In June 2025, a Microsoft France executive sat before the French Senate and was asked a simple question: could the company guarantee that European customer data would never be handed to US authorities? The answer, under oath, was no. The reason — the US CLOUD Act — has not changed in the months since, and it sits at the centre of why Europe is now spending public money to build cloud infrastructure that, by design, American companies cannot reach.
What used to be a procurement footnote — where exactly does our data sit? — is now a board-level risk question across European banks, hospitals, ministries, and critical-infrastructure operators. The response has produced two things at once: a wave of new “EU-only” cloud regions from US hyperscalers, and a parallel push to build wholly European alternatives. They are not the same product, and the difference matters.
What Data Sovereignty Actually Means in 2026
Data sovereignty is the principle that data is governed by the laws of the jurisdiction it sits under — including which courts can compel its disclosure. This is not the same as data residency, which only describes where bytes physically live. A datacentre in Frankfurt operated by a Delaware-registered parent company satisfies residency but not sovereignty: the parent remains subject to US legal process under the CLOUD Act, which permits American authorities to compel US-headquartered providers to produce data stored anywhere in the world.
European regulators began drawing this distinction sharply after the Court of Justice of the European Union’s 2020 Schrems II ruling invalidated the EU-US Privacy Shield. The 2023 Data Privacy Framework patched the legal basis for transfers, but it did not repeal the CLOUD Act or eliminate the underlying conflict-of-laws problem. A Canadian court ordered French provider OVHcloud to disclose data stored on European servers to Canadian police, so even non-US extraterritorial reach is in scope. Sovereignty is now understood as a layered question covering legal jurisdiction, operational control, key custody, and supply-chain dependency — not just a flag on a server room.
The legal teeth come from a stack of overlapping regulations: GDPR for personal data; NIS2 for critical-sector cybersecurity; DORA for financial-services operational resilience; and the EU AI Act, which classifies certain AI systems as high-risk and imposes data-governance obligations on the entire training and inference pipeline. None of these explicitly mandates “use a European provider,” but in combination they make non-European providers progressively harder to use for the most sensitive workloads.
The Cloud Sovereignty Framework and SEAL Levels
In October 2025, the European Commission published version 1.2.1 of its Cloud Sovereignty Framework (CSF), the first attempt by an EU institution to convert sovereignty from a slogan into measurable procurement criteria. The framework measures sovereignty across eight concrete objectives spanning strategic, legal, operational, and environmental considerations, plus supply chain transparency, technological openness, security, and compliance with EU laws. Each objective is scored against a tiered scale called SEAL — Sovereignty Effectiveness Assurance Level — running from SEAL-0 to SEAL-4.
SEAL is the load-bearing concept. For providers to be considered eligible in EU institutional procurement, they must demonstrate at least SEAL-2, the Data Sovereignty level, meaning they abide by EU laws and regulations without requiring additional technical measures by the customer to protect data. SEAL-3, Digital Resilience, requires immunity from supply-chain disruption by non-EU actors. SEAL-4 demands a fully European supply chain from chips to software — a level no major commercial provider currently meets.
The framework’s first real test came in April 2026, when the Commission awarded its Sovereign Cloud tender — €180 million ($212 million) over six years — to four consortia. Three of the four — Post Telecom (with CleverCloud and OVHcloud), STACKIT, and Scaleway — reached SEAL-3. The fourth, led by Belgian operator Proximus, reached only SEAL-2 because it relies on technology from S3NS, a joint venture between French defence group Thales and Google Cloud. CISPE, the European cloud trade body, immediately accused the Commission of institutionalizing “sovereignty washing” at the highest levels.
That dispute defines the entire market.
How “EU-Only” Regions Differ from Standard EU Datacentres
Every major US hyperscaler has operated EU datacentres for years. AWS Frankfurt opened in 2014. Azure has multiple German and French regions. Google has Paris, Frankfurt, and Madrid. None of these qualifies as sovereign — they are EU residency, not EU sovereignty. The new generation of “EU-only” offerings tries to close that gap through legal, operational, and architectural separation from the parent company.
AWS European Sovereign Cloud, launching its first region in Brandenburg, Germany, is the most aggressive example from a US hyperscaler. It is physically and logically separated from standard AWS regions, with the first region designed to ensure that all customer data — including metadata generated by the use of services — remains exclusively within the European Union. Operations, maintenance, and technical support are carried out exclusively by AWS employees who reside in the EU and under independent European legal entities, creating a human and legal firewall that prevents access to data from foreign jurisdictions, even by AWS’s own US parent company. The architecture is “shared nothing” with respect to global AWS — its own identity, billing, and control planes, capable of operating if the global AWS network goes dark.
Microsoft’s approach is layered. The EU Data Boundary, completed in February 2025 across three phases, keeps customer data, pseudonymized personal data, and professional-services support data inside the EU and EFTA for Microsoft 365, Dynamics 365, Power Platform, and most Azure services. Layered on top is Microsoft Cloud for Sovereignty with Sovereign Landing Zones and Data Guardian — controls that route remote-engineer access through EU-resident approvers and log it in tamper-evident ledgers. For workloads that need full isolation, Microsoft 365 Local brings Exchange Server, SharePoint Server, and Skype for Business Server to Azure Local, with disconnected mode arriving in early 2026. Two partner-operated sovereign clouds — Bleu in France (with Capgemini and Orange) and Delos Cloud in Germany (with SAP and Arvato) — are designed for the most regulated public-sector customers.
Google Cloud’s response runs through S3NS in France and direct EU partnerships elsewhere. Oracle Cloud Infrastructure operates two EU sovereign regions, in Spain and Germany.
The pure-play European providers — OVHcloud, Scaleway, STACKIT (Schwarz Group), Hetzner, Aruba, and IONOS — argue their proposition is structurally simpler: no US parent, no CLOUD Act exposure, no need for Data Guardian-style legal contortions. They sit at SEAL-3 by default and can pursue SEAL-4 because they control more of the stack. What they lack, in most cases, is the breadth of managed services that hyperscalers offer — the gap is narrowing on PaaS but remains wide on AI infrastructure.
Why “Sovereignty Washing” Is the Real Battle
The core unresolved question is whether legal exposure can be engineered away. Microsoft’s position, articulated repeatedly through 2025 and 2026, is that European boards, EU-resident operations, customer-held encryption keys, confidential computing, and contractual challenge of any US legal demand collectively reduce CLOUD Act risk to a level that is acceptable for most workloads. The company has reported no requests for EU customer data to date, and it commits to challenge any future ones.
Critics — most vocally CISPE, the Sovereign Cloud Stack project, Nextcloud, and a growing cohort of European policymakers — argue this is structural denial. Civo CEO Mark Boost put it directly: a datacentre in Paris or London does not change the fact that a US-headquartered company is governed by US law, meaning the data ultimately sits under US jurisdiction. Nextcloud’s Frank Karlitschek branded the latest hyperscaler measures “sovereignty washing”. The argument is that no contractual layer can override statute, and that genuine sovereignty therefore requires European ownership all the way up the stack — exactly what SEAL-4 contemplates and what no hyperscaler has committed to.
The Commission has tried to thread this needle. By recognizing that even non-European technologies, when operated within a strict and appropriate framework, can meet the minimum level of sovereignty required, the framework provides a clear and standardised method to assess cloud services, moving away from abstract principles to concrete sovereignty metrics. In practice this means SEAL-2 is acceptable for institutional procurement, but the political pressure inside member states is increasingly to require SEAL-3 or higher for sensitive workloads — particularly anything touching NIS2 essential entities, defence, healthcare records, or high-risk AI under the EU AI Act.
Practical Architecture Choices
For organisations actually building on this, the question is rarely “fully sovereign or not” — it is which workloads need which assurance level, and what that costs.
A hybrid model is now standard. Public-facing applications and general-purpose workloads stay in standard EU regions of a hyperscaler, accepting residency-level protection. Personal data of EU residents under GDPR sits inside the EU Data Boundary or AWS European Sovereign Cloud. Regulated workloads — health records, financial-services data under DORA, public-sector data, AI training data for high-risk systems under the EU AI Act — go to a SEAL-3-rated European provider or a partner-operated sovereign cloud like Bleu or Delos. Truly sensitive control-plane data and cryptographic key material stay on customer-controlled infrastructure or HSMs, with External Key Management wired into whichever cloud holds the encrypted payload.
The cost of this segmentation is real. Egress fees of $0.05–$0.09 per GB create material cost exposure for enterprises migrating regulated workloads, and replication across sovereignty tiers multiplies storage spend. Teams need to redesign data pipelines for locality, not just resilience.
There is also a skills-and-tooling cost. AWS European Sovereign Cloud will use the same SDKs as global AWS, but it is a separate partition — IAM identities, VPC peerings, account hierarchies, and cross-region replication do not transit the boundary. Sovereign deployments effectively become a second cloud account that happens to share an API surface.
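The hybrid model and the partition boundary described above can be checked mechanically against a workload inventory. The following Python is an added example, not code from any provider: the tier names and their ordering, the rule that personal and regulated payloads need externally held keys, and the inventory entries are assumptions constructed for illustration, and `aws-eusc` is used as the partition name of the AWS European Sovereign Cloud.

```python
# Added example: placement rules paraphrased from the hybrid model above.
# Tier names, ranks and the inventory are constructed for illustration.
RANK = {"eu-region": 0, "eu-boundary": 1, "seal3-or-partner": 2, "customer-hsm": 3}
REQUIRED = {            # data class -> minimum placement tier
    "general": "eu-region",
    "gdpr-personal": "eu-boundary",
    "regulated": "seal3-or-partner",   # health, DORA, public sector, high-risk AI
    "key-material": "customer-hsm",
}

def arn_partition(arn):
    """Return the partition field of an ARN (arn:<partition>:<service>:...)."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[1]

def check(workload):
    """Return a list of violation strings for one inventory entry."""
    out = []
    need = REQUIRED[workload["data_class"]]
    if RANK[workload["placement"]] < RANK[need]:
        out.append(f"{workload['name']}: {workload['placement']} is below required {need}")
    # Assumed rule: payloads held in a cloud are encrypted under externally held keys.
    if workload["data_class"] in ("gdpr-personal", "regulated") and not workload.get("external_keys"):
        out.append(f"{workload['name']}: no external key management")
    # References into another partition do not transit the boundary (IAM, VPC, replication).
    for arn in workload.get("references", []):
        if arn_partition(arn) != workload["partition"]:
            out.append(f"{workload['name']}: cross-partition reference {arn}")
    return out

INVENTORY = [  # constructed sample data, not real accounts or resources
    {"name": "web-frontend", "data_class": "general", "placement": "eu-region",
     "partition": "aws", "references": ["arn:aws:s3:::static-assets"]},
    {"name": "patient-records", "data_class": "regulated", "placement": "eu-boundary",
     "partition": "aws-eusc", "external_keys": True,
     "references": ["arn:aws:iam::111122223333:role/etl"]},
    {"name": "crm", "data_class": "gdpr-personal", "placement": "eu-boundary",
     "partition": "aws-eusc", "external_keys": False, "references": []},
]

def audit(inventory):
    """Collect violations across the whole inventory, in inventory order."""
    return [v for w in inventory for v in check(w)]

if __name__ == "__main__":
    print("\n".join(audit(INVENTORY)))
```

Run against the constructed inventory, the audit reports the under-placed health workload, its role reference into the global partition, and the personal-data workload without external keys.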
FAQ
Is data residency in the EU enough for GDPR?
For most personal-data processing, yes — provided appropriate safeguards under Chapter V are in place. GDPR does not, on its face, require sovereignty in the SEAL sense. The pressure for sovereignty comes from sectoral regulation (NIS2, DORA, the EU AI Act), public-sector procurement rules, and Schrems II-derived caution about transfers to third countries with extraterritorial surveillance laws.
Does the AWS European Sovereign Cloud eliminate CLOUD Act risk?
It significantly reduces operational exposure through EU-resident staff, EU legal entities, and architectural isolation — but AWS’s parent company remains a US corporation. The legal question of whether a US court could compel the parent to act on data held by an EU subsidiary is unresolved and will be tested in litigation, not in marketing.
What is SEAL-4 and why does no commercial provider claim it?
SEAL-4 requires a fully European supply chain from chips to software. The EU has no domestic equivalent of TSMC for leading-edge silicon, no x86 architecture under EU control, and no broadly adopted hyperscale software stack of European origin. SEAL-4 is therefore an aspirational ceiling rather than a current procurement target — for now, public-sector buyers settle for SEAL-3.
Are EU-only providers cheaper than hyperscalers?
On raw compute and storage, often yes. On managed AI services, observability, and breadth of PaaS, hyperscalers retain a large feature lead, and the total-cost-of-ownership comparison usually favours them for general-purpose workloads. The sovereign-versus-cost trade-off is genuine; it is not solved by either pure choice.
What Comes Next
The Cloud Sovereignty Framework is two iterations old and already shaping a €180 million tender. The next test cases are not legal — they are operational. Whether S3NS can deliver Google-grade managed services under entirely European control. Whether AWS’s European Sovereign Cloud can match the feature velocity of global AWS without falling years behind. Whether OVHcloud, Scaleway, and STACKIT can close the AI-infrastructure gap before sovereignty pressure pushes regulated buyers to settle for SEAL-2 instead of waiting for SEAL-3 with the features they need.
The honest read is that sovereignty in 2026 is a spectrum being negotiated in real time between procurement officers, lawyers, and architects. The “EU-only” label hides at least four meaningfully different products. The work, for anyone building on cloud infrastructure inside Europe, is figuring out which version of “EU-only” the workload actually requires — and not paying for assurance you don’t need or accepting residency where the regulation will eventually demand sovereignty.






