EU Sovereignty: Why EU Companies Must Rethink Strategy

17. 03. 2025
Overview

Rethink your data strategy and embrace EU sovereignty. Discover how migrating to sovereign clouds ensures compliance and protects your business.

Do you know where all your data is hosted, and can you REALLY ensure that it is processed in accordance with current EU law?

A recently published independent report by Cloud Legal Project Researcher Johan David Michels from Queen Mary University of London, “Sovereign Cloud for Europe”, highlights the growing importance of sovereign cloud solutions in Europe.
This demand is mainly driven by stringent European data protection laws combined with the operational need to protect data, such as personal data or trade secrets, from being accessed by foreign governments.

GDPR violation

A simple example in the study already shows how the GDPR is violated when a foreign government (here, the U.S.) orders its local cloud provider to disclose data of EU customers of its subsidiary.

Source: Sovereign Cloud for Europe – Study by Queen Mary University London, Feb 2025

A situation getting more and more complicated

The example above only proves that the risk of violations has been high for years, as the GDPR came into effect in 2018.

The growing focus on “supply chain risk management” required by more recently published regulations (e.g. DORA for financial services, NIS2 for critical infrastructure, CRA for connected products) also underlines the need for every EU-based company to rethink its data situation and implement new technologies.

It is not only about being compliant, however. Ensuring business continuity is a basic need for every senior management team, as critical events that lead to worldwide business disruptions or data losses can happen and already have happened. To mention only the most important examples: Log4J, the CrowdStrike update, and the theft of the M365 master key.

Despite the obvious risk of uncontrollable violations of existing EU law and the high risks to business continuity, many companies in the EU are still hesitant to migrate to EU sovereign clouds. This hesitation stems from several complications, including regulatory uncertainty, a lack of suitable cloud alternatives, and emerging risks from dependencies on existing cloud providers:

  1. Non-transparent cloud architecture: Through cloudification, companies have been and still are moving data and functions into all kinds of clouds (public, private, hybrid) in order to stay cost-competitive and ensure high data availability. However, this complex cloud landscape, with its partially unknown dependencies, raises concerns about upcoming migration processes: companies especially fear disruptions and potential downtime, as functionality might not be easily migratable to a new cloud provider.
  2. Regulatory disagreements: Navigating the complex and growing landscape of EU laws can be daunting. Furthermore, as regulations continuously change and become a moving target, companies hesitate to adopt new standards (compare, e.g., the back-and-forth over the Safe Harbor Agreement between the U.S. and the EU, which is always challenged in court by Schrems).
  3. Missing comparable cloud alternatives: Although reliance on non-EU cloud providers exposes companies to geopolitical risks, including foreign government access to sensitive data, all Big Tech providers and hyperscalers (e.g., AWS, Google Cloud, Microsoft Azure) have their headquarters in the U.S., which leads many companies to assume there is no alternative.
Example of a development toolchain incorporating several cloud and software providers
Source: Sonatype DevSecOps Reference Architecture

Experts will recognize the irony: companies need to migrate to a new/local cloud provider to get rid of non-transparent dependencies and ensure business continuity in the future, while those same non-transparent dependencies put current business continuity at risk during the migration process itself.

Let’s be honest: there are solutions already today, and we just need to keep it simple

Even with the challenges mentioned above, EU-based companies need to focus on a successful shift to EU-sovereign clouds in order to get rid of dependencies and complexity, which can be misused, especially in light of today’s geopolitical events. The simpler and more reliable, the better, as this also enables companies to quickly exit or switch providers when uncertainties or risks arise. All of this can be achieved today by following a step-by-step approach: cut the regulatory requirements and business needs into pieces and align them, e.g.:

  1. Improving GDPR compliance and business data confidentiality through encryption: Regarding our initial GDPR violation threat, local EU-based servers can already be combined with gateway encryption methods to easily raise data protection and ensure that foreign or unauthorized third parties cannot get access to business data, making it simply impossible to read the locally stored data without the locally stored key.
  2. Assuring NIS2/DORA supply chain risk management and raising business resilience/continuity with local vendors: When data is kept (and encrypted) on an EU-based cloud, business data is far less affected by the geopolitical risk of being secretly spied on, misused or ransomed. By additionally implementing a reliable dependency tracker and software code checks, companies can easily (re-)gain control of their cloud landscape, implement warnings and alerts for detected CVEs, and thereby raise resilience in their software supply chains. Checking SBOMs (Software Bills of Materials) in particular has proven to be a valuable method for assuring code quality in CI/CD pipelines.
  3. Ensuring compliance with future regulatory requirements by being part of the system: While foreign cloud providers always need to react to EU regulations and align them with their local laws (and might have little interest in foreign regulations due to administrative overkill), strong EU-sovereign cloud providers will always be ahead and will highly likely be part of the relevant associations that work to ensure EU regulations are designed in the most effective but also efficient way (e.g. regarding implementation costs). Companies with contracts with EU-based providers can therefore simply be sure that their contractual partner will always act in the interest of the EU and thus on the basis of the companies’ (EU-uniform) core business values.

No reason to hesitate any longer

The time to act is now. Companies in the EU must prioritize migrating to EU Sovereign Clouds at least to safeguard their data from unauthorized access and mitigate geopolitical risks. Embrace the future of cloud computing and take the first step towards digital sovereignty. Contact a sovereign cloud expert today to explore how EU Sovereign Clouds can transform your business.
