Mitigating Geopolitical Concerns with a Sovereign Private Cloud
2025 has inherited a slew of geopolitical concerns that started years ago: U.S. foreign policy, U.S.-China relations, China’s geopolitical maneuvers, conflicts in the Middle East, the Russia-Ukraine war, and cybersecurity threats. Additionally, new leadership in the United States adds to the uncertainty created by these concerns. And, as if all this were not enough, the backdrop of cloud computing in Europe is that the most robust and feature-rich clouds are U.S.-based and ultimately subject to U.S. law. Geopolitical concerns always give rise to a need for sovereignty - or for governments and political unions to exert control over their assets to protect individuals, corporations, and state secrets.
This paper aims to describe Europe's multifaceted cloud computing landscape amidst the current geopolitical landscape. Along the way, sovereign clouds will be defined, and alternatives to sovereign clouds will be proposed.
What is a Sovereign Cloud?
Look up the definition of “sovereignty” in any dictionary, and you will get a definition along the lines of “supreme power or authority.” So, a logical definition of “Sovereign Cloud” would be a cloud where a single governing entity like the European Union or a single government controls the physical layer (data centers and infrastructure), the code layer (quality standards, source code management, and design) and the data layer (ownership, flows and use).
A common misconception is that a sovereign cloud is a cloud where all physical assets are located within the boundary of some governing entity, and digital assets within the data layer are never allowed to flow to infrastructure outside of this boundary. While this is an important requirement of a sovereign cloud, it is not the only requirement. One more key criterion for a cloud to be truly sovereign is that it must fall under the auspices of only one government. To understand why this is necessary, consider the graphic below.
Source: Author
Each government makes regulations independent of the others. Also, most governments make rules that primarily benefit their interests. Consequently, what would happen if Government A made an act providing data acquisition tools for intercepting and obstructing terrorism that clashed with Government B’s protections for personally identifiable information?
Unfortunately, this is precisely the situation in Europe today. The graphic below replaces generically labeled vendors with real cloud providers and real governments.
Source: Author
Let’s take a more detailed look at the current state of cloud computing in Europe today.
The Cloud Environment in the EU
The three biggest cloud providers operating in the EU are Google, Amazon, and Microsoft. They have a combined market share of 70 percent. European alternatives to these U.S.-based cloud providers are limited in number, and the few that exist are not as feature-rich as the U.S.-based cloud providers. Below is a diagram showing the conceptual difference between the capabilities of the U.S.-based hyperscalers and those of European cloud service providers.
Source: Policy brief Cloud sovereignty.pdf | Publicatie | AIVD
Organizations wishing to utilize cloud services must choose between a feature-rich platform from a US-based provider and a local European provider. If they need efficiencies and capabilities that only a full-featured platform can provide and the data that will reside in the cloud is safe from sovereign regulations, then one of the US-based providers is best. However, if the data stored in the cloud is sensitive, it could be in the crosshairs of two competing regulations from two governing entities. In this case, a local sovereign cloud is the best cloud choice.
To be fair, US-based cloud providers have announced sovereign cloud offers. However, it is still too early to assess their viability for a couple of reasons. First, these offerings are relatively new and have not been sufficiently tested against European regulations. Second, the hyperscalers are primarily focused on keeping data within a specified border and helping their customers manage various regulatory controls. How US-based providers will deal with conflicts of interest between US and European regulations is unclear. Another concern is that these “sovereign cloud offerings” may become too costly for the cloud provider in the long run. In this case, they could stop investing in sovereign clouds, leaving European governments and organizations to find a new sovereign cloud.
Now that we understand the true nature of a sovereign cloud and the cloud environment in the European Union, let’s look at three different approaches to data from three different governments.
Different Approaches to Personal and Non-Personal Data
Personal data refers to any information that can be used to identify a person directly or indirectly. It ranges from genetic, mental, physical, physiological, and cultural data to location data, identification numbers, and names. The uses of personal data are endless, including using a digital ID to gain access to e-government services, participating in political processes such as voting, making online purchases, accessing financial services, etc. Big tech companies have become notorious for their data extraction practices. A practice known as surveillance capitalism occurs when a company extracts usage data and uses it to predict future behavior patterns. This usage data is also considered personal data. The Cambridge Analytica scandal is a constant reminder of what can happen when big tech collects personal data and does not secure it properly.
Non-personal data is also important. Over the years, governments have realized that data is a valuable strategic asset in a digital economy. It can be used for planning, policy-making, creating new opportunities for businesses and individuals, and boosting economic growth. With the increase of big data analytics and artificial intelligence (AI), there is a growing need for rules, regulations, and policy direction on how AI should be leveraged to benefit people.
The chart below summarizes three governing bodies and their overall approach to digital sovereignty, personal data, and non-personal data.
Source: Global approaches to digital sovereignty: Competing definitions and contrasting policy
Some interesting observations can be made from the chart above. Let’s start with the US. Interestingly, the U.S. does not have a unified approach to personal data - especially if you consider the debacle of the Cambridge Analytica scandal. Most importantly, the Clarifying Lawful Overseas Use of Data (CLOUD) Act authorized US authorities to demand access to data that is held by US companies overseas.
It should be no surprise that China has everything locked down. Personal data is protected by its Personal Information Protection Law (PIPL), which is similar to Europe’s General Data Protection Regulation (GDPR). Non-personal data is categorized according to national security risks and secured appropriately based on these risks.
The European Union is leading the way in terms of protecting personal data. GDPR is influencing the policies that governments around the world are putting together. The EU has also considered the fair use of non-personal data.
A Private Cloud is a Sovereign Cloud
What is the best cloud for organizations responsible for data that must be sovereign? Given the above facts about the true nature of a sovereign cloud, the current public cloud environment in Europe, and the differing approaches to data occurring worldwide, this is a challenging question - but one powerful option stands out. A cloud-native private cloud provides sovereignty and can be built in a cost-effective manner. Modern data storage techniques like Data Lakehouses allow for storing both structured and unstructured data while simultaneously disaggregating compute from storage. Both storage and compute can scale independently, so organizations only pay for what they need and can scale out when their storage and compute requirements change.
If organizations ensure their private cloud is cloud-native, they can move it to a public cloud in the future should an acceptable sovereign public cloud come along.
Other Benefits of Private Clouds
No one will argue that public clouds are the best way to get started - you have resources on demand, and today, public clouds are feature-rich, so you will find everything you need to store your data, host your services, authorize your users, etc. Furthermore, they save considerably on capital expenditures. However, public clouds are not a panacea. In the long run, they will cost you more for heavy workloads. Many organizations today are experiencing this, which has led to a migration from public clouds to private clouds - also known as repatriation.
As a concrete example of repatriation in action, consider 37signals - the company behind Basecamp and Hey. They recently announced their complete exit from AWS. They calculated that they will save $2 million annually by running on-premises.
Another notable example is GEICO, one of the largest automotive insurers in the United States, which is actively repatriating many workloads from the cloud as part of a comprehensive architectural overhaul to cut down on exploding cloud costs.
In Europe, many organizations are conservative in adopting AI because they do not want to bring their sensitive data to the cloud. Using a private cloud allows organizations to move quickly and, at the same time, maintain control over their data. For those who have invested in GPUs, a private cloud for model training and model hosting is best, as you need compute close to your data.
Conclusion
A sovereign cloud is a cloud that keeps digital assets within a specified physical boundary and, most importantly, protects personal and non-personal data from bad actors and the regulations of other governments. Today, a truly sovereign cloud is a relative concept. It only exists for a given organization if the cloud is owned and operated by another organization within the same political boundary.