Cloud Sovereignty: Pathways to Digital Independence for European Companies

In an increasingly digitalised business world, German companies face a dilemma: the use of powerful cloud services is essential for digital transformation – but frequently leads to growing dependency on US hyperscalers. This dependency poses regulatory, strategic and geopolitical risks to the long-term competitiveness of German enterprises.

What Does Cloud Sovereignty Mean?

Cloud sovereignty refers to an organisation's ability to exercise complete control and self-determination over its data, applications and IT infrastructure stored and processed in the cloud – independent of external influences, foreign jurisdictions and technological dependencies.

Cloud sovereignty encompasses three central levels: data sovereignty (encryption, access controls), operational sovereignty (portable applications, standardised interfaces) and technological sovereignty (cloud-agnostic infrastructure).

Hyperscaler Dominance: Risk or Opportunity?

The global cloud market is dominated by a few US hyperscalers. AWS, Microsoft Azure and Google Cloud control approximately 70 per cent of the worldwide cloud market – with direct implications for the strategic freedom of action of European companies.

The strong concentration on these providers poses considerable risks: the US CLOUD Act enables US authorities to access data under certain circumstances, even when stored in Europe. Standardised contractual models allow little scope for individual adaptations. High technical and financial switching barriers create vendor lock-in, and international tensions can directly threaten business continuity.

Simultaneously, hyperscalers offer continuous development of cutting-edge services and technologies (AI and analytics), attractive pricing models through global infrastructure, as well as extensive partner and developer communities.

The hyperscalers have recognised the growing demand for digital sovereignty and expanded their portfolios. AWS European Sovereign Cloud, Microsoft EU Data Boundary and Google Sovereign Cloud Portfolio offer operations in European data centres, customer-managed encryption keys, guaranteed regional data residency and legal safeguards against extraterritorial data access.

Despite these offerings, the providers remain US companies under US jurisdiction – in case of doubt, US authorities can exert pressure on parent corporations. Support, updates and security patches are delivered centrally from the United States, software remains closed source, and critical know-how resides exclusively with the providers. Moreover, sovereignty features come at a premium, and not all services are available.

The hyperscalers' sovereignty offerings are primarily compliance solutions, not genuine sovereignty guarantees. They fulfil regulatory requirements and reduce certain risks – but do not eliminate the fundamental dependency on US technology corporations.

European Alternatives – More Than Just Compliance?

Alongside the US hyperscalers, a landscape of European cloud providers (EU Cloud) has established itself, positioning themselves as sovereign alternatives.

1. Established providers include STACKIT (Schwarz Digits), the cloud platform of the Schwarz Group (Lidl, Kaufland) with proven enterprise scaling, BSI partnership for the highest German security standards (Link: https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2025/250318_BSI_Resilienz_Cloud-Loesung.html) and exclusively European data centres.
2. The Open Telekom Cloud from Deutsche Telekom offers managed cloud services by T-Systems with German legal jurisdiction, a hybrid technology base with increasingly proprietary development and long-standing enterprise experience.
3. IONOS Cloud positions itself as a German cloud provider focusing on transparency and ease of use, completely European infrastructure and competitive pricing models.
4. OVHcloud, the largest European cloud provider (French, publicly listed), has global infrastructure under European control and can demonstrate an important practical proof with the successful migration of critical banking workloads for Commerzbank Real.

Can European Providers Compete with the US Giants?

The answer is more nuanced than the simple dichotomy "US vs. EU" suggests. European providers offer genuine legal certainty, as they operate as EU companies under EU law, thus eliminating US CLOUD Act risk. Data protection is natively integrated – GDPR by design rather than retrospective adaptation. Furthermore, they enable greater transparency and control through direct access to decision-makers and more open communication. Local support with German-speaking teams provides deep understanding of local compliance requirements.

Simultaneously, European providers face challenges: innovation speed is slower due to smaller R&D investments in AI/ML technologies. The service portfolio is more limited with fewer managed services and specialist tools. Global reach concentrates primarily on Europe with restricted worldwide presence. The cost structure is also a reality – European providers are often more expensive than hyperscalers due to smaller scale.

There is no single sovereignty strategy – the right choice depends on the criticality of data and workloads/applications, regulatory requirements and cloud maturity.

Beyond the individual offerings of the hyperscalers (Public Cloud), hyperscalers with sovereignty offerings (Sovereign Public Cloud) and European cloud providers (EU Cloud), organisations have further options.

Multi-Cloud Approach: Flexibility Through Diversification

A strategic multi-cloud approach distributes risks and reduces dependencies. Two variants are to be distinguished:

Two hyperscalers offer maximum service variety and global reach, but the sovereignty problem persists.

Hyperscaler + European provider enables genuine sovereignty for critical workloads and exit options, but requires management of potentially different technology stacks.

Both approaches improve negotiating position and reduce vendor lock-in. Success factor: Professional multi-cloud management and clear governance – otherwise multi-cloud becomes "multi-chaos".

Hybrid Models: The Best of Both Worlds

Hybrid cloud models combine on-premises infrastructure with cloud services and enable workload-based decisions. Typical distribution follows criticality: on-premises for business-critical and highly sensitive data, European cloud for sensitive data with sovereignty requirements and cloud scaling needs, hyperscaler cloud for standard processes, development/testing and AI workloads.

Three sovereignty variants are possible: Hybrid with hyperscaler offers maximum innovation, but the sovereignty gap remains. Hybrid with EU provider ensures comprehensive sovereignty with a more limited service portfolio. Hybrid with both (on-prem + EU cloud + hyperscaler) enables maximum flexibility but requires management across three levels.

The strategic advantage lies in granular control – each application can be operated based on a benefit-risk assessment where specific requirements are best met. Realistic challenges include high complexity in networking and security, specialised expertise and higher total costs.

On-Premises: Maximum Control with Limitations

Traditional on-premises infrastructure offers the highest data and operational control – all systems in one's own data centre.
Sovereignty advantages: Complete control over data access, no dependency on cloud providers, no risk from foreign jurisdictions.

The inconvenient truth: Even on-premises does not offer complete sovereignty. Critical technologies such as semiconductors, processors (Intel/AMD), firmware and network hardware (Cisco) predominantly originate from the USA or Asia.

Further disadvantages: Lack of scalability, high capital and operational costs, potentially outdated technology, skills shortage, longer time-to-market.

The central question: 

What degree of sovereignty is genuinely required for the most critical workloads/applications – and what compromises in innovation, costs and complexity are acceptable?