Sovereign Cloud And Data Sovereignty: An Overview

January 5, 2026 

Sovereign Cloud And Data Sovereignty In The EU: Why It Matters Now

The concept of data sovereignty entered public awareness after Edward Snowden revealed the close cooperation between US technology companies and the NSA under the PRISM program. With US President Donald Trump’s second term in office, data sovereignty and sovereign clouds are once again gaining prominence. The Trump administration’s political approach is making the EU increasingly aware of its dependence on US hyperscalers.

The Netherlands Court of Audit found that 67% of Dutch cloud infrastructure is provided by Google, Amazon, and Microsoft. According to a recent Bitkom study, 78% of the companies surveyed believe that Germany is too dependent on US cloud providers. US hyperscalers are responding to this development by launching their own sovereign cloud initiatives.

What is data sovereignty?

There is no universal definition of data sovereignty. The term is interpreted differently depending on the organization. According to hyperscalers, data sovereignty is determined by the laws and regulations of the country or region where the data is generated. This suggests that hyperscalers operating in the EU are not subject to the jurisdiction of foreign laws, such as US federal law, and that data remains secure within the EU.

In contrast, the European Commission developed the Cloud Sovereignty Framework (CSF) to define data sovereignty from eight different perspectives:

  • Strategic sovereignty: This viewpoint describes the degree to which a cloud service provider’s services are anchored in the legal, financial, and industrial ecosystem of the European Union.
  • Legal and jurisdictional sovereignty: The second perspective assesses the extent to which the services of a cloud service provider are anchored in European jurisdiction and protected from dependence on foreign authorities and external legal claims.
  • Data and AI sovereignty: This factor is related to how data is secured, where it is processed, and to what extent companies retain control over AI functions.
  • Operational sovereignty: The operational perspective measures the practical ability of EU actors to operate, support, and further develop cloud technology independently of foreign control.
  • Supply chain sovereignty: This perspective assesses the geographical origin, transparency, and resilience of the technology supply chain. It examines the extent to which critical components and processes remain under EU control or are subject to foreign dependencies.
  • Technology sovereignty: The technological component analyzes the degree of openness, transparency, and independence of the underlying technology platform. It ensures that EU actors can use, test, and further develop interoperable cloud solutions without being tied to foreign proprietary systems.
  • Security and compliance sovereignty: The perspective determines the extent to which security measures, compliance obligations, and resilience measures are controlled within the EU. It serves to ensure independence from foreign legal systems and long-term operational security.
  • Environmental sovereignty: The environmental factor describes the long-term autonomy and resilience of cloud services in terms of energy consumption, dependency, and raw material scarcity.

Accordingly, data sovereignty does not mean exclusively keeping data in one country or region. Equally important is who has control over cloud operations, access rights, metadata, and technical support, and which data protection laws must be taken into account.

However, this does not mean that a cloud service provider must meet all eight categories to be considered sovereign. A company’s industry and workloads are the most significant factors, as not all data has the same level of importance. Workloads processing financial data are considered sensitive, like those processing medical or personal data, and are therefore subject to stricter regulations than the use of video conferencing and other collaboration tools.

Data sovereignty vs. data residency vs. data localization

The terms data sovereignty, data residency, and data localization are closely related and are sometimes used interchangeably. However, the three terms represent different concepts:

Data sovereignty: Under the EU’s definition, the concept describes the self-determined control over the collection, storage, and processing of data from eight different perspectives.

Data residency: The term refers to the geographical or physical location where data is stored and processed. This differs from the location where the data is generated.

Data localization: The goal of data localization is to keep data within a country’s borders and, therefore, subject to that country’s laws.

The regulatory landscape affecting data sovereignty

In recent years, the US and the European Union have passed several regulations that influence the concept of data sovereignty:

GDPR (General Data Protection Regulation)

The European General Data Protection Regulation was adopted in 2016 and entered into force in 2018. It governs how personal data is collected, processed, and transferred, including strict rules and rights for data subjects. It applies to EU member states and to companies outside the EU if they process data belonging to EU citizens. Cross-border data transfers follow a two-step process: companies must maintain their internal privacy processes and controls and establish an appropriate transfer mechanism.

US Cloud Act

The Clarifying Lawful Overseas Use of Data Act (Cloud Act) entered into force in 2018 and is intended to allow efficient investigations by US law enforcement authorities. Even if companies host data in the EU, a cloud provider subject to US jurisdiction can receive lawful orders to hand over data, regardless of where it is stored.

EU Data Act

The new European Data Act entered into force in 2024 and has applied since September 2025. It aims to regulate international governmental access to, and transfers of, non-personal data. In particular, cloud service providers must take legal, technical, and organizational measures to prevent international and third-country governmental access to, and transfer of, non-personal data held in the EU.

NIS2

The NIS2 Directive was introduced by the European Commission in December 2020, officially adopted in May 2022, and entered into force on January 16, 2023. It aims to improve cybersecurity across the EU for a larger group of industries and entities by strengthening cybersecurity risk management processes and reporting obligations. NIS2 also establishes governance requirements, such as training and awareness standards.

DORA

The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force in 2023 and applies from January 2025, aiming to improve the cybersecurity and operational resilience of financial institutions. It standardizes how banks, insurers, and investment firms prepare for ICT (Information and Communication Technology) disruptions, covering incident reporting, resilience testing, and third-party or outsourcing risk. Companies have to make sure that provider obligations align with the company’s regulatory duties.

EUCS

The European Cybersecurity Certification Scheme for Cloud Services (EUCS) aims to create a common EU baseline for cloud security by certifying the cybersecurity measures of cloud services. The goal is to harmonize the security of cloud services with EU regulations, international standards, and industry requirements. At the moment, the EUCS is a candidate certification scheme and has not been finalized.

Importance and approach of data sovereignty for businesses

Many companies already use cloud infrastructures or are planning to move their applications to the cloud. This does not mean that European organizations are prohibited from choosing cloud service providers from the US.

When it comes to data sovereignty, a company’s industry and the type of data it handles are of great importance. Digital workloads responsible for the uninterrupted operation of systems and infrastructure, such as health and emergency services, telecommunications, and the national power supply, are considered critical. Similarly crucial workloads exist at the corporate level, such as ERP systems, SIEMs, and other systems that monitor a company’s cybersecurity posture.

Such critical workloads and systems require high availability, confidentiality, and, therefore, special protection. The organizations responsible for these areas are obligated to ensure complete control over their data and cloud infrastructure.

Companies and organizations with sensitive workloads should consider the following factors when selecting a cloud service provider:

  • Legal requirements: International data protection laws differ in their requirements. In addition, there are industry-specific regulations; failure to comply with them can result in legal or financial penalties. Companies must be aware of the laws that apply to them.
  • Cross-border data transfers: When transferring data across borders, companies must ensure that the necessary legal safeguards are in place at the destination. GDPR requires certain protection measures to be in place when transferring data outside the EU, while some countries require local copies or prohibit exports altogether.
  • Overlapping and extraterritorial laws: Even if company data is hosted in a German data center, a cloud service provider based in the US is still subject to US federal law. In cases involving terrorism or criminal activity, the cloud provider must disclose data to US authorities. Companies should check which jurisdiction their cloud service providers fall under.
  • Operational management: Companies must establish clear rules regarding who is permitted to access data, where backups and recovery systems are stored, and how metadata is managed. Industry regulations often require strict access restrictions, complete audit trails, and strong encryption.
  • Regional access deficits: Locally stored data is subject to foreign data regulations if administrators or support teams from outside the country’s borders can access the cloud environment.
  • Constant regulatory changes: International and industry-specific data regulations can change quickly. Cloud service providers should provide information about these changes and implement them in their infrastructure to ensure data sovereignty.
  • Customized cloud structure: Depending on the workload, a new cloud service provider or a multi-cloud strategy may be necessary. For critical workloads in the EU, it is particularly advisable to move to the sovereign cloud infrastructure of an EU provider. This places the cloud under EU jurisdiction and prevents data access by foreign security authorities.

What is a sovereign cloud?

Similar to the term data sovereignty, hyperscalers and the European Union define a sovereign cloud differently. For the former, a sovereign cloud is an infrastructure that helps companies comply with the data regulations of countries or regions where company data is generated, processed, and stored.

The EU uses the eight levels of data sovereignty described above to define a sovereign cloud. Accordingly, there is no universal definition of the term, but rather different perspectives. What matters is the industry in which companies operate and the workloads they have.

Core capabilities of a sovereign cloud

A sovereign cloud is not characterized solely by a local data center or compliance with laws. Equally important is who has access to the infrastructure, where data and metadata flow, and under which jurisdiction the cloud service provider falls.

According to the EU perspective, a sovereign cloud and its provider should demonstrate the following core competencies, one per CSF perspective. For the full list of considerations, please refer to the CSF.

  • Strategic competencies: To what extent does the cloud provider depend on funding from EU sources? What is the extent of investment, jobs, and value creation within the EU? Does the provider participate in EU initiatives, and if so, to what extent?
  • Legal and jurisdictional competencies: Which international regulations apply that may restrict use or transmission? In which location and under which jurisdiction do the creation, registration, and development of intellectual property fall (EU vs. third countries)?
  • Data and AI competencies: Are there mechanisms that guarantee irreversible deletion of data with verifiable proof? To what extent can AI models and data pipelines be developed, trained, hosted, and managed under EU control to minimize dependence on non-EU technology stacks?
  • Operational competencies: Can the provider guarantee that operational support will be provided from within the EU and will be subject exclusively to the EU legal framework? Is the complete technical documentation, source code, and operational know-how available for long-term autonomy? What is the location and legal control of critical suppliers or subcontractors involved in the provision of the cloud?
  • Supply chain competencies: In which countries is the cloud hardware manufactured or assembled? What is the jurisdiction and origin of the embedded code that controls hardware and firmware? Which jurisdiction governs the packaging, distribution, and updating of the software? Is the entire chain of suppliers and subcontractors in the cloud, including audit rights, transparent and visible to companies?
  • Technology competencies: Is the software accessible under open licenses, with the right to review, modify, and redistribute it to ensure transparency and adaptability? To what extent are the design and functionality of the cloud transparent, including architecture documentation, data flows, and dependencies? How independent is the EU in terms of high-performance computing capabilities, including processors, accelerators, and software ecosystems?
  • Security and compliance competencies: Do security operations centers and response teams operate exclusively under EU jurisdiction? Can companies or EU authorities directly monitor cloud logs, alerts, and monitoring functions? Is it possible to report violations or vulnerabilities in the cloud in a transparent, timely, and EU-compliant manner? Can companies perform maintenance autonomously? Is it possible to develop, test, and apply security patches independently of non-EU providers? Can EU institutions conduct independent security and compliance audits with unrestricted access?
  • Environmental competencies: How energy efficient is the cloud infrastructure? Is hardware reused, refurbished, and disposed of responsibly?

Advantages of a sovereign cloud

With a sovereign cloud, companies avoid legal, operational, and compliance-related risks. The following four advantages explain the importance of a sovereign cloud:

  • Protection against foreign access: A sovereign cloud ensures that data is hosted, processed, and managed within national borders. This means that it is beyond the reach of foreign jurisdiction, such as US federal law.
  • Operational autonomy: The infrastructure enables data to remain under the control of EU-based companies. The companies and their regional teams manage the cloud infrastructure, define access rights, and set encryption levels.
  • Compliance by design: Sovereign clouds are designed so that different data protection regulations, industry standards, and other specific compliance requirements are firmly embedded in the infrastructure. This reduces the risk of non-compliance.
  • Secure encryption: Local security controls defend the environment against cyber threats, and encryption keys are stored locally and controlled by the company itself, so that the cloud provider cannot decrypt or view confidential information.

Sovereign cloud environments from EU providers are the right choice, especially for critical infrastructures: they guarantee local jurisdiction, compliance with the applicable requirements, and local operational structures.

Challenges when choosing a sovereign cloud provider

Choosing a sovereign cloud is a highly complex process. During this process, the infrastructure must be adapted to legal, technical, and operational factors. The following factors represent the most significant challenges.

Data protection regulations are constantly evolving

Compliance and data protection laws in the US, EU, and other regions are evolving rapidly, meaning companies must constantly review and adapt their cloud strategy to ensure continued compliance. Sovereign cloud service providers should ensure that appropriate changes are implemented in their infrastructure.

Company information is subject to varying degrees of protection

Companies need to understand their workloads and the resulting business risks in order to ensure the right level of data sovereignty. Critical infrastructures in particular are subject to strict guidelines, and non-compliance has legal and financial consequences.

Data backups and restores must take place in the same jurisdiction

Data sovereignty requires that backups and recovery systems remain within the same jurisdiction. This can increase provider costs or limit the choice of sovereign cloud services if these systems are located in a different jurisdiction. However, in-jurisdiction backups ensure the continuity of business processes without foreign dependencies.

Sovereign cloud providers should be able to prove their sovereignty

There is no single certification that proves cloud sovereignty. Instead, companies should have access to transparent audits appropriate to the relevant legal jurisdiction and industry, and the assurance that all data will always remain within national borders. Once data crosses these borders, data sovereignty is no longer guaranteed.

How companies choose and implement a sovereign cloud

Selecting and implementing a sovereign cloud requires careful consideration of business operations, scope, and cloud architecture. The following six steps help companies achieve this:

  1. Analyze your most critical workloads: Not every workload requires the same level of data sovereignty. Companies should analyze and evaluate their data, applications, and business risks to help them decide which workloads belong in a sovereign cloud and which could run on public cloud infrastructures.

  2. Analysis of data flow: Companies should analyze where their data and metadata come from and where they flow to. This includes the generation, collection, storage, and backup of data. Doing so enables companies to identify cross-border data traffic and determine which legal protective measures need to be taken into account.

  3. Review of data regulations: On this basis, companies can determine the data regulations and security risks that apply to them. This includes data protection laws such as the GDPR, industry-specific regulations such as DORA, and potential access rights by foreign authorities. The implementation of a sovereign cloud should be brought into line with applicable laws from the outset.

  4. Assessment of the cloud service provider: The provider must have a legal presence in an EU country, operate under local jurisdiction, and employ local teams. The cloud provider must also not be subject to non-EU jurisdiction. For critical infrastructures, a sovereign cloud should operate exclusively within a country’s borders or a region. Accordingly, data centers must also be physically located within the country’s borders or the region. Sovereign clouds from EU providers operate and manage their infrastructure entirely themselves using regional teams.

  5. Encryption assessment: Data encryption should be managed exclusively by the company using BYOK (Bring Your Own Key) or HYOK (Hold Your Own Key) models, in which the company generates and controls its own encryption keys. This ensures complete control over sensitive data and prevents access by the cloud service provider.

  6. Compliance review: The cloud service provider should be able to demonstrate its data sovereignty through audits and industry certifications. These include ISO and IEC certifications, SOC audit reports, and national security standards such as BSI C5 in Germany.

This process enables companies to avoid critical compliance errors, effectively protect all data, and strengthen customer trust.

Sovereign cloud initiatives by US hyperscalers

US hyperscalers are responding to growing awareness of data sovereignty in the EU: Microsoft, Google, and Amazon Web Services have developed their own sovereign cloud initiatives. But how sovereign are they, and can they promise European data sovereignty?

The starting point:
At the beginning of 2025, hyperscalers began publicly promoting their sovereign cloud services. The companies promised local control mechanisms, regional data centers, transparency, and protection from data access by US federal law. This was intended to reassure the European Union about its dependence on US hyperscalers and rebuild trust.

The reality:
In the summer of 2025, it became public knowledge that the hyperscalers’ sovereign cloud initiatives cannot guarantee European data sovereignty. The technology companies themselves have made statements to this effect.

The general manager of Microsoft France, Anton Carniaux, testified under oath before the French Senate that he cannot guarantee that the data of French citizens is safe from access by US authorities. Representatives from Google, Amazon, and Salesforce also stated that they would hand over data belonging to European citizens to US authorities if required to do so by court order.

The reason:
The US hyperscalers want to show the EU that they respect European data sovereignty and resist the influence of US federal law. To this end, they use their sovereign cloud services as marketing tools, an approach that has been successful thanks to their high profile and well-developed ecosystems.

However, as US companies, they are always subject to US laws and must comply with them, even if they operate branches and data centers in EU countries. As of now, only sovereign clouds from EU providers guarantee true data sovereignty as defined by the European Union.

Conclusion

The European Union and US hyperscalers define data sovereignty and sovereign cloud infrastructures differently. From the EU’s perspective, true data sovereignty encompasses legal, technological, operational, and compliance-related aspects. Selecting the right sovereign cloud, therefore, requires careful analysis of workloads, data flows, relevant regulations, and the cloud provider’s capabilities in terms of control, transparency, and local presence.

US hyperscalers have promoted their own initiatives for sovereign clouds. However, due to their jurisdiction, they remain subject to US laws and cannot guarantee complete data sovereignty as defined by the EU. True data sovereignty that meets EU requirements can therefore only be guaranteed by sovereign clouds from European providers. A sovereign cloud from EU providers offers companies, in particular those with critical infrastructures, protection against foreign data access, operational autonomy, compliance by design, and secure encryption.

FAQ about data sovereignty and sovereign cloud

What is the data sovereignty principle?

European data sovereignty refers to the self-determined control over the collection, storage, and processing of data from eight distinct perspectives. Keeping data in one country or region is one principle. Who controls cloud operations, access rights, metadata, and technical support, and which data protection laws apply, is just as important.

What is the difference between data residency and data sovereignty?

Data sovereignty refers to the self-determined control over the collection, storage, and processing of data from eight distinct perspectives. Data residency refers to the geographical or physical location where corporate data is stored and processed.

Does GDPR relate to data sovereignty?

Yes, GDPR (General Data Protection Regulation) is one of the data regulations that determines the concept of data sovereignty. It regulates how personal data is collected, processed, and transferred, including strict rules and rights for data subjects.

Does the US have data sovereignty laws?

Several US federal laws affect data sovereignty; the US Cloud Act is one of them. It allows US law enforcement authorities to conduct efficient investigations. A cloud provider subject to US jurisdiction can receive lawful orders to submit data wherever it is stored, even if hosted in the EU.

What is the sovereign cloud?

Similar to data sovereignty, the EU defines a sovereign cloud using the eight levels of data sovereignty, emphasizing the importance of the industry and workloads of the companies.

How big is the sovereign cloud market?

The sovereign cloud market is expanding quickly, with analysts expecting it to reach tens of billions of euros within the next few years. US hyperscalers still dominate the sovereign cloud market in the European Union, even though the EU and companies are increasingly aware that these infrastructures do not comply with European data sovereignty. Sovereign clouds from EU providers, on the other hand, are becoming increasingly important.

Sources:

European Commission: Cloud Sovereignty Framework (Version 1.2.1, Oct. 2025): https://commission.europa.eu/document/download/09579818-64a6-4dd5-9577-446ab6219113_en?filename=Cloud-Sovereignty-Framework.pdf

Netherlands Court of Audit: https://english.rekenkamer.nl/publications/reports/2025/01/15/dutch-central-government-in-the-cloud

Bitkom: https://www.bitkom.org/sites/main/files/2025-06/bitkom-pressekonferenz-cloud-report-2025-praesentation.pdf
