When a critical banking application fails, it is not just a financial issue. Customer trust erodes, regulatory scrutiny intensifies, and the entire ecosystem is weakened.
In this context, sovereignty is no longer a matter of doctrine, it has become a fundamental condition for survival. It is the ability to retain control and exercise one’s own decision-making autonomy.
1. The new equation for banks
In the banking sector, critical applications support core functions where even a minor failure can have systemic impact. These applications are not only an infrastructure concern, but also a matter of sovereignty and trust with regulators and end customers. The triad “secure, transform, decide” enables business and IT leaders to align their priorities around shared challenges.
2. What a critical application is in banking
Talking about critical applications first means addressing data sensitivity and the business risk associated with their unavailability. Within the same institution, some applications can tolerate limited downtime, while others must operate continuously, as they ensure service continuity, regulatory compliance, and brand reputation. In practice, an instant payment or interbank clearing application cannot afford any interruption: just a few seconds are enough to halt thousands of transactions. By contrast, an internal reporting tool can tolerate a few minutes of downtime without major consequences.
To structure these challenges, banks rely on internal classification frameworks, for example from C1 to C4, where C3 and C4 cover the most sensitive and critical information.
3. From C1–C4 classification to Cloud choices
This classification has a direct impact on Cloud strategy: for C1 data, it may be acceptable to use non-European hyperscalers, provided that the governance model and applicable jurisdiction are clearly understood and accepted. Once beyond C2—and especially for C3/C4 scopes—control over data location, access, legal framework, and protection against extraterritorial laws becomes essential, making the use of sovereign Cloud a structuring requirement.
In France, the ANSSI SecNumCloud qualification has become the reference standard for identifying “trusted Cloud” offerings designed to protect sensitive data, including against extraterritorial laws.
4. OUTSCALE’s complementary multi-cloud approach
At OUTSCALE, a Dassault Systèmes brand, we advocate a complementary multi-cloud approach rather than a direct opposition between hyperscalers and sovereign Cloud. Less sensitive workloads can rely on non-European hyperscalers, while the most critical applications and data should remain on-premise or migrate to a qualified sovereign infrastructure.
Understanding what a critical application is and why sovereignty is now central to banks’ Cloud decisions is key. In the next article, “Secure: compliance, SecNumCloud, and DORA resilience for banks,” we will explore how to concretely secure this trajectory through compliance, SecNumCloud, and the DORA regulatory framework, before addressing transformation and sovereign AI in the third piece.
