France’s e-invoicing mandate is fast approaching, and the conversations around compliance are moving quickly. For many large companies, the biggest questions have already moved from invoicing formats and mandate deadlines to next-level topics such as where the data lives, who can access it, and whether a foreign authority could compel access.
That is why data sovereignty has become a defining requirement in France and a recurring topic in many enterprise meeting rooms and vendor discussions. It is a topic that spans security, legal, and operational teams, not just a hosting decision. For that reason, this article explains what “true” data sovereignty means in the French e-invoicing context and what to look for when choosing a Plateforme Agréée (PA).
TL;DR
- Data residency is about where servers sit. Data sovereignty is about which laws can reach your data, including exposure to extraterritorial laws such as the US CLOUD Act (see definitions at the end)
- France’s Y model relies on a network of accredited private platforms called Plateformes Agréées (PAs), alongside the state operated Portail Public de Facturation (PPF)
- The Plateforme Agréée accreditation is designed to be a trust anchor. It sets a high bar for security, governance, interoperability, and operational resilience
- Sovereignty in France is closely tied to SecNumCloud 3.2 (see definitions at the end), which includes legal safeguards designed to reduce exposure to non EU jurisdiction
- Compliance with France’s mandate is not only about invoice exchange. It includes e-reporting, lifecycle state management, and long term probative archiving
Data residency vs data sovereignty, in plain language
In vendor conversations, data residency and data sovereignty are often treated as the same thing. They are not:
- Data residency is simply the physical location of the infrastructure where data is stored
- Data sovereignty is about legal reach. It is the ability to show that your invoice data is subject to European legal control, and protected against foreign jurisdictional overreach
This matters because some foreign laws can, in certain circumstances, compel access to data even when that data is stored in Europe. If a provider, or the provider’s controlling entity, is exposed to those laws, the protection of geographic location alone may not satisfy the French requirements.
Why France treats sovereignty as a first class requirement
France is not the only country implementing continuous transaction controls (CTC). What is distinctive is how tightly France links the mandate to sovereign trust and national infrastructure.
Two drivers show up again and again in enterprise conversations.
- Protection against extraterritorial laws
France aims to reduce the risk that foreign authorities can compel access to fiscal and commercial data through a provider’s legal exposure.
- Trust at national scale
The mandate will touch millions of businesses. France has designed the system to reduce single points of failure and to enforce a consistent trust perimeter across the ecosystem.
For buyers, this changes the definition of a suitable vendor. Feature depth matters, but trust architecture and governance become selection criteria.
The French Y model, and where Plateforme Agréée fits
France uses a decentralised continuous transactions control exchange (DCTCE) model, commonly called the Y model:
| Platform Designation | Previous Terminology Used | Role within the Y-Model | Accreditation Status |
|---|---|---|---|
| Plateforme Agréée (PA) | Plateforme de Dématérialisation Partenaire (PDP) | Directly exchanges invoices, manages lifecycle statuses, performs e-reporting extraction, interfaces with the PPF and Annuaire. | Strictly certified by the DGFiP; requires SecNumCloud hosting, ISO 27001 ISMS, and rigorous interoperability testing. |
| Portail Public de Facturation (PPF) | None | The central governmental hub. Manages the National Directory (Annuaire) and receives tax extracts from PAs. | Operated exclusively by the French State (AIFE/DGFiP). |
Figure: The Y model of e-invoicing in France, showing the exchanges between the supplier, the buyer, the accredited platforms, the PPF and the tax administration.
Unlike centralised models where all invoices are routed through a single government hub before delivery, which can create bottlenecks, the French Y model delegates exchange to accredited platforms. The goal is to support scalability and resilience while still giving the authorities the visibility required to combat VAT fraud. For more information, read our article that covers France’s invoicing and e-reporting mandate in more depth.
What a Plateforme Agréée (PA) actually changes for an enterprise buyer
Choosing a PA is not only about connectivity. It changes your risk profile. A PA sits inside your compliance chain. It touches sensitive invoice payloads and metadata. It also impacts your audit trail, your operational continuity, and your ability to prove compliance over time.
For enterprise buyers, three implications matter most:
1. Sovereign infrastructure is not a nice to have
France’s sovereignty expectations are closely tied to SecNumCloud 3.2. Beyond classic security controls, SecNumCloud 3.2 introduces legal, operational, and governance safeguards designed to reduce exposure to non-European control and non-EU jurisdiction.
What is SecNumCloud 3.2?
SecNumCloud is ANSSI’s cloud security and sovereignty qualification. In its 3.2 version, it goes beyond “classic” security controls and adds explicit sovereignty safeguards designed to reduce exposure to extraterritorial access. In practice, it requires that the service provider operates under EU legal control, with strict constraints on non‑EU ownership and with administration, operations, and cryptographic key management performed from within the EU. SecNumCloud 3.2 is often the clearest signal that a provider can support **true** sovereignty, not just EU hosting.
In practical terms, this pushes providers toward sovereign cloud environments and EU controlled administration, including EU controlled key management. If your business is subject to strict information security governance, this will appear quickly in procurement, legal, and security questionnaires.
2. Security is a system, not a checklist
The operational discipline of a PA is expected to be proven, not promised. And that is why ISO 27001 is a key asset to look for in a PA.
What is ISO 27001?
ISO 27001 is an international standard for an Information Security Management System (ISMS). In the French e-invoicing context, it is often treated as a baseline signal that security is run as an ongoing, auditable management system, not a one-off checklist. For buyers, it indicates that the provider has formalised processes for risk assessment, access control, incident response, change management, and supplier management, and that these processes are independently audited and continuously improved over time.
3. Compliance includes long term legal proof
French commercial and tax requirements include long retention periods for invoices. It is not enough to store files. You need **probative archiving**, meaning you can prove authenticity, integrity, and legibility years later. That is where standards like NF Z42-013 matter.
What is the NF Z42-013 standard?
NF Z42-013 is an AFNOR standard for Electronic Archiving Systems (SAE). It defines the controls needed to preserve a document’s **probative value** over long retention periods, so you can demonstrate authenticity, integrity, traceability, and legibility years later. In practice, it implies disciplined evidence mechanisms such as cryptographic hashing (sealing) and trusted timestamping (often aligned with eIDAS), plus audit trails and controlled processes that make any alteration detectable. For French e-invoicing, it is the reference many enterprises use to distinguish “legal archiving” from basic file storage.
In short, that means **e-archiving isn’t just e-invoicing storage**: it is evidence you can defend during an audit years later. For more in-depth information on e-archiving and how it differs from mere invoice retention, read our article about e-archiving vs invoicing storage.
Key dates to plan for the French mandate
| Milestone Date | Mandate Scope and Targeted Business Segment | Regulatory Requirements |
|---|---|---|
| February 2026 – August 2026 | Voluntary Pilot Phase | Real-world testing of B2B and B2G flows. Requires mutual agreement between suppliers and buyers. No tax enforcement penalties applied during this window. |
| September 1, 2026 | Phase 1 Go-Live | Mandatory reception of e-invoices for businesses of all sizes. Mandatory issuance, including e-invoicing and e-reporting, for large and mid-sized enterprises. |
| September 1, 2027 | Phase 2 Go-Live | Mandatory issuance, including e-invoicing and e-reporting, extended to small and medium enterprises (SMEs) and very small enterprises (VSEs/Micro-businesses). |
If you want to reduce go-live risk, you can join the French pilot now with ecosio as your Plateforme Agréée (PA) and start validating e-invoicing and e-reporting in production conditions ahead of September 2026.
What you should ask when vetting a service provider
If you are preparing for the pilot phase or for the September 2026 deadline, vendor evaluation needs to focus on evidence. Here are the questions that tend to surface in serious enterprise due diligence:
1. Are you accredited as a Plateforme Agréée, or are you operating as an uncertified operator connected to a third party PA?
PAs can directly clear invoices and interact with the PPF. Non-accredited providers, known as Opérateurs de Dématérialisation (ODs), must route through a PA, adding a layer of dependency, cost, and operational risk.
2. How do you address data sovereignty, not just EU hosting?
Ask where data is stored and backed up, who administers the infrastructure, and how cryptographic keys are managed.
3. What is your specific approach to data residency versus data sovereignty, particularly concerning the US CLOUD Act?
Storing data in Europe is insufficient if the provider is subject to foreign subpoenas. SecNumCloud 3.2 is mandatory for absolute protection. Only a PA infrastructure architected on SecNumCloud 3.2 qualified sovereign environments is able to ensure absolute legal immunity from extraterritorial legislation.
4. How do you handle the full scope of the mandate, including e-reporting?
France is not only B2B exchange. It also includes B2C and certain cross-border reporting, plus payment reporting. That has implications for data extraction, aggregation, and submission frequencies.
5. Can your platform handle the full scope of both e-invoicing and e-reporting, and synchronise statuses directly into our ERP?
The mandate creates a dense set of lifecycle outcomes across multiple actors. If statuses are not integrated into your processes, manual reconciliation will become the hidden cost of compliance. Partial solutions require manual data entry for cross-border and B2C flows, destroying automation ROI. An integration-first PA absorbs legacy ERP data, automatically parses B2B vs. e-reporting flows, and synchronises the DGFiP’s mandatory lifecycle statuses directly into the client interface in real time.
6. How do you manage the 10-year probative archiving requirement under French commercial law?
Ask how documents are sealed, how integrity is verified, and what evidence is produced for audit. Simple cloud storage fails tax audits. Archiving must meet strict cryptographic and integrity standards. A proper PA should utilize an Electronic Archiving System (SAE) fully compliant with NF Z42-013, applying eIDAS-certified digital seals to guarantee document integrity for the full statutory period.
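To make the sealing and audit-trail mechanisms mentioned in the NF Z42-013 section and in question 6 concrete, here is an added Python example (not code from this article or from any PA) of a hash-chained archive journal whose verification detects altered documents and altered journal records. The field names, journal layout, and the plain `sealed_at` string standing in for a trusted timestamp are assumptions for illustration; this is not a conformant SAE.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first journal entry (assumed convention)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(entry: dict) -> str:
    # Hash a canonical JSON form of every field except the stored hash itself.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def seal(journal: list, doc_id: str, content: bytes, sealed_at: str) -> None:
    """Append a sealing record chained to the previous journal entry."""
    entry = {"doc_id": doc_id, "doc_sha256": sha256_hex(content),
             "sealed_at": sealed_at,  # assumption: stands in for a trusted timestamp
             "prev_hash": journal[-1]["entry_hash"] if journal else GENESIS}
    entry["entry_hash"] = entry_hash(entry)
    journal.append(entry)

def verify(journal: list, store: dict) -> list:
    """Return findings; an empty list means documents and journal verify."""
    findings, prev = [], GENESIS
    for i, e in enumerate(journal):
        if e["prev_hash"] != prev:
            findings.append(f"entry {i}: chain broken")
        if entry_hash(e) != e["entry_hash"]:
            findings.append(f"entry {i}: journal record altered")
        content = store.get(e["doc_id"])
        if content is None:
            findings.append(f"entry {i}: document {e['doc_id']} missing")
        elif sha256_hex(content) != e["doc_sha256"]:
            findings.append(f"entry {i}: document {e['doc_id']} altered")
        prev = e["entry_hash"]
    return findings

def demo() -> dict:
    # Constructed sample invoices, not real data.
    store = {"INV-001": b"<Invoice>100.00 EUR</Invoice>",
             "INV-002": b"<Invoice>250.00 EUR</Invoice>"}
    journal = []
    seal(journal, "INV-001", store["INV-001"], "2026-09-01T08:00:00Z")
    seal(journal, "INV-002", store["INV-002"], "2026-09-01T08:05:00Z")
    clean = verify(journal, store)
    store["INV-001"] = b"<Invoice>900.00 EUR</Invoice>"  # later alteration
    return {"clean": clean, "tampered": verify(journal, store)}
```

A hash chain on its own does not stop someone who can rewrite the whole journal and recompute every hash; anchoring entries with a seal or timestamp from an independent trust service is what closes that gap.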
Conclusion
France is turning e-invoicing into a regulated, sovereign trust network. In this environment, the difference between data residency and data sovereignty is not a mere academic or etymological exercise. It is a core phase of your vendor risk assessment.
If you treat sovereignty as a first class requirement early and get your PA selection right from the start, you reduce delivery risk, avoid late stage rework, and build a compliance posture you can defend for years to come.
If you’re assessing vendors for France, treat this as a partner choice, not a software purchase. You want a provider that is already operating inside the French trust perimeter, can support both e-invoicing and e-reporting end-to-end, and has the operational maturity to help you prove compliance over time. If you want to sanity check your approach or get ready for the pilot, feel free to get in touch. Our experts would be happy to discuss your scope, timeline, and data sovereignty requirements.
Definitions
- Data residency: where data is physically stored. It answers “which country hosts the servers”, but it does not automatically answer which jurisdictions may still be able to compel access.
- Data sovereignty: the ability to demonstrate that data is governed by, and practically protected under, the legal framework you are operating within. In this context, it is about reducing exposure to extraterritorial laws.
- Extraterritorial laws: laws that may allow a country’s authorities to request access to data beyond that country’s borders in certain circumstances. In this article, the key example is the US CLOUD Act.
- US CLOUD Act: a US legal framework that can, in certain scenarios, create risk that data could be requested from providers with US jurisdictional exposure, even if the data is hosted outside the US.
- SecNumCloud 3.2: a French cloud security and sovereignty qualification administered by ANSSI. Beyond security controls, SecNumCloud 3.2 introduces legal safeguards designed to reduce exposure to non EU control, including constraints on ownership and EU based administration and key management.
- ANSSI: Agence Nationale de la Sécurité des Systèmes d’Information, France’s national cybersecurity agency and the authority behind SecNumCloud.
- ISO/IEC 27001: an international standard for an information security management system. It is used to prove that security is managed as an ongoing, auditable system, not a one off checklist.
- ISMS: information security management system. A set of policies, processes, and controls used to manage information security risk across people, process, and technology.
- Opérateur de Dématérialisation (OD): a non-accredited “dematerialization operator” that can help digitize and prepare invoice data, but cannot independently ensure compliance under the French Y model. For regulated e-invoicing and e-reporting flows, an OD must rely on a certified Plateforme Agréée (PA) (or Chorus Pro for certain B2G cases) to exchange invoices and transmit the required data to the authorities via the PPF.
- Plateforme Agréée (PA): a government accredited platform within France’s e-invoicing framework. A PA can directly support compliant invoice exchange and related reporting duties under the Y model, and is expected to meet strict requirements on interoperability, security, and operational resilience.
- PPF: Portail Public de Facturation, the state operated component of France’s framework, including the national directory and the central repository for the data that must be transmitted to the authorities.
- Probative archiving: an approach to long term storage designed to preserve the legal value of an electronic document. It focuses on proof of authenticity, integrity, and traceability over the full retention period.
- NF Z42-013: an AFNOR standard for electronic archiving systems, internationally recognised as aligned with ISO 14641-1. In practice, it points to controls such as cryptographic sealing and timestamping to preserve integrity and legal evidence over time.
- eIDAS: the EU regulation that underpins trusted electronic services, including qualified electronic signatures and timestamps, commonly referenced in probative archiving contexts.