The French government has selected Scaleway, a domestic cloud provider owned by Iliad, to host its national Health Data Hub starting in 2026, replacing Microsoft Azure. The decision marks the culmination of a years-long struggle over digital sovereignty and US law enforcement access, and it strips Microsoft of one of Europe’s most strategically sensitive public-sector cloud contracts.

The Health Data Hub is a platform designed to aggregate anonymized health data from across France’s public health system—hospital stays, medical procedures, reimbursement records, and eventually genomics—into a single research-friendly repository. Since its launch in 2019, it has been embroiled in political and legal fights precisely because its initial choice of Azure put it under potential US jurisdiction via the CLOUD Act. After multiple temporary fixes, France is now severing that link for good.

Why the Health Data Hub became a lightning rod

The Health Data Hub was pitched as the crown jewel of France’s artificial-intelligence strategy for healthcare. By pooling real-world data from 67 million citizens, it would allow public researchers and private partners to train AI models, improve diagnostics, and streamline clinical trials. The project’s ambitions were vast, but so was the backlash.

Privacy advocates and European regulators immediately flagged that storing such data with Microsoft, a US-headquartered company, exposed it to extraterritorial surveillance. Under the 2018 CLOUD Act, US authorities can compel US-based tech firms to hand over data stored anywhere in the world. Even though data at rest was encrypted and held in Azure data centers in France, critics argued that administrative access, cryptographic key management, and support processes could still be exploited.

The French data protection authority (CNIL) issued early warnings, and in 2020 the Conseil d’État—France’s highest administrative court—ordered the government to find a solution that would shield the data from US legal reach. France struck a temporary deal with Microsoft to implement additional legal and technical safeguards, including a third-party trust model, but the arrangement was never considered permanent. Parliamentarians, health-sector unions, and European Data Protection Supervisor Wojciech Wiewiórowski continued to press for a European cloud provider.

The Scaleway solution: sovereign by design

Scaleway, founded in 1999 and acquired by Xavier Niel’s Iliad group in 2018, is a pure-play European cloud operator. It runs its own data centers in France (and elsewhere in Europe), develops its own orchestration software, and holds the coveted SecNumCloud 3.2 qualification from ANSSI, France’s cybersecurity agency. That certification mandates strict controls over data locality, administrative access, and immunity from non‑EU laws—criteria that Amazon, Microsoft, and Google have struggled to meet without joint ventures or elaborate legal carve-outs.

Scaleway will build a dedicated, air-gapped Health Data Hub environment that physically isolates the platform from any infrastructure governed by US law. All operations—patching, monitoring, and disaster recovery—will be performed by vetted French citizens on French soil, under continuous audit by ANSSI. The contract, valued at several tens of millions of euros over its lifetime, also includes a requirement for geo‑redundancy across at least two French regions, ensuring that even a regional outage cannot force a failover to non‑EU jurisdictions.

Microsoft’s long quest to win European trust

Losing the Health Data Hub is a symbolic and commercial blow for Microsoft, which has invested heavily in convincing European governments that its cloud can be “sovereign.” In 2021, the company launched Microsoft Cloud for Sovereignty, a set of policy-driven controls, encryption keys held in customer-managed hardware security modules, and transparency logs. It also created a “EU Data Boundary” that promised to store and process customer data within the EU by 2022, with professional services data migrating inside the boundary by the end of 2023.

For the Health Data Hub, Microsoft reportedly proposed an enhanced version of its existing safeguards, including a “confidential clean room” architecture that would allow researchers to query sensitive datasets without ever seeing raw data. But French negotiators ultimately decided that no contractual addendum could override the CLOUD Act’s legal obligations. A Microsoft spokesperson declined to comment on the specifics of the decision but noted that the company remains committed to meeting European sovereignty requirements through ongoing investments.

The setback may prompt Microsoft to accelerate its hybrid-sovereign partnerships, such as the one it already operates with Deutsche Telekom in Germany or with Orange in France. Yet it also exposes a fundamental tension: as long as US law applies to the parent company, no fully owned US hyperscaler can offer absolute legal sovereignty on its own.

How the EU’s regulatory arc is bending away from US clouds

The Health Data Hub migration is not an isolated event. It mirrors a broader European push to untangle critical digital infrastructure from non‑EU jurisdictions, driven by three overlapping regulatory currents:

  • EUCS (European Cybersecurity Certification Scheme for Cloud Services). The ongoing revision of the scheme will likely require high‑assurance services to be immune from non‑EU law, effectively creating a “sovereign tier” that only European-headquartered providers can fill.
  • GAIA‑X. The EU-backed initiative to build a federated, interoperable data infrastructure has moved slowly, but its conceptual framework—emphasizing data sovereignty, portability, and open standards—has influenced national procurement criteria.
  • EHDS (European Health Data Space). Once enacted, this regulation will create a legal framework for cross‑border sharing of health data for research, innovation, and policy. National implementations, like France’s, will be templates for how others handle the tension between openness and sovereignty.

Other European countries are watching closely. Belgium’s Health Data Authority is architecting its own platform and has explicitly ruled out non‑European cloud providers for certain processing tiers. Germany’s statutory health insurers are moving claims data onto locally operated OpenStack infrastructure. Even the European Commission’s own cloud initiatives, such as the EU Digital COVID Certificate gateway, have been built on European cloud stacks where possible.

Practical migration challenges: moving 70 petabytes of health data

Technically, migrating a platform of this scale is a multi‑year effort. The Health Data Hub already holds over 70 petabytes of structured and unstructured data, sourced from SNIIRAM (the national health insurance claims database), PMSI (hospital discharge summaries), cancer registries, and an expanding catalogue of research cohorts. Any migration must preserve strict pseudonymization, keep research projects running, and satisfy a user base of more than 200 accredited public‑interest projects.

Scaleway will need to replicate the data-lake architecture originally built on Azure Data Lake Storage Gen2, Azure Databricks, and Synapse Analytics. The provider is expected to leverage its existing big‑data services—including its managed Kubernetes, object storage, and Apache Spark on Kubernetes—together with open‑source analytics frameworks to avoid lock‑in. The government’s tender requires a like‑for‑like replacement of all analytical tools, with a strong preference for open‑source and open‑standard stacks such as MinIO, Trino, and MLflow.

The cutover window is planned for late 2025 into mid‑2026, with full network isolation tests and a parallel-run phase to ensure data integrity. French officials have promised that every step will be audited by both CNIL and ANSSI, and that research continuity will be maintained through a gradual workload migration rather than a hard switchover.

What this means for health‑data startups and researchers

For the hundreds of academic teams and private‑sector partners using the Health Data Hub, the move to a sovereign cloud is a mixed blessing. On one hand, it provides long‑term legal certainty that their projects won’t be derailed by sudden jurisdictional rulings. On the other, it forces them to rewrite data pipelines and retrain on a new analytics stack.

Scaleway has already begun engaging with research consortia to understand their tooling requirements. Some popular Azure‑native services—such as Azure Machine Learning—will have to be replaced by open equivalents. The provider has signaled it will offer “compatibility bridges” for common data formats and SQL dialects, but researchers will still face a learning curve.

Startups that spun out of the Health Data Hub ecosystem, particularly those in medical imaging and natural‑language processing on clinical notes, are anxious about potential service disruptions. Industry association France Biotech has called for a government‑funded transition support program, similar to the aid packages provided when the platform first launched.

The new European cloud procurement playbook

Procurement lawyers say the Health Data Hub contract will serve as a template for how governments can legally require sovereign clouds without breaching WTO government‑procurement rules. The French tendering authority, DSI (Direction des Services Informatiques), structured the call such that the “imperative requirement” of immunity from foreign law is framed as a technical security measure rather than a nationality exclusion, circumventing challenges under the GPA (Agreement on Government Procurement).

The approach has already been replicated: the French tax authority (DGFiP) is using similar criteria in tenders for a new data‑analytics platform, and the defence ministry’s “Artemis” cloud is being built on a SecNumCloud‑certified infrastructure by Thales and Capgemini.

For US hyperscalers, the writing is on the wall: to compete for Europe’s most sensitive workloads, they must either form joint ventures that cede operational control to European entities—as AWS is doing with its “European Sovereign Cloud” in Germany—or accept a secondary role providing foundational technology to European integrators.

Microsoft’s strategic recalibration

In the wake of the Health Data Hub loss, Microsoft is expected to double down on its country‑specific sovereign‑cloud partnerships. The company already works with T‑Systems in Germany on a sovereign cloud that places encryption keys in the hands of a German trustee. In France, a similar model with Orange Business Services could emerge, although Orange has also been building its own sovereign‑cloud platform, Bleu, together with Capgemini.

Microsoft may also pivot to a hybrid‑sovereign narrative, emphasizing that it can deliver “technical sovereignty” even if legal sovereignty remains elusive. Its confidential‑computing capabilities, built on AMD SEV‑SNP and Intel TDX, allow data to remain encrypted during processing—a feature that could satisfy some regulators’ requirements without changing the legal domicile of the cloud provider.

Analysts at Forrester and Gartner have noted that the Health Data Hub decision will accelerate “sovereign cloud” as a procurement checkbox across the EU. Microsoft is still likely to retain the vast majority of less‑sensitive government workloads, but the high‑stakes, high‑visibility health sector may increasingly be served by local champions.

Scaleway’s rise and the consolidation of European cloud

For Scaleway, the Health Data Hub contract is a watershed. The company has long positioned itself as a “cloud for developers” with a strong focus on ARM‑based bare‑metal servers and open‑source tooling, but it lacked the large‑scale public‑sector reference that its competitors OVHcloud and Outscale (Dassault Systèmes) had secured. With a marquee health data project now in its portfolio, Scaleway is likely to see increased interest from other European national health authorities and cross‑border research organizations.

The win also cements Iliad’s strategy of building a vertically integrated European cloud stack. Alongside Scaleway, Iliad owns the European IP‑transit network Core‑Backbone and has invested in underwater cables like Dunant and Amitie. Together, these assets can offer end‑to‑end sovereign connectivity and storage without touching non‑EU networks—a compelling proposition for Europe’s post‑Schrems II legal landscape.

What happens next

The full migration is slated for completion by mid‑2026, but the first projects are expected to move onto Scaleway infrastructure in late 2025. In the interim, the Health Data Hub will continue operating on Azure under the existing interim legal shield, which expires when the new platform goes live.

European watchdogs will scrutinize every step. The European Data Protection Board has already signaled it intends to use the French project as a benchmark for evaluating whether member states are meeting their obligation to keep sensitive data out of third‑country hands. Success could inspire a wave of similar migrations; failure would be a cautionary tale about the difficulty of disentangling from hyperscaler ecosystems.

France’s Health Data Hub project, once a symbol of transatlantic friction, is about to become a real‑world test of whether Europe can build a cloud infrastructure that is both world‑class and genuinely sovereign. The outcome will shape not just the future of health research, but the entire EU cloud market for years to come.