Sovereign Cloud Architecture: CLOUD Act Limits & Decision Framework

What Changed in 2024-2025

Two major infrastructure announcements signaled a market shift:

Both vendors are responding to real demand: EU organizations want sovereignty. But there's a critical limit neither vendor can solve. Understanding that limit is the difference between a sound sovereignty strategy and a false sense of security.

The CLOUD Act Problem (Explained)

US law (Stored Communications Act as amended by CLOUD Act) allows US authorities to legally demand access to data held by US companies, regardless of where that data is physically stored and regardless of that country's privacy laws.

Key distinction: The CLOUD Act applies to company ownership, not data location.

Translation: If Microsoft stores your European data in an EU datacenter, operated by EU teams, under GDPR, the US government can still issue a subpoena to Microsoft (a US corporation) and demand access to that data.

Microsoft has publicly acknowledged this. AWS has publicly acknowledged this. Both vendors argue that the risk is low because:

  1. Subpoena requests are infrequent
  2. Microsoft/AWS legal teams will fight overbroad requests
  3. EU law (Schrems II) now requires impact assessments before US data transfers

These are valid points. But they're risk reduction, not elimination.

The Sovereignty Levels Framework

Instead of binary thinking ("sovereign" vs. "not sovereign"), it's more useful to assess along four levels:

Level 1: Vendor Control (Standard Cloud)

What you get: Data in region of choice, but vendor controls all infrastructure, keys, access.

CLOUD Act exposure: High. US vendor, US jurisdiction applies.

Best for: Non-sensitive workloads, cost optimization, velocity.

Cost: $$ (baseline)

Level 2: Regional Isolation (Sovereign Cloud)

What you get: Data residency + in-country processing + separate control plane.

CLOUD Act exposure: Moderate. Still US vendor, but operational separation increases friction on US legal requests.

Best for: Regulated data (healthcare, finance), EU compliance, when you need to demonstrate "reasonable efforts."

Cost: $$$$ (20-40% premium)

Reality check: This is Microsoft Sovereign Cloud and AWS European Sovereign Cloud.

Level 3: Independent Vendor (Non-US Company)

What you get: EU cloud vendor (e.g., OVHcloud, Deutsche Telekom) with GDPR enforcement and EU jurisdiction.

CLOUD Act exposure: Low/None. No US vendor, no US jurisdiction.

Best for: High-sensitivity data, regulatory requirements, jurisdictional mandates (e.g., France's cloud strategy).

Cost: $$$$$ (40-60% premium, limited feature parity)

Reality check: EU vendors lack the enterprise scale, maturity, and feature richness of AWS/Azure, and innovation is often slower.

Level 4: Self-Hosted (On-Premises)

What you get: Complete control, no vendor involvement, your jurisdiction.

CLOUD Act exposure: Zero (assuming US-independent infrastructure).

Best for: Maximum control, perfect sovereignty, or compliance with absolute residency mandates.

Cost: $$$$$$ (2-3x cloud cost, plus staffing, infrastructure, security operations)

Reality check: Most organizations lack the operational maturity for this. Requires world-class infrastructure and security teams.

Decision Framework: Which Level Makes Sense?

The right choice depends on four factors:

Factor                  | Level 1                | Level 2            | Level 3                      | Level 4
Data Sensitivity        | Low (public, internal) | Medium (regulated) | High (sensitive PII, health) | Critical (state secrets)
Regulatory Requirements | GDPR basic             | GDPR Article 32    | GDPR + Schrems II            | Perfect residency
Budget                  | Tight                  | Moderate           | Comfortable                  | Unrestricted
Operational Maturity    | Any                    | Intermediate       | Advanced                     | Expert

Case Study: The Right Answer Varies

Scenario 1: Professional Services Firm (EU)

Client data is their asset. GDPR compliance is mandatory. Decision: Level 2 (Sovereign Cloud) for client data processing, Level 1 for internal operations.

Why not Level 3? Feature gaps, vendor lock-in risk, and cost don't justify the marginal gain when Level 2 already meets the firm's regulatory requirements.

Scenario 2: Healthcare Org (Germany)

Patient data falls under German data protection law (stricter than GDPR). Government scrutiny is high. Decision: Level 3 or 4. Sovereign Cloud isn't enough.

Scenario 3: Fintech (UK)

Customer financial data, FCA regulation. CLOUD Act risk is acceptable if mitigated by DPA (Data Processing Agreement) and incident response planning. Decision: Level 2. Cost-benefit favors Sovereign Cloud over building Level 3.

What Microsoft & AWS Don't Tell You

The Decision Criteria

When evaluating sovereign cloud options, assess across these dimensions:

  1. Data residency: Where does your data sit at rest? (AWS EU, Microsoft EU, OVHcloud, on-premises)
  2. CLOUD Act exposure: Is your vendor subject to US law? If yes, what's your legal mitigation?
  3. Encryption control: Who holds the keys? You, the vendor, or a hybrid arrangement?
  4. Feature completeness: Does your required workload exist on the platform?
  5. Cost & timeline: How long until the chosen level reaches break-even? What's the operational overhead?
  6. Vendor lock-in: If you need to exit, what's the effort and cost?

The Vendor Comparison Tool below walks through all six dimensions and produces a decision matrix customized to your data classification, budget, and regulatory posture.

The Honest Take

Perfect sovereignty is rare and expensive. Most EU organizations achieve adequate sovereignty through Level 2 (Sovereign Cloud) + DPA + encryption. This costs 25-30% more than standard cloud but is defensible in audit and aligns with GDPR Schrems II requirements.

If you need Level 3 or 4 (independent vendor or self-hosted), you need clear justification: regulatory mandate, board directive, or existential risk. The operational and cost burden is substantial.

Get the Vendor Comparison Tool

A decision framework for evaluating Microsoft Sovereign Cloud, AWS European Cloud, independent vendors, and on-premises options. Includes the 6-category assessment rubric and cost-benefit analysis.

You'll also get the Sovereignty Risk Assessment Framework and quarterly updates on regional cloud infrastructure.

Next Steps

If you're evaluating sovereign cloud architecture for your organization, let's discuss your specific compliance and risk posture. We can assess which level (1-4) makes sense for your data, budget, and regulatory environment.