Key takeaways

  • The majority of GRC solutions on the market today rely on cloud infrastructures operated by American providers;
  • This exposes European companies to significant legal, regulatory, and geopolitical risks;
  • Our expert explains the risks associated with choosing to host a GRC solution in the American cloud.

In the era of digital transformation, companies are widely adopting Governance, Risk, and Compliance (GRC) solutions in SaaS mode. These tools offer agility, automated controls, centralized data, and streamlined regulatory compliance.

However, behind these apparent benefits lies a strategic issue: where is this sensitive data hosted, and under which jurisdiction does it fall?

The majority of GRC solutions on the market today rely on cloud infrastructures operated by American providers (AWS, Azure, Google Cloud). However, this exposes European companies to significant legal, regulatory, and geopolitical risks.

Our expert explains the risks of hosting a GRC solution in the American cloud and sheds light on sovereign alternatives.

American Cloud and Extraterritorial Law: an underestimated legal risk

The Cloud Act vs. the GDPR

Adopted in 2018, the Cloud Act authorizes U.S. authorities to compel any company subject to U.S. law to hand over the data it stores, regardless of the physical location of the servers. This provision directly conflicts with the General Data Protection Regulation (GDPR), which mandates strict protection of personal data and severely restricts its transfer outside the European Union.

This is far from a theoretical debate:

  • In 2020, the Schrems II ruling invalidated the Privacy Shield framework, finding that U.S. law does not provide a level of protection equivalent to the GDPR, particularly because of surveillance programs such as PRISM and UPSTREAM;
  • In 2019, Microsoft was compelled by a U.S. federal court to hand over emails stored in Ireland as part of a judicial investigation;
  • Edward Snowden’s revelations confirmed the ability of U.S. intelligence agencies to leverage their privileged relationships with the tech giants (GAFAM) to access strategic information.

GRC Data: Among the Most Sensitive Within the Company

GRC solutions host highly detailed mappings of a company’s critical processes, including:

  • Delegation of authority matrices;
  • Internal fraud scenarios;
  • Security incidents and remediation plans;
  • Regulatory non-compliance cases;
  • Compliance decisions involving sensitive third parties (suppliers, partners, etc.);
  • Audits, internal investigations, whistleblower alerts, and more.

Taken together, this information maps out the organization’s strategic weak points. Hosting such data in a potentially hostile jurisdiction poses a major reputational, legal, and operational risk.

Digital Sovereignty: an imperative in regulated sectors

The Public Sector Facing Security Requirements

Ministries, local authorities, national agencies, and hospitals are subject to a range of sovereign standards:

  • General Security Framework (Référentiel Général de Sécurité – RGS);
  • Military Programming Law (Loi de Programmation Militaire – LPM).

The use of clouds that are not SecNumCloud certified is often prohibited in public procurement contracts.

Banks, Insurance, and Asset Management: What Regulatory Framework?

The financial sector is governed by:

These regulations mandate traceability, operational controls, and strict data localization. Such requirements are difficult to reconcile with hosting under a non-EU jurisdiction.

Defense, Aerospace, and Operators of Vital Importance (OIV): Sovereignty Is Non-Negotiable

For Operators of Vital Importance (OIV) and Essential Service Operators (OSE), sovereignty is not optional. The Military Programming Law (LPM) and the NIS 2 Directive (Network and Information Security 2) make the use of sovereign solutions essential to ensuring the strategic independence of critical infrastructures.

What alternatives are available for French companies?

Turning to other solutions

Some companies or groups with exclusively European operations, trading in euros and facing little or no American competition, can opt for Anglo-American solutions without significant risk.

Prioritizing Certified Sovereign Solutions

For regulated players, priority should be given to platforms that are:

  • Hosted in France or within the European Union;
  • SecNumCloud certified;
  • Operated by European providers not subject to non-EU jurisdictions.

Only this approach ensures compliance with the GDPR, DORA, and the French State’s Cloud doctrine.

A market still under development

However, the offering is still maturing:

  • Legacy on-premises solutions are often outdated or have been acquired by foreign groups;
  • Tools built on Excel or PowerPoint quickly show their limitations;
  • French startups sometimes struggle to cover all business needs.

Hosting a GRC solution on an American cloud is not a neutral choice. Beyond functionality, companies must weigh the regulatory, legal, and geopolitical risks involved.

In an environment of increasingly strict regulation, sovereignty is becoming a strategic lever for compliance and resilience.

Aware of these challenges, RSM has chosen a secure and operational sovereign alternative. In partnership with Empowered Systems, a spin-off from Thomson Reuters/Refinitiv, we offer a GRC platform that is:

  • Hosted on a SecNumCloud-certified cloud;
  • Covering risk management, compliance, internal control, and audit;
  • Proven in the most demanding sectors, particularly finance.

The solution is now listed in the AMRAE SIGR overview, validating its functional robustness and its compliance with European standards.

RSM experts support companies across all sectors in assessing and managing the risks of fraud and scams. We can offer fast and effective prevention solutions, including rapid diagnostics, employee training, and process security.

Discover our Risk Advisory service.

Empowered, a software company long recognized for its expertise in internal controls, risk management, and audit, today announced a strategic partnership with RSM France. This collaboration aims to redefine how companies are supported in Governance, Risk, and Compliance (GRC) by combining robust digital solutions with deep industry expertise.

The partnership leverages Empowered’s highly configurable digital solutions, which simplify audit processes, strengthen risk management frameworks, and ensure rigorous compliance, together with RSM France’s well-established advisory experience. Together, the two companies intend to set a new standard for integrated GRC implementation, driving operational excellence and sustainable growth within a SecNumCloud sovereign cloud environment.