TL;DR
- The EU Cybersecurity Act recast (CSA2), proposed in January 2026, could reinstate a formal sovereignty tier within the European Union Cybersecurity Certification Scheme for Cloud Services (EUCS), potentially requiring EU headquarters, EU data localisation, and protection from non-EU legal access.
- France is pushing to restore EUCS sovereignty requirements that were removed from later drafts of the scheme.
- If adopted, the proposed sovereignty tier could exclude US-parented cloud providers from the highest EUCS sovereignty classification.
- French enterprises in regulated sectors should audit their GRC tool supply chain now, before certification requirements harden into procurement mandates.
- If your GRC platform is hosted or controlled outside the EU, consider platforms that already support air-gapped and EU-hosted deployments, such as 6clicks.
- Join the virtual series GRC that works where others can't (EU and UK sessions) to explore what sovereign GRC infrastructure means in practice.
The EU is redrawing the line on cloud sovereignty, and US-parented GRC tools may not make the cut
The proposed recast of the EU Cybersecurity Act (CSA2), advanced in January 2026, could formally introduce a sovereignty certification tier that many US-parented cloud providers may be structurally unable to achieve. If you are a French enterprise relying on a US-headquartered Governance, Risk, and Compliance (GRC) platform, this is not a distant regulatory risk: it is a procurement decision you may need to revisit now.
Who this is for: CISOs, Data Protection Officers (DPOs), and heads of compliance at French enterprises in financial services and critical infrastructure navigating NIS2, DORA, and the evolving EU cloud certification landscape.
Why CSA2 matters right now for French enterprises
The European Union Cybersecurity Certification Scheme for Cloud Services has been in development since 2020. A March 2024 draft removed the proposed sovereignty requirements for the highest certification level after extensive debate among Member States, industry groups, and cloud providers, making it easier for US hyperscalers to qualify for EU cloud certifications and compete for sensitive public sector and critical infrastructure cloud contracts.
France never accepted that outcome. France's national cybersecurity agency, ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information), and the French government have consistently argued that true cloud sovereignty requires more than contractual assurances, including protection from extraterritorial legal obligations such as those arising under the US CLOUD Act.
The CSA2 proposal, tabled in January 2026, signals that France's position is gaining ground. If formally adopted into the EUCS framework, the proposed sovereignty tier could further divide the European cloud market between providers with EU-native governance structures and those operating under non-EU parent ownership.
For GRC specifically, this matters enormously. GRC platforms sit at the heart of an organisation's compliance evidence, risk data, and audit trails. If the platform itself cannot be certified as sovereign, using it to demonstrate compliance with NIS2 or DORA becomes a structural contradiction.
(Source: European Union Agency for Cybersecurity (ENISA), EUCS documentation; French government position papers on EUCS sovereignty tier, 2024 and 2025.)
What the CSA2 sovereignty tier would actually require
Under the proposed sovereignty tier, a qualifying cloud provider must:
- Be headquartered in the European Union.
- Demonstrate independence from non-EU legal authority, including exposure to foreign surveillance or data access laws such as the US CLOUD Act.
- Store and process sensitive customer data within the EU.
- Operate with governance and control structures that are not subject to override by a non-EU parent company.
This is not simply a documentation requirement. It is fundamentally a structural one. Under the proposed sovereignty criteria, a US-parented company operating a European subsidiary may still struggle to satisfy requirements relating to extraterritorial legal exposure and independent governance, regardless of contractual commitments or local data centre presence.
Why partner-operated sovereign enclaves do not qualify
Several major US cloud providers have responded to European sovereignty concerns by launching partner-operated cloud models. Microsoft operates Bleu in France (with Capgemini and Orange) and Delos Cloud in Germany. Google has similar arrangements.
These models are designed to strengthen operational sovereignty through European governance, local operations, and stricter access controls. However, some analysts argue that they do not fully resolve concerns around extraterritorial legal exposure because the underlying technology, intellectual property, and corporate control remain linked to US parent companies. Under stricter interpretations of the proposed EUCS sovereignty criteria, this legal exposure could remain a point of contention.
(Source: Julien Simon, "Two sovereign clouds, one legal wall," Medium, 2026.)
How NIS2 and DORA amplify the CSA2 exposure for French enterprises
NIS2 is already in force
The NIS2 Directive (EU) 2022/2555 has been in force since January 2023, with member state transposition required by October 2024. French enterprises in essential and important sectors, including energy, financial market infrastructure, banking, health, and digital infrastructure, are now subject to mandatory risk management measures, supply chain security obligations, and incident reporting requirements.
Supply chain security under NIS2 explicitly covers ICT service providers, including GRC platforms. An organisation that cannot demonstrate the sovereignty and security of its GRC tooling may find itself unable to satisfy NIS2 audit requirements.
DORA adds a financial services layer
The Digital Operational Resilience Act (DORA) applies directly to financial entities and their critical ICT third-party providers from January 2025. For French banks, insurers, investment firms, and payment institutions, DORA requires:
- Full contractual visibility over ICT third-party providers.
- The right to audit those providers.
- Demonstrable data localisation and access controls.
A GRC platform that cannot provide audit rights or demonstrate EU data residency is not DORA-compliant as a third-party ICT provider. Combined with CSA2's proposed sovereignty tier, the regulatory trajectory is clear: EU-certified, EU-native GRC infrastructure is moving from a differentiator to a requirement.
What French enterprises should do before CSA2 is adopted
1. Audit your GRC supply chain
Map every tool in your governance, risk, and compliance stack. For each tool, document:
- Where data is stored and processed.
- Where the provider is headquartered.
- Whether the provider or its parent is subject to non-EU extraterritorial law.
- What your contract says about audit rights, data access, and termination.
This audit should be conducted now, before CSA2 adopts binding certification tiers. If your regulator asks about supply chain security under NIS2 today, you need these answers.
2. Identify certification exposure
If you operate in sectors likely to face stronger sovereign cloud or EUCS-related procurement expectations — public sector, defence, critical infrastructure, and regulated financial services — begin mapping which of your current tools would fall short of the proposed sovereignty tier. Transition timelines for enterprise GRC platforms are measured in quarters, not weeks.
3. Evaluate sovereign-native alternatives
Not all GRC platforms are structurally equal. Sovereign GRC Infrastructure, meaning platforms designed from the outset to support air-gapped, EU-hosted, legacy, and hybrid deployments, exists now. These platforms can connect to environments that standard cloud GRC tools cannot reach, and they can be deployed on your terms, not the vendor's.
The phrase "deploy on your terms, not ours" is not a marketing position. For French enterprises under NIS2 and DORA, it is an operational and legal requirement taking shape in regulation.
How 6clicks helps French enterprises navigate CSA2 and sovereign GRC
6clicks is built as Sovereign GRC Infrastructure across three layers:
- Sovereign Infrastructure: 6clicks supports EU-hosted, air-gapped, and hybrid deployments. Your data stays where your regulations require it to stay. The platform can be deployed in environments that US SaaS-only competitors cannot reach.
- GRC Core: Complete GRC modules with pre-built frameworks covering NIS2, DORA, ISO 27001, and EU-specific regulatory requirements. Both manual and automated evidence collection are first-class functions — the platform does not assume your environment is fully automated.
- Agentic Connectivity: AI-assisted compliance automation that operates within sovereign deployment options, not as a dependency on external cloud inference. This is not generic artificial intelligence (AI) as a service; it is agentic automation designed for organisations that cannot send sensitive compliance data to a public cloud.
It's GRC that works where others can't.
French enterprises that need to demonstrate NIS2 and DORA compliance, and anticipate CSA2 sovereignty tier requirements, can book a GRC Maturity Working Session to assess their current posture against the evolving regulatory landscape: https://go.6clicks.com/grc-maturity-working-session-france
Frequently asked questions
The EU Cybersecurity Act (CSA) was originally adopted in 2019 and established the EU Agency for Cybersecurity (ENISA) as a permanent agency while creating a framework for voluntary EU-wide cybersecurity certification schemes. The CSA2 recast, proposed in January 2026, could strengthen the role of sovereignty requirements within the European Union Cybersecurity Certification Scheme for Cloud Services (EUCS), including discussion of a formal sovereignty-focused certification tier. No binding enforcement date has been set, but France's active advocacy suggests the proposal has meaningful political momentum within parts of the EU policy landscape.
Under the proposed sovereignty criteria, likely not. The requirement for protection from non-EU extraterritorial legal exposure may be difficult to satisfy for providers whose parent companies remain subject to US legislation such as the CLOUD Act. Partner-operated sovereign cloud models, such as Bleu in France or Delos Cloud in Germany, are designed to strengthen operational sovereignty, but some analysts argue they do not fully eliminate the structural legal exposure associated with US parent ownership. Discussions surrounding EUCS sovereignty requirements have consistently highlighted this distinction between operational control and legal jurisdiction.
NIS2 does not currently mandate a specific cloud certification tier. However, its supply chain security obligations require French entities in essential and important sectors to assess and manage the risk posed by their ICT providers — including GRC platforms. If CSA2 adopts a sovereignty tier and it is referenced in NIS2 implementing acts or French national transposition measures, sovereign certification could become a de facto supply chain requirement.
If your GRC platform is provided by a company headquartered outside the EU, or if its infrastructure runs on US-parented hyperscaler cloud services, it is likely to fall short of the proposed EUCS sovereignty tier. The key questions are: Where is the provider legally domiciled? Is it subject to non-EU extraterritorial data access law? Where is your GRC data stored and processed? Can you audit the provider independently?
Sovereign GRC Infrastructure means a platform that can be deployed in your environment, under your data residency requirements, without dependence on a foreign-controlled cloud. It includes support for air-gapped networks, on-premises or EU-hosted deployments, OT and legacy system integration, and compliance evidence management that does not require data to leave your controlled environment. Platforms like 6clicks are designed for this from the ground up, not retrofitted from a public SaaS architecture.
Next step: join the virtual series on GRC that works where others can't
For EU and UK compliance and security leaders, 6clicks is running the virtual series GRC that works where others can't, a programme built specifically for organisations navigating sovereign GRC requirements under NIS2, DORA, and the evolving CSA2 proposal.
Register for the EU and UK sessions to explore:
- How sovereign GRC infrastructure differs from standard cloud GRC tools.
- What NIS2 and DORA supply chain obligations mean for your GRC stack.
- How to assess your current posture and close the gaps before CSA2 tightens.
Register now or book a GRC Maturity Working Session tailored to your French regulatory obligations: go.6clicks.com/grc-maturity-working-session-france
Always audit-ready. Deploy on your terms, not ours.