Executive Summary
Amazon and Microsoft introduced cloud offerings under the "sovereign" label in 2026: AWS European Sovereign Cloud in Brandenburg with EU operations and Microsoft 365 Local with on-premises hardware. Author Golo Roden argues that these solutions address data residency and operational autonomy, but leave legal sovereignty untouched. The problem: the CLOUD Act and FISA Section 702 enable US authorities to retrieve data from US corporations, regardless of physical location or EU subsidiary status.
Persons
- Golo Roden (Founder and CTO, the native web GmbH)
Topics
- Cloud Sovereignty
- Digital Sovereignty
- Data Residency
- Cloud Governance
- EU Regulation
Clarus Lead
The EU Commission has created a framework with the Cloud and AI Development Act that measures sovereignty in tiers – and has thereby identified the problem: "sovereign" is not a reliable label, but rather marketing for technical measures that ignore the decisive level. With two-thirds of the European cloud market held by three US corporations, political pressure to reduce this dependence is growing, yet without clear definitions, organizations are buying an illusion instead of control.
Detailed Summary
Roden distinguishes three levels of cloud sovereignty. Data residency concerns the physical location of data; operational autonomy concerns management by independent personnel; legal sovereignty concerns the jurisdiction to which the parent company is subject. Only the first and second can be established contractually and technically. The third – who has the final say in a conflict – eludes such measures because it depends not on server location, but on the legal order to which the corporation is subject.
AWS European Sovereign Cloud operates in a separate partition with its own euro billing system and exclusively EU-based personnel. Microsoft relocates sensitive services such as Exchange to customer hardware outside the public cloud. Both merely shift the jurisdiction problem without solving it. A US authority can instruct the parent corporation to compel its European subsidiary to take action – a legally untested construct. Microsoft confirmed before the French Senate in 2025 that it cannot guarantee European data will never reach US authorities.
The EU regulatory framework recognizes the gap: the Cloud and AI Development Act defines sovereignty in tiers. The lowest requires only EU processing; the highest demands ownership, control, and personnel independence from third countries. This distinction shows that true sovereignty is a design discipline, not a purchase. European providers currently hold only 15 percent of the market; through procurement requirements, they could gain ground.
Roden advocates for resilience as a fallback position: customer-controlled encryption, data portability, and technical reversibility protect against extraterritorial access without requiring complete independence. Initiatives such as EuroStack and migrations in public administration point toward a more laborious but more stable path – control over one's own stack rather than inheriting dependence on vendors.
Core Statements
- Sovereignty has three levels: data residency, operational autonomy, and legal control; current cloud offerings address only the first two.
- The CLOUD Act and FISA Section 702 enable US authorities to access data extraterritorially, which EU subsidiaries cannot prevent.
- The EU framework (Cloud and AI Development Act) defines sovereignty in measurable tiers and shows that "sovereign" as a mere label is incomplete.
- True sovereignty requires deliberate design decisions per system, not blanket migration to hyperscalers.
- Resilience through encryption and data portability offers pragmatic protection without requiring complete independence.
Critical Questions
Evidence/Data Quality: The author claims that US authorities can force an EU subsidiary to share data – which precedents or legal opinions specifically substantiate this jurisdictional assumption?
Conflicts of Interest: Golo Roden is founder of a software development company. Does the industry benefit from skepticism toward hyperscalers, and how does this influence his argumentation?
Causality/Alternatives: Is Microsoft's lack of guarantee before the French Senate evidence of technical impossibility or rather of legal uncertainty and lack of binding contracts?
Feasibility/Risks: Initiatives such as EuroStack are announced – how realistic is a sustainable European cloud market given financing, talent shortages, and existing AWS/Azure dependencies?
Causality: Does the classification into "sovereignty tiers" actually lead to better control, or is it in fact ignored by authorities when cost considerations outweigh it?
Conflicts of Interest: Which European cloud providers directly benefit from a restrictive definition of sovereignty, and are their positions in the debate made transparent?
Data Quality: The claim that 2/3 of the European cloud market is held by three US corporations – which market definition (Public Cloud? Hybrid? SaaS?) underlies this figure?
Bibliography
Primary Source: The Sovereign Cloud That Isn't – A Label for the Wrong Level – heise.de, June 2026
Complementary Standards & Regulation:
- EU Commission: Cloud and AI Development Act (June 2026)
- Federal Office for Information Security (BSI): Cloud Sovereignty Criteria Catalog
- Court of Justice of the European Union: Schrems II (2020) – Invalidation of Privacy Shield
- US CLOUD Act (2018); FISA Section 702; Executive Order 12333
Verification Status: ✓ June 2026
This text was created with the support of an AI model. Editorial responsibility: clarus.news | Fact-checking: June 2026