We tend to think of sovereignty as a matter of territory: my machines, my land, my flag. This is an incomplete view. International law has long recognized another form of sovereignty, one that is based neither on territory nor on ownership of buildings, but on a clearly defined and watertight legal boundary. It has a name in diplomatic practice, it is enshrined in legal texts, and it works. It is useful to understand this concept before discussing the cloud, because it shows that a space can be subject to a legal framework without being physically located within the territory governed by that framework.
What the Law Already Does Beyond National Territory
An embassy is not a piece of the territory of the state that occupies it. This is a widespread belief, but it is false. The 1961 Vienna Convention on Diplomatic Relations does not state that the premises of a diplomatic mission constitute the territory of the sending state. Article 22 of the Convention states that these premises are inviolable: officials of the host State may not enter them without the consent of the head of mission. The territory remains that of the host country. What changes is who can exercise coercive power there. The host state voluntarily forgoes its police authority over an area that it continues to possess.
Diplomatic pouches follow the same logic. Article 27 provides that they may neither be opened nor detained. It may pass through several countries or transit through airports subject to different laws, without any of those jurisdictions being able to inspect it. The container moves; the legal regime follows it. It is not a protected place; it is a status that travels with the object.
Vehicles with diplomatic license plates operate in the same way. The license plate does not transfer the vehicle to another jurisdiction. It indicates that the vehicle is subject to a special regime of immunity, recognized by the host state. Status of Forces Agreements (SOFAs) go even further: they establish by treaty which law applies to the military personnel of one state stationed on the territory of another. An American base in Germany remains on German soil. The SOFA determines, on a case-by-case basis, which jurisdiction applies to personnel, offenses, and property.
None of these arrangements romanticizes anything. They are negotiated, limited, sometimes contested, and always revocable. But they establish a simple fact: a state can exercise its authority in a space that is not its territory, provided that a legal framework defines it and the other party respects it. Legal sovereignty does not require ownership of the land. It requires a defined boundary, an applicable law, and a commitment not to cross that boundary.
Transposing the Boundary, Not the Metaphor
The digital realm raises exactly the same question, stripped of its geographical context. When an organization seeks a sovereign cloud, it is not primarily looking for a physical location. It is looking for a space where the applicable law is known, and which no foreign law can reach. This is the definition of diplomatic inviolability, applied to data rather than to physical premises.
The parallel is precise on one point. Just as an embassy does not depend on territory but on status, a sovereign service does not depend on the location of the servers but on the operator’s legal affiliation and the security of the perimeter. Data hosted in France remains subject to extraterritorial law if the operator falls under a foreign jurisdiction. The U.S. CLOUD Act, passed in 2018, allows U.S. authorities to demand data held by a company under their jurisdiction, regardless of where it is stored. Location does not provide protection. The legal perimeter does, provided it is built to withstand such demands.
This is precisely what ANSSI’s SecNumCloud certification seeks to establish: a perimeter impervious to extraterritorial laws. The functional equivalent of Article 22. A space that foreign law cannot penetrate—not because it is located elsewhere, but because its status prohibits it.
What the model explains, and what it leaves out
The diplomatic model clearly illuminates one category of offerings. S3NS, a joint venture between Thales and Google, and Bleu, backed by Capgemini, Orange, and Microsoft, encapsulate the technology of an American hyperscaler within an isolated perimeter certified as SecNumCloud. The framework is French, the applicable law is French, and foreign law does not extend to the perimeter. This is legal sovereignty in the strict sense. Just as an embassy applies the law of the sending state within walls built by the host country, these offerings apply French law to a technology stack designed elsewhere. Legal sovereignty does not require industrial sovereignty.
The analogy ends there, and it must end there. An embassy does not serve millions of users nor does it depend on a global technology supply chain. The diplomatic model does not account for operational continuity. If Microsoft or Google discontinues the underlying technology, terminates the partnership, or changes its terms, the legal scope remains intact, but the service may cease to function. Nor does it explain reversibility: the ability to exit, to retrieve one’s data and configuration elsewhere without having to rewrite everything from scratch. An embassy can close overnight. An information system cannot be moved that easily.
Two Types of Sovereignty, Two Distinct Risks
We must therefore keep these two concepts separate, because they address two risks that are entirely unrelated. Legal sovereignty addresses legal exposure: who can compel the operator, under what law, and with what scope beyond national borders. Industrial sovereignty addresses technological dependence: who controls the stack, and what happens the day the provider disappears, cuts off access, or changes the rules.
Both are real. Both have different limits. One can maintain the first without the second; this is the case with encapsulated offerings. One can maintain the second without the first—as is the case with a technologically autonomous entity that is, however, tied to an exposed jurisdiction. A well-drafted contract reduces legal exposure but says nothing about reversibility. A controlled tech stack guarantees continuity but says nothing about the applicable law.
The decision is not about choosing the right flag. It is about determining which of the two sovereignties one is purchasing, which one still needs to be built, and which of the two risks one has decided to cover. Diplomatic law has made this clear since 1961: an area can be sovereign without being a territory. But an area that is sovereign under the law is not necessarily a system that one controls.
Sources
- Vienna Convention on Diplomatic Relations, 1961, Articles 22 and 27
- Status of Forces Agreements (SOFAs), NATO practice
- CLOUD Act (United States, 2018); SREN Act, Article 31
- ANSSI, SecNumCloud certification and “Cloud at the Center” doctrine, cyber.gouv.fr
- S3NS (Thales, Google) and Bleu (Capgemini, Orange, Microsoft), documentation for certified offerings