Key takeaways

The majority of GRC solutions on the market today rely on cloud infrastructures operated by American providers
This exposes European companies to significant legal, regulatory, and geopolitical risks
Our expert explains the risks of hosting a GRC solution in the American cloud and the sovereign alternatives available

In the era of digital transformation, companies are widely adopting Governance, Risk, and Compliance (GRC) solutions in SaaS mode. These tools offer agility, automated controls, centralized data, and streamlined regulatory compliance.

However, behind these apparent benefits lies a strategic issue: where is this sensitive data hosted, and under which jurisdiction does it fall?

The majority of GRC solutions on the market today rely on cloud infrastructures operated by American providers (AWS, Azure, Google Cloud). However, this exposes European companies to significant legal, regulatory, and geopolitical risks.

Our expert explains the risks of hosting a GRC solution in the American cloud and sheds light on sovereign alternatives.
 

American Cloud and Extraterritorial Law: an underestimated legal risk

The CLOUD Act vs GDPR

Adopted in 2018, the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) allows U.S. authorities to compel any provider subject to U.S. jurisdiction to hand over data in its possession, custody, or control, regardless of where the servers are physically located. This collides head-on with the General Data Protection Regulation (GDPR), which protects personal data, conditions its transfer outside the European Union (Chapter V), and only recognises disclosure orders from third-country courts or authorities when they rest on an international agreement such as a mutual legal assistance treaty (Article 48).

This is far from a theoretical debate:

  • In July 2020, the Court of Justice of the EU's Schrems II ruling invalidated the Privacy Shield framework, finding that U.S. law does not provide a level of protection essentially equivalent to that of the EU, in particular because of surveillance programmes such as PRISM and UPSTREAM (FISA Section 702) and the lack of effective remedies for EU data subjects;
  • Between 2013 and 2018, the U.S. Department of Justice fought Microsoft through the federal courts to obtain emails stored in its Irish data centre; the CLOUD Act was enacted while the case was pending before the Supreme Court, precisely to settle that such data is within reach of a U.S. warrant;
  • In 2013, Edward Snowden's disclosures showed that U.S. intelligence agencies obtained data from the major U.S. technology companies (GAFAM) through programmes such as PRISM, giving them access to strategic information held by those providers.


GRC Data: Among the Most Sensitive Within the Company

GRC solutions host highly detailed mappings of a company’s critical processes, including:

  • Delegation of authority matrices;
  • Internal fraud scenarios;
  • Security incidents and remediation plans;
  • Regulatory non-compliance cases;
  • Compliance decisions involving sensitive third parties (suppliers, partners, etc.);
  • Audits, internal investigations, whistleblower alerts, and more.

Taken together, this information reveals the strategic vulnerabilities of the organization. Hosting it in a jurisdiction whose authorities can compel its disclosure poses a major reputational, legal, and operational risk.
 

Digital Sovereignty: an imperative in regulated sectors

The Public Sector Facing Security Requirements

Ministries, local authorities, national agencies, and hospitals are subject to a range of sovereignty requirements:

  • General Security Framework (Référentiel Général de Sécurité – RGS);
  • Military Programming Law (Loi de Programmation Militaire – LPM);
  • The State's "Cloud au centre" doctrine, which requires sensitive data to be hosted on offerings holding the SecNumCloud qualification issued by ANSSI.

As a result, public procurement contracts often exclude clouds that do not hold the SecNumCloud qualification.


Banks, Insurance, and Asset Management: What Regulatory Framework?

The financial sector is governed by frameworks such as DORA (Regulation (EU) 2022/2554 on digital operational resilience, applicable since January 2025), which mandate a register of ICT third-party providers, operational controls, audit and access rights, documented exit strategies, and a record of where data is stored and processed. Such requirements are difficult to reconcile with hosting under non-EU jurisdictions.
 

Defense, Aerospace, and Operators of Vital Importance (OIV): Sovereignty Is Non-Negotiable

For Operators of Vital Importance (OIV) and Operators of Essential Services (OSE, which NIS 2 replaces with "essential and important entities"), sovereignty is not optional. The Military Programming Law (LPM), which created the OIV regime in 2013, and the Network and Information Security 2 (NIS 2) directive impose security and supply-chain risk management obligations on critical infrastructures and their providers that, in practice, steer these operators towards sovereign solutions to preserve their strategic independence.
 

What alternatives are available for French companies?

When a non-sovereign solution remains acceptable

Some companies or groups whose operations are exclusively European, which trade in euros and face little or no American competition, have limited exposure and can reasonably opt for Anglo-American solutions without significant risk.

Prioritizing Certified Sovereign Solutions

For regulated players, priority should be given to platforms that are:

  • Hosted in France or within the European Union;
  • SecNumCloud-qualified;
  • Operated by European providers, outside the reach of non-EU jurisdictions.

This approach offers the most straightforward path to compliance with the GDPR, DORA, and the State's "Cloud au centre" doctrine.
 

A market still under development

However, the offering is still maturing:

  • Legacy on-premises solutions are often outdated or have been acquired by foreign groups;
  • Tools built on Excel or PowerPoint quickly show their limitations;
  • French startups sometimes struggle to cover the full range of business needs.


Hosting a GRC solution on an American cloud is not a neutral choice. Beyond functionalities, companies must consider the regulatory, legal, and geopolitical risks involved.

In an environment of increasingly strict regulations, sovereignty is becoming a strategic lever for compliance and resilience.


Aware of these challenges, RSM has chosen a secure and operational sovereign alternative.
In partnership with Empowered Systems, a spin-off from Thomson Reuters/Refinitiv, we offer a GRC platform that is:

  • Hosted on a SecNumCloud-qualified cloud;
  • Covering risk management, compliance, internal control, and audit;
  • Proven in the most demanding sectors, particularly finance.


The solution is now listed in the AMRAE SIGR overview, validating its functional robustness and compliance with European standards.
 

RSM's experts support companies across all sectors in assessing and controlling fraud and scam risks. We can offer rapid and effective prevention measures: flash diagnostics, employee training, and process hardening.

Discover our Risk Advisory offer.

Empowered, a leading software company long recognised for its expertise in internal controls, risk management, and audit, today announced a strategic partnership with RSM France. The collaboration aims to redefine how companies are supported in Governance, Risk, and Compliance (GRC) by combining robust digital solutions with in-depth business expertise.

The partnership builds on Empowered's advanced, highly configurable digital solutions, which streamline audit processes, strengthen risk management frameworks, and ensure rigorous compliance, and on RSM France's recognised consulting experience. Together, the two companies intend to set a new standard for integrated GRC implementation, in support of operational excellence and sustainable growth, within a SecNumCloud sovereign cloud environment.