OVHcloud EU Alternative 2026 — SecNumCloud, CLOUD Act Immunity & IaaS Data Sovereignty
Post #3 in the sota.io EU Cloud Infrastructure Providers Series
OVHcloud SAS (Roubaix, France, founded 1999, Euronext IPO 2021) is the largest EU-headquartered cloud infrastructure provider by physical server count — and holds France's highest cloud security qualification: SecNumCloud from ANSSI (Agence nationale de la sécurité des systèmes d'information). In our five-dimension CLOUD Act risk framework, OVHcloud scores 1/25 versus AWS's 23/25.
That single point reflects a practical reality: OVHcloud operates data centres in Canada, the United States, and Singapore alongside its European core. For EU-only deployments, the effective exposure is 0/25. This post dissects why, identifies three named risk patterns DevOps teams must understand, and provides a service-by-service AWS-to-OVHcloud migration reference.
The Five-Dimension CLOUD Act Risk Framework
We evaluate every provider on five equal dimensions (0–5 per dimension, lower = less exposure):
| Dimension | OVHcloud (EU DCs) | AWS | Azure | GCP |
|---|---|---|---|---|
| Legal Jurisdiction | 0 | 5 | 5 | 5 |
| Corporate Structure | 1 | 5 | 4 | 4 |
| Data Access Agreements | 0 | 4 | 4 | 3 |
| Metadata Processing | 0 | 5 | 5 | 5 |
| Employee Access Controls | 0 | 4 | 4 | 4 |
| TOTAL | 1/25 | 23/25 | 22/25 | 21/25 |
Legal Jurisdiction (0/5): OVHcloud SAS is incorporated under French commercial law (Code de commerce). French courts — not US district courts — have jurisdiction. The US CLOUD Act (18 U.S.C. § 2713) applies to "providers of electronic communication service or remote computing service" that are US persons or US-incorporated entities. OVHcloud is neither. French law governs, CNIL (Commission Nationale de l'Informatique et des Libertés) regulates, and the Conseil d'État adjudicates disputes.
Corporate Structure (1/5): The one-point deduction reflects OVHcloud's global DC footprint. OVH Groupe SAS (parent) is French. OVHcloud SAS (operational entity) is French. However, OVHcloud US, LLC exists as a Delaware-registered subsidiary to operate the Hillsboro, Oregon DC. Under the CLOUD Act's extraterritorial principle, a US-incorporated subsidiary operating US infrastructure could theoretically receive US government data demands for data held in that subsidiary's custody — even if the customer chose EU regions. For EU-only region deployments, this risk is ring-fenced. For mixed-region deployments, it requires contractual clarification.
Data Access Agreements (0/5): OVHcloud's Data Processing Agreement (DPA) explicitly incorporates Standard Contractual Clauses (SCCs) per GDPR Art. 46(2)(c), and for SecNumCloud-qualified services, the ANSSI qualification framework prohibits non-French-law data access without explicit customer consent. The French Blocking Statute (Loi n° 68-678 du 26 juillet 1968, as amended by Loi n° 80-538) further criminalises compliance with foreign discovery orders without diplomatic routing — making US-government data demands legally impossible to honour without French Ministry of Justice authorisation.
Metadata Processing (0/5): OVHcloud's EU DCs process metadata (API calls, billing events, access logs) within France and EU jurisdictions. Unlike US hyperscalers whose global control planes route all management-plane traffic through US data centres, OVHcloud's API gateway for EU regions is hosted in Gravelines and Strasbourg. No metadata transits US infrastructure for EU-only accounts.
Employee Access Controls (0/5): SecNumCloud qualification (OVHcloud earned this for its Hosted Private Cloud offer) mandates that personnel with privileged access to customer data must hold French security clearances (habilitation). Non-EU nationals require explicit customer approval for access. This exceeds any comparable US hyperscaler control.
OVHcloud vs. the EU Cloud Infrastructure Series
| Provider | HQ | Legal Entity | CLOUD Act Score | SecNumCloud |
|---|---|---|---|---|
| OVHcloud | Roubaix, FR | OVHcloud SAS | 1/25 | ✅ ANSSI Qualified |
| Scaleway | Paris, FR | Scaleway SAS | 1/25 | ❌ Not certified |
| Hetzner | Gunzenhausen, DE | Hetzner Online GmbH | 0/25 | ❌ Not certified |
| AWS | Seattle, WA | Amazon.com Inc. | 23/25 | ❌ |
| Azure | Redmond, WA | Microsoft Corp. | 22/25 | ❌ |
| GCP | Mountain View, CA | Alphabet Inc. | 21/25 | ❌ |
OVHcloud, with its SecNumCloud qualification, is the only CLOUD Act-immune option that also satisfies ANSSI's highest security standard — relevant for French public sector, NIS2 Essential Service Operators, and any EU organisation processing data classified as "diffusion restreinte."
Three Named Risk Patterns
Pattern 1: French Blocking Statute Shield Pattern
Mechanism: The Loi de blocage (1968/1980) makes it a criminal offence under French law to communicate economic, commercial, industrial, financial, or technical documents or information to foreign authorities without going through French diplomatic channels. Any US DOJ or FBI request for OVHcloud customer data must route through the MLAT (Mutual Legal Assistance Treaty) process between the US Department of Justice and the French Ministry of Justice — a process that takes 6–18 months and requires French judicial authorisation.
SecNumCloud Layer: For SecNumCloud-qualified OVHcloud services, the ANSSI qualification framework adds a second shield: any foreign access request must be disclosed to ANSSI, which can intervene to protect national security interests. This creates a dual-authority barrier (Loi de blocage + ANSSI oversight) that has no equivalent in UK, German, or Dutch cloud law.
Practical implication for DevOps teams: When evaluating OVHcloud for regulated workloads (healthcare, finance, defence supply chain), document this dual-barrier in your GDPR Art. 32 security analysis. The French Blocking Statute is a structural legal control, not a contractual clause — it cannot be waived by a DPA addendum.
Pattern 2: Sovereign Namespace Isolation Pattern
Mechanism: OVHcloud's core product — dedicated servers (Bare Metal) — provides physical isolation impossible to replicate in shared-tenancy hyperscaler environments. When you rent an OVHcloud Bare Metal server in the GRA (Gravelines) region, you control a physical machine in a French data centre operated by French personnel, governed by French law, with no hypervisor layer shared with other customers.
GDPR Art. 32 relevance: Article 32 requires "appropriate technical and organisational measures to ensure a level of security appropriate to the risk." Physical namespace isolation eliminates multi-tenant side-channel attacks (Spectre/Meltdown exploitation in shared hypervisors), a residual risk in all hyperscaler VMs. For processing special-category data (GDPR Art. 9) — medical records, biometric data, political opinions — dedicated infrastructure reduces residual risk scores in DPIAs.
Contrast with hyperscalers: AWS EC2 instances run on shared Nitro hypervisors. Azure VMs run on shared Hyper-V hypervisors. GCP VMs run on shared KVM hypervisors. Even with tenant isolation, the underlying silicon is physically shared. OVHcloud Bare Metal is not.
Pattern 3: Global DC Replication Risk Pattern
Mechanism: OVHcloud operates DC regions in France (Roubaix/RBX, Strasbourg/SBG, Gravelines/GRA), UK (London/LIM), Germany (Frankfurt/DE1), Canada (Beauharnois/BHS), United States (Hillsboro/IAD), and Asia (Singapore/SGP). If a customer enables cross-region replication or backup without explicit EU-only configuration, data may transit non-EU infrastructure.
Specific trigger: OVHcloud's managed services (Object Storage, Managed Databases, Hosted Private Cloud) offer cross-DC replication by default in some configurations. A Managed Kubernetes cluster with cross-region node pools that includes BHS (Canada) or IAD (US) nodes creates a GDPR Art. 44 international transfer that requires an SCC addendum.
GDPR Art. 44 analysis: Canada is an adequacy country (GDPR Art. 45 adequacy decision) — data transfer to BHS is legal without SCCs. The US is not (post-Schrems II invalidation of Privacy Shield). Transfer to IAD requires SCCs. Singapore is not an adequacy country — transfer to SGP requires SCCs.
Mitigation: Explicitly configure OVHcloud services to EU-only regions (GRA/SBG/RBX/DE1/LIM). Use OVHcloud's region-picker at deployment time. Verify Object Storage bucket region settings. Document the decision in your ROPA (Records of Processing Activities) per GDPR Art. 30.
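One way to automate the EU-only check from Pattern 3 (an added example, not OVHcloud or sota.io code): it classifies each Kubernetes node's region using the Art. 44 analysis above and reports every node outside the EU-only set, including nodes with no region label. The JSON is constructed sample data shaped like `kubectl get nodes -o json`; that node regions appear in the `topology.kubernetes.io/region` label, possibly with a numeric suffix such as `GRA7`, is an assumption.

```python
import json

# Region codes exactly as the page lists them under Pattern 3.
EU_ONLY = ("GRA", "SBG", "RBX", "DE1", "LIM")   # the page's EU-only set
ADEQUACY = ("BHS",)                              # Canada: Art. 45, no SCCs
SCC_REQUIRED = ("IAD", "SGP")                    # US, Singapore: SCCs needed
REGION_LABEL = "topology.kubernetes.io/region"   # well-known Kubernetes label


def classify(region):
    """Map a region identifier to the page's Art. 44 outcome."""
    code = (region or "").strip().upper()
    if not code:
        return "unlabelled"          # fail closed: no label means review
    if code.startswith(EU_ONLY):     # prefix match tolerates suffixes (GRA7)
        return "eu-only"
    if code.startswith(ADEQUACY):
        return "adequacy"
    if code.startswith(SCC_REQUIRED):
        return "scc-required"
    return "unknown"                 # fail closed: unlisted region


def audit_nodes(nodes_json):
    """Return (node, region, outcome) for every node that is not eu-only."""
    findings = []
    for item in json.loads(nodes_json).get("items", []):
        meta = item.get("metadata", {})
        region = (meta.get("labels") or {}).get(REGION_LABEL)
        outcome = classify(region)
        if outcome != "eu-only":
            findings.append((meta.get("name", "?"), region, outcome))
    return findings


# Constructed sample, shaped like `kubectl get nodes -o json`.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "pool-a-1", "labels": {REGION_LABEL: "GRA7"}}},
    {"metadata": {"name": "pool-b-1", "labels": {REGION_LABEL: "BHS5"}}},
    {"metadata": {"name": "pool-c-1", "labels": {REGION_LABEL: "IAD"}}},
    {"metadata": {"name": "pool-d-1", "labels": {}}},
]})

if __name__ == "__main__":
    for name, region, outcome in audit_nodes(SAMPLE):
        print(f"{name}\t{region}\t{outcome}")
```

An empty result from `audit_nodes` means every node carries an EU-only region label; any `scc-required`, `unknown` or `unlabelled` row is a finding to resolve before recording the deployment in the ROPA.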
AWS → OVHcloud Migration Table
| AWS Service | OVHcloud Equivalent | CLOUD Act Delta |
|---|---|---|
| EC2 (instances) | Bare Metal / VPS (Public Cloud Instances) | 23→1 |
| S3 | Object Storage (OpenStack Swift-compatible) | 23→1 |
| EKS | OVHcloud Managed Kubernetes | 23→1 |
| RDS | Managed Databases (MySQL/PostgreSQL/MongoDB) | 23→1 |
| Lambda | OVHcloud Functions (beta) | 23→1 |
| CloudFront | CDN (powered by OVHcloud PoPs) | 23→1 |
| Route 53 | OVHcloud DNS | 23→1 |
| VPC | vRack (private network backbone) | 23→1 |
| IAM | OVHcloud IAM (granular scopes) | 23→1 |
| ECR | OVHcloud Harbor Registry | 23→1 |
| DynamoDB | No direct equivalent → use managed Cassandra/Redis | 23→1 |
| CloudWatch | Grafana / Prometheus (OVHcloud Logs Data Platform) | 23→1 |
| Elastic Load Balancer | OVHcloud Load Balancer / HAProxy managed | 23→1 |
| SageMaker | AI Endpoints (GPU cloud H100/A100 in GRA/SBG) | 23→1 |
| Secrets Manager | Vault (customer-managed) / OVHcloud Secret Manager (beta) | 23→1 |
SecNumCloud — What It Means for Compliance Teams
ANSSI's SecNumCloud qualification (Référentiel de qualification des prestataires de service d'informatique en nuage, v3.2) is the most rigorous cloud security certification in the EU. Key requirements:
- Art. 19.6: Provider must ensure that cloud operator personnel with privileged access hold French security clearances or are EU nationals approved by the customer
- Art. 27.1: Provider must maintain a dedicated Security Operations Centre (SOC) with French-resident analysts
- Art. 19.4: All cryptographic key management must remain under EU legal jurisdiction
- Governance requirement: Provider's governing law and dispute resolution must be EU-only — no US-law arbitration clauses
For French public sector clients (Opérateurs de Services Essentiels under NIS2, central government, healthcare via HDS certification), SecNumCloud is often a procurement requirement, not just a preference. OVHcloud's Hosted Private Cloud offer is the primary SecNumCloud-qualified product.
HDS certification (Hébergement de Données de Santé) — OVHcloud is HDS-certified, meaning it can host French healthcare data (dossier médical partagé, EHPAD records) in compliance with French health data law (Code de la santé publique L.1111-8).
EU-Native IaaS Stack for GDPR-Critical Workloads
For teams that need zero CLOUD Act exposure and EU-only data processing:
| Layer | OVHcloud Option | Alternative EU Option |
|---|---|---|
| Compute | Bare Metal / Public Cloud Instances | Hetzner Dedicated, Scaleway Elastic Metal |
| Storage | Object Storage (S3-compatible) | Hetzner Storage Box, Scaleway Object Storage |
| Orchestration | Managed Kubernetes | Scaleway Kapsule, Hetzner K3s |
| Network | vRack private network | Hetzner vSwitch |
| AI/GPU | H100/A100 GPU Cloud | Scaleway H100, IONOS GPU |
| Security | ANSSI SecNumCloud (unique) | ISO 27001 + BSI C5 (Hetzner/IONOS) |
Cost comparison (EU mid-tier, 1 vCPU, 2 GB RAM, 80 GB SSD):
| Provider | Monthly Cost | CLOUD Act Score | SecNumCloud |
|---|---|---|---|
| OVHcloud VPS Starter | ~€5.99 | 1/25 | ❌ (VPS tier) |
| Scaleway DEV1-S | ~€7.99 | 1/25 | ❌ |
| Hetzner CX22 | ~€5.99 | 0/25 | ❌ |
| AWS t3.micro (eu-west-1) | ~€9.20 | 23/25 | ❌ |
| Azure B1s (westeurope) | ~€10.80 | 22/25 | ❌ |
Deployment Decision Framework
Choose OVHcloud when:
- You need SecNumCloud qualification (French public sector, NIS2 critical infrastructure, HDS healthcare)
- Physical isolation (Bare Metal) is a security requirement
- You want ANSSI-backed SOC monitoring included
- Your DPO requires a French-law DPA with Loi de blocage contractual confirmation
Choose Hetzner when:
- You need the absolute lowest CLOUD Act score (0/25)
- Cost optimisation is primary
- German BSI C5 certification is preferred over French ANSSI
Choose Scaleway when:
- You need GPU compute at scale (H100 clusters)
- Serverless Functions + Containers are in scope
- French jurisdiction with developer-friendly DX is priority
Stay with AWS/Azure/GCP when:
- Existing workloads cannot be migrated (proprietary services: SageMaker Autopilot, Azure OpenAI Service, Google Vertex AI)
- Global multi-region latency SLAs require hyperscaler PoP density
- SOC2 Type II + FedRAMP is a customer requirement (US government contracts)
GDPR Art. 28 Processor Assessment Checklist
Before engaging OVHcloud as a data processor under GDPR Art. 28:
- Confirm chosen region is EU-only (GRA/SBG/RBX/DE1/LIM) — verify in OVHcloud Control Panel → Region
- Sign OVHcloud DPA with SCCs (available at trust.ovhcloud.com)
- Verify Object Storage bucket region: `openstack endpoint list | grep object-store`
- Audit Managed Kubernetes node pool regions: `kubectl get nodes -L topology.kubernetes.io/region`
- For healthcare: verify HDS certification scope covers your service tier
- For SecNumCloud: confirm Hosted Private Cloud offer is in scope (not standard VPS)
- Add OVHcloud to ROPA Art. 30 with legal basis: Art. 28 DPA + SCCs (for UK/non-EU customer access if applicable)
- Set up CNIL notification path: ovh-dpo@ovhcloud.com for breach notifications >72h
Conclusion: OVHcloud's Unique Position
OVHcloud occupies a unique position in the EU cloud market: it is the only EU-native IaaS provider with both a CLOUD Act-immune legal structure (1/25) and ANSSI SecNumCloud qualification — the EU's most demanding cloud security standard. For French organisations and EU entities handling regulated data, this combination is unmatched.
The three named risk patterns — French Blocking Statute Shield, Sovereign Namespace Isolation, and Global DC Replication Risk — define the practical governance boundaries. Document them in your DPIA and ROPA, configure EU-only regions, and OVHcloud becomes one of the lowest-risk IaaS options available to European engineering teams.
Next in the EU Cloud Infrastructure series: IONOS Cloud (DE) — German IaaS under BSI C5, CLOUD Act immunity, and the hybrid-cloud Deutsche Telekom angle.