OUTSCALE calls itself sovereign. Is it?

date: Dec 9 2025

The French "sovereign cloud" has the qualifications. But does paperwork equal security?

OUTSCALE, a Dassault Systèmes subsidiary, claims to be “the French sovereign cloud”. In December 2023, they became the first provider qualified under SecNumCloud 3.2, the highest French government security qualification

The claim is legitimate. But what does that actually mean?

The qualification is real

SecNumCloud is a “qualification”, not a certification: the state tests the product, not an auditor.

SecNumCloud 3.2 requires:

  • EU headquarters, no American or Chinese ownership
  • No single non-EU entity can hold more than 24% of shares
  • Immunity to US Cloud Act and FISA
  • 350+ technical security requirements

OUTSCALE passes all of this cleanly. 100% owned by Dassault Systèmes, a French company. No American shareholders. No asterisks

Compare that to OVHcloud, which got the same qualification but has KKR (American private equity) holding ~6% of shares. They claim “legal isolation” from US jurisdiction. Maybe. OUTSCALE doesn’t need to make that argument

What SecNumCloud actually guarantees

SecNumCloud is normative security, not operational security. It guarantees:

  • Governance and procedures
  • A European legal framework
  • Documented security management
  • Controlled operations
  • Clear responsibility when things go wrong

It was never meant to be a continuous pentest, a bug bounty program, a battle-tested 24/7 SOC, or a CVE shield. That’s not what it claims

Real operational security is different. It’s your server getting hammered by 100 different IPs per second at 3am. It’s patching a critical CVE before it gets exploited. SecNumCloud doesn’t guarantee that, and it doesn’t pretend to

I’ve seen “certified” infrastructure with unpatched vulnerabilities. The certificate was valid because the governance was in place. The security wasn’t, because nobody was actually watching

While writing this article, I checked OUTSCALE’s website SSL:

$ openssl s_client -connect en.outscale.com:443
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate

The certificate chain is broken. The intermediate certificate isn’t properly configured, so browsers can’t verify the chain back to the root CA. This is TLS 101. Any SSL checker flags it immediately
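To see why a missing intermediate produces that error, here is an added example (not from the original article, and not OUTSCALE's configuration) that builds a throwaway root, intermediate and leaf locally and verifies the leaf the way a client does. All certificate names and file names are constructed for the demo; it assumes the openssl CLI is installed.

```bash
#!/usr/bin/env bash
# Constructed demo PKI: root -> intermediate -> leaf. All names are made up.
set -u

mk_cert() {  # mk_cert DIR NAME CN ISSUER(self|NAME) [EXTFILE]
  local d="$1" n="$2" cn="$3" ca="$4" ext="${5:-}"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  if [ "$ca" = self ]; then
    set -- -signkey "$d/$n.key"                      # self-signed root
  else
    set -- -CA "$d/$ca.pem" -CAkey "$d/$ca.key" -set_serial 0x1001
  fi
  openssl x509 -req -in "$d/$n.csr" -days 2 ${ext:+-extfile "$ext"} "$@" \
    -out "$d/$n.pem" 2>/dev/null
}

build_chain() {  # build_chain DIR
  local d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$d/ca.ext"
  mk_cert "$d" root  "Demo Root CA"         self  "$d/ca.ext" &&
  mk_cert "$d" inter "Demo Intermediate CA" root  "$d/ca.ext" &&
  mk_cert "$d" leaf  "www.example.test"     inter
}

# Verify the leaf as a client would: it trusts only the root, and gets any
# intermediates from what the server sends (passed here via -untrusted).
verify_as_client() {  # verify_as_client DIR [FILE_WITH_SENT_INTERMEDIATES]
  local d="$1" sent="${2:-}"
  openssl verify -CAfile "$d/root.pem" ${sent:+-untrusted "$sent"} \
    "$d/leaf.pem" 2>&1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_chain "$work" || { echo "openssl failed to build the demo chain"; exit 1; }

echo "--- server sends leaf only (the misconfiguration)"
verify_as_client "$work"

echo "--- server sends leaf + intermediate (the fix)"
# fullchain.pem is the file a web server should be configured to serve
cat "$work/leaf.pem" "$work/inter.pem" > "$work/fullchain.pem"
verify_as_client "$work" "$work/inter.pem"
```

The first check fails with error 20 because the client has no path from the leaf to a root it trusts; the second succeeds once the intermediate is supplied alongside the leaf.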

SecNumCloud qualified with 350+ security requirements, but they can’t configure a certificate chain on their marketing site. The auditor checked their governance documentation. Nobody checked if the website actually works

OUTSCALE’s qualification means they’ve structured their company properly: governance, procedures, legal protection from US jurisdiction. It doesn’t mean their infrastructure is inherently more secure than a well-maintained Hetzner VM

The pricing

Let’s compare equivalent VMs. 2 vCPU, 4GB RAM:

Hetzner CX22: €4.51/month

OUTSCALE Europe: €0.034/h per vCore + €0.005/h per GiB RAM = €0.088/h = €64/month

OUTSCALE SecNumCloud: €0.041/h per vCore + €0.006/h per GiB RAM = €0.106/h = €77/month

OUTSCALE is 14 to 17 times more expensive for the same specs. €77/month for 2 vCPU and 4GB RAM. That’s obscene

For that price at Hetzner, you get a dedicated server with 64GB RAM. At OUTSCALE, you get a VM that wouldn’t run a busy WordPress site

That’s the qualification tax. You’re paying for governance, compliance paperwork, and the SecNumCloud stamp. Not for better hardware

What OUTSCALE is actually for

OUTSCALE targets government agencies and defense contractors. Dassault Aviation uses their cloud for FCAS development, the next-generation European fighter jet. When your compliance requirements include “no American legal exposure” and “qualified by ANSSI”, OUTSCALE is the answer

Their CEO says it directly: “We don’t want to replace the American giants. We cover the most critical applications in terms of security”

It’s a niche. Government contracts, defense industry, sensitive public sector data. If you’re in that niche, OUTSCALE is legitimate

For everyone else

If you don’t need government qualifications, you don’t need OUTSCALE

But that doesn’t mean sovereignty doesn’t matter. I don’t want Americans snooping on my files. I don’t want AWS managing my keys or rotating them through some black-box service I can’t audit. Closed source is insecure by design, you’re trusting code you can’t read

Hetzner gives you a German company, German data centers, GDPR compliance, zero US exposure. No qualification theater, just infrastructure that works. A CX22 costs €4.51/month. You manage your own keys, your own encryption, your own stack. Everything is auditable because you control it

The “sovereignty” you actually need is: European company, European data centers, no Cloud Act exposure, and control over your own security. Not a qualification that says someone else checked the boxes for you

The bottom line

OUTSCALE’s sovereignty claim is legitimate. They’re the cleanest French sovereign cloud option for government and defense use cases

But “sovereign” and “qualified” don’t mean “operationally secure”. They mean “compliant with government requirements”, with proper governance and legal protection. Different thing

For sensitive government data, use OUTSCALE. For everything else, run your own stack on European infrastructure. Real security is what you build and maintain, not what an auditor signs off on

Sofiane Djerbi

Cloud & Kubernetes Architect, FinOps Expert.