The Health Data Hub: at last a step toward digital sovereignty
The Health Data Hub (HDH) is a public platform created in 2019 to centralise, structure and make available, within a controlled framework, French health data for research, innovation and the steering of public policy that…

This morning I was invited by France Culture to discuss the procedure launched by the government to find a new host for the Health Data Hub, the national health data platform. The radio format forces you to move fast, too fast. I don't even know whether the interview will air.
Yet I was unable to come back to several essential points: the exceptional value of this data, its strategic role for artificial intelligence, the very real legal issues tied to the American cloud, or what the announced migration concretely means, along with the notion of digital sovereignty.
This text is therefore a plain-spoken account of what is at stake.
What is the Health Data Hub?
The Health Data Hub (HDH) is a public platform created in 2019 to centralise, structure and make available, within a controlled framework, French health data for research, innovation and the steering of public policy.
It draws mainly on the Système National des Données de Santé (SNDS), which brings together in particular:
- reimbursement data from the Assurance maladie,
- hospitalisation data (PMSI),
- medical causes of death,
- and other medico-administrative sources.
In concrete terms, this covers nearly 99 % of the French population, or more than 67 million people.
What makes this database unique in the world is not only its volume (billions of records) but its quality: longitudinal, exhaustive, cleaned data, harmonised according to international standards and regularly updated. Few countries have such a level of historical depth at national scale.
The HDH is not a mere warehouse: it provides secure working environments, allowing researchers, hospitals, startups or public institutions to exploit the data without extracting it, within a controlled framework.
Why this data is strategic
In 2026, health data has become a major strategic asset for artificial intelligence.
A reliable medical AI requires datasets that are:
- massive,
- representative,
- low in bias,
- and of high quality.
The SNDS ticks all these boxes.
This data makes it possible in particular to:
- detect cancers or chronic diseases early,
- optimise care pathways,
- analyse treatment side effects at large scale,
- model epidemics,
- develop personalised medicine.
The national AI & health strategy (2025-2028) rests largely on this asset. The PariSanté campus already brings together more than 1,300 players around this ecosystem.
At European scale, the future European Health Data Space (EHDS) will rely directly on national databases like ours.
This data is therefore not only a scientific tool.
It is an economic, industrial and geopolitical lever.

The initial choice of Azure: a legal problem, not an ideological one
When the HDH was created in 2019, the choice fell on Microsoft Azure. At the time, the argument put forward was the absence of a sufficiently mature European alternative.
This choice immediately sparked controversy, and rightly so.
The problem is not "Microsoft is American", but the legal framework to which Microsoft is subject.
As an American company, Microsoft is subject to the CLOUD Act, which allows American authorities to demand access to data held by a US company, including when that data is hosted in Europe, and without going through a European court decision.
This risk is not theoretical.
👉 In July 2025, before a committee of the French Sénat, Anton Carniaux, director of public and legal affairs explicitly admitted it:
he could not guarantee that data hosted in Europe could not, in certain cases, be accessible to American authorities.
From that point on, the debate is no longer ideological.
It is factual.
To this legal risk is added a well-documented cyber risk:
the health sector is one of the most targeted in the world (around 40 % of major data breaches involve health). A compromise would have serious consequences: medical identity theft, blackmail, malicious exploitation for AI purposes.
Finally, there is an issue of strategic competition: hosting health data of such quality with an American hyperscaler means accepting that the non-European ecosystem indirectly benefits from a decisive advantage in training health AI models.
In terms of digital sovereignty, this was a major anomaly.
Migration to a sovereign host: a real turning point
On 6 February 2026, the government announced the launch of a procedure to select a new host for the HDH.
The tender is being launched today, 9 February 2026, with an award expected in the spring and a complete migration by the end of 2026.
The central criterion is clear:
👉 SecNumCloud qualification issued by ANSSI.
SecNumCloud requires in particular:
- a high level of encryption,
- European localisation and control of the data,
- reinforced protection against extraterritorial laws,
- regular and demanding audits.
In practice, this excludes American hyperscalers and favours French or European players (OVHcloud, Cloud Temple, sovereign offerings from Thales, etc.).
This is not a simple change of infrastructure.
It is a political and strategic choice: to protect citizens' privacy, strengthen cyber resilience, and keep the scientific and economic value of this data in Europe.
A good decision… but a turn taken far too late
Migrating the Health Data Hub to a SecNumCloud-qualified host is an excellent decision.
But it is also a late decision, and that delay has a cost.
For years, we lost time, credibility and above all trust.
The trust of citizens, who saw their most sensitive data hosted within a legally questionable framework.
The trust of researchers and institutions, locked into a permanent debate over the very legitimacy of the platform.
And, finally, trust in the State's ability to treat the digital domain as a strategic subject, rather than as a mere budget line or a technical problem.
This initial choice durably weakened the Health Data Hub.
It turned a project of general interest into a symbol of technological dependence, and fed a distrust that could have been avoided.
A structural dependence still very real
It would be an illusion to believe that this decision, on its own, marks a clean break with our dependence on the American cloud giants.
Even today, the majority of public tenders are written in a way that favours, sometimes implicitly, American hyperscalers.
Not out of ideology, but out of habit, out of convenience, and often out of a lack of technical and legal culture when the requirements are drafted.
Criteria of performance, scalability or managed services are too often thought through the prism of the American behemoths, relegating European players to the rank of "alternatives", when they should be considered strategic choices in their own right.
There lies the paradox:
we talk about sovereignty after the fact, once the dependencies are already in place.

A paradigm shift… more European than French
We must also be honest: this change of direction does not stem solely from a national awakening.
It is part of a much broader movement, at European scale, driven by:
- the rise of geopolitical tensions,
- the growing legalisation of data flows,
- and the late but real understanding that the digital domain is now a lever of power on a par with energy or defence.
What we are observing in France is a deep European trend.
Germany, the Nordic countries, the Netherlands and Italy are following the same trajectory: reassessing dependencies, strengthening control requirements, taking back the reins of critical infrastructure.
And this movement does not come only from States.
It also comes from the field.
Sovereignty is no longer a slogan, it is an operational need
At Cresco Cybersecurity, we already support public and private organisations facing very concrete digital sovereignty needs:
- control of sensitive data,
- genuine reversibility of infrastructure,
- lasting legal compliance,
- reduction of technological dependence.
These are no longer theoretical debates.
They are operational challenges, raised by CIOs, CISOs and executive boards that have understood that "all-American cloud" is no longer tenable in the long run.
Digital sovereignty is not an ideological posture.
It is a question of resilience, of continuity, and of responsibility.
A step in the right direction, but not an end in itself
The Health Data Hub's exit from Azure is a strong signal.
It shows that the State is finally capable of acknowledging a strategic mistake and correcting it.
But this shift comes late, and it must not remain isolated.
Sovereignty cannot be decreed: it is built over time, through governance, transparency, technical mastery and the ability to say no when necessary.
Digital sovereignty is not limited to a tender or a label.
It demands a deeper transformation:
- in the way architectures are conceived,
- in the drafting of public procurement,
- in the training of decision-makers,
- and in the political courage to break free from entrenched dependencies.
This choice is welcome.
It must now become structuring.
Otherwise, in a few years, we might discover that we have simply moved the problem without ever really solving it.
Questions fréquentes
What is the Health Data Hub?
It is a public platform created in 2019 to centralise, structure and make available, within a controlled framework, French health data for research, innovation and the steering of public policy. It draws mainly on the Système National des Données de Santé (SNDS).
Why is the choice of Microsoft Azure a problem?
The problem is not Microsoft's nationality but the legal framework to which the company is subject. The CLOUD Act allows American authorities to demand access to data held by a US company, including when it is hosted in Europe.
What did Microsoft admit before the Sénat in July 2025?
Anton Carniaux, director of public and legal affairs, admitted that he could not guarantee that data hosted in Europe could not, in certain cases, be accessible to American authorities.
What does the migration announced in February 2026 change?
On 6 February 2026, the government launched a procedure to select a new host, with ANSSI's SecNumCloud qualification as the central criterion. This effectively excludes American hyperscalers and aims for a complete migration by the end of 2026.
Does this decision put an end to dependence on the American cloud?
No. It is a strong but late and isolated signal. The majority of public tenders continue to favour American hyperscalers out of habit or a lack of technical and legal culture, and the structural dependence remains real.

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
