IPCEI CIS: Europe’s €3.3 Billion Sovereign Cloud Program
The Important Project of Common European Interest for Cloud Infrastructure and Services (IPCEI-CIS) — approved by the European Commission in December 2023 — is Europe’s formal industrial policy response to US hyperscaler dominance of critical digital infrastructure. France is the program’s leading beneficiary, with OVHcloud, Thales, Orange, and Capgemini among the French participants receiving combined public support exceeding €500 million. The program sits at the intersection of France 2030’s digital sovereignty objectives and a broader European reckoning with data dependency on American-controlled infrastructure.
The European Cloud Dependency Problem
By 2023, Amazon Web Services, Microsoft Azure, and Google Cloud controlled approximately 65-70% of European cloud infrastructure spending. For commercial applications — startups building on AWS, banks using Azure, retailers on Google Cloud — this dominance creates no inherent problem. US cloud providers offer superior products at competitive prices, and European businesses benefit from this competition.
The problem is structural and specific to certain workload categories:
Government and public sector data: Tax records, health data, electoral systems, defense logistics, and social security databases. The 2018 US Cloud Act allows US law enforcement and intelligence agencies to compel US cloud providers to produce data held on their infrastructure — including data stored in European datacenters — without going through traditional international judicial assistance channels. A French government agency storing sensitive data on AWS Paris is, in principle, exposed to US government access demands.
Critical national infrastructure: Energy grid management systems, financial settlement platforms, telecoms backbone. The concentration of this infrastructure in US-controlled cloud creates a single-point-of-failure risk for European digital sovereignty.
Strategic industrial data: Airbus aircraft design files, Thales defense system specifications, nuclear plant operating parameters, pharmaceutical clinical trial data. This data is not classified, but its accessibility to foreign intelligence services via cloud provider legal process is a genuine national security concern.
R&D and innovation data: Early-stage research data, patent filings, competitive intelligence. Hosting breakthrough research on cloud infrastructure subject to US jurisdiction creates IP exposure that European companies and governments are increasingly unwilling to accept.
IPCEI-CIS addresses these concerns by building European-owned and European-law-compliant cloud infrastructure capable of hosting sensitive workloads.
IPCEI-CIS: Structure and Scope
IPCEI Cloud Infrastructure and Services was approved December 5, 2023.
Structure:
- 7 EU member states: Germany, France, Hungary, Italy, Netherlands, Poland, Spain
- €3.3 billion total public funding (note: some sources report €1.2B for direct IPCEI portion; €3.3B includes national program co-investments)
- Approximately €4.5 billion private investment catalyzed
- 19 direct corporate participants
- 110+ indirect participants
- Value chain: cloud hardware infrastructure → software platforms and operating systems → connectivity and networking → managed cloud services → cybersecurity
Strategic goal: Reduce Europe’s dependence on US hyperscalers for sensitive workloads, specifically by building cloud infrastructure certified under EU and national sovereignty standards, and by developing European-origin alternatives to proprietary US platform services (databases, container orchestration, identity management).
France’s IPCEI-CIS Participants
OVHcloud — The Primary French Beneficiary
OVHcloud (Roubaix, listed on Euronext Paris since 2021) is Europe’s largest cloud provider measured by server count — 43 datacenters globally, 400,000+ dedicated servers, operations across 4 continents. Founded in 1999 by Octave Klaba with a single server in his family home in Roubaix, OVHcloud has grown to €800 million+ in revenue while remaining a European-controlled company with no US parent.
OVHcloud’s IPCEI-CIS funding — estimated at €200-300 million across national and EU contributions — funds three specific capability developments:
SecNumCloud qualified infrastructure: OVHcloud’s sovereign cloud product, specifically engineered to meet ANSSI’s (France’s national cybersecurity agency) SecNumCloud qualification. SecNumCloud requires: provider majority-controlled by EU-law entities (no Cloud Act exposure), physical data residency in France/EU, no compellable data transfer to non-EU authorities, end-to-end encryption with customer-held keys, independent security audits.
Edge cloud deployment: Distributed infrastructure bringing cloud compute physically closer to sensitive users (hospitals, nuclear plants, military bases) to reduce latency and maintain local data control even for cloud-managed workloads.
Cloud interoperability: Open-source cloud management tools enabling European enterprises to switch between sovereign cloud providers without lock-in — creating a genuine market for European cloud competition rather than replicating US vendor lock-in patterns.
Thales — Defense and Government Sovereign Cloud
Thales (Paris, €18 billion revenue, 81,000 employees) contributes to IPCEI-CIS through two complementary programs:
S3NS (Thales + Google joint venture): A dedicated sovereign cloud service offering Google Cloud infrastructure under a structural legal separation designed to satisfy French SecNumCloud requirements. S3NS operates as an independently governed French entity; Google licenses its technology but cannot access customer data. The controversy: some French privacy advocates argue that structural separation from Google US is insufficient, that data residency in France does not eliminate Cloud Act risk if the provider’s technology stack is Google-proprietary.
Thales CipherTrust: Encryption key management for sensitive cloud workloads — the core technology enabling organizations to use US cloud infrastructure for some workloads while maintaining European control over encryption keys that protect sensitive data. CipherTrust is the enabling technology for a “trusted cloud” model where US infrastructure can be used at lower-sensitivity tiers.
Defense cloud: Thales’ direct IPCEI participation includes sovereign infrastructure for NATO-adjacent defense workloads — the classified end of the spectrum where AWS GovCloud (US-only) cannot be used for European military systems.
Orange Business — Public Sector Cloud
Orange Business Services (Paris, subsidiary of Orange SA, France’s former national telecoms monopoly) contributes to IPCEI-CIS through its enterprise cloud platform and managed services:
Flexible Engine: Orange’s OpenStack-based cloud platform, developed in partnership with Huawei — a controversial choice given European security concerns about Chinese technology vendors. IPCEI-CIS support is directed at the OpenStack components independent of any Huawei contribution.
Orange sovereign cloud for healthcare: France’s health data infrastructure — the Health Data Hub, electronic health records, hospital information systems — requires sovereign cloud. Orange Business is a primary provider of SecNumCloud-qualified managed services for French public hospitals.
Critical infrastructure cloud: Orange provides cloud and networking services for French government ministries, local authorities, and regulated industries. IPCEI-CIS funding supports next-generation secure infrastructure for these critical customers.
Capgemini — Cloud Services and Integration
Capgemini (Paris, €22 billion revenue, 340,000+ employees) is Europe’s largest IT services and consulting firm. Its IPCEI-CIS participation covers:
Sovereign cloud migration: Helping European enterprises and public sector organizations migrate sensitive workloads from US hyperscalers to sovereign cloud infrastructure — a professional services market that IPCEI-CIS creates demand for.
Sovereign AI inference: Building AI-powered enterprise services (document processing, customer service automation, code generation) running exclusively on European sovereign infrastructure, compliant with EU AI Act and data sovereignty requirements.
Cloud-native application development: European-origin frameworks for developing applications that are architecturally neutral between cloud providers — reducing vendor lock-in for European enterprises.
SecNumCloud: France’s Sovereign Cloud Standard
SecNumCloud is the technical and legal framework that gives France’s cloud sovereignty program its practical meaning. The standard — created by ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) — is more rigorous than any EU-level certification:
Ownership requirement: The cloud provider must be majority-owned and controlled by entities subject exclusively to EU law. No US parent company, no exposure to US jurisdiction via ownership.
Operational independence: No employee of the cloud provider can be compellable by a non-EU authority to produce customer data. Employee nationality restrictions in sensitive roles.
Technical controls: End-to-end encryption, customer key management, air-gapped infrastructure for highest-sensitivity workloads, independent penetration testing.
Governance: ANSSI can audit any SecNumCloud provider at any time. Qualification is renewable annually based on continued compliance.
Current SecNumCloud-qualified providers: OVHcloud (qualified), Outscale/Dassault Systèmes (qualified), Thales/S3NS (qualification pending — the outcome is expected to set the precedent for technology-licensed “trusted cloud” models).
The French government increasingly mandates SecNumCloud for sensitive workloads: health data (Référentiel Sécurité HDS), defense-adjacent procurement, and intelligence-adjacent government systems.
The Gaia-X Ecosystem
IPCEI-CIS participants are co-builders of Gaia-X — the Franco-German initiative to create European data sharing standards and a federated cloud ecosystem. Gaia-X’s vision: data sovereignty maintained regardless of which underlying cloud provider hosts data, through open protocols and certification standards.
Gaia-X has been criticized for governance complexity and slow implementation, but its core data sovereignty frameworks are operationally embedded in IPCEI-CIS technical requirements. France and Germany remain its primary political champions.
The Geopolitical Tension
France 2030’s cloud sovereignty program creates an explicit tension with Choose France’s foreign investment narrative. Microsoft’s €4 billion commitment in 2023, Amazon’s €1.2 billion, and Google’s €1 billion are among France 2030’s most celebrated investment wins — yet these commitments fund the US hyperscaler dominance that IPCEI-CIS exists to counterbalance.
The resolution is tiered: US cloud is appropriate — and encouraged — for commercial, innovation, and non-sensitive workloads. European sovereign cloud is required for specific sensitive categories. The two markets coexist. Most French AI startups run on AWS or Azure; French nuclear plant operational data runs on OVHcloud/SecNumCloud.
The strategic implication: IPCEI-CIS is not an attempt to displace US cloud providers from the French market. It is an attempt to ensure that the most sensitive 10-15% of cloud workloads — those where US Cloud Act exposure would be genuinely damaging — have a viable European alternative.
2026 Status and Outlook
| Metric | Status (March 2026) |
|---|---|
| OVHcloud SecNumCloud products | Operational across compute, storage, managed services |
| S3NS qualification | In review (ANSSI evaluation ongoing) |
| European cloud market share | ~13% of EU cloud revenue (European providers) |
| EUCS (EU certification scheme) | Finalized 2025, less strict than SecNumCloud |
| French public sector cloud mandate | Progressive rollout, 2026-2028 |