Sovereign cloud has become one of the most used terms in enterprise technology.
Almost every major vendor has gone to great lengths to market their version, promising that data “resides locally” or “protected in Europe,” but the key question remains: what does true cloud sovereignty really mean?
For governments, regulators, and enterprises handling sensitive workloads, it is vital to distinguish between what is marketed as sovereign and what is actually sovereign.
The dominance of American hyperscalers in Europe makes this challenge even more pressing. Amazon Web Services, Microsoft Azure and Google Cloud together control more than two-thirds of the region's cloud computing market, raising concerns about jurisdictional control and the limits of so-called European cloud offerings.
As demand for sovereignty and resilience grows, the question is how Europe can build a more balanced and independent cloud ecosystem.
Defining true sovereignty
Sovereign cloud is not just a question of where the data physically resides, but also of who has legal authority over it and the dependencies associated with it, including technology, supply chains and vendor lock-ins, which can enable or limit freedom of action as sovereignty is understood.
Data residency answers the question “where”, sovereignty addresses the “who” and “to what extent”. This distinction is crucial when considering the different aspects of sovereignty. Take, for example, the question of legal authority, in light of laws such as the US CLOUD Act and Section 702 of the Foreign Intelligence Surveillance Act (FISA).
Both laws allow US courts and agencies to require US-based companies to provide access to data related to investigations through court orders or other processes, even when hosted abroad.
In practice, this means that a European bank, healthcare provider, or government department that relies on a U.S. cloud operator may not easily determine whether data from some of its European customers has been provided to U.S. law enforcement or intelligence agencies, even if the data resides outside the United States.
For organizations entrusted with sensitive information, that exposure is not theoretical. It is a live issue of compliance and trust.
True sovereignty therefore requires more than local accommodation. It requires that both infrastructure and jurisdiction be aligned with the client's own legal environment.
It also requires interoperability and portability between cloud environments, allowing organizations to choose where and how to run workloads without being limited to a single provider.
It also requires transparency about the underlying technology and supply chain, as well as the ability to manage risks and make decisions that reduce dependencies or concentration.
The persistent questions
That's why there are still many questions surrounding sovereign offerings from global hyperscalers. All suppliers have launched initiatives that emphasize greater European control or partnerships with local entities.
However, because parent companies remain subject to US law, customers remain concerned that a jurisdictional gap exists. Simply put, a sovereign wrapper around non-sovereign foundations does not completely solve the problem in all cases.
Customers can achieve greater assurances about data location or operational independence, but unless the operating entity is legally isolated from the foreign jurisdiction and allows customers to make decisions, the claim to sovereignty remains partial.
For critical workloads, such as those in the public sector, regulated industries, and artificial intelligence applications, relying on US-controlled clouds introduces operational and compliance risks that cannot be fully mitigated by on-premises hosting alone.
Why is it important now?
The speed of market growth makes clarity urgent. The global sovereign cloud market size is projected to grow from $154.69 billion in 2025 to $823.91 billion in 2032. Europe alone accounted for around 37% of the global market in 2024.
This growth reflects the growing demand for secure and trusted environments, particularly in Europe, where regulatory frameworks such as DORA, the GDPR and the Data Act emphasize local control, risk management, supply chain transparency and concentration risk.
The European Union, for example, has made digital sovereignty a strategic priority, while countries such as Germany and the United Kingdom are exploring frameworks to ensure that their critical data assets cannot be subject to legal claims abroad. The direction forward is clear: sovereignty must be defined and applied, not assumed.
Clear standards and stronger ecosystems
What is missing today is a coherent framework that defines what constitutes a sovereign cloud.
EU Member States have created cloud certification schemes such as C5 in Germany and SecNumCloud in France that contain sovereignty criteria. The DGIT, the IT service of the European Commission, has made a notable attempt in the context of public procurement to define sovereignty in the form of a scale of requirements.
All these attempts, although welcome, demonstrate the fragmentation of the EU market. Customers are often forced to navigate competing claims and complex technical language without clear standards by which to compare.
A truly sovereign cloud should ensure that data is controlled, accessed and governed exclusively within the customer's jurisdiction.
Achieving this does not mean withdrawing from global innovation. It requires allowing local providers to provide services that meet sovereignty criteria without compromise. European cloud service providers such as Redcentric and ANS are well positioned to play this role.
By operating under local legal and compliance frameworks and investing locally, they can give organizations genuine control over their data. In many cases, this control is best achieved through private cloud environments, where infrastructure, governance, and operational authority can be directly aligned with sovereignty requirements.
Technology providers have a role to play in supporting this ecosystem. By providing platforms, infrastructure software and interoperability frameworks, they can empower local providers without becoming operators themselves.
This distinction matters. It avoids entanglement with foreign jurisdictions while fostering an environment in which sovereignty is embedded by design rather than consolidated afterward.
A sovereign future by design
As the market evolves, the focus shifts from whether a sovereign cloud exists to whether it truly meets customer needs. Compliance and local accommodation claims must be weighed against jurisdictional control. Cloud services must be designed for sovereignty from the ground up, with governance structures aligned with the data they protect.
In the end, the sovereign cloud debate goes beyond technology. It reflects broader issues of trust, independence, skills development, economic growth, resilience and control in the digital economy. For both companies and governments, overcoming the hype will be essential to ensuring that sovereignty is real, not rhetoric.
We have presented the best protection against identity theft.
This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in today's tech industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here:
