Digital sovereignty is no longer a topic reserved for legal experts, cybersecurity professionals, or European institutions. It now plays a central role in decisions made by companies, public administrations, and technology providers. The reason is straightforward: a large portion of essential digital services depends on cloud infrastructures controlled by major U.S. companies, and this dependence is increasingly viewed as a practical risk, not just a political one.
The debate has gained renewed momentum in Finland after Joel Pihlajamaa, founder and CTO of UpCloud, spoke to Talouselämä about one of the most sensitive issues of the moment. According to information shared by the company based on that interview, between 70% and 80% of Finland’s public sector services may rely on U.S.-based cloud providers. While this figure is an estimate, it illustrates a problem that isn’t unique to Finland: Europe has digitalized some of its most critical services by relying on infrastructure over which it does not always have full legal, operational, or strategic control.
The question isn’t whether Amazon, Microsoft, or Google provide quality technology—they do, often with unmatched scale, resilience, and managed services. The real issue is who controls the infrastructure, what legislation applies, what happens if the geopolitical context shifts, and how much actual flexibility an organization has to switch providers once its critical systems are deeply integrated.
Dependency, jurisdiction, and technological lock-in
Digital sovereignty doesn’t mean keeping all data within borders or rejecting foreign providers on principle. It means being able to decide where data resides, under what legal framework it is processed, who can access it, what technical dependencies exist, and whether an organization can realistically change providers without disrupting its services.
This is where Pihlajamaa highlights an important point: Europe has the technical capacity to build alternatives. It’s not starting from zero. There are European cloud providers, data centers, networks, software, cybersecurity solutions, databases, container platforms, and managed services. What is often lacking is scale, visibility, ambitious public procurement, and a strategy that doesn’t reduce cloud to a simple price comparison per virtual machine.
The second point is legal. A significant portion of European critical data could fall under extraterritorial norms when hosted by providers subject to non-European jurisdictions. The debate over the U.S. CLOUD Act and its compatibility with GDPR has been ongoing for years. Not all cases are the same, and major providers have developed solutions for data residency and additional controls for European clients. Still, concerns remain: hosting data in Europe doesn’t always mean full control if the provider is governed by a parent company outside the EU.
The third challenge is vendor lock-in. Many organizations start using cloud services for flexibility but end up trapped by proprietary services, platform dependencies, specific databases, automation tools, closed APIs, exit costs, and teams trained in a single environment. Migrating later is not impossible but is often expensive, slow, and risky. For public administrations or regulated companies, that risk weighs as heavily as their monthly bill.
Europe is beginning to take action
The concern over cloud sovereignty isn’t new, but the context has changed. Artificial intelligence, cybersecurity, the war in Ukraine, trade tensions, and growing dependence on digital services have made infrastructure a strategic issue. Cloud isn’t just “where an application runs”—it underpins public procedures, health records, financial systems, corporate communications, educational platforms, and emergency services.
The European Commission has started translating this concern into procurement criteria. In 2026, it awarded a sovereign cloud contract valued at up to €180 million to European providers and developed a Cloud Sovereignty Framework to measure sovereignty against specific objectives, such as legal control, operational independence, security, technological openness, supply chain transparency, and compliance with European legislation.
This kind of movement won’t completely eliminate dependency by itself. The European cloud market is still dominated by U.S. hyperscalers, and many companies won’t rewrite their architectures overnight. But it sends a clear message: digital sovereignty is beginning to be reflected in tender specifications, not just rhetoric.
It’s also noticeable in the market. European providers like UpCloud are positioning themselves as alternatives for organizations aiming to keep data and workloads within European jurisdictions. UpCloud highlights its presence across multiple European data centers and has strengthened messaging targeted at the public sector, data residency, and reducing external dependencies. This is a commercial stance, but it also aligns with a real demand: more companies want to know not just how much the cloud costs, but who controls it.
It’s not about switching clouds overnight
The biggest mistake would be to view digital sovereignty as an immediate ideological migration. Many organizations rely on advanced services from major providers—analytics, AI, cybersecurity, distributed databases, DevOps tools, serverless platforms, or global low-latency services. Replacing all of these at once can be unfeasible or even counterproductive.
The most practical approach involves classifying workloads. Not all data has the same sensitivity. A public website differs vastly from a healthcare system, a tax database, a digital identity platform, or an administrative document repository. Some workloads can remain in global environments; others should have stricter requirements around jurisdiction, portability, encryption, auditing, and operational control.
Designing exit strategies from the outset is also essential: contracts should include real portability, open standards, containers, Kubernetes, less proprietary databases, exportable backups, encryption with customer-controlled keys, and tested migration plans. Sovereignty begins not when you decide to leave a provider but when you ensure you won’t get locked in in the first place.
For public administrations, this issue is even more sensitive. If a country wants to maintain autonomy over essential services, it must be able to operate, audit, and recover critical systems even in scenarios of legal, commercial, or geopolitical tension. This doesn’t mean technological isolation, but rather diversifying and reducing single points of dependency.
An industrial opportunity for Europe
Pihlajamaa suggests that transitioning to European cloud providers represents a growth opportunity for the region. The idea makes sense. To compete in AI, digital services, cybersecurity, and enterprise software, Europe needs more than regulation—it requires its own infrastructure, capable companies that can scale, and both public and private clients willing to purchase European technology that meets standards.
The challenge is significant. European providers cannot compete solely on sovereignty; they also need to deliver performance, availability, quality support, competitive prices, modern tools, industry-standard integration, and user experiences that meet technical teams’ expectations. Sovereignty can open the door, but quality service keeps customers loyal.
The opportunity extends beyond basic cloud. There’s room for data platforms, sovereign AI services, secure storage, edge computing, immutable backups, observability, identity solutions, managed cybersecurity, and sector-specific solutions for health, administration, industry, or finance. The more regulated or sensitive the sector, the greater the value of infrastructure under European control.
The Finnish debate reflects a broader conversation happening across Europe. U.S. cloud services will remain important, but they are no longer accepted without question. Companies and governments are starting to review where their data resides, what contracts they’ve signed, what risks they’ve assumed, and what alternatives exist.
Digital sovereignty is not about closing doors but about regaining the power to choose. That ability begins with a very simple question: if tomorrow it became necessary to move a critical service, could it be done without losing control?
Frequently Asked Questions
What is digital sovereignty in the cloud?
It is an organization’s ability to control where its data is hosted, under what laws it is processed, who can access it, and the practical scope for changing providers.
Why is dependence on U.S. providers concerning?
Because many critical European workloads run on infrastructure operated by companies subject to non-European laws, raising concerns about data access, contractual dependence, operational continuity, and the ability to exit.
Does this mean companies must abandon AWS, Azure, or Google Cloud?
Not necessarily. The most realistic strategy is to classify workloads, impose sovereignty requirements where needed, avoid technological lock-in, and diversify providers for the most sensitive systems.
What opportunities do European cloud providers have?
They can grow if they deliver competitive infrastructure under European jurisdiction, with guarantees of data residency, portability, security, and proper support for companies and public entities.
via: LinkedIn

