After seven years of legal and political back-and-forth, France’s Health Data Hub has chosen Scaleway to host the country’s health data. This institutional decision, combined with the DGSI’s recommendation to exclude certain foreign SaaS providers and the European €180 million sovereign cloud plan, creates an unprecedented alignment. For healthcare institutions, public bodies and industries subject to NIS2, one question remains: is sovereign hosting enough, or is it time to rethink the entire data processing chain?
Seven years for a decision
The Health Data Hub was created in 2019 to centralise and make better use of French health data for research purposes. From its launch, hosting was awarded to Microsoft Azure without a public tender, just as the U.S. CLOUD Act was gaining momentum. The choice immediately drew legal challenges from the CNIL, the Council of State, patient associations and the National Council of the Order of Physicians, all united around a single question: is entrusting highly sensitive medical data to a company subject to U.S. extraterritorial law compatible with the GDPR?
The institutional answer, slow in coming, is now clear. In April 2026, Scaleway became the official host of the platform. The French group, certified SecNumCloud and subject to French law alone, succeeds Microsoft Azure and concretely validates a model that regulatory texts have been calling for over the years: a trusted cloud, qualified by the ANSSI, impervious to foreign jurisdictional injunctions.
This shift is not an isolated event. It fits into an institutional sequence that is accelerating.
An unprecedented institutional alignment
Three signals, near-simultaneous, converge in spring 2026.
The DGSI (France’s domestic intelligence service) officially recommends that French companies ban certain foreign SaaS solutions for economic security reasons. The recommendation, rare from this service, explicitly targets American and Asian providers whose access to data may be compelled by a foreign authority.
The European Commission allocates €180 million to sovereign cloud, marking a concrete shift from rhetoric to action. This funding, modest at the scale of hyperscaler investments, has signal value: it confirms the existence of a deliberate European industrial strategy, no longer limited to regulation.
The CNIL signed a partnership with the French National Authority for Health (HAS) on 10 March 2026, covering sensitive data in the healthcare and medico-social sector. At the same time, the public consultation of the European Data Protection Board (EDPB) on Data Protection Impact Assessments (DPIAs) is open until 9 June 2026. Healthcare institutions are explicitly identified as priority adopters of the new requirements.
For the first time, the regulator, economic intelligence, the Commission and a public health infrastructure operator are sending the same message in the same time window: data sovereignty is no longer an option, it is an operational obligation.
The figures that frame the context
- 763 cybersecurity incidents recorded in the French health sector in 2025.
- 63% of healthcare and life sciences organisations are piloting or deploying agentic AI.
- €180 million allocated by the European Commission to sovereign cloud.
- 9 June 2026: deadline for the EDPB public consultation on DPIAs.
- 7 years: time elapsed between the initial Health Data Hub award to Azure and its migration to Scaleway.
Sovereign hosting is necessary, not sufficient
The migration of the Health Data Hub to Scaleway resolves an essential question: that of the jurisdiction applicable to data at rest. A server operated in France by a French operator under French law cannot be compelled to deliver its data to a foreign authority without going through recognised judicial cooperation channels.
But health data does not spend its life at rest. It is ingested, transformed, joined with other sources, anonymised, analysed, projected into indicators, sometimes exposed to artificial intelligence models. At each of these stages, it is read, copied, recombined. And at each stage, the question of sovereignty arises again. If processing relies on an API, an analytics engine or an AI model operated by an entity subject to the CLOUD Act, the protection provided by sovereign hosting evaporates at the moment of processing.
This is where the real shift of 2026 plays out. Sovereignty of hosting is a necessary condition. It is not a sufficient one. Institutions that consider the matter settled with the choice of Scaleway or OVHcloud discover, in practice, that a significant portion of their data value chain remains dependent on foreign vendors through orchestration, transformation and analytics layers.
Sovereignty is not measured by where data sleeps. It is measured by the entire chain through which data becomes usable.
What regulatory pressure concretely imposes
For hospital information system departments, regional hospital groupings, medical research laboratories and healthcare industries, the convergence of NIS2, DORA, the GDPR and the AI Act translates into three operational obligations.
Native traceability. Every transformation of a piece of data must be reconstructible, timestamped, attributable. Traditional ETL pipelines, which stack processing layers without unified traceability, are becoming regulatory liabilities. The CNIL episode of 739 reports during the 2026 municipal elections, 63% of which were linked to non-compliant prospecting, demonstrated how quickly an absence of traceability turns against data controllers.
Compliance by design. Compliance added after deployment depends on the goodwill of the vendor and the stability of their roadmap. Compliance by design is a property of the architecture itself: anonymisation at source, absence of intermediate storage, GDPR rules embedded in the processing engine. The nuance is invisible until an audit takes place. It becomes decisive on the day of inspection.
Documented resilience. NIS2 and DORA require a demonstration of resilience, not a declaration. This means being able to quickly reconstitute flows, dependencies, points of failure. McKinsey summarises it in a recent report: four steps of data capability consolidation must precede any large-scale agentic deployment. Orchestration is no longer a secondary technical project. It is a compliance prerequisite.
Three questions every healthcare CIO should ask
1. Where is my data stored, but more importantly where is it processed? The choice of host is visible. The choice of orchestration layer is much less so. Data that transits through a foreign analytics engine does not benefit from the sovereignty of its host.
2. Are my technology partners shielded from extraterritorial injunctions? A European subsidiary of an American group ultimately remains subject to the law of its parent company. Effective sovereignty requires a fully European chain of dependencies, verifiable from infrastructure to application layer.
3. Is my compliance native to the architecture or added on top? The EDPB’s DPIA consultation closes on 9 June 2026. Institutions that plan now for a DPIA-compatible processing architecture are taking the lead over those that wait for the final guidelines to be published before reacting.
The Health Data Hub’s migration from Azure to Scaleway is not an end. It is a beginning. Sovereign hosting resolves the jurisdictional question. The processing question remains. Institutions that rely on a European orchestration layer, with no intermediate storage and native traceability, are not simply taking a legal precaution: they are preparing for 2027 compliance, the kind that cannot be made up for in a hurry.