From Theory to Requirement
Eighteen months ago, sovereign cloud was primarily a European policy discussion. GAIA-X was developing its governance framework. National cloud strategies were being written. European cloud providers were making sovereignty positioning statements. The enterprise procurement conversations that were happening were cautious and exploratory.
The position in late 2023 is different. Sovereign cloud has become an active procurement requirement for a growing number of European enterprises, driven not by abstract sovereignty principles but by specific regulatory obligations, commercial risk assessments, and sector-specific requirements that have crystallised faster than most organisations anticipated.
The three forces converging to make this conversation urgent are distinct but reinforcing. Understanding them separately is important for organisations trying to assess how sovereign cloud requirements apply to their specific context.
Force One: Tightening Data Protection Regulation
The regulatory foundation for European data sovereignty is built on GDPR, but the specific obligations driving sovereign cloud procurement are more recent developments in how data protection obligations are interpreted and enforced.
The Schrems II ruling of July 2020 invalidated the EU-US Privacy Shield and established that transfers of personal data to the US require additional safeguards beyond standard contractual clauses, because the protections available under US law do not meet GDPR’s adequacy standard. The subsequent enforcement by European data protection authorities has been uneven but directional: organisations in several member states have been found to violate GDPR through data transfers to the US for analytics services, web services, and cloud infrastructure, even where standard contractual clauses were in place.
The new EU-US Data Privacy Framework, adopted in July 2023, provides a new adequacy determination for the US that is expected to resolve the Schrems II problem for organisations whose US providers are certified under the framework. However, this framework itself faces legal challenge from privacy advocates who believe it does not address the surveillance law concerns that drove Schrems II in the first place. The possibility of a Schrems III ruling that invalidates the new framework has led some European organisations, particularly those in highly regulated sectors, to avoid reliance on the EU-US Data Privacy Framework and to seek architectures that do not require data transfers to the US at all.
Force Two: Geopolitical Risk in Hyperscaler Supply Chains
The second force is less regulatory and more strategic: a growing enterprise risk assessment that concentrating critical digital infrastructure in hyperscalers subject to non-European jurisdiction creates business risk that was underweighted in earlier cloud strategy decisions.
The specific concern is the US CLOUD Act, enacted in 2018, which allows US law enforcement to compel US-based companies to provide data stored outside the US without going through the legal process of the country where the data is held. Major US hyperscalers are subject to the CLOUD Act regardless of where their data centres are located. This means that an organisation’s European-hosted cloud data can potentially be accessed by US authorities through legal process served on the US parent company, without the notification requirements that European law would typically impose.
The operational risk this creates is not primarily about US government surveillance of European enterprise data, which is a low-probability scenario for most organisations. It is about the due diligence and liability questions that arise when organisations cannot give customers, regulators, and boards categorical assurance about who can access their data. For enterprises in regulated industries where demonstrating data access controls is part of their regulatory obligations, the inability to exclude CLOUD Act access is a material compliance gap.
Force Three: Sector-Specific Regulatory Requirements
The third force is the emergence of sector-specific regulatory requirements that effectively mandate sovereign cloud architectures for organisations in those sectors.
In financial services, the European Central Bank and national financial supervisors have increased expectations for operational resilience and data sovereignty in the financial institutions they supervise. The ECB’s cloud outsourcing guidance requires financial institutions to maintain effective control over their data and systems even when using cloud services, and to demonstrate that they can exit a cloud provider relationship without material operational disruption. These requirements, combined with DORA’s operational resilience testing and third-party risk management obligations, are driving financial institutions toward sovereign cloud architectures that provide the control and exit capability the regulators require.
In healthcare and public administration, national and EU-level data governance requirements for health data and public sector data are creating sovereign cloud mandates. The European Health Data Space regulation will impose data governance requirements on health data that effectively require European cloud infrastructure for its most sensitive categories.
In critical infrastructure, NIS2’s requirements for operational security and the CER Directive’s operational resilience requirements are creating pressure for cloud infrastructure with demonstrable sovereignty characteristics, particularly for operators whose services are deemed essential under national security assessments.
The Honest Assessment of What Sovereign Cloud Currently Offers
The pressures described above are real, but the sovereign cloud options available to European enterprises in late 2023 are not perfectly matched to them.
For data residency, the requirement is well served. Every major hyperscaler offers EU-based regions with strong data residency commitments. For organisations whose sovereign cloud requirement is primarily data residency, the current hyperscaler offerings are adequate.
For operational sovereignty and CLOUD Act protection, the options are more limited. The hyperscalers have invested significantly in technical controls and operational separation designed to limit non-European personnel access to European customer data, but the adequacy of these controls for the most demanding regulatory requirements is contested. European cloud providers that operate entirely under European jurisdiction offer more credible protection from CLOUD Act exposure but at a capability level that is significantly below hyperscaler alternatives.
For EU-certified sovereign cloud, the EUCS certification scheme has not yet been finalised, and the highest assurance tier remains under political negotiation. The certification landscape will clarify in 2024.
The Strategy That Makes Sense Now
The enterprise cloud strategy that makes sense for European organisations facing sovereign cloud requirements in late 2023 is not to wait for the perfect sovereign cloud option or to migrate everything to European providers. It is to implement a data classification and workload tiering approach that matches different workloads to the cloud architecture appropriate for their sovereignty requirements.
The highest-sensitivity workloads, those subject to the strictest regulatory requirements, use sovereign cloud architectures even at the cost of reduced capability. The medium-sensitivity workloads use hyperscaler EU-region deployments with maximum contractual protections, operational controls, and monitoring of the sovereignty controls in place. The lowest-sensitivity workloads use hyperscaler infrastructure with standard protections.
This is not a complete sovereignty solution. It is a risk management approach that proportions the sovereign cloud investment to the actual sovereignty requirement of each workload category. It also positions the organisation to adapt as the sovereign cloud market matures and the regulatory requirements clarify.
The conversation is urgent because the market is developing and the regulations are being enforced. The organisations that start the workload classification exercise now will be ahead of the ones that wait for certainty that is not coming.