ANSSI
French national cybersecurity agency (Agence nationale de la sécurité des systèmes d'information). Develops the reference frameworks (SecNumCloud) and qualifies sovereign providers.
AWS (Amazon Web Services)
World's largest cloud provider (Amazon subsidiary). Over 200 services, 33 regions, around 32 per cent of the IaaS-PaaS market. Subject to US law.
Azure (Microsoft Azure)
Microsoft's public cloud, second worldwide market share (around 23 per cent). Strong integration with the Microsoft 365 and Active Directory ecosystem.
Baremetal
Dedicated physical server rented without a hypervisor layer, as opposed to shared VMs. Offers stable performance, useful for databases and sensitive workloads.
Bleu
Capgemini-Orange joint venture aiming to distribute in France an Azure-based cloud offering, under French governance and qualifiable for SecNumCloud. Response to the cloud-au-centre doctrine requirements.
BYOK (Bring Your Own Key)
Model in which the customer generates and holds the encryption keys; the provider has no access. HYOK variant: the key never leaves the customer's infrastructure.
CLOUD Act
US law of 2018 (Clarifying Lawful Overseas Use of Data Act). Authorises US authorities to require a provider subject to their jurisdiction to deliver data stored anywhere in the world.
Sovereign cloud
Cloud service operated under a European jurisdiction without capital or contractual dependency on a foreign power. Framed in France by the SecNumCloud qualification.
CNIL
French data protection authority (Commission nationale de l'informatique et des libertés). Enforces the GDPR in France.
Confidentiality
Property guaranteeing that data is accessible only to authorised persons. Based on encryption, access management and classification.
Container
Isolated execution unit sharing the host machine's operating system kernel. Docker and Kubernetes are the de facto standards. Lighter than a VM but weaker isolation.
CSP (Cloud Service Provider)
Cloud service provider. Encompasses IaaS, PaaS, SaaS and mixed combinations.
Datacenter
Physical hosting centre housing servers and network equipment. Classified by Uptime Institute redundancy level (Tier I to IV).
DataOps
Methodology that applies DevOps principles to data management: automated pipelines, tests, observability, governance.
DINUM
French interministerial digital directorate. Body that drives the digital transformation of the State and publishes the cloud-au-centre doctrine.
DORA
Digital Operational Resilience Act, European regulation of 2022 that requires financial actors to maintain a level of operational resilience and control over critical ICT providers.
DPO
Data Protection Officer. Mandatory GDPR role for most organisations processing personal data. Independence and reporting to the highest level required.
Edge computing
Processing data as close as possible to its source (sensor, gateway, regional datacenter) rather than in a central cloud. Reduces latency and bandwidth consumption.
EHDS
European Health Data Space. European regulation creating a common space of health data with primary purposes (care) and secondary purposes (research, regulation).
ENISA
European Union Agency for Cybersecurity. Notably leads the work on the future EUCS cloud certification scheme.
EUCS
European Cybersecurity Certification Scheme for Cloud Services. European certification scheme being finalised, structured in three assurance levels.
Extraterritoriality
Capacity of a law to produce effects beyond the borders of the adopting State. The CLOUD Act and FISA 702 are emblematic examples for US law.
Federated cloud
Architecture that federates several (often sovereign) clouds under a common orchestration, with interoperability standards. GAIA-X promotes this approach.
FinOps
Cloud financial governance practice: cost visibility, allocation per team, continuous optimisation, finance-tech-business dialogue.
FISA Section 702
Section of the US Foreign Intelligence Surveillance Act that authorises targeted surveillance of non-US persons located outside the USA via providers subject to US jurisdiction.
GAIA-X
European initiative (launched in 2019) aiming to federate a European cloud infrastructure around common standards of sovereignty, portability and transparency.
GCP (Google Cloud Platform)
Google's public cloud. Third worldwide market share (around 11 per cent), strong on data and AI workloads (BigQuery, Vertex AI, Kubernetes).
Governance
All the rules, procedures and bodies that steer an organisation's cloud choices: procurement, security, compliance, architecture, data.
HDS (Hébergeur de Données de Santé)
Mandatory French certification to host personal health data. Delivered after audit by an accredited body.
HSM (Hardware Security Module)
Tamper-resistant hardware module used to generate, store and use cryptographic keys. Indispensable for serious BYOK or HYOK.
Hybrid
Architecture combining public cloud, private cloud and on-premise infrastructure, with consistent orchestration and data plane between the segments.
Hyperscaler
Cloud provider operating a global infrastructure at very large scale: AWS, Azure, GCP. Three actors concentrate around two thirds of the world market.
IaaS (Infrastructure as a Service)
Cloud model delivering virtualised compute, storage and network on demand. The customer manages OS, middleware and applications.
Legal immunity
Documented capacity of a service to refuse, or not to be legally compelled, to transmit data to a foreign authority. Central criterion of SecNumCloud.
ISO 27001
International standard for information security management. Baseline required by most public and regulated markets, but does not cover sovereignty requirements.
Jurisdiction
Law applicable to an entity, determining which authorities can issue injunctions on its operations and data. Read in conjunction with the capital chain.
KMS (Key Management Service)
Cryptographic key management service offered by CSPs. BYOK and HYOK variants depending on the degree of control retained by the customer.
Kubernetes
Open-source container orchestrator (CNCF). De facto standard for microservices deployment, supported by all hyperscalers and the majority of European clouds.
Data location
Effective physical location of primary data, replicas, logs and metadata. To be distinguished from the displayed region, which may hide secondary flows.
Multi-cloud
Strategy distributing workloads across several CSPs to reduce dependency, optimise costs and leverage the strengths of each actor.
NIS2
European directive of 2022 (Network and Information Security 2). Strengthens cybersecurity obligations for essential and important entities. National transposition in progress.
NSA
US National Security Agency. Intelligence agency that relies notably on FISA Section 702 (PRISM and Upstream programmes) for its operations on foreign communications.
OpenStack
Open-source cloud infrastructure platform. Technical base of several European clouds (OVHcloud, Scaleway, Cloud Temple). Alternative to proprietary stacks.
Outscale (3DS Outscale)
Subsidiary of Dassault Systèmes. First French provider qualified SecNumCloud on the IaaS perimeter.
OVHcloud
Top European provider by IaaS market share. Listed in Paris, French governance, dedicated offer qualified SecNumCloud.
PaaS (Platform as a Service)
Cloud model delivering managed runtime environments (databases, runtimes, message queues). The customer focuses on application code.
BCP (Business Continuity Plan)
Procedures and infrastructures enabling continuity of critical operations in case of a major incident. Distinct from the DRP, which covers disaster recovery.
Pseudonymisation
GDPR processing replacing direct identifiers with reversible pseudonyms under separate management. Does not remove the personal character of the data.
SecNumCloud qualification
Certification issued by ANSSI. Three historical levels (Essential, Advanced, High), now unified in the 3.2 reference framework with a requirement of extraterritorial immunity and European capital control.
Cloud region
Geographic zone grouping several availability zones operated by a CSP. Selecting an EU region is a necessary but not sufficient condition for sovereignty.
Reversibility
Capacity to leave a provider without prohibitive cost: open standards, documented export formats, no proprietary lock-in. Criterion of the NextHop scoring framework.
GDPR
General Data Protection Regulation (EU, 2016). Unified European framework for the processing of personal data. Sanctions up to 4 per cent of worldwide turnover.
SaaS (Software as a Service)
Application delivered as a service; the customer manages neither the infrastructure nor the application. Microsoft 365, Salesforce, Google Workspace are emblematic.
Scaleway
Subsidiary of the Iliad group. European cloud based in Paris with own datacenters in France and the Netherlands. IaaS-PaaS offering on open-source stack.
Schrems II
CJEU ruling of July 2020 that invalidates the Privacy Shield. Explicitly cites FISA 702 as incompatible with European data protection standards.
SecNumCloud
ANSSI reference framework and qualification for sovereign cloud services. Version 3.2 published in 2022, imposes extraterritorial immunity and European capital control.
Digital sovereignty
Capacity of an actor (State, organisation, individual) to control its digital infrastructures, its data and its dependencies. Six dimensions in the NextHop scoring framework.
Tier IV
Highest level of Uptime Institute classification for a datacenter. Fault-tolerant architecture (2N+1), target availability 99.995 per cent.
Trusted Cloud
French concept (then European via Cloud de Confiance) designating a cloud service whose sovereignty and security are attested by a recognised qualification (SecNumCloud, EUCS High).
Virtualisation
Technique allowing several isolated operating systems to run on the same hardware via a hypervisor (KVM, VMware ESXi, Hyper-V).
VPC (Virtual Private Cloud)
Virtual network isolated within a cloud region. Allows defining one's own subnets, routing rules and firewalls, as in a private datacenter.
Availability zone
Subset of a cloud region (one or several close datacenters). Multi-AZ redundancy is the basis of a high-availability architecture.
Is a term missing?
Flag it to contact@nexthop.fr. The glossary is updated monthly with new domain terms and reader feedback.