European Sovereign Cloud — Why Sovereignty Means More Than Residency

Storing European data inside the EU is necessary. It is plainly not sufficient. A working definition of sovereignty has to survive a procurement contract — and the test is control, code, and exit.

The residency reflex

Every public sector RFP I have read in the last two years opens with the same sentence: "Data must be stored within the European Union." It is the political reflex of a decade that learned the word "sovereignty" the hard way — through Schrems, through CLOUD Act subpoenas, through the Microsoft Ireland case. The reflex is correct, but it has been mistaken for the goal.

Residency is the table-stakes baseline. It is not the win condition.

You can store every byte of patient data in a Frankfurt rack and still have a US parent company that is legally compellable to access, copy, or disable that data under FISA 702 or the CLOUD Act. You can run an entire municipality on an EU-region tenant and still have your encryption keys, your identity provider, and your control plane sitting in a service that any hyperscaler can revoke from a console in Seattle. The data did not leave Europe. The control over it never arrived.

This is why the EU Cloud Services Cybersecurity Certification Scheme (EUCS) has been stuck in an impasse since 2024. The drafts that included explicit sovereignty requirements — EU headquarters, immunity from non-EU law — were dropped in the March 2024 revision under heavy lobbying. What is left certifies cybersecurity, not jurisdiction. The political question was not answered; it was deferred. France kept SecNumCloud. Italy kept ACN. Germany kept C5+. The single market has, in the meantime, three sovereignty regimes and one residency reflex.

The 2026 cloud landscape now offers something better than the 2022 debate assumed: real sovereign offerings from real providers. AWS opened its European Sovereign Cloud in Brandenburg in January 2026, structured as a separate German legal entity with EU-resident-only operations, an independent IAM, billing, DNS, and certificate authority. Microsoft finalised its EU Data Boundary and routes regulated French workloads through Bleu — the Orange–Capgemini joint venture operating Microsoft technology under French state oversight. Google has its own equivalent through S3NS with Thales. None of these existed when the residency clause was first written into your procurement template. All of them deserve a sharper test than the one your template applies.

Three tests survive the procurement contract: control, code, and exit.

Test 1 — Control: who can be compelled to act?

The first question is not where the data lives. It is who, sitting in which jurisdiction, can be lawfully ordered to do something to it. Read the operating company's articles, the parent's filings, the staff residency requirements, the key-management documentation. Ask explicitly: under which legal compulsion regimes is this provider operable, and which entity holds the master keys?

A genuine sovereign offering will answer with a single jurisdiction, a single legal entity, and a key-management arrangement where the customer (or a customer-controlled HSM) holds the cryptographic root. Bleu can answer this for SecNumCloud workloads. AWS ESC can answer it for Brandenburg. Microsoft's standard EU Data Boundary cannot — and Microsoft has been honest about this, which is why the sovereign cloud product line exists.

If the answer involves any phrase like "operational support from headquarters," you do not have a sovereign system. You have a localisation layer.

Test 2 — Code: what actually runs your stack?

The second question is whether you can read, audit, and rebuild the software on which your services run. This is where the sovereignty conversation collides with the open source conversation, and where most procurement processes still flinch.

If the runtime is proprietary, every layer above it is a trust statement. Confidential computing helps; it does not solve the problem if the firmware, the orchestrator, or the AI model weights remain a black box owned and updateable by a non-EU vendor. Sovereign procurement should require either source-available stacks with European fork rights, or contractual escrow that can be activated under defined conditions. The open source baseline — Kubernetes, PostgreSQL, OpenStack, OpenSearch, EU-hosted open-weight models — is no longer a hobbyist option. It is the only layer Europe controls outright.

This is also the layer the Digital Commons EDIC was created to harden. Treat it as part of your procurement strategy, not as a separate ideological conversation.

Test 3 — Exit: can you actually leave?

The third question is whether the contract you are about to sign survives a future where you no longer want it. Since 12 September 2025, the EU Data Act gives every cloud customer the legal right to switch providers on two months' notice. Most switching fees are phased out entirely by 12 January 2027. IaaS providers must enable "functional equivalence" on transition; PaaS and SaaS providers must publish open switching interfaces.

That is the law. The operational reality is harsher.

Functional equivalence does not exist between BigQuery and Snowflake. Between Cosmos DB and DynamoDB. Between Bedrock-hosted models and an EU-hosted Mistral deployment. The Data Act gives you the legal scaffolding for an exit; it does not build the migration runway. That work is yours.

Build it before you sign. Run a documented restore-to-an-alternative-provider drill at least once a year, the way you run a disaster recovery test. If the answer is "we couldn't realistically do this in under 18 months," the contract you are about to sign is not a service agreement. It is an annexation.

The procurement playbook

You do not need a new procurement framework. You need three clauses and one drill.

The control clause names the operating entity, its jurisdiction, the location of decryption keys, and the legal regimes under which the provider can be compelled to act. The code clause identifies which components of the stack are open or escrowed, and what the European fork or rebuild path looks like. The exit clause references the Data Act switching obligations, names the target alternative provider, and commits both parties to an annual portability test. The drill is the test itself: pick a non-critical workload, move it to a second provider, document what broke, fix it, repeat.

Do this and the word "sovereignty" stops being a slogan. It becomes a property your system retains under stress.

That is the only definition that matters.
