In 2026, digital sovereignty is no longer a matter of political doctrine or a line in a compliance report. It has become an operational reality on every CIO's agenda. Between the launch of the AWS European Sovereign Cloud, alliances such as Bleu or S3NS, and the concrete challenges illustrated by the Health Data Hub case, the market is undergoing a historic shift. An analysis of a major technological and legal break for your critical architectures.
Understanding the impasse: why sovereignty has become the priority issue for CIOs
The time for reflection is over; this is now about managing a systemic risk. For companies managing strategic assets, the question is no longer only « where is my data? », but « under which jurisdiction does it fall? ».
The conflict of jurisdictions: the illusion of data residency
For a decade, the standard response to the need for digital sovereignty was data residency: « My data is in Paris, so it is protected. » This vision is now obsolete. The US Cloud Act has established an extraterritorial reach that ignores physical borders. As soon as a provider is subject to American law, its data (and especially its metadata) is potentially accessible, regardless of its geographical location.
For companies managing critical assets, the risk is not only information leakage, but the loss of legal control. In the event of a conflict of laws, the provider will find it impossible to comply with both the European GDPR and American injunctions at the same time. For an IT services firm (ESN) like MARGO, the advice is clear: residency is a necessary condition, but far from sufficient.
NIS2 and the SREN Law: the shift towards legal obligation
The 2025-2026 period marks the effective entry into force of two legislative pillars that transform the landscape:
- NIS2: it considerably widens the scope of entities concerned (essential entities and important entities, EE and EI). It imposes direct responsibility on management bodies and requires full control of the digital supply chain.
- SREN Law: this French text enshrines the « Cloud at the Center » doctrine in law. For State services and entities managing sensitive data, using a SecNumCloud-qualified cloud is no longer a recommendation, it is a strict compliance requirement.
The 2026 dilemma: performance vs autonomy
CIOs face a complex trade-off. On one side, the urgency of innovation: deploying generative AI, Big Data and quantum computing requires the high-performance managed services of hyperscalers. On the other, the imperative of legal security: not exposing the company's information assets to foreign jurisdictions. This dilemma creates a « strategic vacuum » that the new trust models are trying to fill today.
The emergence of hybrid models: why local-hyperscaler alliances?
Faced with the legal impasse of the Cloud Act, a question was posed bluntly to European companies: can we do without hyperscalers? In 2026, the market’s response is a pragmatic « no », but accompanied by drastic conditions. It is the era of rational alliances.
The pragmatic observation: the innovation wall
Why have « pure » European champions, despite their excellence in IaaS (Infrastructure), struggled to curb American hegemony? The answer lies in one phrase: depth of service. A modern Data Science or agentic AI project is no longer content with raw servers. It requires complex managed services (managed Kubernetes, Data Warehousing, LLM as a Service) that American giants have spent decades and billions of dollars packaging. For an IT services firm (ESN), recommending a sovereign solution that lags functionally is not a viable option for our clients' competitiveness.
The « Translated Trust » model: deciphering the alliances
To resolve this dilemma, the market has seen the birth of unprecedented joint ventures that isolate the American software stack in a European legal « bubble »:
- S3NS (Thales & Google Cloud): the certified pioneer. In December 2025, S3NS obtained the SecNumCloud 3.2 qualification for its Premi3ns offer. Here, Thales is not a simple reseller: it is the operator. Google's services (BigQuery, Vertex AI) are operated by Thales teams in French datacenters, with total control over encryption keys.
- Bleu (Orange, Capgemini & Microsoft): the giant on approach. A titanic project aiming to offer the entire Microsoft universe (Azure and Microsoft 365) under a 100% French banner. The objective is to meet the massive needs of hospitals and ministries that cannot afford to rewrite decades of processes based on the Microsoft ecosystem, while guaranteeing total immunity from US law.
The case study of the Health Data Hub: when theory hits the ground
If there is one case that crystallizes all the tensions, it is the Health Data Hub (HDH). This monumental project has become the mirror of the paradoxes of our digital sovereignty.
The analysis of a paradox: 10 million files under the American banner
In January 2026, the finding is harsh: despite repeated injunctions from the CNIL and government migration commitments, the HDH data (and that of the EMC2 project) still sits on the Microsoft Azure infrastructure.
Why this status quo when the Conseil d'État itself recognizes that access by American authorities « cannot be totally excluded »? The answer is technical: at the time, no sovereign alternative offered the required level of features (log management, granular encryption, GPU power for medical AI). It is the paradox of the « choice by default »: legal security was temporarily sacrificed on the altar of technological viability.
The migration « gap »: the reality of complex architectures
The HDH's delay, with complete migration to a SecNumCloud environment now hoped for only by summer 2026, teaches us a fundamental lesson:
- Dependence on managed services: the more a project uses specific PaaS services, the higher the « exit cost ». Migrating means rewriting thousands of lines of infrastructure code (Terraform, Ansible).
- The challenge of volume and performance: with more than a petabyte of data, the HDH requires scalability that only hyperscalers had natively mastered until now.
- The requirement of continuity: the switch to a sovereign environment can only be made with equivalent performance and equivalent security.
The HDH case proves that a digital sovereignty strategy must be anticipated from the design phase. Waiting until production to raise the question of jurisdiction inevitably leads to a migration dead end.
The response of AWS: the choice of technical autarky
It is in this fragmented landscape that Amazon Web Services launched in January 2026 the AWS European Sovereign Cloud (ESC). Unlike the Bleu or S3NS alliances, AWS bets on technical autarky and structural isolation.
Isolation by « partition » vs isolation by partnership
The AWS ESC introduces a new partition named aws-eusc, fully isolated from the global commercial partition.
- Unprecedented European governance: AWS has set up AWS European Sovereign Cloud GmbH, a structure under German law led by Europeans and supervised by an independent advisory council composed exclusively of EU citizens.
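Because every ARN carries its partition as its second field, a policy carried over from the commercial partition keeps pointing there until each ARN is rewritten. The check below is an added example, not AWS or MARGO code: it walks an IAM policy document and reports every ARN whose partition is not aws-eusc. The sample policy, account id and resource names are constructed for illustration.

```python
import json
import re

# ARN layout: arn:<partition>:<service>:<region>:<account-id>:<resource>
ARN_RE = re.compile(r"\barn:(?P<partition>[^:\s\"']*):[^\s\"']*")
EXPECTED_PARTITION = "aws-eusc"  # partition name given in the article

# Constructed sample: a policy carried over from the commercial partition
# with only one of its ARNs updated. Account id and names are made up.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ReadDataLake",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/etl"},
    "Action": "s3:GetObject",
    "Resource": ["arn:aws-eusc:s3:::example-datalake/*",
                 "arn:aws:s3:::example-legacy/*"]
  }]
}"""


def iter_strings(node, path="$"):
    """Yield (json_path, string) for every string value in a parsed document."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_strings(item, f"{path}[{i}]")
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")


def cross_partition_refs(policy_json, expected=EXPECTED_PARTITION):
    """Return sorted (json_path, arn) pairs whose partition differs from `expected`."""
    findings = []
    for path, text in iter_strings(json.loads(policy_json)):
        for match in ARN_RE.finditer(text):
            if match.group("partition") != expected:
                findings.append((path, match.group(0)))
    return sorted(findings)


if __name__ == "__main__":
    for path, arn in cross_partition_refs(SAMPLE_POLICY):
        print(f"{path}: {arn}")
```

The JSON path in each finding shows whether the leftover reference sits in a Principal, a Resource or a Condition, which is what determines who has to fix it.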
The three pillars of autarky according to AWS
- 100% local operations: only EU residents, located in the EU, manage the infrastructure. AWS even announces a transition towards operations carried out exclusively by EU citizens.
- Sovereignty of metadata: all metadata (IAM roles, configurations, logs) is kept exclusively within the EU. No « bounce » via the USA is technically possible.
- Resilience and access to code: in case of a major rupture, authorized employees have independent access to a replica of the source code necessary to maintain services.
The technological lock: the Nitro system
The real « game changer » is in the hardware. The Nitro system delegates security functions to dedicated chips. By its design, Nitro physically forbids any administrative access to client data, even for AWS employees. This is the knockout argument: sovereignty by design.
However, one question remains: should one favour SecNumCloud certification, obtained via local partnerships, or the technical autarky proposed by offers like the AWS European Sovereign Cloud? In practice, this opposition is largely theoretical. Digital sovereignty is no longer thought of as a binary choice, but as a reasoned segmentation of workloads.
Certain workloads, subject to strict regulatory constraints or handling ultra-sensitive data, will continue to require a SecNumCloud-qualified environment. Others, oriented towards innovation, data or AI, will be able to take advantage of the technical autarky and functional depth of the ESC, provided that the legal and operational guarantees are under control.
The challenge for CIOs is therefore not to choose a single « sovereign cloud », but to design hybrid and governed architectures, capable of orchestrating several sovereign environments according to the level of risk, business criticality and performance objectives.
Conclusion: towards a controlled sovereign hybridization
The launch of the AWS European Sovereign Cloud marks a major step. For French companies, it is an additional opportunity to benefit from the elasticity of AWS while strengthening their compliance posture with respect to GDPR or NIS2.
However, the choice of an infrastructure does not replace human expertise. Digital sovereignty is no longer a box to tick, it is a data governance strategy that influences each technological building block.
At MARGO, we help our clients navigate this complexity: choosing the appropriate availability zones, orchestrating interoperability between partitions and guaranteeing that the architecture really serves the business strategy.