Sovereignty Washing: How Digital Sovereignty Should Be Assessed in the Cloud Industry

Executive Summary

Digital sovereignty is not a standardized product feature, but rather a strategic decision with individual consequences. The cloud market is dominated by numerous providers who all claim sovereignty for themselves. However, an analysis of 17 providers based on 31 criteria shows: No provider can be identified as a clear winner. US hyperscalers use EU subsidiaries to obscure jurisdiction risks, while European providers market EU ownership as a guarantee, but have technical gaps.

People

• Kai Müller (iX Author)

Topics

• Cloud sovereignty
• Compliance and certification
• Cryptography and key control
• Supply chain dependency

Clarus Lead

The market for sovereign cloud infrastructure is characterized by greenwashing practices that can systematically deceive decision-makers in IT and procurement. There is a significant gap between strategic intent and operational reality, which can be bridged by standardized evaluation criteria. The Sovereign Cloud Compass offers a publicly accessible comparison tool to identify substance behind marketing promises.

Detailed Summary

The analysis of 17 cloud providers uncovers systematic weaknesses on both sides of the market. Cryptography and key control represent an open flank for most providers – regardless of European or American origin. This means that even European providers do not automatically ensure better control over customer data.

Certifications such as BSI-C5 attestation, SecNumCloud, and ISO 27001 measurably improve sovereignty ratings, but simultaneously create high market entry barriers for new providers. This leads to market concentration and reduces competition. Supply chain dependency also relativizes any sovereignty promise of a purely European location – sovereignty is only as strong as the weakest component in the value chain.

Key Statements

• Digital sovereignty in the cloud is not a standardizable property, but requires individual assessment for each use case
• None of the 17 analyzed providers meets all sovereignty criteria simultaneously
• US hyperscalers use jurisdiction circumvention through EU structures; European providers have technical weaknesses
• Certifications improve transparency but increase market barriers
• Supply chain dependency is an underestimated risk factor for true sovereignty

Critical Questions

1. Data Quality: Is the analysis of 31 criteria based on objective technical measurements or subjective assessments? How is the validation method documented?

2. Conflicts of Interest: Who finances and operates the Sovereign Cloud Compass? Are there dependencies on the evaluated providers?

3. Causality: Do high certification hurdles actually lead to better sovereignty, or are they primarily a competitive barrier for smaller European providers?

4. Supply Chain Risk: How is supply chain dependency concretely measured? Which components or services are particularly critical?

5. Feasibility: Can a user actually make a secure selection decision based on the comparison criteria, or is additional organization-specific risk analysis required?

6. Jurisdiction Risks: How effective are EU subsidiaries as protection against extraterritorial data access (e.g., CLOUD Act)?

Bibliography

Primary Source: Sovereignty Washing: How to Really Assess Cloud Sovereignty – heise.de, 2025

Supplementary Sources:

1. Sovereign Cloud Compass – Public comparison tool for cloud sovereignty

Verification Status: ✓ 2025

This text was created with the support of an AI model. Editorial responsibility: clarus.news | Fact-checking: 2025