Why many “sovereign clouds” aren’t actually sovereign

When hyperscalers launched their European “sovereign cloud” offerings, the promise sounded reassuring: EU data centres, EU staff, EU operations. On closer inspection, that promise often collapses.

This article sets out the structural and legal basis for evaluating “sovereign cloud” claims, with references to applicable law and documented failure cases.

The comforting story

Most sovereign cloud propositions emphasise where data is stored:

• Data centres in the EU
• Operations run by European entities
• Compliance with GDPR and EU regulations

For many buyers, that feels like sovereignty. It is not.

The fine print that matters

Behind the marketing, the underlying structure often remains unchanged:

• US parent ownership
• US legal control
• Exposure to US extraterritorial laws, including the CLOUD Act

This is not a theoretical risk.

An organisation may store its data in Frankfurt or Paris and fully comply with GDPR. Yet if the provider falls under US jurisdiction, US authorities can legally compel access to that data. In some cases, this can happen without customer notification and without EU judicial oversight.

The data location is not sovereign.
The controlling entity is.

What real digital sovereignty requires

Genuine sovereignty is structural. It cannot be added as a policy layer.

At minimum, it requires all three of the following:

1. Legal independence
   The provider must not be subject to non-EU jurisdictions that can assert control over data.

2. Customer-controlled encryption
   Encryption keys must be held by the customer, not merely managed on their behalf. The provider should be technically incapable of accessing plaintext data.

3. Enforced technical architecture
   Sovereignty must be guaranteed by design, not by contracts, promises, or internal procedures.

Many so-called sovereign cloud offerings fail on at least one of these points. Some fail on all three.

A simple test before you buy

Before accepting any sovereign cloud claim, ask one question:

Can a foreign government legally force this provider to hand over my data without telling me?

If the answer is anything other than a clear and unambiguous “no”, then what you are buying is reassurance — not sovereignty.

Why this keeps happening

The problem is not bad faith. It is structural.

Sovereignty is expensive.
It limits acquisition, growth, and exit options.
It constrains ownership models and governance choices.

Marketing, by contrast, is cheap.

As long as sovereignty is framed as a location problem rather than a control problem, this gap will persist.

Sources

• US Congress, CLOUD Act (2018) – https://www.congress.gov/bill/115th-congress/house-bill/4943
• Executive Office of the President, Executive Order 12333 – https://www.archives.gov/federal-register/codification/executive-order/12333.html
• Court of Justice of the European Union, Schrems II (Case C-311/18) – https://curia.europa.eu/juris/liste.jsf?num=C-311/18
• The New York Times, Microsoft suspends ICC-related email services after US sanctions – https://www.nytimes.com/2025/06/20/technology/us-tech-europe-microsoft-trump-icc.html