A CISO at a hospital network, a CIO at a government ministry, a CFO at a mid-size bank — all now ask their ERP vendor the same question: “Is your cloud offering compatible with our data residency obligations?” The answer, often vague, conceals a more complex reality.
The European sovereign cloud market has been fundamentally reshaped between 2024 and 2026. Two French reference certifications now coexist, Germany has its own standard, and the EU is building a common framework that remains unfinished. Meanwhile, ERP offerings from major US vendors are still predominantly hosted on AWS, Azure or Google Cloud — all subject to the reach of US extraterritorial law.
This guide maps the certifications available by country and sector, the ERP vendors that genuinely offer sovereign hosting, and the concrete trade-offs you must accept to get there.
Why sovereign cloud is becoming mandatory in regulated sectors
The regulations that create the obligation
Several European and national regulations are converging to force certain organisations to choose their cloud provider with care.
The French “cloud au centre” doctrine (2021). A French government decree of August 2021 established a clear principle for public administrations: all new digital projects must use cloud by default. For systems processing sensitive data, ANSSI’s SecNumCloud qualification becomes mandatory. The directive is unambiguous: commercial cloud offerings must hold SecNumCloud qualification for data whose compromise could harm public order, national security, or public health (source: numerique.gouv.fr). Local authorities choosing an ERP for financial management or HR fall directly within this scope.
NIS 2 (Europe, December 2022, transposed 2024). The updated Network and Information Security directive substantially widens its scope. It now covers “essential entities” across eighteen sectors — from energy and transport to healthcare and digital infrastructure. These entities must demonstrate that their IT suppliers, including ERP cloud hosts, meet high security standards. The cloud provider is no longer a silent subcontractor: it is part of the audit surface.
DORA (Europe, in force January 2025). The Digital Operational Resilience Act imposes documented digital resilience requirements on financial institutions (banks, insurers, asset managers, payment service providers) across their entire IT supplier chain. An ERP hosted on a non-European cloud represents a concentration risk that DORA now requires to be measured, monitored, and reduced. DORA assessments conducted in 2025 have exposed the fragility of ERP hosting arrangements historically chosen for convenience.
Defence and security procurement requirements. For contractors in the defence industrial and technology base — whether working on French programmes under the Loi de Programmation Militaire, UK MoD supply chains, or NATO-aligned programmes across Europe — the requirements for securing sensitive information systems are stricter still. An ERP hosting data linked to defence contracts must, in many cases, be hosted in-country with operational isolation guarantees.
The US CLOUD Act risk
The Foreign Intelligence Surveillance Act (FISA) and the CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) allow US authorities to demand access to data held by American companies, regardless of where that data is physically stored. AWS, Azure and Google Cloud are American companies. Even if your ERP instance is hosted in a datacentre in Paris or Frankfurt, your data remains legally accessible to US authorities through their parent companies.
For legal teams and CISOs, this is not a theoretical concern. It is the primary reason why “sovereign cloud” goes beyond simple geographic data localisation: it also requires operational and legal independence from extraterritorial legislation.
On-premises is no longer the default answer
For years, the response to sovereignty constraints was simple: keep the ERP on servers in your own datacentre. This approach has its merits, but it carries hidden costs that are increasingly difficult to justify: operational maintenance, backups, redundancy, security patching, and the absence of mobility for distributed teams.
Sovereign cloud offers a third path: retaining the legal and operational guarantees of European hosting while benefiting from the elasticity and economies of scale of cloud. The question is no longer “cloud vs on-premises” but “which cloud, with what guarantees.”
Key European certifications: what they actually guarantee
SecNumCloud (France, ANSSI): the most demanding certification
The SecNumCloud qualification, issued by France’s National Agency for Information Systems Security (ANSSI), is the highest French standard for cloud providers. Version 3.2, in force since 2022, adds specific requirements on immunity from extraterritorial legislation: a SecNumCloud-qualified provider cannot be compelled to share your data with foreign authorities.
The qualification covers physical and logical infrastructure security, operational processes, data localisation in France or the EEA, and the nationality of staff with system access. It is on this last point that “trusted cloud” offerings (such as Bleu or S3NS in their initial design) have had to differentiate themselves from simply localised offerings.
SecNumCloud-qualified providers in 2026:
- OVHcloud: qualification obtained on several offerings (Bare Metal Pod, VMware on SecNumCloud, SNC Cloud Platform with IaaS/PaaS/Containers/managed databases/IAM, SAP HANA on VMware). The qualified catalogue does not cover the full OVHcloud service range (source: ovhcloud.com/fr/secnumcloud/).
- S3NS, Thales subsidiary (Google Cloud technology): SecNumCloud 3.2 qualification obtained late 2025 on the PREMI3NS offering, which covers 30 cloud services with a roadmap to 150 (source: s3ns.io).
HDS (France): mandatory for all healthcare data hosting
The Hébergeur de Données de Santé (Health Data Hosting) certification is distinct from SecNumCloud. It is mandatory for any organisation hosting personal health data collected during prevention, diagnosis, or care activities. This certification is issued by bodies accredited by the French accreditation body Cofrac, and is valid for three years with annual surveillance audits.
The regulatory framework was updated in April 2024 with a new decree that opened the HDS accreditation scheme (source: esante.gouv.fr). In practice: a private healthcare facility, clinic, hospital group, or medical software vendor that has data hosted by a third party must verify that the host holds HDS certification for the relevant scope.
For ERPs deployed in healthcare (administrative management, HR, and finance at a hospital or care home), HDS certification of the cloud host is a non-negotiable legal prerequisite.
BSI C5 (Germany): the reference standard across the Rhine
The Cloud Computing Compliance Criteria Catalogue (C5) from Germany’s Federal Office for Information Security (BSI) is the German equivalent of SecNumCloud, in a different format. Where SecNumCloud is a qualification issued directly by ANSSI, C5 is a catalogue of requirements against which independent auditors issue attestations (Testate). Companies publish these attestations; the BSI consolidates the list.
C5:2020 is the current reference version. A C5:2026 revision is underway according to the BSI. Over a hundred attestations have been granted to national, European and global cloud providers to date, making it the most widely adopted cloud standard in Europe after ISO 27001 (source: bsi.bund.de).
For a German company in a regulated sector, a European business with German subsidiaries, or any ERP hosting data subject to Germany’s Federal Data Protection Act (BDSG), the BSI C5 attestation from the provider is the reference signal to request in any tender process.
ISO 27001 and EUCS: the European baseline under construction
ISO 27001 is an implicit prerequisite in all cloud RFPs for regulated sectors. It certifies the implementation of an Information Security Management System (ISMS), but does not address the question of sovereignty or immunity from foreign legislation.
The European Union Cloud Certification Scheme (EUCS), developed by ENISA (the EU Agency for Cybersecurity), aims to harmonise cloud certifications across the EU with three levels (Basic, Substantial, High). The final EUCS version is expected in 2026. Once operational, it could serve as a common reference for cross-border procurement, reducing the current fragmentation between SecNumCloud, BSI C5 and their Italian (ACN), Spanish (ENS) or Dutch equivalents.
Summary table: certification by sector and country
| Certification | Country | Sectors concerned | Sovereignty level |
|---|---|---|---|
| SecNumCloud 3.2 | France | Defence, public sector, sensitive healthcare, state finance | Maximum (extraterritorial immunity) |
| HDS | France | All hosting of health data | Legally mandatory |
| BSI C5 | Germany | Public sector, finance, critical industry | Audit reference (private attestation) |
| ISO 27001 | Europe | All sectors (baseline) | Organisational security only |
| EUCS (High) | Europe (2026) | Critical sectors, cross-border | Under construction |
Sovereign cloud providers across Europe
OVHcloud: the only European hyperscaler with SecNumCloud for ERP workloads
OVHcloud is currently the provider with the most mature SecNumCloud-qualified cloud infrastructure for ERP workloads. The “SAP HANA on VMware” offering in the SecNumCloud zone allows SAP customers to run their HANA database in an ANSSI-qualified environment. The SNC Cloud Platform also provides a cloud-native experience (IaaS, managed databases, containers, IAM/KMS) within the qualified perimeter.
Its strengths: European infrastructure, French datacentres, European operational staff, mature infrastructure catalogue. Its limits: the SecNumCloud-qualified catalogue is narrower than OVHcloud’s full offering, and advanced managed services (AI/ML in particular) are less rich than on AWS or Azure. For an ERP that needs stable IaaS and managed databases, it is a concrete and available option.
Bleu: Microsoft Azure under French operation (qualification pending)
Bleu is a company created in January 2024 by Orange and Capgemini, operating under a Microsoft Azure technology licence. The model rests on strict separation: the technology is American (Azure), but operation, teams and governance are entirely French — and therefore outside the reach of the CLOUD Act.
This is precisely the distinction between “trusted cloud” (US technology, EU operation) and “sovereign cloud” (technology AND operation 100% European). Bleu is targeting SecNumCloud qualification, which requires ANSSI to verify that the French operational model is genuinely airtight. Qualification was expected during 2025–2026 at the time of writing. Until it is formally obtained, Bleu cannot be presented as a SecNumCloud offering.
For a CIO seeking to host Microsoft Dynamics 365 within a legally protected framework, Bleu represents the most plausible trajectory. It has not yet arrived.
S3NS / PREMI3NS: SecNumCloud 3.2 obtained late 2025
S3NS is a Thales subsidiary (100% French capital control) operating Google Cloud technology in a sovereign environment. Its PREMI3NS offering obtained ANSSI’s SecNumCloud 3.2 qualification in late 2025, making it the second qualified offering available in France after OVHcloud.
As of mid-2026, PREMI3NS offers 30 services, with a roadmap to 150 to reach parity with Google Cloud Platform. Available services include BigQuery (analytics), GKE (Kubernetes), managed databases and IaaS. Vertex AI Model Garden (generative AI) was being launched during 2026 according to the published roadmap. For an ERP requiring analytics power or an embedded AI model within a SecNumCloud perimeter, S3NS opens possibilities that OVHcloud alone could not provide.
T-Systems / SAP Sovereign Cloud (Germany)
T-Systems (Deutsche Telekom subsidiary) operates a “SAP Sovereign Cloud” in partnership with SAP, aimed at German customers in defence, public sector and critical industry. This model allows companies subject to BSI C5 requirements or data classification restrictions to access SAP S/4HANA in an environment operated locally by a German entity.
The functional scope of this sovereign offering is not identical to a standard S/4HANA instance: certain modules or cloud-native capabilities (including some of SAP Joule’s AI features) are not yet available in sovereign variants. This is a trade-off that customers accept in exchange for operational guarantees.
Outscale (Dassault Systèmes subsidiary)
Outscale is a French IaaS offering operated by a Dassault Systèmes subsidiary. It is positioned for defence and industrial sectors, with security certifications adapted to sensitive data. Its cloud service catalogue remains infrastructure-focused, without the breadth of hyperscalers. For industrial or defence ERPs seeking a French IaaS alternative, Outscale is worth investigating.
ERP vendors that genuinely offer sovereign hosting
SAP: OVHcloud in France, T-Systems in Germany
SAP S/4HANA Cloud can be hosted on OVHcloud (SecNumCloud zone) via the SAP HANA on VMware offering. For SAP customers in France who must comply with the “cloud au centre” doctrine, this is the available path today. It is an IaaS-managed hosting arrangement, not an SAP SaaS “turnkey” offering, which means relying on an integrator for implementation and updates.
In Germany, the SAP / T-Systems partnership provides a more integrated offering for customers subject to BSI C5 constraints or classified data requirements, with the functional trade-offs described above.
In the UK, SAP customers subject to MoD security requirements or UK NCSC Cloud Security Principles typically combine UK-based hosting (UK regions of hyperscalers or dedicated sovereign environments) with contractual security schedules.
Microsoft Dynamics 365: awaiting Bleu
Microsoft Dynamics 365 on a SecNumCloud-qualified host is not available in mid-2026 outside a custom IaaS arrangement on OVHcloud. The natural offering will be Bleu, when its SecNumCloud qualification is obtained. In the meantime, organisations that absolutely need Dynamics 365 within a French sovereign framework must either accept a hybrid architecture (non-sensitive modules on standard cloud, sensitive data on-premises or on qualified IaaS) or wait.
For UK and German Dynamics 365 customers, localised Azure regions combined with contractual data residency commitments and NCSC/BSI C5 attestations are the current path, absent a full sovereign wrapper.
Odoo: OVHcloud hosting possible, certification limited
Odoo, in its Community and Enterprise editions, can be hosted on OVHcloud, including in SecNumCloud zones for IaaS. Odoo SA does not operate its own SecNumCloud-qualified SaaS hosting. For SMEs and mid-market companies wanting Odoo with sovereignty guarantees, the solution runs through a certified partner host or self-hosting on OVHcloud SecNumCloud.
Public sector ERP: native sovereign options in France, Germany and the UK
In France, Berger-Levrault and Civitas — historical ERP vendors for local government — host their solutions in environments compliant with the “cloud au centre” doctrine. For a municipality or public body seeking an HR or financial ERP, these vendors offer the most direct compliance path for French regulatory requirements.
In Germany, Fabasoft and specialised SAP partners serve public administrations under BSI C5 requirements. In the UK, Access Group (Financials, People) and Unit4 serve local authorities and public bodies under Crown Commercial Service frameworks, with data residency commitments aligned to UK NCSC guidance.
The trade-offs to resolve before signing
The real cost premium of sovereign cloud
SecNumCloud or BSI C5 offerings are structurally more expensive than standard hyperscaler equivalents, for two reasons: lower economies of scale (the qualified customer base is smaller) and the ongoing cost of certification audits and maintenance. The market cites infrastructure premiums, but figures vary considerably across services and volumes — asking providers directly, in euros or pounds per vCPU/month and per TB of storage, is the only reliable approach.
This premium must be weighed against the cost of non-compliance. For a NIS 2 essential entity, sanctions can reach €10 million or 2% of global turnover. For a healthcare facility hosting data without HDS certification, CNIL sanctions and the personal criminal liability of its executives are real risks. The question is not “does sovereign cloud cost more?” but “what will non-compliance cost?”
The functionality gaps in sovereign offerings
This is the trade-off that is hardest for CIOs accustomed to hyperscaler capabilities. Sovereign offerings do not always cover the full advanced services catalogue:
- Embedded generative AI modules (SAP Joule, Microsoft Copilot for Finance) are often unavailable in sovereign variants in 2026.
- Advanced data analytics services may be absent or in a reduced version.
- Native integrations with third-party SaaS platforms (Salesforce, Workday) may require specific architectures to remain within the certified perimeter.
S3NS, with its roadmap to 150 services including Vertex AI, represents a promising evolution. But as of mid-2026, the catalogue remains partial. For a CIO, the concrete question is: “which features of my ERP rely on cloud services that are not available in the qualified zone?” This analysis must be conducted module by module before any decision.
Trusted cloud vs sovereign cloud: a critical distinction
Confusion between these two concepts is frequent and costly. The clear distinction:
Trusted cloud: technology from a US vendor (Microsoft, Google), hosted and operated by a European entity under licence. The source code and algorithms remain US property. Protection against the CLOUD Act rests on operational airtightness, validated (or not) by a SecNumCloud certification.
Sovereign cloud: technology AND operation 100% European. OVHcloud is the most complete example: platform code is developed in Europe, operational teams are European, governance is French. S3NS, in its Thales/Google model, sits between the two depending on the perimeter considered.
For defence markets or Restricted classification data, only sovereign cloud with European technology meets the requirements. For a ministry or local authority with sensitive but unclassified data, a trusted cloud holding SecNumCloud qualification is often sufficient.
Checklist: 8 questions to ask a provider before signing
Before contracting ERP hosting in a regulated context, ask these questions in writing and require documented answers:
- Do you hold SecNumCloud qualification for the specific offering concerned (not a different catalogue item)?
- Are you HDS-certified for this scope (if health data is involved)?
- Are your operational teams exclusively European nationals? What are the procedures for remote access?
- Do you have shareholders or parent companies subject to extraterritorial legislation (CLOUD Act, FISA)? How is the operational separation guaranteed?
- Which ERP features are not available in your qualified zone? The exhaustive list, not general statements.
- What is the data portability timeline if we wish to change provider? Are there exit fees?
- Where are your backups located and are they also within the qualified perimeter?
- How do you document compliance for our NIS 2 / DORA audits? Will you provide auditable attestations?
A provider that answers all eight points with precise documents is a serious provider. One that responds with commercial brochures deserves heightened scrutiny.
Articulating the strategy: hybrid as the realistic answer
For most organisations, a 100% sovereign ERP in every country of operation is not realistic in 2026. A company with operations in France, Germany, the Netherlands and Spain will have to navigate different local regulations and sovereign offerings of uneven maturity across markets.
The hybrid strategy, often presented as a temporary compromise, is in reality the structural answer: the most sensitive data (defence, health, classified personal data) in qualified zones; less critical modules (non-sensitive reporting, analytics, SaaS integrations) on standard clouds with appropriate contractual protections. This architecture requires an upfront data classification exercise — one that is often neglected — but it is precisely this that determines which parts of the ERP must go through a qualified provider.
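The module-by-module analysis and the hybrid placement described above can be expressed as a small policy check. This is an added example, not part of the original guide or any vendor's tooling: the data category names, zone names, service names and module list are all constructed assumptions, and the certification rules encode only what the summary table and the trusted-versus-sovereign distinction state.

```python
from dataclasses import dataclass

# Certifications each data category requires, following this guide's summary
# table. The category names are assumptions made for this example.
REQUIRED_CERTS = {
    "health": {"HDS"},
    "sensitive_public": {"SecNumCloud"},
    "defence": {"SecNumCloud"},   # plus European technology, checked below
    "non_sensitive": set(),
}

@dataclass(frozen=True)
class Zone:
    name: str
    certs: frozenset
    european_technology: bool
    services: frozenset

@dataclass(frozen=True)
class Module:
    name: str
    data: frozenset    # data categories the module processes
    needs: frozenset   # cloud services the module depends on

def compliance_blockers(module, zone):
    """Reasons the zone may not host the module; an empty list means compliant.
    An unclassified data category raises KeyError instead of passing silently."""
    required = set().union(*(REQUIRED_CERTS[c] for c in module.data))
    blockers = [f"missing {c}" for c in sorted(required - zone.certs)]
    if "defence" in module.data and not zone.european_technology:
        blockers.append("non-European technology")
    return blockers

def place(modules, zones):
    """Map each module to (zone name, services missing there).
    `zones` is ordered by preference; ties keep that order."""
    plan = {}
    for m in modules:
        compliant = [z for z in zones if not compliance_blockers(m, z)]
        if not compliant:
            plan[m.name] = (None, [])
            continue
        best = min(compliant, key=lambda z: len(m.needs - z.services))
        plan[m.name] = (best.name, sorted(m.needs - best.services))
    return plan

# Constructed sample data: zone catalogues and ERP modules are illustrative only.
ZONES = [
    Zone("standard", frozenset({"ISO27001"}), False,
         frozenset({"iaas", "managed_db", "analytics", "genai_assistant"})),
    Zone("trusted", frozenset({"ISO27001", "SecNumCloud"}), False,
         frozenset({"iaas", "managed_db", "analytics"})),
    Zone("sovereign", frozenset({"ISO27001", "SecNumCloud", "HDS"}), True,
         frozenset({"iaas", "managed_db"})),
]
MODULES = [
    Module("reporting", frozenset({"non_sensitive"}), frozenset({"iaas", "analytics"})),
    Module("hr_payroll", frozenset({"sensitive_public"}), frozenset({"iaas", "managed_db"})),
    Module("patient_billing", frozenset({"health"}), frozenset({"managed_db", "genai_assistant"})),
    Module("defence_contracts", frozenset({"defence"}), frozenset({"iaas", "managed_db"})),
]

if __name__ == "__main__":
    for name, (zone, gaps) in place(MODULES, ZONES).items():
        print(f"{name:18} -> {zone or 'NO COMPLIANT ZONE'}  missing services: {gaps or 'none'}")
```

A non-empty list of missing services is the functionality gap to raise with the provider before signing; a module with no compliant zone stays on-premises or waits for a qualified offering.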
To go further on ERP security and resilience, see our complete guide on ERP cybersecurity, our analysis of DORA and its implications for financial sector ERPs, and our NIS 2 checklist for preparing an ERP audit.