
While European tech sovereignty has been front of mind for the security-conscious even well before the CLOUD Act (2018), its urgency has been felt more broadly following reports that US sanctions affected ICC judges’ access to emails and other services.
In reaction, some are looking at homegrown alternatives to Visa or Mastercard, while others, such as France, are already phasing out US platforms across government departments.
In both the public and private sector, European decision-makers are looking to bolster their digital defences, so they don’t have to rely on foreign powers. And the role of sovereign clouds has become more important than ever.
But what makes cloud infrastructure truly sovereign, and is the term becoming a catch-all? By definition, sovereignty largely refers to where data centres are based, but the reality runs deeper than geography.
What organisations actually mean when they invoke sovereignty is closer to security: data access rights, secure-by-design infrastructure, and meaningful compliance with regional regulatory frameworks. And the reality is you need both to make the label mean anything at all.
It’s right of access, in addition to geography
As LLM providers train on ever-larger datasets, concerns over security, privacy and government involvement have grown. In early 2026, the Trump Administration designated Anthropic a ‘supply chain risk’ after negotiations broke down over the company’s restrictions on uses such as fully autonomous weapons. With Anthropic out of the equation, OpenAI indicated it would be open to military collaboration, raising broader questions about how data and prompts entrusted to LLMs are being used, and by whom.
The implications for businesses are significant. When a company uses an LLM, it’s not simply transferring data. It’s imparting corporate priorities, strategic concerns, predictions about the future, and patterns of decision-making. Europe has greater safeguards in place to prevent that data from being misused; in the US, protection largely depends on the specific terms and conditions that have been signed.
That’s why delivering sovereign-aligned solutions isn’t just a question of where infrastructure is located; it’s a question of who has the legal right to access that data. By pivoting away from certain jurisdictions with foreign access legislation, cloud providers can shield their customers from security and privacy risks. In turn, they can bolster business confidence and help them to scale in the long term, for instance by removing fears of intellectual property being seized.
The most notable of these, the CLOUD Act, allows US authorities to compel American companies (including major US-headquartered cloud providers like AWS and Azure) to disclose data under legal process, regardless of whether it’s stored within the country or abroad. Not only does this infringe on the privacy rights of both American and non-American enterprises, it also undermines EU data protection norms. In some cases, non-disclosure orders mean companies may not be informed at the time about what has been requested, when, or why.
Meanwhile, EU-based cloud providers are governed by a stricter, more privacy-conscious set of rules. The GDPR limits how data is shared, while the EU AI Act introduces a risk-based framework, obligations for high-risk AI systems, transparency requirements and enforcement powers. EU-domiciled enterprises using EU-based cloud providers can operate with assurance that their providers are subject solely to European legal frameworks, which is a jurisdictional guarantee that US-headquartered hyperscalers are structurally unable to match, however strong their technical security
Security-by-design begins with infrastructure
Sovereignty is just one piece of the puzzle. Physical location and legal jurisdiction alone won’t protect business-critical information. Many think the answer is to continually add one layer on top of another to existing platforms, such as firewalls, encryption and access controls. But it becomes very easy to lose sight of the foundations: infrastructure.
This means single-tenant environments, where your data does not share physical infrastructure with other organisations and cannot be accessed as a byproduct of their activity. It requires access controls and audit trails that are transparent and verifiable: not a contractual promise but a technical reality. And it demands that compliance be built into the architecture from the ground up, not retrofitted to meet GDPR, DORA, or the EU AI Act, but designed around them.
Colocation is often positioned as the answer, but rented data centre access does not alone solve the security challenge. Working with a provider that owns and operates its own infrastructure, rather than a reseller sitting on top of the very hyperscaler stack you are trying to move away from, certainly matters.
What underpins all of this, however, is the team you work with. Infrastructure can be sovereign- or secure-by-design, but if the people operating it are distributed across jurisdictions with differing legal obligations — or are themselves difficult to vet — the integrity of that environment is compromised. Knowing where your provider’s operations team is based, how they’re vetted, and that they’re subject to the same regulatory environment as your organisation is what separates contractual sovereignty from sovereignty in practice.
Where sovereignty lies
As Europe looks to triple its spending on sovereign clouds, it is important not to lose sight of where sovereignty lies. It is not through the sheer relocation of cloud architecture but through access, infrastructure and compliance. Without sovereign and secure clouds, nations and businesses will be vulnerable to foreign powers and customer data risks being accessed, seized, or abused.
One thing to remember: you can’t have genuine sovereignty without security. And you can’t have security without the right infrastructure or team.
This year is shaping up to be a deciding one for sovereign clouds across Europe and it will be fascinating to see how governments and enterprises respond to the challenge.
Cory Hawkvelt is Chief Product & Technology Officer at NexGen Cloud. He is a cloud systems architect with 15+ years in software development ensuring top-tier security for NexGen Cloud.
