Key Takeaways
- GrapheneOS announced it is removing all active servers from France and ending its relationship with OVHcloud.
- The move is driven by concerns over French legislation that could force backdoors in encryption and the broader “chat control” debate.
- OVHcloud’s boss Octave Klaba responded, but the dispute remains unresolved.
- GrapheneOS is migrating services to Canada and Germany, with long‑term plans for hosting in Toronto.
- The split highlights ongoing tensions in European cloud sovereignty and digital‑privacy policy.
Introduction
On 28 November 2025, the open‑source, security‑focused mobile operating system GrapheneOS declared that it had shut down all active servers in France and was in the process of leaving its longtime cloud provider OVHcloud [^1]. The project cited “fears of state access” and France’s stance on digital privacy as the primary reasons for the migration, underscoring a growing clash between privacy‑first tech initiatives and European regulatory trends.
Background: GrapheneOS and its privacy‑first model
GrapheneOS is a nonprofit fork of the Android Open Source Project (AOSP) that removes Google services, hardens the kernel, and implements advanced sandboxing and verified boot mechanisms [^2]. It is widely regarded by privacy advocates as one of the most secure mobile platforms, offering features such as full‑disk encryption enforced by a hardware secure element, disabled advertising identifiers, and minimal data collection.
Why France’s policy triggered the exit
The French government has been a vocal supporter of the EU’s proposed “Chat Control” legislation, which would require online platforms to provide backdoors for automatic scanning of private communications [^1]. GrapheneOS developers argue that such mandates would make France “unsafe for open‑source privacy projects.”
“France isn’t a safe country for open source privacy projects. They expect backdoors in encryption and for device access too. Secure devices and services are not going to be allowed.” [^1]
The project’s X (formerly Twitter) post emphasized that even static web services hosted via OVH’s Canada/US subsidiaries were considered insecure under the current legal climate [^1]. French law also criminalises refusal to provide decryption keys, contrasting with protections found in jurisdictions such as the United States [^2].
Impact on OVHcloud and European cloud sovereignty
OVHcloud, Europe’s largest cloud provider, has faced criticism from other European businesses over data‑sovereignty disputes, including a legal battle in Canada concerning cross‑border data requests [^1]. The loss of GrapheneOS’s infrastructure adds another high‑profile case where a privacy‑focused project questions the suitability of French‑based cloud services for sensitive workloads.
Industry analysts note that the incident may accelerate discussions about “digital sovereignty,” with companies like Civo and Microsoft exploring multi‑jurisdictional cloud strategies to mitigate regulatory risk [^1].
Migration plan and technical implications
GrapheneOS outlined a staged migration:
- Immediate decommissioning of French servers and rotation of TLS/DNSSEC keys.
- Short‑term relocation of services (Mastodon, Matrix, Discourse) to shared infrastructure in Canada.
- Critical web infrastructure moved to German host Netcup, with a long‑term goal of colocation in Toronto.
- Backups remain encrypted during the transition.
The move does not affect end‑users’ ability to install or run GrapheneOS on supported devices; updates will continue to be signed and verified using the platform’s existing security chain [^1][^5].
Reactions from stakeholders
OVHcloud’s CEO Octave Klaba publicly expressed support for GrapheneOS’s development but claimed the group’s statements were “confusing” and that no technical incident had occurred on OVH’s infrastructure [^1].
Privacy‑focused organizations, including Proton, echoed GrapheneOS’s concerns, describing France’s stance as a “broader message” to privacy‑first companies [^2]. Meanwhile, commentators on platforms such as Hacker News highlighted the broader implications for open‑source projects operating under hostile legal environments [^9].
Conclusion
GrapheneOS’s departure from France underscores the tension between emerging European privacy legislation and the technical realities of delivering secure, open‑source software. The migration signals to other privacy‑centric projects the importance of evaluating jurisdictional risk and may spur further diversification of cloud hosting across multiple regions. As the EU continues to debate “Chat Control” and related measures, the industry will watch closely to see whether regulatory pressure forces more developers to relocate or adapt their architectures.
References
[^1]: Richard Speed (2025‑11‑28). “GrapheneOS bails on OVHcloud over France’s privacy stance”. The Register. Retrieved 2025‑11‑28.
[^2]: Elena Constantinescu (2025‑11‑26). “GrapheneOS leaves France — what it means for encryption”. Proton. Retrieved 2025‑11‑28.
[^3]: (2025‑11‑28). “Reddit post – GrapheneOS departure discussion”. Reddit. Retrieved 2025‑11‑28.
[^4]: (2025‑11‑22). “GrapheneOS migrates server infrastructure from France amid police intimidation claims”. Privacy Guides. Retrieved 2025‑11‑28.
[^5]: Alex Lekander (2025‑11‑28). “GrapheneOS exits France over encryption backdoor pressure”. CyberInsider. Retrieved 2025‑11‑28.
[^6]: Noah Bovenizer (2025‑11‑28). “GrapheneOS exits French servers and French cloud provider over security concerns”. The Stack. Retrieved 2025‑11‑28.
[^7]: (2025‑11‑25). “Security-focused OS GrapheneOS withdraws from France due to ‘state threats’”. GIGAZINE. Retrieved 2025‑11‑28.
[^8]: (2025‑11‑25). “France’s Encryption War Escalates: GrapheneOS Exodus Signals …”. Compliance Hub. Retrieved 2025‑11‑28.
[^9]: (2025‑11‑28). “Hacker News discussion on GrapheneOS migration”. Hacker News. Retrieved 2025‑11‑28.
[^10]: (2025‑11‑25). “We couldn’t see any of the spe… – GrapheneOS Mastodon”. Mastodon. Retrieved 2025‑11‑28.