Sovereign cloud has become one of the most heavily used terms in enterprise technology.
Almost every major provider has gone to great lengths to market their version of it, promising that data is ‘residing locally’ or ‘ringfenced in Europe’, but the key question remains: what does true cloud sovereignty actually mean?
For governments, regulators and businesses handling sensitive workloads, distinguishing between what’s marketed as sovereign and what is sovereign in reality is vital.
The dominance of US hyperscalers in Europe makes this challenge even more pressing. Amazon Web Services, Microsoft Azure and Google Cloud together control more than two-thirds of the region’s cloud computing market, raising concerns about jurisdictional control and limits of so-called European cloud offerings.
As demand for sovereignty and resilience grows, the question is how Europe can build a more balanced and independent cloud ecosystem.
Defining true sovereignty
Sovereign cloud is not only a question of where data physically resides, but also of who has legal authority over it and the dependencies associated with it, including technology, supply chains and vendor lock-in, which may either enable or constrain freedom of action as sovereignty is understood.
Data residency answers the ‘where’ question, sovereignty addresses the ‘who’ and “up to which point”. This distinction is crucial when considering the different aspects of sovereignty. Take the question of legal authority for instance, in light of legislation such as the US CLOUD Act and Section 702 of the Foreign Intelligence Surveillance Act (FISA).
Both pieces of legislation permit US courts and agencies to require US-headquartered firms to provide access to data related to investigations via warrants or other processes, even when hosted abroad.
In practice, this means that a European bank, healthcare provider or government department relying on an American cloud operator may not easily determine whether the data of some of its European customers has been provided to US law enforcement or intelligence agencies, even if the data resided outside the US.
For organizations entrusted with sensitive information, that exposure is not theoretical. It is a live compliance and trust issue.
True sovereignty therefore requires more than local hosting. It demands that both the infrastructure and the jurisdiction are aligned with the customer’s own legal environment.
It also requires interoperability and portability across cloud environments, allowing organizations to choose where and how workloads run without being locked into a single provider.
It also requires transparency on the underlying technology and supply chain, as well as the ability to risk manage and make choices that reduce dependencies or concentration.
The lingering questions
This is why there are still many questions surrounding the sovereign offerings from global hyperscalers. Providers have all launched initiatives that stress enhanced European control or partnerships with local entities.
Yet because the parent companies remain subject to US law, customers remain concerned that there is a jurisdictional gap. Put simply, a sovereign wrapper around non-sovereign foundations does not fully resolve the issue in every case.
Customers may achieve greater assurances about data location or operational independence, but unless the operating entity is legally insulated from foreign jurisdiction and enables customers to make choices, the claim of sovereignty remains partial.
For critical workloads, such as those in public sector, regulated industries and AI applications, relying on US-controlled clouds introduces operational and compliance risk that cannot be fully mitigated by local hosting alone.
Why it matters now
The speed of market growth makes clarity urgent. The global sovereign cloud market size is projected to grow from USD 154.69 billion in 2025 to USD 823.91 billion by 2032. Europe alone accounted for around 37% of the global market in 2024.
This growth reflects rising demand for secure, trusted environments, particularly in Europe, where regulatory frameworks such as DORA, the GDPR and Data Act emphasize local control, risk management, supply chain transparency and concentration risk.
The European Union, for instance, has made digital sovereignty a strategic priority, while countries like Germany and the UK are exploring frameworks to ensure their critical data assets cannot be subject to overseas legal claims. The direction of travel is clear, sovereignty must be defined and enforced, not assumed.
Clear standards and stronger ecosystems
What’s missing today is a consistent framework defining what constitutes a sovereign cloud.
EU Member States have created cloud certification schemes like C5 in Germany and SecNumCloud in France that contain sovereignty criteria. DGIT, the European Commission IT service, has made a notable attempt in the context of procurement to define sovereignty in the form of a scale of requirements.
All these attempts, while welcome, demonstrate the fragmentation of the EU market. Customers are often left to navigate competing claims and complex technical language without clear standards for comparison.
A truly sovereign cloud should guarantee that data is controlled, accessed and governed exclusively within the jurisdiction of the customer.
Achieving this does not mean retreating from global innovation. It requires enabling local providers to deliver services that meet sovereignty criteria without compromise. European cloud service providers such as Redcentric and ANS are well positioned to fulfil this role.
By operating under local legal and compliance frameworks and investing locally, they can give organizations genuine control over their data. In many cases, this control is best realized through private cloud environments, where infrastructure, governance and operational authority can be aligned directly to sovereignty requirements.
Technology vendors have a role to play in supporting this ecosystem. By providing the platforms, infrastructure software, and interoperability frameworks, they can empower local providers without becoming operators themselves.
This distinction matters. It avoids entanglement with foreign jurisdictions while fostering an environment where sovereignty is embedded by design rather than bolted on afterwards.
A sovereign-by-design future
As the market evolves, the focus shifts from whether sovereign cloud exists to whether it truly meets customers’ needs. Local hosting and compliance claims must be tested against jurisdictional control. Cloud services must be designed for sovereignty from the ground up, with governance structures aligned to the data they protect.
In the end, the debate over sovereign cloud is about more than technology. It reflects broader questions of trust, independence, skill development, economic growth, resilience and control in the digital economy. For businesses and governments alike, cutting through the hype will be essential to ensure sovereignty is real, not rhetorical.
We’ve featured the best identity theft protection.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
