Data has always lived somewhere. But only recently has it started to matter where that "somewhere" is. Across Europe, regulators, business leaders, and cloud customers are asking new questions about who controls their data and what protections exist when data crosses invisible legal borders.
The tension between data residency and data sovereignty is moving from academic debate to urgent boardroom discussion. A new report from Johan David Michels of Queen Mary University of London, commissioned by Broadcom, suggests the time for Europe to reconsider its cloud dependencies may have finally arrived.
The growing divide between data residency and data sovereignty
Data residency sounds reassuring. It simply refers to the physical location where data is stored. Many US cloud providers have eagerly promised European customers that their data will stay within European borders, offering server farms dotted across Germany, France, and Ireland.
But geography is not the whole story.
Data sovereignty asks a deeper question: under whose jurisdiction does your data fall? It focuses on where the servers are located and who can legally access the data, compel its disclosure, or interfere with its availability.
What does sovereign cloud really mean?
undefined VMware (@VMware) March 4, 2025
With so many definitions, what does a true sovereign cloud mean? Johan David Michels, Researcher of Cloud Computing Law, breaks it down in this report. https://t.co/5oyRPMwn7Z pic.twitter.com/5iLmlGuWfj
As Johan David Michels explained during our conversation, "Storing data in Europe does not prevent the US government from accessing that data." This is because US laws like the CLOUD Act and FISA Section 702 allow American authorities to demand access to data held by US-based companies, no matter where the actual servers are.
Data residency might tell you where your information sleeps, but sovereignty tells you who has the keys. The difference between these two concepts is more than a technicality. It is why cloud customers across Europe are increasingly skeptical when US providers market "sovereign" services based only on local data centers. As Michels put it bluntly:
"If your cloud provider is saying to you, you don't have to worry about foreign government access because we've got a European subsidiary, and we're storing your data in Europe, then that is misleading."
Understanding this distinction is the first step toward smarter decisions about Europe's digital future.
Why Europe is rethinking its cloud dependencies
Concerns about foreign control over European data are not new. They date back at least to the Snowden revelations of 2013, when the scale of global surveillance programs became public. Yet despite the alarm, European organizations relied heavily on American hyperscalers like Amazon Web Services, Microsoft Azure, and Google Cloud.
Today, these US providers still dominate, controlling an estimated 60 to 70 percent of the European cloud infrastructure market, while European providers account for closer to 15 percent.
🇪🇺 150+ European companies including Nextcloud & Airbus call on the EU for undefinedradical actionundefined to reduce reliance on foreign tech. It’s time to build a sovereign digital infrastructure for Europe’s future! 🚀
undefined Nextcloud 📱☁️💻 (@Nextclouders) April 23, 2025
Will you join us?#EuroStackhttps://t.co/0ce7r1D8hR pic.twitter.com/5KDkYFgj46
What has changed is the intensity of political and regulatory scrutiny. Since introducing GDPR and initiatives like France's SecNumCloud certification, legal obligations around data protection have tightened. At the same time, geopolitical tensions have made the risks of foreign government overreach feel less theoretical.
As Michels noted: "There are longstanding concerns in Europe about the widespread reliance on foreign and particularly U.S. cloud providers." In an age of trade wars, technology nationalism, and unpredictable global politics, Europe is waking up to the real stakes of digital sovereignty.
The organizations leading this shift often deal with the most sensitive information. Think state intelligence agencies, healthcare providers managing personal medical records, or companies conducting AI, cryptography, and defense technology research.
"You wouldn't want the US intelligence agencies being able to access that data by simply saying to a US provider, 'hand that over,'" Michels pointed out. For these organizations, protecting data from extraterritorial access is not about theoretical risk calculations. It is a practical necessity.
Today, we took a big step toward a sovereign European cloud. With key French officials and industry leaders present at the World AI Cannes Festival, one thing was clear: people care about digital independence.
undefined Hivenet (@hivenet_cloud) February 13, 2025
Europe shouldn’t have to rely on foreign infrastructure for its data.… pic.twitter.com/aDkEHvXV7a
Of course, not every organization is handling state secrets. For many businesses, the calculus is different. Using a blend of public cloud and sovereign solutions is becoming increasingly popular. In our conversation, Michels captured this reality well: "There won't be a one-size-fits-all solution for sovereign cloud implementations."
In this more nuanced world, companies might store customer loyalty data in a US-based public cloud while reserving sensitive HR records or confidential R&D projects for sovereign environments. Hybrid and multi-cloud setups are no longer compromises. They are conscious choices.
Proposed Path Forward: A Sovereign Cloud code of conduct
One of the most constructive ideas from Michels' research is the call for a Sovereign Cloud Code of Conduct. Instead of pushing for new legislation, Michels proposes an industry-led initiative to create clear, regulator-approved standards.
"We don't need new regulations. We need to improve the certainty of how the existing regulations apply to using foreign cloud services."
Michels believes a code could outline the technical and organizational measures cloud providers must take to protect customer data from unauthorized foreign government access. Providers that adhere to the code could then offer credible assurances to customers about GDPR compliance.
Such a code would bring much-needed transparency to a market muddied by marketing spin. It would help customers understand their actual risks and choices. It would also reduce the phenomenon Michels calls "sovereignty-washing," where providers slap sovereign labels onto services without fundamentally addressing jurisdictional vulnerabilities.
The rise of sovereign cloud projects
Some signs of change are already visible. Projects like Bleu in France and Delos in Germany are attempting to blend European infrastructure ownership with US software excellence. By operating Microsoft services on European-controlled servers, they aim to keep customer data outside US jurisdiction.
It is a promising model. But, as Michels warned, it is not without its risks. Even in isolated deployments, there is always the lingering question of software backdoors or remote update dependencies. European control over hardware and software remains an ambitious, long-term goal.
Building an independent European cloud stack would require massive investment, political will, and time. In the meantime, hybrid strategies and joint US-European models offer better protection than standard public cloud options, even if they cannot eliminate all risks.
11/15 European executives are frantically seeking alternatives to US cloud providers, with German company SAP positioning itself as the undefinedsovereign cloudundefined solution. pic.twitter.com/CVckjQuKae
undefined Innovation Network (@INN2046) April 28, 2025
However, fears around surveillance and third-party data access are not isolated to European nations. Similar anxieties are growing inside the United States, especially around Chinese access to sensitive information. Greg Genung, CEO of Snowfire AI, recently observed: "This issue underscores two growing concerns: a) providers like DeepSeek transmitting data to servers in China, and b) the broader risk of sending sensitive company information to any external LLM where that data leaves the security of the enterprise environment. That's why we made our infrastructure cloud-based and fully hosted within AWS's US-East-1 region in Northern Virginia."
Genung added, "While we did not anticipate tariffs like those, we've long believed data sovereignty would be a key differentiator. So yes, US businesses are increasingly opting to store data at home, and we anticipate that Europe and others will do the same. A splinternet isn't just possible—it's already underway, and businesses must prepare."
Who holds the keys? Europe's quiet shift toward data sovereignty
The battle for Europe's data sovereignty is not about abandoning innovation or walling off technology. It is about making smarter, more informed choices based on actual legal and operational risks.
Moving company data away from US cloud servers is not a question of protectionism. It is a question of prudence, especially for those handling sensitive personal, strategic, or national security information.
As Michels wisely said, "It's no longer about where your data sits at rest. It's about who holds the keys to your data while you're sleeping."
In the end, sovereignty is not a destination. It is a direction of travel. The splintering of global internet infrastructure is no longer a future risk. It is already happening, and the journey toward genuinely protecting its digital future has already begun for Europe.
Your email address will not be published. Required fields are markedmarked