
Europe’s push for digital sovereignty has entered a new phase and companies are struggling to keep pace. Whilst the risk was nascent, so were the protections required, with data storage locations and the use of Standard Contractual Clauses within Data Processing Agreements the go-to solution. These were non-technical and simple to enforce and implement. Today, the stakes are meaningfully higher, and those familiar tools are a step behind. Whilst still necessary, they don’t give you nearly the cover required in today’s environment.
Fuelled by geopolitical unrest, the rapid rise of AI, and the growing importance of data and technology as a strategic asset, data sovereignty has become a boardroom and even governmental priority. And as demand for “sovereign” cloud and AI solutions accelerates, so too does a more alarming issue: data sovereignty washing. This question now centres upon genuine control over layers of technological infrastructure, including the big cloud providers, rather than just where data is and who can access it.
Across the market, major cloud providers are increasingly positioning their services as sovereign to Europe. At face value, this appears to be progress – localisation, regional data centres, and enhanced compliance controls do represent meaningful steps towards sovereignty. And for many providers it is genuine progress, but for some, beneath the surface, many of these offerings fall short of what true sovereignty requires: full protection against foreign jurisdiction and full control of your technical infrastructure.
Cross-border access
This distinction is becoming increasingly important in today’s complex legal and geopolitical environment. Legislation such as the US CLOUD Act enables authorities to request access to data held by US-headquartered companies, regardless of where that data is physically stored. The Foreign Intelligence Surveillance Act (FISA) goes further and allows US-headquartered companies to access data without a warrant and without the knowledge of the data controller. As a result, data located in a European data centre may still be subject to legal processes originating outside the region. At the same time, service providers have mechanisms available to review and, where appropriate, challenge CLOUD, but not FISA, requests within established legal frameworks.
Sovereignty is no longer as simple as where your data sits
This creates a nuanced dynamic. The CLOUD Act was introduced to support an increasingly global digital economy and to provide clearer mechanisms for cross-border law enforcement access. However, it has also contributed to ongoing discussions about how privacy, jurisdiction and data governance should be managed across different legal regimes. The US isn’t the only country with this sort of legislation, but the focus is on the US as that is where most of the world’s cloud technology comes from.
In this context, there can be a gap between perception and reality. Organisations may assume that storing data within a specific geography ensures that it is governed solely by local laws. In practice, jurisdiction can depend on a broader set of factors, including ownership, control and legal accountability.
This is where concerns about sovereignty washing emerge, where solutions are positioned as sovereign based primarily on data location, without fully addressing the wider legal and operational dimensions of control.
How at risk is your data?
The risks are not abstract, with tens of thousands of CLOUD requests between the US and the UK, and many requests in for the EU. Currently a request immediately breaches GDPR, and the cloud provider would refuse and send it through diplomatic channels. They affect privacy, compliance, and at the most extreme end of the scale, national security. Public sector bodies, regulated industries, and organisations developing AI systems are all increasingly reliant on data that must be not just secure, but demonstrably under European control. If that control is illusory, so too is the protection.
For the industry to see a noticeable shift, European policy and procurement must reflect this reality. Across the EU, there is growing recognition that sovereignty must be defined not by infrastructure location alone, but by a broader set of criteria: legal jurisdiction, operational independence, control over encryption keys, and the ability to move or repatriate workloads without restriction.
A solutions-oriented approach
The solutions which worked before still work now: if your data is in Europe, then you have much better protections. If you are a European entity with European citizen data but your data is in the US, then the protections leveraged under GDPR will not hold much weight.
To avoid FISA jurisdiction, investment in and selection of European-controlled infrastructure — from cloud platforms to hardware supply chains — is essential. Without it, sovereignty will remain dependent on external actors. Recent efforts to direct public contracts towards European providers highlight how procurement can stimulate local ecosystems, improve competitiveness, and reduce dependency over time.
Organisations must also take greater responsibility for due diligence, understanding which cloud providers are offering actual sovereignty and which are just marketing. Understand where data resides and which jurisdiction different providers come under, and have a framework for assessing this.
Finally, Europe needs to enforce a clear definition of sovereign, with this term being protected. Without it, the term risks becoming another overused label, and one which obscures risk rather than mitigating it. Industry warnings about sovereignty washing already highlight how easily the concept can be diluted if left unchecked.
Europe’s sovereign potential
Done properly, Europe’s sovereignty agenda has the potential to be a powerful growth engine. It can strengthen trust in digital systems, drive investment in local innovation, and build a more resilient and competitive cloud and AI ecosystem.
But achieving this vision requires a reality check about the current state of play. Sovereignty must be designed into the architecture, governance model, and the legal frameworks from the outset.
The stakes are only getting higher. As AI systems are increasingly trained on sensitive public and private data, the question of who controls that data will shape not just compliance outcomes, but Europe’s long-term strategic autonomy.
If Europe is serious about digital sovereignty, it must move beyond appearances and take control for real.




