Europe Wants Sovereign Cloud

In this post: why Europe suddenly cares, why server location is not enough, how law still reaches into the cloud, why metadata matters, where the real European alternatives are, and why geopolitics has changed the debate.

Sovereign cloud sounds comforting. It sounds local, safe and independent. It sounds like Europe finally wants to stand up on its own feet, and find a way to loosen its dependence on AWS, Microsoft and Google.

That is the sales pitch. The reality is not so rosy.

Europe talks more and more about digital sovereignty because we has realised something awkward. American firms still dominate the cloud market in Europe, and the serious alternatives are fewer than people like to pretend.

That dominance matters because cloud is not just somebody else’s server in somebody else’s building. It is e-mail, identity, office software, remote administration, telemetry, storage, collaboration, security tooling and the management layer that sits on top.

Once a handful of foreign firms control most of that stack, sovereignty starts to look less like a policy ambition and more like supply chain risk.

Why Europe suddenly cares

For years, the answer was simple. Keep sensitive data in Europe, pick a local region, add a few contract clauses, then move on.

That answer no longer supports that ideal world.

European policymakers and companies are openly talking about digital sovereignty because they are worried about concentration risk, legal exposure and dependence on a small number of American providers. This is not really about being anti-American. It is about dependence without leverage.

That is a different argument, and a more serious one.

Sovereign cloud is not a silver bullet

The phrase itself is part of the problem. Sovereign cloud sounds binary, as though a service either is sovereign or it is not.

That is not how it works.

Sovereignty sits on several layers at once. Who owns the provider matters. Which legal system can compel it matters. Who controls the software matters. Who controls the management plane matters. Where the data sits matters. Who owns the buildings and wider infrastructure matters as well.

Who has the encryption keys.

A cloud can look European from the outside and still depend on American law, American software, American control planes or American owned infrastructure somewhere underneath.

That is why the term is so slippery. A sovereign bumper sticker is easy. Real sovereignty is hard.

The law still wins

This is where the debate stops being abstract.

The CLOUD Act made clear that American service providers can be compelled to preserve and produce data under their control even when that data is stored abroad. That is the heart of the problem, and it is why people still confuse data residency with legal control.

They are not the same thing.

A workload can sit in Frankfurt, Paris or Zurich and still remain exposed to foreign legal reach if the provider is subject to that foreign jurisdiction.

That is why so much sovereign cloud marketing starts to wobble the moment lawyers enter the room. The server may be local. The branding may be local. The legal exposure may not be.

The Karim Khan moment

One reason this debate became more urgent is that people were given a vivid real world example.

After sanctions were imposed on ICC chief prosecutor Karim Khan, his account was allegedly disabled by Microsoft. That detail landed hard in Europe because it turned a theoretical concern into a practical one.

The lesson was not subtle. If a foreign provider controls a core communications platform, then politics can suddenly become an operational issue.

That is what sovereignty debates look like when they leave conference rooms and enter real life.

Very awkward, very quickly.

Switzerland is not immune either

Switzerland occupies a special place in the European imagination. Swiss hosting sounds safer. Swiss providers sound more private. Swiss law sounds more stable.

Sometimes that confidence is justified. Sometimes its nothing more than hot air.

The Proton case is a useful reminder. Reporting in 2026 said the FBI obtained identifying information linked to a Proton Mail account through a request routed via Swiss legal channels, and that payment related information helped identify the user.

That case matters because it punctures a lazy assumption. People hear terms such as encrypted or zero knowledge and assume the provider therefore knows nothing useful.

That is not how most systems work.

Content, payment data, subscriber records and operational metadata are not the same thing. A provider may protect one layer well and still hold enough surrounding information to expose the user behind it.

That does not make Proton uniquely dishonest. It makes the broader point. Privacy claims often sound strongest precisely where the caveats are least understood.

Metadata is often the real story

Most people imagine cloud risk in terms of files and message content. That is only part of the picture.

In practice, the surrounding information can matter just as much, sometimes more. Billing records, account identifiers, IP logs, identity links, telemetry, support records and audit trails can reveal who did what, when, where and with which system.

This is where many sovereignty discussions go wrong. They ask who holds the document. They forget to ask who holds the context.

That context is often enough.

The control plane problem

There is another part of this discussion that receives less attention than it should.

Modern cloud is not just compute and storage. It is endpoint agents, orchestration, remote management and telemetry.

That matters because the management layer has deep visibility and deep control. The real question is not just who stores the file. It is also who can push commands, harvest logs, gather telemetry, manage policy and shape the environment around the workload.

You may own the application. You may not fully own the operating context in which it runs.

That is a very different thing from sovereignty, even if the marketing says otherwise.

Europe has alternatives, just not enough of them

This is the structural weakness in the European argument.

There are many small hosting and cloud providers across Europe and Switzerland. But once you narrow the field to providers that are locally governed, technically credible, reasonably mature and broad enough in service catalogue to replace meaningful chunks of AWS, Azure or Google Cloud, the list gets much shorter.

That is the capacity problem. Europe does not mainly lack slogans. It lacks enough providers with the scale, depth and completeness to offer a real substitute.

That is why American dominance persists. Not because Europeans have never noticed it, but because replacing it is hard.

The serious names worth watching

That does not mean there are no contenders.

There are.

In Switzerland, Infomaniak has made sovereign cloud central to its identity and presents itself as an independent provider with infrastructure in the heart of Europe. Hidora has pushed the same theme from a Swiss angle, with its Hikube offer aimed at regulated sectors such as finance and healthcare.

Exoscale also belongs in the discussion. It is one of the more credible regional cloud names, even if it does not erase the wider structural dependence on large foreign platforms.

In Germany, STACKIT matters because it looks like a serious attempt to build a sovereign cloud proposition at meaningful scale rather than just another marketing wrapper. Who would have though that the same Lidl that you buy your eggs from would be replicating Amazon model.

Across the wider European market, names such as OVHcloud, Scaleway, Hetzner and T-Systems remain part of any serious discussion of European alternatives. But the recurring pattern is the same. The alternatives exist, yet the gap in scale and service breadth is still obvious.

That is why the market remains so lopsided.

Colocation is the awkward middle layer

This is one of the least glamorous parts of the story. It is also one of the most important.

A provider can be European or Swiss owned and still depend on third party facilities, wider connectivity chains and hardware ecosystems that it does not fully control. The more closely you inspect the stack, the more sovereignty starts to look layered rather than absolute.

That does not mean local providers are fake. It means the word sovereign is doing a lot of work, and in some cases too much.

A more honest vocabulary would distinguish between local provider, local jurisdiction, local hosting and fully sovereign stack. Those are not the same thing.

The desktop problem

Cloud is only part of the dependency.

Europe still relies heavily on Microsoft at the desktop and productivity layer as well. Even when organisations discuss sovereign cloud, many remain dependent on Microsoft for office software, collaboration and identity.

This matters because sovereignty cannot stop at infrastructure. If the data leaves Amazon but remains tied to Microsoft identity, Microsoft productivity software and Microsoft management tooling, the dependency has shifted rather than disappeared.

That is still dependence, just with better marketing.

Geopolitics has entered the fray

The sovereign cloud debate is no longer just about privacy or procurement. It is now about geopolitics.

Repeated incidents involving undersea infrastructure in the Baltic region have changed the tone of the discussion. The important point is not that every cable incident is sabotage. The important point is that Europe now has to treat digital infrastructure as critical infrastructure.

The seabed is part of the argument. The cable route is part of the argument. The geopolitical environment is part of the argument.

That changes the tone of the whole debate. Sovereign cloud starts to look less like a nice policy preference and more like strategic infrastructure.

Not every workload needs the same answer

This is where some restraint is useful.

Not everything needs to run in a fully sovereign environment. A low risk website is not the same as a court system. A brochure platform is not the same as a hospital system. A development sandbox is not the same as a national identity service.

The case for sovereign cloud becomes much stronger where legal compulsion, vendor lock in, service interruption or geopolitical pressure would create unacceptable consequences.

That is the sensible way to frame it. Not everything. But certainly some things, and probably more things than Europe once assumed.

So what should sovereign cloud really look like

At the very least, it should mean more than local hosting.

It should mean clear jurisdiction, meaningful operational control, reduced exposure to foreign legal compulsion, transparency about dependencies, a realistic exit path, and enough local capability to keep essential systems running under stress.

Anything less is just cloud with a flag attached to it.

Europe’s real problem

Europe does not really have a branding problem. It has a capacity problem.

American hyperscalers spent nearly twenty years building ecosystems that became too broad, too deep and too convenient to ignore. Europe noticed the dependency long ago, but noticing it is not the same as reducing it.

That is why this debate matters now. Law matters. Control matters. Infrastructure matters. Geopolitics matters.

Europe does not need more talk about sovereignty. It needs to start building some.

That means more investment in cloud, software, infrastructure and local capability; less complacency about relying on foreign platforms for critical systems; and a clearer understanding that digital resilience is part of national resilience.

If Europe wants more control over its future, it has to build more of the technology its future depends on.