โ† Back to Blog
2 March 2026

What Is a Sovereign Cloud? An EU Guide

Sovereign cloud explained: data residency, legal control, and why European organizations are moving off hyperscalers for digital sovereignty.

Few phrases in enterprise technology have been stretched as thin as sovereign cloud. It appears on vendor slides, in government strategy papers, and in marketing emails from the very hyperscalers whose dominance prompted the term in the first place. Somewhere between the genuine legal concept and the buzzword, the meaning gets lost. This guide tries to put it back — to define what a sovereign cloud actually is, what merely looks like one, and why a growing number of European organisations are rethinking where their data and their systems live.

The short version: sovereignty is not a feature you switch on. It is about who ultimately controls your data and the infrastructure that processes it — legally, operationally, and technically. Once you look at it through that lens, a lot of marketing claims fall away.

Three layers of sovereignty

It is useful to separate sovereignty into three distinct layers, because a provider can satisfy one while quietly failing another.

Data sovereignty

This is the layer most people mean first: your data is stored and processed within a defined jurisdiction — say, Germany or the EU — and is subject only to the laws of that jurisdiction. It is closely tied to data residency, but residency alone is not sovereignty. Where the bytes sit is necessary but not sufficient.

Operational sovereignty

This concerns who can access and administer the systems. Can support staff in another country log in? Who holds the encryption keys? Can the provider's personnel be compelled to act under a foreign legal order? A cloud can store data in Frankfurt and still be operated by a team subject to non-EU jurisdiction — which undermines the very sovereignty the data residency was meant to provide.

Technical sovereignty

This is about avoiding lock-in deep enough that you cannot leave. If the platform is built on proprietary APIs and formats controlled by a single vendor, your independence is theoretical. Open standards — OpenStack APIs, standard hypervisors, portable data formats — are what make sovereignty durable rather than performative.

Why residency alone is not enough

The most common misunderstanding is that storing data in an EU region equals sovereignty. It does not. The reason is extraterritorial law. Legislation such as the United States CLOUD Act can compel US-headquartered companies to produce data they control, regardless of where in the world that data physically resides. A datacentre in Frankfurt operated by a US-owned entity is still, in principle, within reach of that legal mechanism.

This is the crux of the European concern. It is not anti-American sentiment; it is a recognition that legal control follows corporate control, and corporate control does not respect datacentre walls. True sovereignty requires that the entity operating the infrastructure sits squarely within your own legal order, with no foreign parent able to be compelled to hand over keys or data.

What is driving the shift

Several forces have converged to push sovereignty from a niche public-sector requirement into a mainstream board-level topic.

Regulation is the most concrete driver. The DSGVO set the baseline for personal data protection; sector rules like DORA for financial services and the NIS2 directive for critical infrastructure raise the bar further; and national frameworks such as the BSI C5 catalogue in Germany give organisations a concrete yardstick. For regulated industries and public bodies, sovereignty is increasingly not optional.

Geopolitics is the second driver. Recent years have made organisations acutely aware that supply chains, software, and cloud services can become entangled in trade disputes, sanctions, and shifting alliances. The desire to keep critical systems insulated from that volatility is rational risk management.

And the third is a hard commercial lesson. The Broadcom acquisition of VMware showed how quickly costs and terms can change when a critical platform is controlled by a distant vendor. Sovereignty, in this sense, is also about strategic and economic independence — not being captive to decisions made far outside your influence.

GAIA-X and the European framework

No discussion of European sovereignty is complete without GAIA-X, the initiative to define a federated, interoperable data infrastructure built on European values: transparency, openness, data protection, and portability. It is worth understanding what GAIA-X is and is not. It is not a cloud you can buy; it is a set of rules, standards, and a certification framework that lets compliant providers interoperate while guaranteeing certain sovereignty properties.

The practical takeaway is that GAIA-X reinforces the same principles this article keeps returning to: open standards over lock-in, transparency over opaque control, and legal clarity about who can touch your data. Providers aligned with these principles give you a foundation that is portable and auditable rather than a walled garden.

The role of open source

Open source is not a side note in the sovereignty story — it is structural. When the platform underneath your cloud is open (OpenStack for the cloud layer, KVM for virtualization, Ceph for storage, Linux throughout), you gain something proprietary stacks cannot offer: the ability to inspect, to run the same software anywhere, and to migrate without a vendor's permission.

This is what turns technical sovereignty from a slogan into a property you can verify. If you ever needed to move your workloads to a different provider or in-house, open APIs and standard formats make that a project rather than an impossibility. The absence of a single controlling vendor is precisely the point.

How to evaluate a sovereign cloud provider

If you are assessing providers, a handful of pointed questions cut through the marketing quickly.

Where is the data physically stored, and can that be guaranteed contractually? Who owns the operating entity, and under which jurisdiction does it fall? Who can technically access the systems, from where, and who holds the encryption keys? Is the platform built on open standards that allow you to leave, or proprietary ones that do not? What certifications — ISO 27001, BSI C5 — does the provider hold, and against what scope? Honest providers answer these directly; evasive answers are themselves an answer.

Sovereignty in practice

What does it look like when these principles are actually implemented? It looks like infrastructure operated by a European entity, on European soil, on an open foundation, by people subject to European law. This is the model clouditiv is built around: a sovereign, OpenStack-based private cloud delivered as a managed platform for European — especially German — organisations, with data that stays in Germany and operations aligned to ISO 27001 and BSI C5. The platform runs on OpenStack 2025.2, Ubuntu 24.04 LTS, KVM, and Ceph, and its parent company SETUP Protokolltester GmbH brings more than three decades of telecom and network expertise to the table. The point is not the brand — it is that the architecture and the legal structure both line up with what sovereignty genuinely requires.

Cutting through the noise

Sovereign cloud is a real and important idea wrapped in a great deal of marketing. Strip the noise away and it comes down to a simple test: can anyone outside your legal order be compelled to access, withhold, or control your data and systems? If the honest answer is no — across all three layers of data, operations, and technology — you have sovereignty. If the answer is anything else, you have data residency at best. For European organisations weighing where to put their most important workloads, that distinction is becoming one of the defining infrastructure decisions of the decade.