloud-hosted data and services may remain exposed to the risk of extraterritorial access where the operator falls under a non-European legal regime.

There can be no sovereign cloud without a sovereign legal framework.

Even sensitive data remains exposed

The facts: the leaders of the European market, three US technology giants accounting for 65% of the market, are subject to extraterritorial legal obligations, foremost among them the US CLOUD Act, which may compel access to data wherever it is hosted around the world.

The risk: data hosted by these providers remains exposed, even when servers are highly secure, located in Europe and operated by European teams working for local subsidiaries.

At European level, there is still no harmonised and clearly readable guarantee of legal protection for the most sensitive cloud data.

Several European providers such as OVHcloud rely on specific certifications and legal frameworks, including French law and SecNumCloud certification, to protect hosted data both technically and legally. Another initiative has also emerged, with eleven major European players joining forces within an alliance to develop suitable solutions: ESTIA (European Sovereign Tech Industry Alliance).

However, our position remains that the only effective response must be European, clear and definitive. While current work on the cloud is relevant from a security standpoint, the same cannot yet be said for sovereignty.

EUCS: a European certification scheme

The first European response is the EUCS, a common cybersecurity certification scheme for cloud services. Its value is real. It will help harmonise the assessment of offers, establish a common reference framework across Europe and improve market clarity. In that sense, EUCS addresses a concrete need: providing a common language to assess the security level of a cloud service (basic, substantial or high).

But this does not resolve the core issue. The debate has shown that it is possible to certify the cybersecurity of an offer without clearly settling the question of the effective legal protection of the data it hosts. In other words, Europe is moving forward on the assessment of technical security, but without defining in a sufficiently clear way the level of protection expected against extraterritorial constraints, even for the most sensitive use cases.

This is precisely what the approach inspired by SecNumCloud highlighted: for certain use cases, trust cannot rest solely on technical or organisational measures. It must also take into account the operator’s governance, its degree of control and its potential exposure to non-European legal regimes. Several countries therefore supported the addition of a security level, “high+”, which would incorporate sovereignty-related criteria into the certification framework.

At the beginning of 2026, this “high+” level was ultimately not retained.

CADA: supporting a sovereign European offering

The question of sovereignty also arises through another European issue: our actual ability to be autonomous. At the beginning of 2026, a preparatory briefing from the European Parliamentary Research Service pointed out that this lack of legal clarity is holding back both the supply of and demand for fully secure solutions. The document outlines the direction taken by the Cloud and AI Development Act (CADA).

With the CADA, we move into the industrial and strategic sphere. The objective is to increase Europe’s storage and computing capacity in order to meet growing needs driven by AI as well as critical hosting use cases.

It is built around three pillars:

  • Advancing research and innovation
  • Creating the right conditions for investment in and deployment of data centres
  • Ensuring highly secure EU-based cloud and AI computing capacity

It could become the political vehicle through which this sovereignty requirement is explicitly reintroduced at European level.

We will therefore remain attentive to ensuring that CADA defines a clear and demanding level of legal protection for critical cloud services.

Positive point: the Cloud Sovereignty framework published at the end of 2025, and cited in the CADA briefing, describes a level of security that combines technological, operational and legal safeguards aligned with market expectations.

Cloud: a common issue for physical security and cybersecurity

For SPAC Alliance, this clarification is essential. It directly affects the security of functions that already rely heavily on the cloud across both physical security and cybersecurity environments.

The cloud is already involved in functions directly tied to the chain of trust: identity management, access control, rights assignment and revocation, remote administration, event logging, supervision and equipment management.

In this context, uncertainty around the legal framework applicable to these services constitutes a security vulnerability in its own right.

European sovereignty over cloud services remains a major issue if we are to guarantee security that is consistent, transparent and under control.