If you were to ask cloud providers whether their services are sovereign, my view is that most would say yes. The European Union (EU) has an opportunity to provide a standardized and widely understood definition that could bring more clarity to this market. The question is not whether policymakers will take this opportunity to define sovereignty; judging by numerous public statements, there seems to be consensus they will, but rather what form a sovereignty definition will take.
Several forces have converged to push the issue up the political agenda. Rising geopolitical tensions, concerns about supply chain resilience and the rapid expansion of artificial intelligence have all reshaped how organisations think about cloud infrastructure. What was once seen primarily as an IT procurement decision is now a matter of strategic autonomy and economic security.
This shift reflects a broader realisation that the early promise of frictionless, global cloud adoption has encountered new risks. European organisations are increasingly concerned about the concentration of digital infrastructure in the hands of a small number of providers over which they do not have full jurisdictional control, the potential for geopolitical developments to disrupt services, and the possibility that foreign policy decisions could indirectly affect critical systems. At the same time, the growth of AI is increasing demand for computing power and trusted digital infrastructure across the continent, creating opportunities for economic growth as well as concerns that Europe’s AI ecosystem might fall behind this technological opportunity.
But while the objective of strengthening Europe’s control over its digital infrastructure is widely shared, the path to achieving it is far from straightforward.
Sovereignty Is More Than Just Where Data Is Located
One reason is that sovereignty has no single common definition in Europe and historically it was reduced to the idea that data must simply be stored within European borders. In reality, genuine digital sovereignty is far more complex. It involves multiple dimensions, including legal jurisdiction, operational and technological control, data governance and the ability for organisations to move workloads between providers without being locked into a single ecosystem. Data localisation alone does not guarantee that infrastructure is free from external control or influence.
Equally important is recognising that modern cloud technology operates within highly interconnected global supply chains. Expecting Europe to build every layer of the technology stack independently would be neither economically viable nor technologically realistic. Even the hardware components that underpin digital infrastructure depend on materials and manufacturing processes sourced from around the world.
The challenge for policymakers, therefore, is not to pursue sovereignty through technological isolation but to strike a delicate balance; strengthening resilience and control while maintaining an open and competitive digital market that also enables local investment and the creation of a European technological ecosystem.
The Risk of Getting Sovereignty Wrong
Getting that balance wrong carries real risks. If sovereignty requirements remain undefined or are designed poorly, they could fragment the European market. Different interpretations across member states would force providers to navigate multiple regulatory regimes, increasing compliance costs and reducing the scale advantages that make cloud infrastructure viable. Fragmentation would ultimately make sovereign solutions more expensive and discourage investment.
Overly restrictive definitions could also limit supplier choice without necessarily improving resilience or quality of service. If policymakers focus too heavily on the nationality of technology providers rather than the actual control and governance of services, they risk: reducing competition; slowing innovation; and putting their own providers and services at a disadvantage through reduced features and forced obsolescence.
Another concern is the emergence of what some describe as “sovereignty washing”; solutions sold as sovereign that do not deliver genuine operational independence and local resilience. Without clear definitions and EU-wide applicable technical standards, it becomes difficult for customers and policymakers to distinguish between meaningful sovereignty commitments and hollow claims.
A workable definition of sovereignty should rest on four verifiable pillars: jurisdictional independence (the provider operates under EU law, free from foreign legal obligations that could compel data disclosure); operational control (the customer manages encryption keys, security controls, decides where workloads run, who has access to them, and holds a documented, time-bound exit path); technical portability (data and workloads can be exported in standard formats without material re-architecture), technological control (the customer is not locked-in, it’s able to make architectural, hardware and software choices and controls the supply chain) . These are not novel requirements. They are already implicit in GDPR, in national certification schemes like France's SecNumCloud framework, and in procurement frameworks such as the DG DIGIT Cloud Sovereignty Framework. The recent Commission announcement awarding a sovereign cloud tender to European providers demonstrates the validity of the model. Making them explicit and universal would allow any provider, European or global, to be assessed against the same bar.
From Debate to Implementation: The Role of DIGIT
This is why recent developments in the EU’s policy framework are significant. The European Commission’s DIGIT Cloud Sovereignty Framework represents an important step forward in moving the debate from theory to implementation that was recently put to practice through competitive bidding. The framework introduces a functional and scalable definition of sovereignty that can be applied in procurement decisions, allowing organisations to assess the level of control and independence provided by different cloud services.
Crucially, the framework adopts a risk-based approach. Not every workload requires the same level of sovereignty. Sensitive public sector systems or critical infrastructure may demand stricter requirements, while other applications can operate with more flexibility. By recognising these differences, the framework reflects the practical realities of how organisations use cloud infrastructure and enables decision makers to calibrate their procurement decisions based on risk without prejudicing a particular technology or business model.
Perhaps most importantly, embedding sovereignty considerations in procurement shifts the discussion from abstract policy goals to real-world action. When sovereignty requirements become part of contract criteria, they directly influence how companies design and deliver their services and this is something clearly observable in the market.
CAIDA and The Next Phase of Europe’s Cloud Strategy
The Cloud and AI Development Act (CAIDA) has the potential to become the legislative anchor for the EU’s cloud sovereignty agenda needs, but it should offer future-proof solutions to businesses and Member States. The EU does not need to build its digital infrastructure in isolation to achieve sovereignty. A more realistic path lies in strengthening the European cloud ecosystem through partnerships and clear governance structures that give control to Europeans on data, operations and infrastructure. In a model like this, European providers maintain operational control, jurisdiction and customer relationships while deploying advanced technologies that allow them to compete globally. In practice, this can take more than one form. Organisations with the resources and expertise may deploy an integrated private cloud infrastructure directly, maintaining full operational control themselves. Others may meet their sovereignty objectives by relying on trusted European cloud providers who deliver managed services under EU jurisdiction. Both routes are legitimate, and policy frameworks should accommodate both.
The challenge we have ahead of us requires focus on practical solutions: does it give a procurement officer in a national ministry a clear, applicable definition that can be used for a technology tender? If the answer is yes, it will change behaviour. If it targets the right incentives around permitting and data center development it may boost the growth of compute and AI-capable infrastructure in Europe. The good news seems to be that the first attempt to implement this through the DIGIT cloud procurement framework seems to be working.
If policymakers can strike the right balance, the EU’s sovereignty agenda could strengthen resilience without sacrificing innovation or openness. The goal should not be to close Europe’s digital market, but to ensure that the infrastructure underpinning its economy remains trusted, competitive and ultimately under European control, contributing positively to local innovation and economic growth.
The Cloud and AI Development Act (CAIDA) has the potential to become the legislative anchor for the EU's cloud sovereignty agenda, but only if it translates ambition into operational clarity. What the legislation should do is adopt and codify a risk-based, tiered definition of sovereignty, applied consistently across member states, with the option of independent attestation at the highest tier. If policymakers can strike the right balance, the EU's sovereignty agenda could strengthen resilience without sacrificing innovation or openness. That is the shortest, and realistic path from principle to practice, and the surest way to make sovereignty a source of competitive strength and industrial growth for Europe rather than a barrier to it.