Sovereign Cloud: Why European Enterprises Are Asking Questions That Nobody Has Good Answers to Yet

A Concept Whose Time Has Arrived Before the Market Has Caught Up

Data sovereignty in cloud infrastructure has been a European regulatory preoccupation for several years. The Schrems II ruling in 2020, which invalidated the EU-US Privacy Shield framework, established the principle that personal data of EU citizens cannot be transferred to jurisdictions that lack equivalent data protection standards unless additional safeguards are in place. GAIA-X, the European cloud infrastructure initiative, was launched to provide a framework for digital sovereignty in European cloud. EU cloud certification schemes under ENISA have been developing a tiered assurance model.

What has changed in 2023 is the transition from regulatory discussion to procurement requirement. European enterprises in financial services, healthcare, public sector technology, and critical infrastructure are being asked by regulators, customers, and boards to demonstrate that their cloud infrastructure meets sovereignty requirements that the standard public cloud offerings from global hyperscalers do not fully satisfy. The question is no longer theoretical.

The problem is that the answers are not fully available. The sovereign cloud market is developing in response to regulatory requirements that are themselves still being defined. European enterprises asking suppliers about sovereign cloud capability are frequently receiving answers that are partly aspiration and partly reality, with the boundary between the two not always clearly drawn.

What Sovereign Cloud Actually Means in Practice

Sovereign cloud is not a single concept. It encompasses several distinct requirements that may apply in different combinations depending on the organisation’s regulatory context, sector, and the specific data categories involved.

Data residency, the requirement that data is stored and processed within a defined geographic boundary, is the most commonly understood dimension. European cloud customers have been able to specify European data regions with the major hyperscalers for several years. Data residency addresses where data is stored; it does not address who has access to it.

Operational sovereignty, the requirement that cloud infrastructure is operated by personnel who are subject to European jurisdiction and cannot be compelled by non-European legal systems to provide access to data, is more demanding. The concern is that hyperscaler employees in non-EU jurisdictions with access to European customer data could be compelled under foreign legislation, such as the US CLOUD Act, to provide access to that data without triggering EU data protection notification requirements. Hyperscalers have responded with operational controls, staff separation commitments, and technical access controls designed to address this concern; the adequacy of these controls is contested by European regulators.

Regulatory control and certification is the third dimension: the requirement that the cloud infrastructure and its operator are certified under European regulatory schemes and subject to European supervisory authority. ENISA’s European Cybersecurity Certification Scheme for Cloud Services (EUCS) is intended to provide this assurance, but as of mid-2023 the certification scheme has not yet been finalised and the highest assurance tier remains subject to political negotiation about whether non-European providers can qualify.

Where the Genuine Capability Gaps Still Exist

The sovereign cloud market in mid-2023 has genuine capability in some dimensions and significant gaps in others. An honest assessment for enterprise technology leaders looks like this.

Data residency is well served. Every major cloud provider offers EU-based regions with commitments that data will not leave those regions without explicit customer configuration. For organisations whose primary sovereignty requirement is data residency, the current hyperscaler offerings satisfy the requirement.

Operational sovereignty is partially addressed. The hyperscalers have invested significantly in technical and operational controls designed to limit non-European personnel access to European customer data. The adequacy of these controls for regulated organisations, particularly in financial services and public sector, remains disputed between providers and regulators. Organisations requiring high assurance on operational sovereignty should seek specific legal and regulatory counsel rather than relying on provider representations.

EU-certified sovereign cloud options are limited. The European cloud providers that can credibly offer operational sovereignty under European jurisdiction are smaller than the hyperscalers and offer more limited capability portfolios. For organisations requiring the highest level of sovereignty assurance, particularly those that fall under EUCS high assurance requirements when the scheme is finalised, the choice of providers is currently narrow and the capability gaps relative to hyperscaler offerings are significant.

How to Incorporate Sovereignty into Cloud Strategy

The strategic mistake is to treat data sovereignty as a binary: either you are on a hyperscaler and sovereignty is unaddressed, or you are on a European cloud provider and sovereignty is solved. The reality is more nuanced and requires more careful architectural thinking.

The appropriate approach for most European enterprises is a data classification and workload categorisation exercise that maps different data types and workloads to appropriate cloud environments based on their specific sovereignty requirements. Data that carries the highest regulatory sensitivity, such as health records subject to strict national regulation or financial data subject to DORA requirements, may require the highest level of sovereign cloud assurance. Less sensitive operational data may be adequately served by hyperscaler EU-region deployments with operational controls.

This workload-based approach requires hybrid and multi-cloud architectures that can serve different workloads from different environments with appropriate data governance controls between them. It is more complex to operate than a single-provider deployment, and the operational complexity needs to be factored into the investment case.

Cloud contracts also need attention. Standard hyperscaler terms may not provide the specific contractual commitments on data access, audit rights, and operational sovereignty that regulated European enterprises require. Negotiating appropriate data processing agreements, including provisions that address the CLOUD Act exposure where it is relevant, is legal and procurement work that should accompany the technical architecture decisions.

The Questions Worth Asking Suppliers

The sovereign cloud conversation with cloud providers is more productive when it asks specific questions rather than generic ones. Which data categories can be processed in a configuration that satisfies EUCS high assurance requirements, and what is the timeline for achieving that certification? What specific technical and operational controls prevent non-EU personnel from accessing customer data without a European legal process? What contractual protections are available against compelled disclosure under foreign legislation? And what is the provider’s roadmap for closing the gaps between current offerings and emerging regulatory requirements?

Providers that can answer these questions specifically are more likely to deliver on sovereign cloud commitments than those that respond with architectural principles and roadmap intentions. The market is developing, and the questions worth asking are the ones that distinguish current capability from future aspiration.
