Sovereignty is a procurement clause.

There are two ways to talk about European digital sovereignty. The first is the speech version — strategic autonomy, rules of the digital age, values-based technology, a chorus of nouns that requires no commitment. The second is the procurement version — three operational tests that a contract can fail, and that a procurement officer can run on a Monday morning.

Only the second one keeps a system under European control when it matters. The rest is sentiment.

Sovereignty is not residency

Every public-sector RFP I have read in the last two years opens with a line about storing data in the European Union. That line is necessary; it is the table-stakes baseline. It is not the win condition.

You can store every byte of patient data in a Frankfurt rack and still have a US parent company that is legally compellable to access, copy, or disable that data. You can run an entire municipality on an EU-region tenant and still have your encryption keys, your identity provider, and your control plane sitting in a service that any hyperscaler can revoke from a console outside the Union. The data did not leave Europe. The control over it never arrived.

Residency answers the question "where does the data sit?" Sovereignty answers a different question: "who can be lawfully ordered to act on it, and what happens if we say no?"

Three tests

The three tests that survive a procurement contract are short to state and uncomfortable to apply.

Control. Who, sitting in which jurisdiction, can be lawfully ordered to do something to the system? A genuine sovereign offering will name a single jurisdiction, a single legal entity, and a key-management arrangement where the customer or a customer-controlled HSM holds the cryptographic root. Anything weaker is a localisation layer with a sovereignty label.

Code. What actually runs the stack? If the runtime is proprietary and the orchestrator is closed, every layer above is a trust statement. Sovereign procurement requires either source-available stacks with European fork rights or contractual escrow that can be activated under defined conditions. The open source baseline — Kubernetes, PostgreSQL, OpenStack, OpenSearch, EU-hosted open-weight models — is the only layer Europe controls outright.

Exit. Can you actually leave? Since 12 September 2025 the EU Data Act gives every cloud customer the legal right to switch providers on two months' notice; most switching fees are phased out by 12 January 2027. That is the law. The operational reality — that there is no functional equivalence between BigQuery and Snowflake, between Cosmos DB and DynamoDB, between Bedrock-hosted models and an EU-hosted Mistral deployment — is what the customer has to engineer for. The Data Act gives you the legal scaffolding for an exit; it does not build the migration runway.

A more careful walkthrough lives in the companion essay, European Sovereign Cloud — Why Sovereignty Means More Than Residency.

2026 is not 2022

The sovereignty conversation has moved on. AWS opened its European Sovereign Cloud in Brandenburg in January 2026, structured as a separate German legal entity with EU-resident-only operations. Microsoft has finalised its EU Data Boundary and routes regulated French workloads through Bleu, the Orange–Capgemini joint venture under French state oversight. Google has its equivalent through S3NS with Thales. The Digital Commons EDIC was formally established in late 2025 to harden the open source layer.

None of these existed when most procurement templates were written. All of them deserve a sharper test than the one those templates apply. The job of European sovereignty work in the next eighteen months is not to demand new options — the options now exist — but to make sure that public buyers can actually evaluate, procure, and exit them.

A procurement clause, not a slogan

The procurement consequence of all of this is small. Three clauses and a drill.

The control clause names the operating entity, its jurisdiction, the location of decryption keys, and the legal regimes under which the provider can be compelled to act. The code clause identifies which components of the stack are open or escrowed, and what the European fork or rebuild path looks like. The exit clause references the Data Act switching obligations, names a target alternative provider, and commits both parties to an annual portability test. The drill is the test itself: pick a non-critical workload, move it, document what broke, fix it, repeat.

Do this and the word sovereignty stops being a slogan. It becomes a property a system retains under stress.

What I work on

Sovereign-cloud procurement support for ministries, regulators, and operators of essential services. Translation work between national sovereignty regimes — SecNumCloud in France, ACN in Italy, C5+ in Germany — and the still impasse-bound EUCS scheme. Open source procurement strategy and engagement with the Digital Commons EDIC. Writing and briefing on the operational meaning of European sovereignty for boards, parliaments, and editors.

A separate essay covers the next eighteen months of the European infrastructure question: DC EDIC and the Next Eighteen Months.

For specific engagements — sovereign-cloud reviews, procurement-clause drafting, board briefings, or speaking — please get in touch.