
ERP and Digital Sovereignty: SecNumCloud, EUCS and Sovereign Cloud to Protect Critical Data

Comprehensive guide to ERP digital sovereignty. SecNumCloud 3.2, EUCS, Cloud Act, cloud-first doctrine. Expert analysis for CIOs and CFOs.

Choosing to host your ERP in the cloud is no longer just a matter of cost or performance. It has become a question of sovereignty. When a US vendor operates your management system, your financial data, product specifications, and payroll files potentially fall under the CLOUD Act or FISA laws—two extraterritorial regulations that allow US authorities to access this data without prior notification and without going through a European judge.

Faced with this risk, Europe and member states are building demanding certification frameworks. SecNumCloud in France, EUCS at the European level, and cloud-first doctrine for government: these mechanisms are reshaping the rules for any cloud ERP project. This guide details what these certifications mean in practice, which providers hold them, and how to integrate digital sovereignty into your ERP strategy.

Why Digital Sovereignty Directly Concerns Your ERP

An ERP centralizes the most sensitive data of any enterprise: accounting, payroll, purchasing, inventory, customer files, commercial margins. It is, in fact, the heart of the information system. When this system is hosted by a cloud provider subject to foreign jurisdiction, the question of effective control over this data arises.

Extraterritorial Risk: CLOUD Act and FISA

The CLOUD Act, adopted in 2018, allows US authorities to compel any technology provider based in the United States (or having a US subsidiary) to provide data stored on its servers, including those located in Europe. The connection to the United States is sufficient to activate the law: headquarters, subsidiary, or infrastructure managed by a US entity.

FISA (the Foreign Intelligence Surveillance Act), whose Section 702 was renewed in 2024, authorizes mass collection of data from non-US persons stored on US servers, without an individual judicial warrant.

Concretely, if your ERP runs on AWS, Azure, or Google Cloud in their standard configuration, your data remains accessible to US authorities, even if the servers are physically in Europe. The GDPR prohibits this type of unregulated transfer, but the CLOUD Act provides no mechanism for notifying the data owner. It is this legal collision that makes the sovereignty question unavoidable for European CIOs.

What This Changes for an ERP Project

For an SME or mid-market company, the consequences are concrete:

  • GDPR compliance risk. A data transfer to a provider subject to the CLOUD Act may constitute a GDPR violation. Sanctions go up to 4% of global revenue.
  • Intellectual property risk. Product specifications, cost prices, supplier margins are strategic assets. Their exposure to a non-European state third party is a real business risk.
  • Contractual risk. Certain clients (defense, healthcare, public sector) already require sovereign hosting in their specifications. Being unable to meet this requirement closes markets.

SecNumCloud 3.2: The French Shield

What It Is

SecNumCloud is a qualification issued by ANSSI (National Agency for the Security of Information Systems). In its version 3.2, it imposes over 360 criteria distributed across 14 themes covering technical, organizational, operational, and legal security.

The distinctive point of version 3.2 is the requirement for immunity to non-European extraterritorial laws. A SecNumCloud-qualified provider must be operated exclusively by European legal entities, with capital majority-held by European players, and operations managed from EU territory by European personnel. This de facto excludes any submission to the CLOUD Act or FISA.

Who Is Qualified Today

As of April 2026, the landscape of SecNumCloud-qualified providers has expanded significantly:

| Provider | Status | Specialty |
|---|---|---|
| OVHcloud | Qualified | Hosted Private Cloud offering, Gravelines/Roubaix/Strasbourg datacenters (OVHcloud SecNumCloud) |
| Outscale (Dassault Systèmes) | Qualified | First operator qualified SecNumCloud 3.2 |
| Cloud Temple | Qualified | Sovereign hosting specialist |
| S3NS (Thales + Google) | Qualified | PREMI3NS offering qualified late 2025, covers IaaS, CaaS and PaaS simultaneously |
| Worldline | Qualified | Cloud services for financial sector |
| Bleu (Orange + Capgemini) | In progress | J0 milestone validated, qualification targeted H1 2026, Microsoft Azure services |
| NumSpot | In progress | Consortium Docaposte, Dassault Systèmes, Bouygues Telecom |
| Scaleway | In progress | J0 validated without reservation |

In total, about ten providers are qualified or in the process of qualification, for a European sovereign cloud market estimated at 12.4 billion euros in 2026 according to Markess by Exaegis, growing 34% compared to 2025.

What SecNumCloud Changes for Your ERP

If your ERP is hosted by a SecNumCloud qualified provider, you benefit from concrete guarantees:

  1. Extraterritorial immunity. No non-European authority can legally compel the provider to deliver your data.
  2. Enhanced GDPR compliance. The qualification covers localization and personal data protection requirements.
  3. Restricted access. Operations are managed 24/7 exclusively by European personnel, based in the EU.
  4. ANSSI audit. The provider is regularly audited by the national cybersecurity agency.

The additional cost is real: expect 15 to 35% more than standard cloud hosting, depending on service complexity. But this cost should be weighed against the value of the protected data and the potential fines in case of non-compliance.

Cloud-First Doctrine: The French Government Signal

Since 2021, the French government's cloud-first doctrine has imposed cloud as the default hosting mode for new digital projects of the State. In its updated version of May 2023, it specifies that any system processing data of particular sensitivity must use a SecNumCloud-qualified offering.

Article 31 of the SREN law (Securing and Regulating Digital Space) enshrines this obligation in law. In 2024, public procurement of cloud services on the UGAP inter-ministerial market reached 51.6 million euros, up 50%.

Why this matters for the private sector: this doctrine creates a ripple effect. Companies working with the public sector (defense, health, education, local authorities) must align with these requirements to win contracts. And good practices from government gradually spread to mid-market companies and large SMEs concerned about their compliance.

EUCS: The European Certification Project

Where the Scheme Stands

EUCS (European Cybersecurity Certification Scheme for Cloud Services) is the project for European-scale cloud certification, led by ENISA. Its objective: create a common certification framework for all member states, with three assurance levels (basic, substantial, high).

The process has been at a standstill for more than four years. The latest draft, dated March 2024, removed the sovereignty requirements (EU headquarters, data localization) that appeared in previous versions. This removal, pushed by several member states (Ireland, Sweden, Netherlands) and US hyperscalers, provoked an outcry from France, Germany, and several European business associations.

Consequence for Companies

In the absence of a finalized EUCS, SecNumCloud certification remains the de facto standard for companies operating in France. For companies operating in several European countries, there is no mutually recognized cloud certification yet. Each country applies its own rules, which complicates cloud governance for multi-site ERPs.

The most likely scenario: EUCS will finally be adopted in 2026 or 2027, probably without strict sovereignty requirements at the “high” level. France will maintain SecNumCloud as a more demanding national layer. Companies that anticipate by aligning now with SecNumCloud will be compliant regardless of the final EUCS result.

Hosting Your ERP on Sovereign Cloud: Concrete Options

SAP S/4HANA on Sovereign Cloud

Since 2023, SAP has offered, in partnership with OVHcloud and Sopra Steria, deployment of S/4HANA on SecNumCloud infrastructure. This offering targets public sector actors and companies subject to sovereignty obligations.

In parallel, SAP relies on Bleu for its trusted cloud in France, with Microsoft Azure services distributed by the Orange-Capgemini joint venture. Bleu’s SecNumCloud qualification is expected in the first half of 2026.

S3NS: Google Cloud SecNumCloud Qualified

The PREMI3NS offering from S3NS (Thales subsidiary) is the first to simultaneously cover IaaS, CaaS and PaaS layers under SecNumCloud 3.2 qualification. With 15 new services planned for H1 2026 and the arrival of Vertex AI in H2 2026, it is the most complete option for companies wanting to combine Google Cloud services and sovereignty.

European ERP and Native Sovereign Hosting

Some European vendors natively offer hosting in their domestic markets, without resorting to hyperscalers:

  • Sage UK: hosting options in UK datacenters for Sage X3 and Business Cloud
  • Unit4: EU-based hosting for ERP solutions
  • Access Group: UK cloud offerings for mid-market ERP
  • Exact (Netherlands): sovereign hosting options for European customers

For these vendors, the sovereignty question is different: the issue is not the CLOUD Act (they are not subject to US jurisdiction), but the certification of their hosting providers, which is not systematic.

Open Source ERP: The Reversibility Card

Open source ERPs like Odoo, Dolibarr or ERPNext offer a structural advantage in terms of sovereignty: the code is auditable, and the company can freely choose its hosting provider. Deploying an Odoo Enterprise on a SecNumCloud cloud (OVHcloud, Outscale) gives total control over the chain: open code, qualified hosting, localized data.

This is a compelling argument for organizations that want to control their end-to-end technological dependence. For more details, consult our open source ERP comparison.

Decision Grid: What Level of Sovereignty for Your ERP?

Not all companies have the same sovereignty needs. The right level depends on your sector, your customers, and your regulatory exposure.

| Profile | Recommended Level | Justification |
|---|---|---|
| SME, non-sensitive data | Standard cloud + GDPR | Extraterritorial risk is low. Prioritize value for money. |
| SME, defense or healthcare subcontractor | SecNumCloud mandatory | Imposed by prime contractor. Non-negotiable. |
| Industrial mid-market, sensitive IP | Sovereign cloud recommended | Protection of specifications, cost prices, manufacturing secrets. |
| Public sector, OES, DSP | SecNumCloud mandatory | Cloud-first doctrine + NIS 2 directive. |
| Multi-country EU group | SecNumCloud + EUCS watch | Anticipation of European certification. |

For organizations subject to the NIS 2 directive, the sovereign cloud question fits into a broader cybersecurity framework. Consult our analysis of the NIS 2 directive and its impacts on ERPs.

Five Questions to Ask Your ERP Vendor

Before signing a cloud ERP contract, ask your vendor or integrator these questions:

  1. Where is my data physically hosted? Demand a precise answer: country, datacenter, infrastructure provider name.
  2. Is your hosting provider SecNumCloud qualified? If yes, ask for the ANSSI qualification number. If no, ask why and what alternative certification is proposed.
  3. Are you subject to the CLOUD Act or FISA? A “no” without nuance deserves verification: a US subsidiary, majority US shareholding or hosting with a US hyperscaler is sufficient.
  4. Can I export all my data in a standard format? Reversibility is a pillar of sovereignty. An ERP that locks your data is not sovereign, even if hosted domestically.
  5. What is the plan in case of regulatory change? EUCS, enhanced GDPR, sector requirements evolve. Your vendor must have a clear roadmap.

To structure these exchanges, our guide on ERP requirements documents integrates a section dedicated to security and compliance requirements.

Key Takeaways

Digital sovereignty is not an abstract concept reserved for political debates. For a CIO or CFO managing an ERP project, it is a concrete selection criterion that impacts the choice of vendor, hosting provider, and deployment model.

SecNumCloud 3.2 is currently the most demanding standard in Europe. The European EUCS, when finalized, will probably not replace it but complement it. Companies that integrate sovereignty into their ERP decision grid now avoid a costly migration project in two or three years.

To deepen security issues related to your ERP, consult our ERP cybersecurity guide and our GDPR and ERP compliance analysis. To validate an adoption hypothesis, start with a 3-month POC on 1 target process (purchasing, accounting, CRM). Typical budget: €15,000 to €30,000. Result: Go/No-Go decision with concrete figures, not with an Excel sheet of commercial promises.