The “Sovereign Cloud” has become one of the most repeated tags in the tech industry. Microsoft, AWS, and Google have strengthened their European proposals in recent months with messages about data residency, local operation, enhanced controls, encryption, isolated regions, and regulatory compliance. The problem is that the word “sovereign” is being used to describe very different realities.
The core issue is no longer just where the data center is located. A server in Frankfurt, Paris, Madrid, or Amsterdam can improve latency, facilitate GDPR compliance, and reduce international transfers, but it doesn’t, by itself, answer the central question: under which jurisdiction does the provider operating the infrastructure, management plane, support, keys, software, and service continuity operate?
Data Residency is Not Sovereignty
For years, much of the market has equated data residency with sovereignty. The simple idea was: if data is stored and processed within the European Union, European customers are protected. But that claim has proven inadequate.
The debate has shifted because extraterritorial laws weigh as heavily as the physical location of the servers. The U.S. CLOUD Act, passed in 2018, allows U.S. authorities to request data controlled by companies under U.S. jurisdiction, even if that data is stored outside the U.S., as long as legal procedures are followed. AWS, Microsoft, and other providers insist that there is no automatic or unlimited access, and that requests must meet legal requirements. However, legal exposure remains a real concern for governments, defense, healthcare, energy, justice, banking, or critical public services.
The case of Microsoft before the French Senate made this very clear. According to reports from The Register, Microsoft France representatives swore under oath that they could not guarantee that French citizens’ data would not be transmitted to U.S. authorities under a valid legal order. The company emphasized that it reviews, limits, and fights unwarranted requests, but the key answer was that it could not provide an absolute guarantee.
That is where sovereignty stops being just a marketing slogan. A cloud may have European data centers, European personnel, advanced technical controls, and solid contractual commitments. But if the parent company is subject to foreign jurisdiction with legal authority over the provider, sovereignty is not full. It may be an improvement over a conventional global cloud but does not necessarily equate to European control.
| Concept | What it Means | Why It Matters |
|---|---|---|
| Data Residency | Data is stored in a specific region | Helps compliance but doesn’t resolve jurisdiction |
| Operational Sovereignty | The service can operate without critical external dependence | Important in crises, sanctions, or geopolitical disruptions |
| Legal Sovereignty | The provider falls under European laws and control | Reduces exposure to extraterritorial norms |
| Control Plane Sovereignty | Administration, support, keys, and privileges are under local control | Prevents third-party intervention in the service |
| Supply Chain Sovereignty | Software, hardware, and dependencies are auditable and controllable | Reduces risks hidden in critical technical layers |
| Real Sovereignty | Combines legal, technical, operational, and governance control | Requires more than just a marketing label |
EU Moves from Rhetoric to Confidence Levels
The European Commission has begun to formalize this distinction. Its new technological sovereignty package, announced on June 3, 2026, includes the proposal for the Cloud and AI Development Act, a regulation that introduces a tiered framework to evaluate cloud and AI services in the public sector. The proposal still needs negotiations between the Commission, European Parliament, and member states but already sets a clear political direction.
According to Tech Policy Press, the framework proposes four confidence levels for cloud services used by public authorities. Criteria include ownership and control, supply chain dependencies, data processing, infrastructure location, and cybersecurity. All public entities should use at least Level 1 services, while more sensitive functions—such as national security, defense, law enforcement, or border management—must rely on higher levels subject to independent audits.
TechTimes describes this framework more directly: Level 1 focuses on infrastructure physically located in the EU; Level 2 adds independence from third-country governments and supply chain transparency; Level 3 requires ownership and control within the EU; and Level 4 demands full control and transparency over the entire software supply chain, with no interference from third countries.
The implication is clear. A U.S. hyperscaler may meet data residency requirements or even create isolated European regions, but it will find it difficult to achieve the highest levels if it remains subject to U.S. legislation. It’s not about their technology being inferior. Many are global leaders in scale, security, availability, service catalog, and innovation. The issue lies elsewhere: who holds the final legal authority over the provider?
The Commission itself acknowledges the scale of dependency. According to Tech Policy Press, U.S. cloud providers control over 70% of the European cloud market, while the EU produces less than 10% of global semiconductors and spends about €264 billion annually, mostly on proprietary U.S. IT products and services. Europe seeks to correct this asymmetry but cannot do so by simply changing labels.
Industry Reactions Confirm That Change Matters
The responses from U.S. tech lobbying groups show that the European proposal is not superficial. The Computer and Communications Industry Association, representing major U.S. tech firms, labeled the higher levels of the framework as “closed market” requirements disguised as public policy thresholds, according to TechTimes. They argue these criteria could intentionally exclude international providers from sensitive contracts.
This critique has some commercial logic. If the EU demands European control for critical workloads, major U.S. providers will lose access to some sensitive public markets. But it also confirms that sovereignty levels have tangible effects. If it were purely marketing, there wouldn’t be so much resistance.
The debate isn’t about whether AWS, Microsoft, or Google are good or bad providers. It’s more uncomfortable: Europe has delegated much of its critical digital infrastructure to non-European companies for years. Now, it’s trying to regain leverage in a context where the cloud is no longer just a business tool but the foundation of government, AI, defense, healthcare, energy networks, and the digital economy.
Hyperscalers have responded with their own solutions. AWS launched its European Sovereign Cloud, positioned as an independent infrastructure for Europe. Microsoft announced new sovereignty capabilities for European customers and its Microsoft Sovereign Cloud proposal. Google has collaborated with Thales on S3NS and new sovereign cloud initiatives in Europe. All these responses are relevant and may cover many use cases, but they do not automatically resolve the fundamental legal question.
This is why a new distinction is gaining relevance in the market: not all clouds branded as “more sovereign” are equivalent to fully sovereign clouds. There are degrees—controls, residual risks, and different use cases. For a corporate website, a commercial app, or a non-critical load, a European region of a hyperscaler might suffice. But for state secrets, judicial data, defense, critical infrastructure, or sensitive public AI, the bar is much higher.
Sovereignty Also Requires Building European Capacity
Europe is right in demanding more control over its critical data, but this demand will only be credible if accompanied by real industrial capacity. It’s not enough to exclude or limit; Europe must build competitive alternatives in cloud, software, cybersecurity, chips, AI, networks, data centers, energy, and talent.
The European Commission is aware of this. Its technological sovereignty package includes measures to accelerate data center zones, coordinate cloud capacity among member states via a future EuroCloud Federation, promote national strategies for cloud and AI, and review semiconductor policies with a Chips Act 2.0. Tech Policy Press reports that investment needs are enormous: €120 billion for semiconductors, €200 billion for data centers through 2036, €100 billion for cloud & AI, and €2 billion for open-source software over seven years.
Sovereignty isn’t decreed overnight. It requires robust providers, interoperability, open standards, funding, smart public procurement, and clients willing to pay for more than just the virtual machine price. It also involves avoiding “sovereignty washing”: solutions that appear European in commercial layers but rely heavily on foreign technology, support, control, or ownership.
The EU’s first sovereign cloud contract, worth €180 million, already illustrated this complexity. Awarded to European groups like Post Telecom with CleverCloud and OVHcloud, StackIT, Scaleway, and Proximus, it faced criticism from CISPE over the inclusion of S3NS, a joint venture of Thales and Google Cloud, as risking institutionalizing incomplete sovereignty. The Commission defended that non-European technologies operated under strict governance can meet certain thresholds, confirming that the debate won’t be binary.
The key question for companies and administrations is no longer “Is my cloud in Europe?” but rather “What level of sovereignty do I need?” Not all data require the same treatment. But the most sensitive data demand a clear answer regarding ownership, jurisdiction, support, keys, continuity, auditability, and operating under geopolitical pressure.
The sovereign cloud is no longer just a comfortable label. Europe is starting to turn it into a legal and operational classification. That may upset those selling sovereignty as just data residency under another brand, but it will also make buyers more rigorous. In the end, the real question isn’t whether the server is in Frankfurt. It’s who can turn it off, operate, audit, legally obligate, or access its data when things get complicated.
Frequently Asked Questions
What’s the difference between a sovereign cloud and data residency?
Data residency indicates where data is stored or processed. Sovereign cloud adds other elements: provider jurisdiction, operational control, keys, support, supply chain, service continuity, and resilience to external interference.
Is an AWS, Microsoft, or Google cloud in Europe truly sovereign?
It can meet residency, security, and local operation requirements, but not necessarily full sovereignty if the provider remains under extraterritorial laws of third countries. It depends on the use case, architecture, and control levels required.
What does the new European cloud and AI proposal propose?
The Cloud and AI Development Act introduces trust levels for cloud and AI services used by the public sector. More sensitive workloads would require higher sovereignty levels, with stricter requirements on ownership, control, supply chain, and jurisdiction.
Why does the CLOUD Act matter in this debate?
Because it can compel providers under U.S. jurisdiction to disclose data under certain legal orders, even if stored outside the U.S. Providers insist there is no automatic access, but legal exposure exists.
