GRC, Cloud, and Sovereignty: companies facing a strategic choice

In the era of digital transformation, companies are widely adopting Governance, Risk, and Compliance (GRC) solutions in SaaS mode. These tools offer agility, automated controls, centralized data, and streamlined regulatory compliance.

However, behind these apparent benefits lies a strategic issue: where is this sensitive data hosted, and under which jurisdiction does it fall?

The majority of GRC solutions on the market today rely on cloud infrastructures operated by American providers (AWS, Azure, Google Cloud). However, this exposes European companies to significant legal, regulatory, and geopolitical risks.

Our expert explains the risks of hosting a GRC solution in the American cloud and sheds light on sovereign alternatives. 
 

American Cloud and Extraterritorial Law:  an underestimated legal risk

The Cloud Act vs RGPD

Adopted in 2018, the Cloud Act authorizes U.S. authorities to access data stored by any company subject to U.S. law, regardless of the physical location of the servers. This provision directly conflicts with the General Data Protection Regulation (GDPR), which mandates strict protection of personal data and severely restricts its transfer outside the European Union.

This is far from a theoretical debate:

• In 2020, the Schrems II ruling invalidated the Privacy Shield framework, ruling that U.S. law does not provide a level of protection equivalent to the GDPR, particularly due to surveillance programs like PRISM and UPSTREAM;
• In 2019, Microsoft was compelled by a U.S. federal court to hand over emails stored in Ireland as part of a judicial investigation;
• Edward Snowden’s revelations confirmed the ability of U.S. intelligence agencies to leverage their privileged relationships with tech giants (GAFAM) to access strategic information.

GRC Data: Among the Most Sensitive Within the Company

GRC solutions host highly detailed mappings of a company’s critical processes, including:

• Delegation of authority matrices;
• Internal fraud scenarios;
• Security incidents and remediation plans;
• Regulatory non-compliance cases;
• Compliance decisions involving sensitive third parties (suppliers, partners, etc.);
• Audits, internal investigations, whistleblower alerts, and more.

All of this information reveals the strategic vulnerabilities of the organization. Hosting such data in a potentially hostile jurisdiction poses a major reputational, legal, and operational risk.
 

Digital Sovereignty: an imperative in regulated sectors

The Public Sector Facing Security Requirements

Ministries, local authorities, national agencies, and hospitals are subject to a range of sovereign standards:

• General Security Framework (Référentiel Général de Sécurité – RGS)
• Military Programming Law (Loi de Programmation Militaire – LPM)

The use of non-SecNumCloud certified clouds is often prohibited in public procurement contracts

Banks, Insurance, and Asset Management: What Regulatory Framework?

The financial sector is governed by:

• The European Banking Authority (EBA) guidelines on cloud services;
• The Digital Operational Resilience Act (DORA) on digital resilience;
• Requirements from Basel III, CRD IV, DPS2 and NIS2

These regulations mandate traceability, operational controls, and strict data localization. Such requirements are difficult to reconcile with hosting under non-EU jurisdictions.
 

Defense, Aerospace, and Operators of Vital Importance (OIV): Sovereignty Is Non-Negotiable

For Operators of Vital Importance (OIV) or Essential Service Operators (OSE), sovereignty is not optional. The Military Programming Law (LPM) and the Network and Information Security 2 (NIS 2) make the use of sovereign solutions essential to ensure the strategic independence of critical infrastructures.
 

What alternatives are available for French companies?

Turning to other solutions

Some companies or groups with exclusively European operations, trading in euros and facing little to no American competition, can safely opt for Anglo-American solutions without significant risk.

Prioritizing Certified Sovereign Solutions

For regulated players, priority should be given to platforms that are:

• Hosted in France or within the European Union;
• SecNumCloud certified
• Operated by European providers, outside of non-EU jurisdictions.

Only this approach ensures compliance with the GDPR, DORA, and the State’s Cloud doctrine.
 

A market still under development

However, the offering is still maturing:

• Legacy on-premises solutions are often outdated or acquired by foreign groups;
• Tools developed with Excel or PowerPoint quickly show their limitations;
• French startups sometimes struggle to cover all business needs

Hosting a GRC solution on an American cloud is not a neutral choice. Beyond functionalities, companies must consider the regulatory, legal, and geopolitical risks involved.

In an environment of increasingly strict regulations, sovereignty is becoming a strategic lever for compliance and resilience.

Aware of these challenges, RSM has chosen a secure and operational sovereign alternative.
In partnership with Empowered Systems, a spin-off from Thomson Reuters/Refinitiv, we offer a GRC platform that is: 

Hosted on a SecNumCloud-certified cloud;
Covering risk management, compliance, internal control, and audit;
Proven in the most demanding sectors, particularly finance.


The solution is now listed in the AMRAE SIGR overview, validating its functional robustness and compliance with European standards.