CSA2 is raising the stakes on sovereignty and French enterprises are taking notice

TL;DR

  • The EU Cybersecurity Act recast (CSA2), proposed January 2026, would reinstate a formal sovereignty tier in the European Union Cybersecurity Certification Scheme for Cloud Services (EUCS) — one that requires EU headquarters, EU data localisation, and immunity from non-EU law.
  • France is actively leading the push to reinstate these requirements, which were dropped under diplomatic pressure in the March 2024 EUCS draft.
  • If adopted, no US-parented cloud provider, including those operating partner-managed sovereign enclaves, would qualify for the highest EUCS tier.
  • French enterprises in regulated sectors should audit their GRC tool supply chain now, before certification requirements harden into procurement mandates.
  • If your GRC platform is hosted or controlled outside the EU, consider platforms that already support air-gapped and EU-hosted deployments, such as 6clicks.
  • Join the virtual series GRC that works where others can't (EU and UK sessions) to explore what sovereign GRC infrastructure means in practice.

The EU is redrawing the line on cloud sovereignty — and US-parented GRC tools may not make the cut

The proposed recast of the EU Cybersecurity Act (CSA2), advanced in January 2026, would formally introduce a sovereignty certification tier that US-parented cloud providers are structurally unable to achieve. If you are a French enterprise relying on a US-headquartered Governance, Risk, and Compliance (GRC) platform, this is not a distant regulatory risk: it is a procurement decision you may need to revisit now.

Who this is for: CISOs, Data Protection Officers (DPOs), and heads of compliance at French enterprises in financial services and critical infrastructure navigating NIS2, DORA, and the evolving EU cloud certification landscape.

Why CSA2 matters right now for French enterprises

The European Union Cybersecurity Certification Scheme for Cloud Services has been in development since 2020. A controversial draft published in March 2024 removed the sovereignty tier following pressure from the United States government and US technology companies, effectively allowing US cloud providers to retain access to European public sector and critical infrastructure contracts at all tiers.

France never accepted that outcome. France's national cybersecurity agency, ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information), and the French government have consistently argued that genuine sovereignty requires more than contractual assurances: it requires that a provider's parent company be immune from extraterritorial legal orders, including the US CLOUD Act.

The CSA2 proposal, tabled in January 2026, signals that France's position is gaining ground. If the sovereignty tier is formally adopted into the EUCS framework, it would create a two-track European cloud market: providers with EU-native governance and data residency on one track, and everyone else on the other.

For GRC specifically, this matters enormously. GRC platforms sit at the heart of an organisation's compliance evidence, risk data, and audit trails. If the platform itself cannot be certified as sovereign, using it to demonstrate compliance with NIS2 or DORA becomes a structural contradiction.

(Source: European Union Agency for Cybersecurity (ENISA), EUCS documentation; French government position papers on EUCS sovereignty tier, 2024 and 2025.)

What the CSA2 sovereignty tier would actually require

Under the proposed sovereignty tier, a qualifying cloud provider must:

  1. Be headquartered in the European Union.
  2. Be free from legal obligations to a non-EU government; specifically, be immune from orders under foreign surveillance or data access legislation such as the US CLOUD Act.
  3. Store and process all data exclusively within the EU.
  4. Operate with governance structures that cannot be overridden by a non-EU parent company.

This is not a documentation requirement. It is a structural one. A US-parented company operating a European subsidiary cannot satisfy point 2 or point 4, regardless of contractual commitments or local data centre presence.

Why partner-operated sovereign enclaves do not qualify

Several major US cloud providers have responded to European sovereignty concerns by launching partner-operated cloud models. Microsoft operates Bleu in France (with Capgemini and Orange) and Delos Cloud in Germany. Google has similar arrangements.

These models are a commercial acknowledgement that US-parented providers cannot deliver true operational sovereignty internally. However, they do not resolve the legal immunity requirement. The underlying intellectual property, licensing, and legal exposure remain tied to the US parent. Under a strict CSA2 sovereignty tier reading, these structures would not qualify.

(Source: Julien Simon, "Two sovereign clouds, one legal wall," Medium, 2026.)

How NIS2 and DORA amplify the CSA2 exposure for French enterprises

NIS2 is already in force

The NIS 2 Directive (EU) 2022/2555 has been in force since January 2023, with member state transposition required by October 2024. French enterprises in essential and important sectors, including energy, financial market infrastructure, banking, health, and digital infrastructure, are now subject to mandatory risk management measures, supply chain security obligations, and incident reporting requirements.

Supply chain security under NIS2 explicitly covers ICT service providers, including GRC platforms. An organisation that cannot demonstrate the sovereignty and security of its GRC tooling may find itself unable to satisfy NIS2 audit requirements.

DORA adds a financial services layer

The Digital Operational Resilience Act (DORA) applies directly to financial entities and their critical ICT third-party providers from January 2025. For French banks, insurers, investment firms, and payment institutions, DORA requires:

  • Full contractual visibility over ICT third-party providers.
  • The right to audit those providers.
  • Demonstrable data localisation and access controls.

A GRC platform that cannot provide audit rights or demonstrate EU data residency is not DORA-compliant as a third-party ICT provider. Combined with CSA2's proposed sovereignty tier, the regulatory trajectory is clear: EU-certified, EU-native GRC infrastructure is moving from a differentiator to a requirement.

What French enterprises should do before CSA2 is adopted

1. Audit your GRC supply chain

Map every tool in your governance, risk, and compliance stack. For each tool, document:

  • Where data is stored and processed.
  • Where the provider is headquartered.
  • Whether the provider or its parent is subject to non-EU extraterritorial law.
  • What your contract says about audit rights, data access, and termination.

This audit should be conducted now, before CSA2 adopts binding certification tiers. If your regulator asks about supply chain security under NIS2 today, you need these answers.

2. Identify certification exposure

If you are in a sector likely to be required to procure EUCS-certified tools — public sector, defence, critical infrastructure, regulated financial services — begin mapping which of your current tools would fall short of the proposed sovereignty tier. Transition timelines for enterprise GRC platforms are measured in quarters, not weeks.

3. Evaluate sovereign-native alternatives

Not all GRC platforms are structurally equal. Sovereign GRC Infrastructure, meaning platforms designed from the outset to support air-gapped, EU-hosted, OT, legacy, and hybrid deployments, exists now. These platforms can connect to environments that standard cloud GRC tools cannot reach, and they can be deployed on your terms, not the vendor's.

The phrase "Deploy on your terms. Not ours." is not a marketing position. For French enterprises under NIS2 and DORA, it is an operational and legal requirement taking shape in regulation.

How 6clicks helps French enterprises navigate CSA2 and sovereign GRC

6clicks is built as Sovereign GRC Infrastructure across three layers:

  • Sovereign Infrastructure: 6clicks supports EU-hosted, air-gapped, and hybrid deployments. Your data stays where your regulations require it to stay. The platform can be deployed in environments that US SaaS-only competitors cannot reach.
  • GRC Core: Pre-built frameworks covering NIS2, DORA, ISO 27001, and EU-specific regulatory requirements. Both manual and automated evidence collection are first-class functions — the platform does not assume your environment is fully automated.
  • Agentic Connectivity: AI-assisted compliance automation that operates within sovereign deployment options, not as a dependency on external cloud inference. This is not generic artificial intelligence (AI) as a service — it is agentic automation designed for organisations that cannot send sensitive compliance data to a public cloud.

GRC that works where others can't is not a slogan for 6clicks. It is a description of the environments (air-gapped government networks, OT systems in critical infrastructure, legacy estates in regulated financial services) where the platform is already operating.

French enterprises that need to demonstrate NIS2 and DORA compliance, and that anticipate CSA2 sovereignty tier requirements, can book a GRC Maturity Working Session to assess their current posture against the emerging regulatory landscape: https://go.6clicks.com/grc-maturity-working-session-france

Frequently asked questions

The EU Cybersecurity Act (CSA) was originally adopted in 2019 and established the EU Agency for Cybersecurity (ENISA) as a permanent agency while creating a framework for voluntary EU-wide cybersecurity certification schemes. The CSA2 recast, proposed in January 2026, would update this framework to introduce a formal sovereignty certification tier within the EUCS. No binding enforcement date has been set, but France's active advocacy means the proposal has real political momentum within the EU Council.

Under the proposed sovereignty tier definition, no. The requirement for immunity from non-EU extraterritorial law cannot be satisfied by a provider whose parent company is subject to US federal legislation such as the CLOUD Act. Partner-operated sovereign cloud models (such as Bleu in France or Delos Cloud in Germany) are commercial workarounds, but they do not resolve the structural legal exposure of the US parent. ENISA's own technical guidance has consistently flagged this distinction.

NIS2 does not currently mandate a specific cloud certification tier. However, its supply chain security obligations require French entities in essential and important sectors to assess and manage the risk posed by their ICT providers — including GRC platforms. If CSA2 adopts a sovereignty tier and it is referenced in NIS2 implementing acts or French national transposition measures, sovereign certification could become a de facto supply chain requirement. The direction of travel is clear even before that step.

If your GRC platform is provided by a company headquartered outside the EU, or if its infrastructure runs on US-parented hyperscaler cloud services, it is likely to fall short of the proposed EUCS sovereignty tier. The key questions are: Where is the provider legally domiciled? Is it subject to non-EU extraterritorial data access law? Where is your GRC data stored and processed? Can you audit the provider independently?

Sovereign GRC Infrastructure means a platform that can be deployed in your environment, under your data residency requirements, without dependence on a foreign-controlled cloud. It includes support for air-gapped networks, on-premises or EU-hosted deployments, OT and legacy system integration, and compliance evidence management that does not require data to leave your controlled environment. Platforms like 6clicks are designed for this from the ground up, not retrofitted from a public SaaS architecture.

Next step: join the virtual series on GRC that works where others can't

For EU and UK compliance and security leaders, 6clicks is running the virtual series GRC that works where others can't, a programme built specifically for organisations navigating sovereign GRC requirements under NIS2, DORA, and the evolving EUCS landscape.

Register for the EU and UK sessions to explore:

  • How sovereign GRC infrastructure differs from standard cloud GRC tools.
  • What NIS2 and DORA supply chain obligations mean for your GRC stack.
  • How to assess your current posture and close the gaps before CSA2 tightens.

Register now or book a GRC Maturity Working Session tailored to your French regulatory obligations: go.6clicks.com/grc-maturity-working-session-france
