Europe is leading the charge in the move toward cloud sovereignty, as 72 percent of European businesses now prioritise data sovereignty when selecting technology vendors. This shift is largely fuelled by increasing awareness around the need for stringent data security and integrity within the region’s borders.

Yet, despite this momentum, US hyperscalers continue to dominate the European cloud market. Vendors such as Oracle and AWS are expanding their European ‘sovereignty’ offerings, but these solutions fall short of delivering “true” sovereignty. As long as control remains in the hands of dominant hyperscalers, what’s being offered will only be an illusion of sovereignty.

Growing concerns over this struggle for sovereignty, compliance, and overall hyperscaler dominance are becoming increasingly evident. Microsoft’s introduction of the EU Data Boundary and CISPE’s shift toward a fully European governance structure highlight the shifting cloud landscape. Amid these market developments, it’s clear that increasing pressure from regulators and geopolitical uncertainty will continue to influence cloud strategies across Europe. But, are these developments reflective of a true inflection point, or are we at the early stages of a larger transformation journey?

Who is behind the shift towards sovereignty?

Cloud sovereignty is being driven by both the public and private sectors. While policy and regulation play an important role in guiding standards, the legislative process is often slow due to drawn-out negotiations. In contrast, the private sector’s innate agility can help bridge this gap, accelerating progress to facilitate true sovereignty.

The private sector is already driving better security standards that support sovereignty. Dominique Tessier, head of Cybersecurity Focus Group at the European Champions Alliance (ECA), notes that “the move to make sure the EU Cloud Certification Scheme will finally include an “upper security layer” is mainly driven by private European companies, as AIRBUS, EDF, Telecom Italia and others, whose efforts are gaining momentum.”

Despite a clear push from Europe, questions remain as to whether compliance-driven US investments in European infrastructure from the likes of Microsoft are truly sovereign, or simply strategic attempts to navigate around regulatory constraints. In contrast, European-led initiatives, such as the joint venture between OVHcloud and Capgemini, aim to provide truly sovereign solutions that do not cede control to US companies.

These initiatives are a signal of intent from Europe and reflect a growing understanding of the necessity of cloud sovereignty. Rahiel Nasir, research director, European Cloud at IDC Europe, seconds this view, stating: “interest in sovereignty has moved from governments and regulated sectors to all industry sectors, especially in Europe, and everywhere else where cloud is just beginning to pick up.”

This acknowledgement is a first step towards European digital independence, but achieving true sovereignty will require far more engagement going forward.

Defining true cloud sovereignty

True cloud sovereignty goes beyond simply localizing data storage, it requires full independence from US hyperscalers. The US 2018 Clarifying Lawful Overseas Use of Data (CLOUD) Act highlights this challenge, as it grants US authorities and federal agencies access to data stored by US cloud service providers, even when hosted in Europe. This raises concerns about whether any European data hosted with US hyperscalers can ever be truly sovereign, even if housed within European borders.

However, sovereignty isn’t dependent on where data is hosted, it’s about autonomy over who controls infrastructure. Many so-called sovereign cloud providers continue to depend on US hyperscalers for critical workloads and managed services, projecting an image of independence while remaining dependent on dominant global hyperscalers. Tessier agrees, stating: “The USA not only has an economical dominance in this domain, but moreover they have set legal rules which entitle their services to capture data wherever they are stored, provided such storage is supplied by an American company.”

This view is supported by the UK Competition and Markets Authority (CMA), which recently determined that high data egress costs, restrictive commercial models, and technical challenges make switching cloud providers or changing models a massive undertaking. These restrictive practices are maintaining hyperscalers’ dominance and blocking real sovereignty. However, progress is being made by data regulators in enforcing European data sovereignty. A prime example of this is Meta’s €1.2 billion ($1.36bn) fine by the EU for breaking GDPR, coupled with an order to stop transferring personal data from the EU to the US – but more than regulation is needed to solve the problem entirely.

Achieving true cloud sovereignty requires building an environment that empowers local players to compete and collaborate with hyperscalers. While hyperscalers play a large role in the broader cloud landscape, Europe cannot depend on them for sovereign data. Tessier echoes this, stating “the new US Administration has shown that it won’t hesitate to resort either to sudden price increases or even to stiffening delivery policy. It’s time to reduce our dependencies, not to consider that there is no alternative.”

Nasir is more interested in a balanced approach: “Ideally, local providers and global providers should partner for sovereignty to work at scale.” The global agility of larger providers combined with the sovereignty of smaller European players can ensure sensitive personal data remains within European borders without sacrificing business agility. Rather than replacing hyperscalers entirely, the crucial element is reducing their reliance on them. Once accomplished, organisations can, in real terms, become operationally independent within their own jurisdictions.

Building a sovereign infrastructure

Europe’s accelerating shift toward cloud and digital sovereignty is a promising sign, but balance will be key to achieving success. Reducing reliance on US hyperscaler dominance and supporting local providers so they can compete on a global scale must remain a top priority. While regulators must take the lead in setting the direction, their efforts must be balanced with private sector initiatives to provide the agility for local providers to compete globally.

Sovereignty, at its core, is not just about regulatory compliance; it’s a vision for independence. Bolstering competition from local providers and building the required interconnected network infrastructure will equip Europe with the level of digital autonomy necessary to support the economic and technological growth needed to become truly sovereign.