Executive Summary
Digital sovereignty in the cloud is not a standardized product feature but a strategic decision whose consequences depend on the individual organization. The market for sovereign cloud providers is currently characterized by contradictory promises: US hyperscalers obscure jurisdictional risks through EU subsidiaries, while European providers market EU ownership as a guarantee of sovereignty. An analysis of 17 providers against 31 criteria shows that no provider emerges as a clear winner: both camps exhibit significant weaknesses in cryptography and key control.
People
- Kai Müller (iX author)
Topics
- Cloud sovereignty
- Digital sovereignty
- Provider comparison
- Data protection and control
Clarus Lead
The gap between strategic intent and operational reality is the central problem today: decision-makers must choose among cloud providers that all promise sovereignty but have different, sometimes hidden, weaknesses. Certifications such as BSI C5, SecNumCloud and ISO/IEC 27001 build trust by attesting a baseline of controls, but they also establish high market entry barriers that distort competition. The Sovereign Cloud Compass offers transparency where marketing promises end.
Detailed Summary
The central phenomenon is so-called "sovereignty washing": sovereignty rhetoric that the technical reality does not fully back up. US hyperscalers use regulatorily accepted constructs (EU subsidiaries with EU governance) to minimize jurisdictional risk without fully relinquishing technical control over infrastructure, data or encryption. European providers, by contrast, advertise physical location and ownership structure but often neglect technical security mechanisms such as end-to-end encryption and user-controlled key management.
The analysis uncovers a core problem: cryptography and key control are underdeveloped across the industry, regardless of whether a provider is European or American. As long as the provider generates and holds the encryption keys, even a European provider with EU certification retains technical and administrative access to customer data. Supply chain risk compounds this: sovereignty at the provider level is undermined by dependencies on hardware manufacturers, software components and (often non-European) infrastructure operators.
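To make the key-control point concrete, the following Go program is an added example written for this summary; it is not code from the iX article, the Sovereign Cloud Compass or any provider. It models the three key-management offers a practitioner will meet (provider-managed keys; bring-your-own-key, where a customer-generated key is imported into the provider's KMS; and client-side encryption with a customer-held key) using the same envelope-encryption scheme for all three, and checks for each whether an actor on the provider side who holds the KMS key can recover the plaintext. All names (StoredObject, KeyModelResult, Encrypt, Decrypt, ProviderCanRead, CompareKeyModels) and the sample record are constructed for the example, and the three models are simplifications, not descriptions of any specific provider's product.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredObject is what the provider persists: ciphertext plus the per-object DEK wrapped under a KEK; where the KEK lives decides who can read.
type StoredObject struct {
	Ciphertext []byte // AES-256-GCM(DEK, plaintext), nonce prepended
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended
}

// KeyModelResult records, per key model, whether the provider can read the data.
type KeyModelResult struct {
	ProviderManaged bool // KEK generated and stored in the provider's KMS
	BYOKImported    bool // customer-generated KEK, but a copy imported into the KMS
	CustomerHeld    bool // KEK never leaves the customer (client-side encryption)
	CustomerCanRead bool // the customer-held object still round-trips for its owner
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable here
	}
	return b
}

// mustGCM panics only on a bad key size; every key in this example is 32 bytes.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail: NewGCM only rejects non-16-byte block ciphers
	return aead
}

// seal returns nonce || AES-GCM ciphertext under a fresh random nonce.
func seal(key, plaintext []byte) []byte {
	aead := mustGCM(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// unseal reverses seal; GCM authentication fails for any wrong key.
func unseal(key, sealed []byte) ([]byte, error) {
	aead := mustGCM(key)
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("sealed blob too short")
}

// Encrypt is envelope encryption: a fresh DEK per object, wrapped under kek.
func Encrypt(kek, plaintext []byte) StoredObject {
	dek := randomBytes(32)
	return StoredObject{Ciphertext: seal(dek, plaintext), WrappedDEK: seal(kek, dek)}
}

// Decrypt unwraps the DEK with kek and then decrypts the object.
func Decrypt(kek []byte, obj StoredObject) ([]byte, error) {
	dek, err := unseal(kek, obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, obj.Ciphertext)
}

// ProviderCanRead models an insider, a lawful-access order or a compromised control plane: the actor has the stored object plus the KEK held in the provider's KMS.
func ProviderCanRead(kmsKEK []byte, obj StoredObject) bool {
	_, err := Decrypt(kmsKEK, obj)
	return err == nil
}

// CompareKeyModels encrypts one constructed record under three key models; only the KEK's location differs.
func CompareKeyModels(record []byte) KeyModelResult {
	kmsKEK := randomBytes(32)                       // A: the provider's KMS generates and keeps the KEK
	byokKEK := randomBytes(32)                      // B: the customer generates the KEK...
	importedCopy := append([]byte(nil), byokKEK...) // ...but imports a copy into the KMS
	customerKEK := randomBytes(32)                  // C: client-side encryption; the KMS never sees this key
	objC := Encrypt(customerKEK, record)
	pt, err := Decrypt(customerKEK, objC)
	return KeyModelResult{
		ProviderManaged: ProviderCanRead(kmsKEK, Encrypt(kmsKEK, record)),
		BYOKImported:    ProviderCanRead(importedCopy, Encrypt(byokKEK, record)),
		CustomerHeld:    ProviderCanRead(kmsKEK, objC), // the KMS tries its own key and fails authentication
		CustomerCanRead: err == nil && bytes.Equal(pt, record),
	}
}

func main() {
	fmt.Printf("%+v\n", CompareKeyModels([]byte("constructed sample customer record")))
}
```

Running it yields ProviderManaged and BYOKImported true, CustomerHeld false, CustomerCanRead true. The practical check this suggests when evaluating a provider: ask where the KEK is generated, where it is stored, and whether the provider's own services can call the unwrap operation without the customer. A "customer-managed key" that the provider's KMS can unwrap on its own is model A or B, not C. The price of model C is that provider-side features that need plaintext (server-side indexing, search, managed backups) stop working, which is one reason it is rarely the default.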
Certifications play an ambivalent role. They increase trust and signal compliance with standards, but they simultaneously create market entry barriers that exclude smaller, innovative European providers. The result is paradoxical: large US corporations set up subsidiaries specifically to obtain the certifications, while European startups often cannot get through the certification process at all.
Key Statements
- "Sovereignty Washing" is widespread: All provider segments use sovereignty rhetoric without fully relinquishing technical control.
- No clear winner category: European providers score on governance but lose on technical encryption; US hyperscalers the opposite.
- Cryptography is the open flank: neither provider category adequately offers user-controlled key management.
- Supply chain undermines sovereignty: Physical location in the EU does not guarantee that critical components are controlled.
- Certifications are double-edged: They raise standards but exclude smaller competitors.
Critical Questions
Evidence: What methodology underlies the analysis of the 17 providers? Were the 31 criteria scientifically validated or editorially selected? What sources were used for the technical evaluation?
Conflicts of Interest: What financial or editorial relationships exist between heise/iX and the 17 analyzed providers? Were providers asked for statements?
Causality: Even if certifications create entry barriers and thereby market concentration, does it follow that security is lower? Or is the security of certified providers actually higher than that of uncertified ones?
Feasibility: How can a user concretely evaluate gaps in cryptography and key control when selecting a provider? Which technical tests are recommended?
Supply Chain Risk: Is a distinction made between direct (provider-controlled) and indirect (supplier-controlled) dependencies? Which supply chain risks are acceptable for typical use cases?
Governance vs. Technology: Why are governance properties (ownership, location) and technical properties (encryption) weighted equally when they offer different protection levels?
Source Index
Primary Source: Sovereignty Washing: How Cloud Sovereignty Is Really Evaluated – heise.de/iX, 2025
Referenced Tools:
- Sovereign Cloud Compass – Publicly accessible comparison tool
Relevant Standards:
- BSI C5 (Cloud Computing Compliance Criteria Catalogue, German Federal Office for Information Security)
- SecNumCloud (ANSSI security qualification for cloud service providers, France)
- ISO/IEC 27001 (Information Security Management Systems)
Verification Status: ✓ 2025
This text was created with the support of an AI model. Editorial Responsibility: clarus.news | Fact-Check: 2025