Who really controls your data? The test of sovereign cloud
Cloud sovereign has become one of the most widely used terms in business technology.
Nearly every major vendor has gone to great lengths to market their version, promising that data “resides locally” or “is confined to Europe,” but the key question remains: what does true cloud sovereignty actually mean?
For governments, regulators, and businesses managing sensitive workloads, it is critical to distinguish between what is marketed as sovereign and what actually is.
The dominance of American hyperscalers in Europe makes this challenge even more urgent. Amazon Web Services, Microsoft Azure and Google Cloud together control more than two-thirds of the region’s cloud computing market, raising concerns about jurisdictional control and the limits of so-called European cloud offerings.
As the demand for sovereignty and resilience increases, the question is how Europe can build a more balanced and independent cloud ecosystem.
Defining true sovereignty
The sovereign cloud is not just about where data physically resides, but also about who has legal authority over it and the dependencies associated with it, including technology, supply chains and dependence on vendors, which can either enable or restrict freedom of action in the sense of sovereignty.
Data residency answers the question “where”, sovereignty answers the question “who” and “how far”. This distinction is crucial when considering different aspects of sovereignty. Consider, for example, the question of legal authority, in light of legislation such as the US CLOUD Act and Section 702 of the Foreign Intelligence Surveillance Act (FISA).
Both pieces of legislation authorize U.S. courts and agencies to require U.S.-based companies to provide access to investigation-related data through warrants or other processes, even when it is housed abroad.
In practice, this means that a European bank, healthcare provider, or government department that relies on a U.S. cloud operator cannot easily determine whether the data of some of its European customers was provided to U.S. law enforcement or intelligence services, even if the data resided outside the United States.
For organizations dealing with sensitive information, this exposure is not theoretical. This is a real compliance and trust issue.
True sovereignty therefore requires more than local accommodation. This requires that the infrastructure and jurisdiction be aligned with the client’s legal environment.
It also requires interoperability and portability between cloud environments, allowing organizations to choose where and how workloads run without being locked into a single provider.
It also requires transparency about the underlying technology and supply chain, as well as the ability to manage risks and make choices that reduce dependencies or concentration.
The lingering questions
This is why many questions remain around the sovereign offerings of global hyperscalers. The providers have all launched initiatives emphasizing reinforced European control or partnerships with local entities.
However, as parent companies remain subject to US law, clients remain concerned about the existence of a jurisdictional loophole. Simply put, sovereign envelopment of non-sovereign foundations does not fully solve the problem in all cases.
Customers may obtain greater guarantees regarding data localization or operational independence, but unless the operating entity is legally insulated from foreign jurisdictions and allows customers to make choices, the claim to sovereignty remains partial.
For mission-critical workloads, such as those in the public sector, regulated industries, and AI applications, reliance on U.S.-controlled clouds introduces operational and compliance risks that cannot be fully mitigated by local hosting alone.
Why it matters now
The speed of market growth makes clarity urgent. The global sovereign cloud market size is expected to grow from $154.69 billion in 2025 to $823.91 billion by 2032. Europe alone accounted for approximately 37% of the global market in 2024.
This growth reflects the increasing demand for secure and trusted environments, particularly in Europe, where regulatory frameworks such as DORA, GDPR and the Data Act emphasize local control, risk management, supply chain transparency and concentration risk.
The European Union, for example, has made digital sovereignty a strategic priority, while countries like Germany and the United Kingdom are exploring frameworks to ensure their critical data assets cannot be subject to legal claims abroad. The direction to follow is clear, sovereignty must be defined and applied, not assumed.
Clear standards and stronger ecosystems
What is missing today is a coherent framework defining what constitutes a sovereign cloud.
EU member states have created cloud certification systems like C5 in Germany and SecNumCloud in France that contain sovereignty criteria. DGIT, the IT department of the European Commission, has made a notable attempt in the context of public procurement to define sovereignty in the form of a scale of requirements.
All these attempts, although welcome, demonstrate the fragmentation of the European market. Customers are often faced with competing claims and complex technical language without clear standards of comparison.
A truly sovereign cloud must ensure that data is controlled, accessed and governed exclusively within the customer’s jurisdiction.
To achieve this, we must not give up on global innovation. This requires allowing local providers to provide services that meet sovereignty criteria without compromise. European cloud service providers such as Redcentric and ANS are well placed to fulfill this role.
By operating within local legal and compliance frameworks and investing locally, they can give organizations real control over their data. In many cases, this control is best achieved in private cloud environments, where infrastructure, governance, and operational authority can be directly aligned with sovereignty requirements.
Technology providers have a role to play in supporting this ecosystem. By providing the platforms, infrastructure software and interoperability frameworks, they can empower local providers without becoming operators themselves.
This distinction is important. This avoids entanglement with foreign jurisdictions while fostering an environment in which sovereignty is embedded by design rather than reinforced afterwards.
A sovereign future by design
As the market evolves, the focus shifts from whether the sovereign cloud exists to whether it actually meets customer needs. Claims of local accommodation and compliance must be tested against judicial review. Cloud services should be designed for sovereignty from the start, with governance structures aligned with the data they protect.
Ultimately, the sovereign cloud debate is about more than technology. It reflects broader issues of trust, independence, skills development, economic growth, resilience and control in the digital economy. For businesses and governments alike, putting an end to the hype will be essential to ensure that sovereignty is real, not rhetorical.
We have presented the best protection against identity theft.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we feature the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you would like to contribute, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
