
# Cloud Sovereignty

The architectural and legal property of cloud infrastructure that ensures data, operations, and control remain under the jurisdiction of a specific country or region — typically the EU.

## What cloud sovereignty actually means

Cloud sovereignty is the application of [data sovereignty](/en/glossary/data-sovereignty/) and [digital sovereignty](/en/glossary/digital-sovereignty/) concepts specifically to cloud infrastructure. A cloud is "sovereign" to a jurisdiction when:

1. The cloud infrastructure is physically located in that jurisdiction
2. The cloud is operated by entities incorporated in that jurisdiction (or in jurisdictions with equivalent legal protections)
3. External jurisdictions cannot legally compel disclosure of data, operations, or access

For European cloud sovereignty specifically, the third condition is the critical one — and it's where US-headquartered cloud providers structurally fall short due to the [CLOUD Act](/en/glossary/cloud-act/).

## The four sovereignty levels

European cloud sovereignty isn't binary. It exists on a spectrum:

### Level 0: No sovereignty

Standard public cloud (AWS, Azure, GCP) without specific EU configuration. Data may be stored anywhere globally; full US legal exposure.

### Level 1: EU data residency

US-headquartered cloud with explicit configuration to keep data in EU regions. Better than Level 0 but doesn't address legal compulsion via the CLOUD Act.

This is what Microsoft markets as "EU Data Boundary." Useful for general business workloads but legally insufficient for the highest sovereignty requirements.

### Level 2: EU-headquartered cloud

Cloud operated by EU-headquartered entities with no US corporate control. The CLOUD Act doesn't apply (the entity isn't US-based). Data is in EU jurisdiction, controlled by an EU entity, with no external compulsion path.

Examples: [Hetzner](/en/alternatives/hetzner-vs-aws/), [Scaleway](/en/alternatives/scaleway-vs-google-cloud/), [OVHcloud](/en/alternatives/ovhcloud-vs-microsoft-azure/), [Infomaniak](/en/alternatives/infomaniak-vs-digitalocean/), IONOS.

This is the practical sovereignty level for most European businesses.

### Level 3: Sovereign cloud (certified)

EU-headquartered cloud with additional certifications providing explicit sovereignty guarantees:

- **French Cloud de Confiance** (Trusted Cloud) — strict French government certification requiring no foreign legal control
- **German BSI C5 sovereign cloud** — German cybersecurity certification for sovereign workloads
- **Italian and other national sovereignty frameworks**

Examples: Open Telekom Cloud (Germany), T-Systems Sovereign Cloud (Germany), Outscale (France, Dassault Systèmes subsidiary), Bleu (Microsoft + Capgemini + Orange joint venture for French sovereign cloud).

This is the level required for the highest-stakes use cases — public sector, healthcare, critical infrastructure, defense.

## What "EU sovereign cloud" claims from US providers actually mean

Microsoft, AWS, and Google Cloud all market "sovereign cloud" offerings for European customers. These vary significantly in what sovereignty they actually provide:

**Microsoft EU Data Boundary** — Level 1 sovereignty. Data is stored and processed in the EU. Microsoft Corporation (US parent) retains corporate control. The CLOUD Act applies.

**AWS European Sovereign Cloud** (announced 2023, limited rollout) — Aspires to Level 2/3 with a separate operational entity. Implementation timeline unclear.

**Google Cloud Sovereign Solutions** — varies by partner. T-Systems Sovereign Cloud Germany is operated by Deutsche Telekom — meaningful sovereignty. Other Google Cloud + EU partner combinations vary.

**Bleu (Microsoft + Capgemini + Orange)** — French sovereign cloud built on Azure technology but operated as a fully French entity. Designed to qualify as Level 3 / Cloud de Confiance certified.

The pattern: US providers can technically achieve high sovereignty levels through complex partnership structures that separate operational entities from corporate control. These work but require careful evaluation of specific contractual and technical guarantees.

## When each sovereignty level makes sense

For European businesses making cloud architecture decisions:

**Level 0 (standard public cloud)** — Acceptable for general business workloads with no specific sovereignty requirements. Examples: marketing website hosting, public-facing assets, general office productivity.

**Level 1 (EU data residency)** — Acceptable for most business workloads with general GDPR compliance needs. Examples: customer-facing SaaS, internal collaboration tools, business application hosting.

**Level 2 (EU-headquartered cloud)** — Recommended for sensitive data, regulated industries, and businesses where sovereignty is a competitive feature. Examples: healthcare-adjacent applications, legal services, B2B SaaS serving European enterprises.

**Level 3 (sovereign cloud)** — Required for public sector, defense, highly regulated industries (banking under DORA, healthcare with patient data), and any organization with explicit sovereignty mandates.

Most European businesses operate at Level 1 with selective Level 2 for sensitive workloads. The strategic question is whether to expand the Level 2 / Level 3 footprint over time.

## Cloud sovereignty and DORA

DORA (Digital Operational Resilience Act, in force since January 2025) creates specific cloud sovereignty pressures for European financial institutions:

- **Concentration risk requirements** — financial institutions cannot have all critical infrastructure on a single cloud provider, pressuring multi-cloud strategies that often include EU-resident providers
- **Critical ICT third-party provider oversight** — major cloud providers serving multiple financial institutions are now under direct EU regulatory oversight
- **Specific contract requirements** — DORA mandates clauses that US providers' standard terms typically need amendment to accommodate

For European fintech specifically, cloud sovereignty has shifted from preference to operational requirement.

## Cost implications

Higher sovereignty levels generally cost more, but the gap is smaller than commonly believed:

- **Level 0 vs Level 1**: minimal cost difference (mostly configuration)
- **Level 1 vs Level 2**: EU-headquartered providers (Hetzner, Scaleway) are typically *cheaper* than US hyperscalers, often by 50-80%
- **Level 2 vs Level 3**: sovereign cloud certifications add cost, typically 20-50% premium over standard EU-headquartered cloud

The Level 1 → Level 2 transition is particularly favorable economically — better sovereignty + lower cost. The Level 2 → Level 3 transition costs more but is required for specific high-stakes use cases.

For a concrete cost comparison, see our [AWS vs EU cloud cost calculator](/en/cloud-savings-calculator/).

## What 2026-2027 brings

Cloud sovereignty is an active regulatory and technical area. Watch for:

- **EU Cloud Certification Scheme (EUCS)** — pan-European cloud security and sovereignty certification, currently being finalized
- **Member state sovereignty frameworks** continuing to evolve (German Cloud Act 2024, French updated Cloud de Confiance criteria)
- **DORA enforcement** clarifying expectations for financial sector cloud sovereignty
- **EU AI Act** adding AI-specific cloud sovereignty considerations
- **Sovereign AI** as cloud sovereignty intersects with EU AI Act obligations

For European businesses, treating cloud sovereignty as an ongoing strategic posture rather than a one-time decision aligns with the regulatory direction.