In recent months, several hyperscalers such as AWS, Microsoft, Google, and Oracle have presented their own proposals for a "sovereign cloud" for Europe. Their announcements mention data centres in the EU, local operational staff, and regions isolated from the rest of their global infrastructure. However, despite these announcements, one question remains unanswered:
Can there be digital sovereignty if the provider is subject to extraterritorial laws?
Hosting data in Europe is a necessary condition, but it does not guarantee sovereignty on its own. At the legal level, there are regulations such as the CLOUD Act and others such as the Patriot Act, which allow US authorities to require a company whose parent company is located within its jurisdiction to hand over data or metadata, even if it is physically stored within the EU.
The problem is that there is still no clear case law on how to reconcile these obligations with the GDPR, NIS2 or future European regulations. In the absence of firm court rulings, any potential conflict remains open to interpretation in the courts.
To meet European requirements, several hyperscalers have introduced new layers of operational control within the Union: isolated regions, exclusively European staff, local key management, or specific subsidiaries for certain countries. These measures improve certain aspects of compliance and add value in specific uses.
However, all these controls share a structural limitation: none of them change the jurisdiction governing the parent company. Even if the infrastructure is located in the EU and day-to-day operations are carried out by European personnel, the provider remains subject to extraterritorial laws that may compel it to hand over data or metadata even if they remain physically within the Union.
There are specific precedents for this risk. Data protection authorities, such as those in Switzerland, have warned that SaaS services from US providers may be exposed to external access requests even when advanced encryption measures are adopted and European data residency is guaranteed.
Compared to the GDPR and NIS2, which establish a protection framework based on EU jurisdiction, the CLOUD Act introduces a potentially incompatible obligation when ultimate corporate and technological control lies outside Europe.
The fundamental question remains open: can a highly controlled architecture within the EU compensate for a legal framework that acts from outside? This debate remains unresolved. Technology can isolate infrastructures, but companies remain subject to the laws that govern them. Therefore, the tension has both a technical and a legal dimension, and currently neither has been resolved.
When we talk about the cloud, we tend to think of servers, racks and data centres. But there is one piece that is crucial: the software that governs the entire infrastructure, known as the control plane.
This control plane manages virtual machines, networks and snapshots. It administers access, stores the most sensitive metadata and defines who can do what within the cloud.
If this software depends on a company subject to external jurisdiction, sovereignty remains incomplete, even if the servers are located in European territory. Controlling the servers is important, but controlling the software that manages them is crucial.
First, exclusively European jurisdiction. The infrastructure and control plane must be under the same legal framework.
Second, technological control. The ability to audit, maintain and evolve the cloud without relying on decisions made outside the EU.
Third, governance and resilience. The ability to respond autonomously to incidents, cyberattacks or regulatory conflicts.
Without these three layers, "sovereignty" remains in the realm of marketing.
Europe has cloud providers that operate entirely under European jurisdiction and with their own technological control. They often go unnoticed in the face of announcements by hyperscalers, but they exist and are competitive, overshadowed by announcements of agreements with large global providers, which tacitly position themselves as the only viable option.
The debate should focus on something more structural: is Europe willing to define its own sovereignty criteria and apply them in its public procurement, regulation and digital strategy?
As long as the assessment depends on external announcements rather than a clear policy of technological autonomy, the balance will continue to tip towards the most visible solutions, which are not always the most sovereign ones.
Get the most out of your project with the fastest disks and most powerful CPUs in the Cloud.
Digital sovereignty combines jurisdiction, technological control and governance capacity. Data centres in Europe help, but they alone do not solve the problem.
If the European Union wants true autonomy in the management of its data and critical infrastructure, it will need to define clear criteria for sovereignty, apply them consistently and make room for solutions that already exist within its own technological ecosystem.
Today, rather than asking ourselves whether Europe has alternatives, we should be asking ourselves when it will decide to take advantage of them.
