France has chosen Scaleway, the French cloud provider owned by Iliad, to host its national Health Data Hub from 2026, bringing a definitive end to four years of legal and political wrangling over the platform’s reliance on Microsoft Azure. The decision marks one of Europe’s most significant public-sector rejections of a US hyperscaler on data sovereignty grounds—and a potential turning point for how governments weigh the risks of extraterritorial data access laws.
The Concrete Shift: France’s Health Data Hub Finds a New Home
The Health Data Hub (HDH) is a flagship digital health project launched in 2019 to centralize anonymized medical data from France’s national health system, enabling large-scale research and AI development. Until now, it has operated entirely on Microsoft Azure infrastructure, with data stored in Azure’s Paris region.
That arrangement is set to change. According to French government announcements, the contract to host the HDH will migrate to Scaleway, a cloud provider owned by telecommunications group Iliad and headquartered in France. The transition is scheduled for 2026, giving the parties a multi-year window to plan a careful migration of sensitive datasets and the platform’s applications.
Scaleway, which operates data centers in France and other European locations, already promotes itself as a “sovereign cloud” alternative—offering services that comply with European data protection rules and claiming that customer data remains under French law without exposure to foreign surveillance acts. The company also runs a “cloud de confiance” initiative, aligning with French government strategies to reduce dependency on US tech giants for critical infrastructure.
Details of the procurement remain thin, including the contract’s financial value and the exact technical architecture Scaleway will provide. But the direction of travel is clear: France is moving its most sensitive health data pool onto infrastructure that it asserts is legally insulated from the reach of the US Cloud Act.
Why You Should Care About This Cloud Migration
For the average Windows user or IT professional, this move may seem like a distant, niche government procurement story. Its implications, however, extend far beyond French healthcare.
For CIOs and compliance officers: The HDH exit signals that even longstanding, technically well-established cloud deployments can be unwound when sovereignty risks become politically untenable. Organizations managing sensitive data—health, financial, defense—should note that the “it’s too hard to migrate” argument loses force when governments themselves lead the way. If you’re locked into a hyperscaler contract, it’s worth revisiting your exit strategy and evaluating sovereign cloud options as potential future alternatives.
For Microsoft and its ecosystem: Azure’s loss of such a high-profile government deal is more than a financial blow—it’s a reputational signal. Microsoft has invested heavily in “EU Data Boundary” commitments and plans to store and process all European data within the EU even for technical support interactions. Yet France’s action suggests that for the most sensitive workloads, those steps may not be enough. Partners and customers running on Azure might see this as a reminder to ensure contractual protections against extraterritorial access.
For French citizens and patients: The tangible impact is privacy assurance. With a French cloud provider subject only to EU and French law, the risk of US authorities accessing health data via the Cloud Act decreases—at least in theory. However, the practical effect for an individual patient is invisible; research projects using the HDH will continue, and data access will still be tightly regulated. The main shift is the legal jurisdiction controlling the physical infrastructure.
For the broader cloud market: This sets a precedent. Other EU member states, already grappling with similar sovereignty concerns, may see France’s move as a template. We could witness a ripple effect where more public-sector workloads move away from US hyperscalers to local or European providers, accelerating the growth of “sovereign cloud” platforms.
A Long-Festering Privacy Dispute
The Health Data Hub’s journey from Microsoft embrace to Scaleway shift has been messy and public.
The HDH was conceived as a French answer to similar data repositories in the US and UK. It launched in December 2019 on Microsoft Azure, a choice justified at the time by Azure’s advanced analytics and AI capabilities. But almost immediately, privacy advocates, opposition politicians, and France’s own data protection authority, CNIL, raised alarms.
The core worry: data stored in Azure, even in French data centers, could be subject to access requests by US intelligence agencies under the US CLOUD Act of 2018. Although Microsoft initially claimed that its Azure service was immune because the data belonged to the French government and not Microsoft, this argument collapsed under legal scrutiny. CNIL concluded that Azure’s architecture did not prevent a US parent company from being compelled to hand over data held overseas.
Microsoft responded with a series of proposed safeguards: customer-held encryption keys, a partnership with French IT firm Capgemini to act as a local proxy for data management, and eventually the 2023 launch of “EU Data Boundary” solutions. In 2022, the company even announced it would store and process all European personal data within the EU by the end of 2023—a commitment that remains in progress.
For French authorities, however, those assurances were not enough. In 2021, the government asked the HDH board to explore alternatives and prepare a migration plan. The process dragged on, with stakeholders debating the technical feasibility of moving petabytes of data and complex machine learning pipelines to a new provider. A consortium including Thales and Google was also reportedly considered, but ultimately Scaleway won the contract.
The 2026 migration date reflects the complexity: transferring the entire platform while maintaining ongoing research operations is a major engineering feat. It also gives Scaleway time to build out the necessary infrastructure and services to match what researchers have grown accustomed to on Azure.
Action Items for Organizations and IT Decision Makers
If you’re an IT manager or compliance lead, here are practical steps to consider in light of this development:
- Audit your cloud deployments for sovereignty risk. Identify workloads that involve personal data, especially health, financial, or government-related information that could attract extraterritorial access demands. Determine if your current provider offers sufficient contractual and technical safeguards.
- Evaluate sovereign cloud alternatives. Providers like Scaleway, OVHcloud, Deutsche Telekom/T-Systems, and others now offer “sovereign” regions that claim legal insulation from US law. Understand the difference between marketing claims and verifiable technical controls—look for solutions that have been audited by national cybersecurity agencies (e.g., ANSSI’s “SecNumCloud” certification in France).
- Build a migration roadmap, even if you don’t plan to move now. France’s experience shows that a regulated migration can take years. Should your circumstances change—new legislation, a corporate restructuring, or a change in risk appetite—having a tested exit strategy reduces panic and cost.
- Re-negotiate contracts with data jurisdiction clauses. Push for clear language on where data can be stored, processed, and accessed, and demand commitments that any compelled disclosure requests will be challenged in court.
- Monitor regulatory developments. The EU Data Act, the European Data Protection Board’s guidance on the CLOUD Act, and national laws will continue to evolve. Stay informed; your compliance obligations may shift with new rulings.
For individual users and patients, there’s no immediate action to take; your data remains protected under GDPR regardless of the cloud host. But you can take comfort in the fact that your government is actively reducing foreign surveillance risks for sensitive datasets.
The Broader Outlook for Sovereign Clouds
Scaleway’s win is a milestone in the European sovereign cloud movement, but it’s unlikely to be the last such defection. Expect more EU governments and regulated industries to follow suit, creating a patchwork of regional data silos. This balkanization could increase costs for multinational organizations that must maintain multiple cloud relationships but may also spur innovation in cross-provider portability and interoperability.
For Microsoft, the challenge is acute. Azure is still the backbone for millions of European enterprise workloads, and the company will ramp up its sovereignty offerings, perhaps seeking equivalency certifications that satisfy national regulators. Ultimately, the market is speaking: when data is too sensitive to risk, even the biggest names must prove their trustworthiness—or get left behind.