Sovereign Cloud — Why European Companies Move Data Home

In January 2026, AWS launched its European Sovereign Cloud in Brandenburg. Airbus issued a €50 million tender for migrating mission-critical applications to a sovereign cloud. 61% of European CIOs report wanting to increase their use of local cloud providers. And IDC predicts that by 2028, 60% of multinational companies will operate AI stacks split across sovereign zones — with triple the integration costs. Digital sovereignty is no longer a political buzzword. For European enterprises, it is a matter of business continuity.

Market State: Europe is Waking Up¶

Three American cloud platforms — AWS, Microsoft Azure, and Google Cloud — currently control approximately 70% of the European market for cloud infrastructure. European providers hold a mere 15%. This dependency, long considered an acceptable risk in exchange for innovation and scalability, became a strategic problem in 2026.

70% of the EU cloud market is controlled by US hyperscalers

61% of European CIOs want to increase their use of local providers

€100 billion predicted EU sovereign cloud market by 2031

3× increase in integration costs with split AI stacks (IDC)

A Gartner survey of CIOs and IT leaders in Western Europe from late 2025 revealed a clear trend: more than half of respondents stated that geopolitical factors are preventing them from further deepening their dependence on American hyperscalers. Gartner estimates that IT spending in Europe will grow by 11% to $1.4 trillion in 2026 — and a significant portion will go toward sovereign cloud solutions and on-premises/edge architectures.

The reason is not an abstract fear of regulation. It is a concrete business risk. The American CLOUD Act allows US authorities to access data stored by American companies — regardless of where it physically resides. Microsoft itself has admitted that it cannot guarantee data independence from American authorities. For companies in regulated industries — banking, healthcare, defense, energy — this is not an academic discussion but an existential risk.

Regulatory Tsunami: What Changed in 2025–2026¶

2025 and early 2026 brought an unprecedented wave of EU regulations that directly affect the cloud strategy of European companies. This is not about a single directive — it is a complex of interconnected rules that together create a new regulatory framework:

NIS2 — Network and Information Security Directive

Cybersecurity of Critical Infrastructure¶

The NIS2 Directive entered into force in October 2024 and member states are transposing it into national laws throughout 2025 and 2026. It expands the scope of regulated entities to medium and large enterprises across 18 sectors — from energy through healthcare to digital infrastructure. For companies, this means mandatory supply chain risk management (including cloud providers), a 24-hour incident reporting deadline, and personal liability for management. If your cloud provider cannot guarantee NIS2 compliance, you have a problem.

DORA — Digital Operational Resilience Act

Operational Resilience of the Financial Sector¶

DORA took effect in January 2025 and specifically targets the financial sector — banks, insurance companies, investment firms, and their ICT providers. It requires explicit concentration risk management for third parties (read: hyperscalers), stress testing of ICT systems, exit strategies from cloud providers, and a register of contractual relationships with ICT suppliers. For banks implementing AI this means they cannot run critical workloads with a single provider without a documented exit strategy.

EU Data Act

Data Portability and Interoperability¶

The EU Data Act will come into full effect in September 2025 with gradual implementation in 2026. It requires cloud providers to support data transfer between platforms, remove technical barriers to switching, and provide data in standard formats. The goal is clear: reduce vendor lock-in and increase competition. In practice, this means that companies will finally have a real option to move from a hyperscaler to a European provider — at least theoretically.

EU AI Act + Upcoming CADA

AI Regulation and the Future Cloud and AI Development Act¶

The EU AI Act categorizes AI systems by risk and establishes obligations for providers and users of high-risk AI. The European Parliament is simultaneously pushing the Commission to define sovereign cloud criteria in the upcoming Cloud and AI Development Act (CADA) — expected in the first half of 2026. CADA aims to link data sovereignty requirements with AI infrastructure and create a unified European framework. For companies deploying agentic AI systems this means the need to address data sovereignty not only for storage but also for inference and training pipelines.

EUCS — European Cloud Services Certification¶

ENISA (the EU Agency for Cybersecurity) has been preparing the European Cybersecurity Certification Scheme for Cloud Services (EUCS) since 2020. The highest certification level should define criteria for a “sovereign cloud.” However, progress has stalled — as of February 2026, the scheme is still not finalized due to disagreements among member states over whether American companies should be excluded from the highest level. Watch this closely — the final form of EUCS will fundamentally affect what can be called a sovereign cloud.

What Sovereign Cloud Actually Is — and What It Is Not¶

The term “sovereign cloud” has no official definition. That is a problem. Every vendor interprets it in their own way. AWS offers “European Sovereign Cloud.” Azure has “EU Data Boundary.” Google operates the S3NS partnership in France. Are these sovereign solutions? It depends on whom you ask.

In October 2025, DGIT (the IT department of the European Commission) published a framework with an 8-point definition and a formula for calculating a “sovereignty score.” The definition includes these dimensions:

• Data residency — data physically stored in the EU, never leaving the jurisdiction
• Operational autonomy — operations and management exclusively by EU residents/citizens on EU territory
• Legal independence — legal entity under EU law, without subordination to extraterritorial legislation (CLOUD Act, FISA)
• Technical isolation — physically and logically separated infrastructure from global regions
• Governance transparency — independent oversight, audit trail, control mechanisms
• Supply chain sovereignty — control over both hardware and software supply chains
• Interoperability — ability to transfer data and workloads between providers
• Encryption & key management — encryption keys under the control of the customer or an EU entity

In practice, there is a spectrum. At one end is “full sovereignty” — completely European infrastructure, software, and operations (OVHcloud, Scaleway, Hetzner). At the other end are “sovereign features” of American hyperscalers — data in EU data centers, but the legal entity in Seattle. Most companies will fall somewhere in between.

Why “AWS in Frankfurt” Is Not Enough¶

Your data may physically reside in Frankfurt, but your contract is with an American corporation. The CLOUD Act allows US authorities to request data from American companies regardless of location. Azure Data Boundary and AWS EU Region are not a legal firewall — they are technical controls within American jurisdiction. For sensitive workloads (national security, industrial IP, health records), this is the difference between “data residency on paper” and actual sovereignty.

Overview of Sovereign Cloud Solutions in 2026¶

The Hyperscalers’ Response: Sovereign Partnerships¶

American hyperscalers responded to demand by creating “sovereign” variants of their services. In January 2026, AWS launched its European Sovereign Cloud — a physically and logically separated cloud in Brandenburg, operated by EU residents under German law. It is led by Stephane Israel (an EU citizen) with an advisory board composed exclusively of EU citizens. AWS plans to expand with Local Zones in Belgium, the Netherlands, and Portugal.

Similar models exist elsewhere: Google operates the S3NS partnership with Thales in France (SecNumCloud certification), Microsoft collaborates on the Bleu project (with Orange and Capgemini) and Delos in Germany (with SAP). In Germany, Microsoft also launched “Sovereign OpenAI” for enterprise customers.

The question remains: is a partnership with an American company, even with an EU legal wrapper, truly sovereign? The trade association CISPE (Cloud Infrastructure Service Providers in Europe) argues it is not — and accuses the EU Sovereignty Framework of being set up in favor of American incumbents.

European Native Cloud Providers¶

Truly European alternatives exist and in 2026 have matured to the stage where they are a realistic choice for production workloads:

Provider	Origin	Strengths	Suitable for
OVHcloud	France	Broadest European portfolio, SecNumCloud certification, own data centers, GPU cloud	Enterprise workloads, AI inference, regulated industries
Scaleway	France	Developer-friendly, managed Kubernetes, AI/ML services, Terraform support	Startups, dev teams, cloud-native workloads
Hetzner	Germany	Best price-to-performance ratio, bare metal, data centers in EU and Finland	Self-managed infrastructure, CI/CD, compute-heavy workloads
T-Systems / Open Telekom Cloud	Germany	Enterprise-grade, BSI C5 certification, GDPR-native, consulting services	Large corporations, public sector, banking
STACKIT	Germany	Schwarz Group (Lidl/Kaufland), Kubernetes, managed databases	Retail, enterprise focused on the German market
Aruba Cloud	Italy	Data centers in 5 EU countries, ISO 27001/27017/27018 certification	SMB, web hosting, IoT backend services

Also important is the open source ecosystem, which enables building sovereign infrastructure without dependence on proprietary software. OpenNebula as an alternative to VMware for virtualization, Nextcloud instead of Microsoft 365 for collaboration, Kubernetes as a universal orchestration layer — France is already actively pushing its public administration toward these alternatives, replacing Zoom and Teams with local solutions.

Gaia-X: Vision vs. Reality¶

The Gaia-X initiative, launched in 2019 by Germany and France, had the ambition to create an “Airbus of cloud” — a federated European data infrastructure. In practice, the project has been struggling with slow progress, disagreements among members, and criticism that the involvement of American companies undermines its very purpose. Nevertheless, Gaia-X has created important standards for federated data spaces and its trust framework is becoming the foundation for sector-specific data ecosystems — for example in the automotive industry (Catena-X) and healthcare. Gaia-X is not a cloud provider. It is a framework for interoperability. And therein lies its real value.

Sovereign AI: Where Data Sovereignty Meets GPU Reality¶

The biggest challenge for sovereign cloud in 2026 is AI infrastructure. LLM training requires thousands of GPUs, which today are primarily controlled by American companies — NVIDIA dominates the market and its top-end chips (H100, B200) are subject to American export controls. IDC predicts that by 2028, 80% of enterprise organizations will prioritize AI sovereignty for mission-critical workloads through non-public hosting, open technologies, and regional partners.

IDC FutureScape for 2026 identifies a key problem: by 2028, 60% of multinational companies will operate AI stacks split across sovereign zones. The result? Triple integration costs due to regulatory fragmentation and supply chain risks. For companies running RAG systems in production this means that data sources, embedding models, and inference endpoints may each fall under a different jurisdiction.

However, concrete solutions are emerging:

• Mistral AI (France) is investing in its own GPU infrastructure in the EU while maintaining a partnership with Microsoft Azure for scaling
• AWS European Sovereign Cloud offers AI Factories and Outposts for customers who want AI inference in a sovereign environment
• IBM introduced its Sovereignty Platform in January 2026 — an integrated solution for sovereign AI deployment with full control over keys and data
• Open source models (Llama, Mistral, Qwen) enable self-hosted inference on European infrastructure without dependence on American API endpoints

Practical Tip: Sovereign AI in Practice¶

If you are running AI agents processing sensitive data, consider a hybrid architecture: training on hyperscaler GPUs (anonymized data), inference on sovereign infrastructure (sensitive data, embeddings, vector database). Open source models like Mistral Large or Llama 3 can be run on dedicated hardware at OVHcloud or Hetzner with full control over data. For architectural recommendations on security, see our article on AI agent security.

Case Study: Airbus and the €50M Sovereign Cloud Migration¶

The sovereign cloud trend was most visible at Airbus. The European aviation giant announced a ten-year tender worth €50 million at the end of 2025 for migrating mission-critical applications to a sovereign European cloud. Catherine Jestin, Executive Vice President for Digital, summed it up simply: “We want to ensure that this information remains under European control.”

Airbus requires a complete stack under EU jurisdiction:

• Data at rest and data in transit within the EU
• Logging and audit trail under EU law
• IAM (Identity & Access Management) operated by an EU entity
• Security monitoring independent of American tools
• Contractual and legal firewalls against extraterritorial access

For industrial companies with sensitive IP — and in the European context this includes automotive, defense industry, energy companies, and of course the banking sector — Airbus is a model of where the future is heading. It is not a question of if, but when and how fast.

Practical Guide: Sovereignty Assessment for Enterprises¶

Transitioning to sovereign cloud is not a binary “move everything” decision. It is a risk-driven classification of workloads and gradual migration. Here is a 6-step framework:

Step 1 — Inventory & Classification

Map What You Have and Where It Runs¶

Conduct an inventory of all cloud workloads: applications, databases, storage, AI/ML pipelines, SaaS tools. Assign each a data classification (public, internal, confidential, regulated) and regulatory requirements (GDPR, NIS2, DORA, sector-specific regulation). The output is a matrix of workload x sensitivity x regulation x current provider. Without this inventory, you are making decisions blindly.

Step 2 — Sovereignty Decision Framework

Decide What Needs Sovereignty¶

Not everything needs to be sovereign. A public website can happily run on Cloudflare. But a core banking system, health records, or an AI model trained on customer data — those are candidates. Evaluate each workload along four axes: data sensitivity (what happens in case of a leak?), regulatory obligation (does the law require it?), operational sovereignty (what happens if the provider disconnects?) and cost impact (how much does migration cost vs. the risk?). Use a 1–5 scale for each axis and set a threshold for sovereign deployment.

Step 3 — Hybrid Architecture

Design a Multi-Cloud/Sovereign Topology¶

For most companies, the answer is a hybrid model: sensitive workloads on sovereign infrastructure (OVHcloud, T-Systems, on-premises), less sensitive ones on hyperscalers (better services, lower cost), edge computing for latency-critical operations. The key is a standardized abstraction layer — Kubernetes as the orchestration platform, Terraform for infrastructure-as-code, and clearly defined networking and security policies across environments. See our guide on Platform Engineering for details on Internal Developer Platforms.

Step 4 — Exit Strategy

Document How to Leave Each Provider¶

DORA requires this explicitly, but every company should have it: a documented exit strategy for each cloud provider. This includes: data export format, migration timeframe, alternative target platform, test scenarios, and responsible persons. The EU Data Act from September 2025 requires providers to technically support switching. Test exit strategies regularly — just as you test disaster recovery.

Step 5 — Gradual Migration

Migrate Iteratively, Not Big-Bang¶

Start with workloads that have the highest sovereignty score and the lowest migration complexity. Typically: sensitive data storage, backup and DR, logging and audit, development/staging environments. Only after validation should you migrate production workloads. Use blue-green or canary deployment patterns. Each iteration must include performance benchmarking and compliance validation. For zero-downtime migration techniques, see our cloud migration guide.

Step 6 — Continuous Compliance

Sovereignty Is Not a One-Time Project¶

Set up continuous compliance monitoring: automated data residency audits (where does the data actually reside?), regular review of contracts with providers, tracking of regulatory changes (CADA, EUCS, national NIS2 transpositions), and incident response plans for cases when a provider breaches sovereignty SLA. Integrate sovereignty metrics into your observability stack — data residency and encryption status should be monitored just like uptime.

Context for European Enterprises¶

The Czech Republic is in a unique position. On one hand, it is strongly integrated into the European industrial chain (automotive, engineering, defense industry), and on the other hand, it has a relatively small local cloud market. Most Czech enterprise companies run workloads on AWS (Frankfurt, Ireland), Azure (Netherlands, Ireland), or Google Cloud (Belgium, Finland) — within the EU, but with American companies.

For companies in regulated sectors, we recommend considering:

• NIS2 transposition into national law — national cybersecurity authorities are preparing implementation that will specify obligations for local entities. Stay actively informed.
• Hetzner — the most affordable EU-native provider with a data center in Finland (low latency from Central Europe), excellent price-to-performance ratio for self-managed workloads
• OVHcloud — the most comprehensive European alternative with managed Kubernetes, GPU cloud, and SecNumCloud certification
• Hybrid approach — sensitive data on EU-native infrastructure, AI inference and general-purpose compute on hyperscalers with a clear exit strategy
• Local data centers — for the highest level of sovereignty, consider on-premises or colocation in local data centers with a Kubernetes overlay

Don’t Forget the SaaS Layer¶

Sovereign cloud addresses IaaS and PaaS, but what about SaaS? Microsoft 365, Google Workspace, Salesforce, Slack — all American companies under the CLOUD Act. France is already actively migrating its public administration to Nextcloud and local videoconferencing solutions. For companies with highest-sensitivity data (defense, energy, banking), SaaS sovereignty should be on the roadmap — at minimum for email, documents, and communications.

Conclusion: Sovereignty Is Not Protectionism — It Is Risk Management¶

Sovereign cloud is not about ditching AWS and going back to servers under a desk. It is about deliberate diversification — recognizing that a 90% dependency on American cloud infrastructure is a single-point-of-failure at a geopolitical level. It is about having an exit strategy before you need one. It is about meeting NIS2 and DORA regulations before the audit comes. And it is about protecting customer data from a jurisdiction you do not control.

2026 is an inflection point. AWS launched the European Sovereign Cloud. The EU is preparing CADA. Airbus is migrating. 61% of CIOs are changing their strategy. Companies in regulated sectors should begin a sovereignty assessment — not in a year, but now.

Start with step 1: map what you have, where it runs, and under whose jurisdiction. The result will probably surprise you.

Sources and References¶

• AWS Blog: Opening the AWS European Sovereign Cloud (January 2026) — aws.amazon.com
• Broadcom/VMware: Three Predictions for Sovereign Cloud in 2026 — news.broadcom.com
• IDC FutureScape: The High Cost of Sovereignty in the Age of AI (February 2026) — idc.com
• Gartner: Survey Reveals Geopolitics Will Drive 61% of CIOs to Increase Reliance on Local Cloud Providers (2025) — gartner.com
• The Register: Euro firms must ditch Uncle Sam’s clouds and go EU-native (January 2026) — theregister.com
• Forbes: How AI Will Shape Cloud Services And Infrastructure In 2026 (January 2026) — forbes.com
• SoftwareOne: Digital Sovereignty in 2026: Your Action Plan — softwareone.com
• B2B Cyber Security: Cloud Trends 2026: Digital Sovereignty is Key (February 2026) — b2b-cyber-security.de
• IBM/CIO Dive: IBM tackles cloud, AI sovereignty with new platform (January 2026) — ciodive.com
• EU Commission DGIT: Framework for Identifying Sovereign Clouds (October 2025) — commission.europa.eu