Data sovereignty refers to the problem that data is subject to the laws of the country in which it “resides”, which may differ from the data owner’s location.
For individuals, this subject might be trivial. After all, everyone shares data online at their own discretion. The stakes increase drastically when we refer to data collected by governments or public institutions. This includes medical records, financial information, and government communications.
Data sovereignty directly affects national security, privacy, and democratic independence. If a foreign government can access the digital data from another state, privacy becomes little more than a slogan.
In recent years, the issue has become more urgent. The CLOUD Act and the exponential growth of American tech companies, along with the scale of European data moving into these foreign infrastructures, have reignited the debate: Can Europe ever be fully independent while relying on foreign infrastructure?
The cloud market was pioneered and aggressively scaled by U.S. companies like AWS, Google, and Microsoft starting in the mid-2000s. These firms built a global network of data centers before European competitors could mobilize a response. By the time European companies began developing their own cloud infrastructure and products, U.S. providers already had mature, battle-tested platforms deployed at scale. This allowed American cloud services to capture the European market early, offering superior functionality at competitive prices that local alternatives simply couldn’t match.
This early-mover advantage created a self-reinforcing cycle of dominance. As billions of dollars began flowing from European customers into U.S. cloud providers, these companies channeled that revenue into expanding their services, building more data centers, and creating tightly integrated ecosystems where applications, databases, and tools work seamlessly together. This level of integration became a dealbreaker for most enterprises. European providers, lacking comparable capital, fell further behind with each passing year.
But the timing advantage alone doesn’t explain the full picture. There’s a deeper, systemic reason for U.S. dominance: a staggering $1.36 trillion investment gap between the U.S. and EU in ICT infrastructure and R&D accumulated between 2005 and 2022. This isn’t just about one company outspending another. It reflects a fundamental difference in how capital flows into innovation. The U.S. tech sector grows at a pace the European ICT sector simply cannot match.
The disparity in venture capital allocation tells the story in stark terms: U.S. pension funds invest 1.9% of their assets in venture capital, fueling the next generation of tech companies. European pension funds? Just 0.018%, a more than hundredfold difference. This structural disadvantage in innovation financing means that even when European startups show promise, they often lack the growth capital needed to scale and compete with American giants, perpetuating Europe’s dependence on U.S. technology.
So What Are U.S. Companies Putting in Place to Reassure Europe of Their Sovereignty?
The biggest U.S. companies providing cloud services in Europe have come forward with their own “sovereign” solutions to try and reassure Europeans that their data is safe and they own it:
Microsoft has launched sovereign solutions which will ensure that all European data stays in Europe and is controlled by Microsoft employees in Europe. It will also include an encryption controller managed by the customer, meaning the cloud provider will not have the decryption key. How this will look functionally, and whether it is only for enterprise customers, remains to be seen.
The architecture of the Microsoft Sovereign Solution involves data residency commitments, where data is stored exclusively in European data centers, and access controls that limit which Microsoft personnel can interact with the data.
AWS is about to launch its version of a dedicated cloud for Europe with infrastructure and personnel from Europe having access to and control of the data stored in Europe.
Oracle is also launching EU Sovereign Cloud, claiming it will be a completely separate entity from Oracle US. All data will be stored and controlled in Europe.
All these initiatives show that U.S. companies are trying to make a real move toward clouds for Europe in Europe, independent of any external control.
One way U.S. companies could provide Europe with their cloud solutions while granting it sovereignty would be by handing over all encryption keys to the customer and not having access to any. This means that only the customer would be able to decrypt the data, and if the cloud provider has to hand over data to the U.S. government, they would hand over something that is unreadable. Of course, this also has a functional impact: if the cloud provider has no access at all to your data, they also cannot offer value-added data processing in their ecosystem. This could lead to you still having to run your own data-processing services, which reduces the flexible nature of your cloud.
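The customer-held-key model described above, as an added Go example that is not part of the original article or any provider's code: the customer encrypts before upload, and `ProviderScan` shows both consequences at once, since a keyless provider can neither read the data nor search it. The object name `records/17`, the sample record and the all-zero demo key are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// aead builds AES-256-GCM from a 32-byte key that only the customer holds.
func aead(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// Encrypt runs on the customer side; the object name is bound as associated data.
func Encrypt(key []byte, name string, data []byte) ([]byte, error) {
	a, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, a.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, data, []byte(name)), nil // nonce || ciphertext || tag
}

// Decrypt runs on the customer side; it fails on a wrong key, wrong name or altered bytes.
func Decrypt(key []byte, name string, blob []byte) ([]byte, error) {
	a, err := aead(key)
	if err != nil || len(blob) < a.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated blob")
	}
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], []byte(name))
}

// ProviderScan is all a keyless provider can do with a stored blob: search raw bytes.
func ProviderScan(blob []byte, term string) bool { return bytes.Contains(blob, []byte(term)) }

func main() {
	key := make([]byte, 32) // constructed all-zero demo key; real keys come from a CSPRNG
	blob, _ := Encrypt(key, "records/17", []byte("diagnosis: constructed sample"))
	pt, err := Decrypt(key, "records/17", blob)
	fmt.Println(ProviderScan(blob, "diagnosis"), string(pt), err)
}
```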
All these initiatives share one fundamental flaw: under the United States CLOUD Act, geography doesn’t matter. Jurisdiction does.
No matter where the data resides, as long as it is stored on hardware owned by an American company or one of its subsidiaries, that data falls under U.S. jurisdiction. If the U.S. government requests access, the company is legally bound to comply or face severe consequences such as heavy fines, loss of federal contracts, or even exclusion from doing business in the United States.
Even the Microsoft legal team admitted before the French Senate that it could not guarantee that, if the U.S. government demanded access to data belonging to French citizens and stored in France, it would be able to block that request.
Microsoft claims that such a request would need to be “legitimate.” But how much trust can Europe really place in a company whose ultimate goal is to maximize profit, and whose current leadership, while perhaps law-abiding today, could one day change?
What happens if the United States drifts further toward an authoritarian state, and someone less concerned with legal boundaries takes control of Microsoft? Who will then guarantee that European data remains protected and only accessed under legitimate circumstances?
The sovereignty problem doesn’t stop at “Who has access to my data?” It also depends on the security of the hardware the data is stored on.
These findings demonstrate that technical sovereignty can be as fragile as legal sovereignty. If the underlying hardware designed by non-European manufacturers contains fatal flaws, then even data hosted in European data centers by European companies can be at risk. Or what if flaws were left in there on purpose?
Some U.S. cloud providers have introduced confidential computing technologies, for example AWS Nitro Enclaves. These work by creating isolated execution environments using multiple layers of hardware-based security. The approach combines disk encryption, RAM encryption, secure boot processes, and binding to Trusted Platform Modules (TPM) to create a comprehensive protection system.
At the hardware level, confidential computing encrypts data at rest using full-disk encryption with keys managed by dedicated security chips. RAM encryption protects data in memory, preventing extraction even during runtime. Secure boot ensures that only trusted firmware and operating systems can execute, while TPM binding stores encryption keys in hardware that can only be released when the system’s integrity is verified. This means that even if someone gains administrative access to the cloud infrastructure, they cannot decrypt the data inside these enclaves without the specific hardware and proper authentication.
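How binding a key to measured boot state works, as an added Go simulation (not code from the article, AWS or any TPM library): each boot stage is folded into a PCR with the TPM extend rule, and `SealedKey` is a software stand-in for a TPM-sealed key that is released only when the measurement matches. The stage names and the key are constructed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// PCR models one TPM platform configuration register (SHA-256 bank), all zeros at reset.
type PCR [32]byte

// Extend is the only way to change a PCR: new = SHA-256(old || SHA-256(component)).
func (p *PCR) Extend(component []byte) {
	d := sha256.Sum256(component)
	*p = sha256.Sum256(append(p[:], d[:]...))
}

// Measure replays a boot chain from reset; the result commits to every stage and its order.
func Measure(chain ...string) PCR {
	var p PCR
	for _, c := range chain {
		p.Extend([]byte(c))
	}
	return p
}

// SealedKey stands in for a TPM-sealed disk key bound to one expected PCR value.
type SealedKey struct {
	policy PCR
	key    []byte
}

// Seal binds key to the measurement of a known-good boot chain.
func Seal(key []byte, trusted PCR) SealedKey { return SealedKey{trusted, key} }

// Unseal releases the key only when the current boot measured to the sealed value.
func (s SealedKey) Unseal(current PCR) ([]byte, error) {
	if !bytes.Equal(s.policy[:], current[:]) {
		return nil, fmt.Errorf("PCR mismatch: have %x..., sealed to %x...", current[:4], s.policy[:4])
	}
	return s.key, nil
}

func main() {
	// Constructed stage names; a real chain hashes firmware, bootloader and kernel images.
	sealed := Seal([]byte("disk-key"), Measure("firmware-1.0", "bootloader-1.0", "kernel-1.0"))
	_, err := sealed.Unseal(Measure("firmware-1.0", "bootloader-TAMPERED", "kernel-1.0"))
	fmt.Println(err)
}
```

In a real TPM the comparison and the key never leave the chip; the model only shows why a changed or reordered boot stage blocks release.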
However, these technologies don’t solve the fundamental jurisdiction problem. While AWS cannot technically access data inside a Nitro Enclave or Nitro hypervisor, the CLOUD Act requires legal compliance, not technical impossibility. If the U.S. government demands access, AWS would be legally obligated to provide whatever access it can, including shutting down the enclave or providing local access.
A recent study by KU Leuven and the University of Birmingham has shown a critical flaw in Intel’s and AMD’s processor chips, allowing anyone with physical access to the server to steal data in an almost invisible way. So even if your sovereign cloud provider uses hardware encryption to secure your data on foreign premises, this does not mean the risk is zero.
In other words, we can’t simply push for European data centers to be built and European companies to run them. We also need to push for the manufacturing of silicon made in Europe, for Europe to hold the complete supply chain.
Europe faces a double dilemma. It relies on foreign infrastructure on one side and foreign hardware on the other, both of which undermine Europe’s ambition to be fully digitally sovereign.
The technological advancement gap between Silicon Valley and Europe compounds this problem. While Silicon Valley thrives on a culture of rapid innovation, risk-taking, and massive venture capital investment, Europe’s approach remains more cautious and fragmented. In 2023, the U.S. invested approximately €62.5 billion in artificial intelligence alone, while Europe attracted only around €9 billion. This disparity isn’t just about money; it reflects fundamentally different attitudes toward innovation, failure, and scaling.
Some initiatives are emerging, like the supercomputer chip Rhea-1 developed in France by SiPearl, OVHCloud Sovereign Solution, and NumSpot, another European cloud provider. Yet these initiatives can’t yet compete with the giants like Google, Microsoft, or Amazon. Another problem is how slowly European companies are trying to create competitors. This change is coming too slowly to become a real alternative to U.S. tech.
To change this, Europe must:
European digital sovereignty is being challenged at every level. The legal reach of the CLOUD Act, the dominance of American tech giants, and the vulnerabilities in hardware manufactured outside Europe reveal one thing: Europe has no control over its cloud infrastructure.
If Europe wants to really become digitally independent from the U.S. and China, it should invest in building a truly independent digital foundation.
Without such an effort, Europe will continue to entrust its most sensitive data to foreign powers, exposing itself to geopolitical risks and the erosion of trust that comes with dependency.
So what is, for now, the best path forward? I think we can take three routes:
The sensible way: Keep using the most popular cloud providers, but prepare for the worst: your data can be requested by foreign entities, since end-to-end encryption does not exist in IaaS/PaaS. You can opt for the middle way by making use of confidential compute and bring-your-own encryption keys to mitigate the risk to some extent. Keep an eye on the EU cloud providers and their technical roadmaps, in case they catch up and meet your use case requirements.
The hardened way: If you are a governmental entity or otherwise someone who is very concerned about sovereignty (and you have the capital available), look at the sovereign cloud solutions of commercial cloud providers. This means that they will provision your cloud resources either in your own private data center ($$$) or in a data center operated by a neighbouring country you trust (e.g. Thales runs GCP Sovereign Cloud in Paris). The risk is not completely gone, since your hardware and software are still provided by a foreign entity, but it at least reduces the problem to a supply chain attack issue.
The hardcore way: Only use cloud providers that are operated and run in the EU. Accept the fact that you will miss out on certain technical features or guarantees compared to the most prevalent providers. Depending on your requirements, this can be perfectly OK.