PaaS
In brief
You no longer rent machines, but a platform ready to run your code. You upload your application, and the service provider takes care of the rest: the system, the runtime environment, the database and scaling.
▶ Precise definition
Platform as a Service, as defined by NIST (SP 800-145). The service provider manages the infrastructure, the runtime environment and the middleware. The customer retains ownership of their code, data and application configuration, without having to manage the underlying system or hardware. Examples: Cloud Run (Google), Elastic Beanstalk (AWS), Heroku, Scalingo, Clever Cloud.
Our analysis
PaaS is the layer where technical teams gain speed at the cost of increased dependency. We deliver faster because we no longer have to manage servers, but we become tied to the provider’s choices, formats and managed services.
When it comes to sovereignty, two risks combine. The first is the provider’s jurisdiction, as is the case at every layer. The second is specific to PaaS: code portability is rarely guaranteed. An application written for Cloud Run cannot be redeployed elsewhere without being rewritten, because it relies on conventions and services specific to the platform. This is application lock-in, distinct from data lock-in: one can repatriate one’s data yet remain unable to run one’s application outside the original platform.
This is also the layer where sovereign certifications are the rarest and most recent. Certifying an IaaS amounts to certifying a foundation; certifying a PaaS requires, in addition, the certification of the entire managed runtime environment, which is a much broader scope. S3NS certified both IaaS and PaaS simultaneously in December 2025, making this a milestone rather than a routine procedure.
See also