The Court of Auditors delivered a report on the digital sovereignty of the State, in which it describes in one hundred pages a France which has put the word “sovereignty” at the heart of its technological discourse, without however succeeding in making it a practice. Behind doctrines and laws, the administration remains dependent on technologies that it does not control, isolated in a Europe that shares neither its urgency nor its approach.
A sovereignty established as a principle… but never as a system
For ten years, France has made digital sovereignty an element of language as much as an axis of public policy. The Cloud at the Center doctrine, the SREN law, SecNumCloud: so many pillars supposed to guarantee control of its data and its infrastructures. But the report from the Court of Auditors draws a disarming observation: “The ambition displayed by France in terms of digital sovereignty is struggling to be satisfied due in particular to the preeminent position of American companies and the legislation applicable to them.”
Critical infrastructures, from messaging to health data, still rely on American service providers. The Court notes that “the State’s civil information systems are particularly exposed” to intrusions and dependent on operators subject to foreign laws. It also observes that “there is no State strategy opposable to ministries”, the DINUM having “no budgetary authority”, while “the ministries have their own IT budgets and no cross-functional management of their digital investments is organized”. Result: the State’s “sovereign” clouds (Nubo and Pi) “remain little used” and “their interministerial use peaks at 5%”.
A strategic state… without industrial capacity
One of the strongest contradictions in the report lies in a State which has defined what digital sovereignty should be, without having put in place the means to embody it. The Court notes “a moderate investment”: 55 million euros in nine years for the Nubo cloud, in a State which devotes around 3 billion euros per year to its digital sector. It underlines that these public clouds “remain unattractive, due to lack of a critical size”, and that it would be necessary “to initiate their convergence so that they reach a critical size and make them more efficient”.
In the private sector, the report recalls that “the cloud market in Europe is 70% dominated by three American players (Amazon Web Services, Microsoft Azure and Google Cloud)”, while the share of European suppliers “fell from 27% to less than 16% between 2017 and 2021”. On a national scale, the Court identifies around ten scattered players (OVHcloud, Outscale, Docaposte, Cloud Temple, Whaller, Index Éducation) “which have not yet reached the level of investment nor the depth of service of hyperscalers”. And it added, bluntly: “Technological autonomy is a difficult objective to ensure in the field of materials and components”. In other words, without adequate industrial policy, sovereignty remains a discourse of experts.
Europe, passive arbiter of its dependence
One of the most severe findings in the report concerns the European scale. While France pleads to have its security standards recognized, in particular the SecNumCloud certification, as a reference standard, the European Commission “did not raise any objection” to the French decree implementing the SREN law, but “did not recognize the SecNumCloud qualification at the European level”. The Court notes that “the French position on European EUCS certification appeared isolated” and that “European exchanges have not resumed since”, the Commission having removed the “High+” level inspired by SecNumCloud under pressure from American lobbies and the German government.
The diagnosis is that “France has pleaded to introduce a higher level of security inspired by the SecNumCloud qualification (…) France’s approach has until now remained isolated within the European Union”. In other words, Europe talks about free movement of data, France talks about legal immunity, two incompatible logics at this stage.
Sovereignty as a defensive discourse
Behind the doctrine, the Court reveals an ambiguity, namely that French sovereignty is thought of as a shield, and notes that security remains the only prism: “The general framework of State information systems is based on three texts essentially devoted to digital security”, without addressing “the question of interoperability and portability of technologies”. It speaks of “still insufficient consideration of the issue of sovereignty” and of a strategy reduced to “general considerations” not translated into daily governance.
The Cloud at the Center doctrine, revised in 2023, has restricted its scope, so that only data combining two criteria, being “of particular sensitivity” and being data the violation of which would be “likely to cause an attack on public order, public security, health or the protection of intellectual property”, must be hosted in a sovereign cloud. “This definition circumscribes the notion of sensitive data,” notes the Court, transforming sovereignty into an exception instead of a standard.
Health, symbol of political failure
The case of the Health Data Hub is the symbol of this divide between ambition and reality. Designed to structure national medical data, the project was hosted on Microsoft Azure “out of pragmatism” to meet deadlines. Five years later, the Court observed that “this transitional solution triggered numerous blockages and legal appeals (…) which ultimately hindered the establishment of the platform and, above all, its ability to meet the needs of researchers”. And added: “An initially less efficient, but sovereign, platform would probably have allowed for less disruptive deployment and more widespread use.”
Migration to SecNumCloud-qualified infrastructure is not expected before the end of 2026, seven years after its launch. In the meantime, “the CNIL maintains its position”: data must be “hosted by entities falling exclusively under EU jurisdictions”.
A sovereignty to be reconstructed, not to be regulated
What the report reveals is that digital sovereignty is not a legal matter but a political one. It requires an industrial vision, investment capacity, interministerial coordination and coherent European diplomacy. The Court calls for “integrating an encrypted digital sovereignty strategy into the DINUM roadmap” and “defining the convergence trajectory of interministerial clouds”.
Implicitly, it reminds us that the State must choose its role: operator, capable of pooling its infrastructures, or structured client, capable of imposing its standards. Today, it is neither.
If we summarize the whole thing: the United States imposes its law, the European Union discusses compliance, France publishes circulars.
From doctrine to strategy
The magistrates of the Court of Auditors deliver a harsh diagnosis, recalling that France speaks of sovereignty, but still acts like a captive client. Anne Le Hénanff, new Minister of Artificial Intelligence and Digital Technology, wants to reverse this balance of power. By defending, alongside our colleague Sylvain Rolland in The Tribune, the idea of a “reflex of European preference”, Anne Le Hénanff attempts to move sovereignty from the defensive field to that of production. But between rhetoric and implementation, the gap remains abysmal. The minister inherits a fragmented administrative apparatus, a public cloud that is at a standstill, and a Europe that confuses autonomy and conformity.
Finally, the report of the Court of Auditors and the minister’s roadmap converge on the same point: digital sovereignty will not be won in texts, but in investment and consistency of execution. The promise must still survive the test of reality…