Over the past fifteen years, the move to the cloud was largely uncontested. Scalability, ease of use, and access to modern services offered advantages that the traditional on-premises world could not match. The downside, namely, a loss of control to American hyperscalers, is only now being felt. How can Europe become more digitally autonomous and define what its pursuit of sovereignty truly entails? We discuss this with experts from Cloudera, Dynatrace, Eurofiber, Rubrik, and Thales.
The sovereignty debate did not come out of the blue. However, as Ivo Veerman, Sales Director at Eurofiber Cloud Infra, points out, it was an academic discussion for a long time. Now, various incidents are showing that sovereignty has a major impact in practice—especially when there is a lack of this form of digital control. According to Veerman, sovereignty now revolves around concrete questions: Do you have control over your data? Where is that data stored? Who has access to it? And what are the consequences if your access is blocked?
Previously, other concerns were prevalent. Filip Verloy, Field CTO EMEA & APJ Rx at Rubrik, speaks of a different risk analysis than before. “In the past, people at the board and C-suite levels said they lacked availability and therefore had to use the public cloud. But today, that risk profile has completely flipped, and organizations must find a way to decouple themselves. That is now a bigger problem for some organizations.” Guido Gerrits, VP of IAM Sales Europe at Thales, sees a similar transition. Whereas companies used to focus primarily on how to keep their data confidential, that question has now shifted to whether they can even access the data at all.
The message is clear
That awareness varies by organization, and sometimes it’s simply not there. Gerrits knows of several examples where IT departments have moved large amounts of data to U.S. clouds, including within critical infrastructure. “I think a lot more education is needed.”
Not every organization needs to rush to move out of the cloud. But Chris Geebelen, Solutions Engineering Director for Benelux, the Nordics, Eastern Europe, and Iberia at Dynatrace, observes that governments and financial institutions understand the danger of excessive digital dependence. “But if you look at the manufacturing industry, that awareness is less prevalent.” Nevertheless, he does not expect sovereignty to cease being a concern even if a new, less confrontational U.S. president takes office.
Frank Beerlage, Managing Director Benelux at Cloudera, calls it a “wake-up call.” According to him, the shift toward sovereignty has led to once-unthinkable outcomes in just a few years. Examples include banks and governments reversing their cloud migrations and labeling legitimate players like Microsoft, Amazon, and Google as risks. “The only question now is: where are we headed?”
Sovereignty itself is not a motivation
It’s difficult to find an alternative to the hyperscalers. Microsoft and Google, in particular, offer such a wide range of products that it’s easy to become “Microsoft-first” or “Google-first” when it comes to IT choices. Overarching “cloud-only” ambitions have also become commonplace. Beerlage points out that cloud initiatives often started small but can now be massive. Nevertheless, major banks and government agencies are choosing to move their most confidential data away from the cloud providers.
Dependency may be unavoidable somewhere in the supply chain, especially by 2026. Geebelen of Dynatrace refers to the network, hardware, storage, and software. “You can’t do all of those things in Europe.” The question is also whether that’s even necessary. Veerman of Eurofiber emphasizes that no organization is pursuing sovereignty on its own, simply because this is “not in the company’s best interest at all.” In this regard, he says, parties are “not acting on principle.” Instead, they are seeking continuity: how do you minimize the risks of downtime, conflicts with providers, or legal issues? The move toward sovereignty is therefore being prepared indirectly at most, unless additional incentives can be devised.
Filip Verloy of Rubrik emphasizes that this drive toward independence amounts to a new dimension in organizations’ risk assessment. Whereas companies used to view the cloud primarily as a way to guarantee innovation and high availability, the risk profile has now completely reversed. “Now the cloud is really coming my way, and I have to try to disconnect from it,” he notes. According to Verloy, however, this is not a one-time project, but a “constantly evolving concept.” Organizations base their approach on current legislation and the role of the U.S., but in a few years they may have to adapt to entirely different global shifts. Sovereignty has thus simply become a permanent, additional factor in executives’ broad risk analysis. And consequently, it is also a skill in which some organizations excel while others fall short.
Is there a middle ground after all?
Still, this independence does not necessarily mean that American technology must be completely banned. At least, that is the approach taken by Gerrits’ company, Thales. A striking example of such a hybrid solution is the joint venture between Thales and Google (GCP), S3NS (pronounced “sense”). Gerrits (Thales) explains how this works in practice. S3NS is a wholly French company, with an exclusively French workforce, where data is hosted and managed locally. Although the underlying software is provided by Google, every update must first be rigorously reviewed and approved by the French National Cybersecurity Agency (ANSSI).
Even after the rollout of CADA, such a setup could potentially be “sovereign enough.” However, it is a practical consideration that organizations must prioritize, according to Verloy of Rubrik. He believes that “minimum viable sovereignty” should be the guiding principle. He argues that organizations must ask themselves which services they absolutely cannot outsource. At the same time, a company thus accepts that the rest of its IT environment runs elsewhere. There are certainly advantages, Beerlage explains. Consider the convenience, flexibility, and (as mentioned earlier) the innovation offered by public clouds.
Geebelen (Dynatrace) views the new trend toward sovereignty as classic market forces at work. Stricter regulations are now creating massive demand, and supply will inevitably follow. Years ago, there was simply no commercial necessity, which is why European providers lagged behind. Now that sovereignty imposes strict requirements on large organizations, a lucrative market is emerging. “When there’s demand, people start thinking: I can make money off this, so let’s do it,” explains Geebelen. According to him, this strong economic incentive will accelerate investment and the development of European alternatives.
Practical problems
Countless counterexamples show that the stated desire for digital autonomy won’t be fulfilled just like that. Verloy points to earlier grandiose European cloud initiatives that have fallen by the wayside over the years, such as Gaia-X and Catena-X. He also notes that you’d see “a lot of eye-rolling” if you asked technicians to disconnect IT infrastructure from American systems.
Ivo Veerman also sees a regulatory hurdle. Rejecting a provider based on its country of origin is not permitted in a public procurement process without good reason. Europe will therefore have to enforce digital autonomy through tenders where “no one wants, for example, an American or Chinese hyperscaler to be awarded the contract,” to give one example. Veerman also considers it risky to modify the structure to such an extent that non-European players can be excluded—aside from the fact that both national and European legislation prevents this, he believes it is not “all bad.” According to Veerman, it is therefore quite possible to responsibly create a “hybrid” environment with sovereign and less sovereign components.
That dynamic stems from a certain geopolitical naivety, according to Frank Beerlage. European companies receiving government support may still lose out on contracts to American or Chinese alternatives. This presents a chicken-and-egg problem: without adoption, there is no mature product, and without a mature product, there is no adoption. Nevertheless, European suppliers must also simply be competitive.
Conclusion: a clear goal
The drive for sovereignty is not inherently European. Yet the move toward true digital autonomy is far from universal. According to Gartner, only the United States and China can currently host a sovereign cloud. The rest must decide where they can reduce their dependence and whether it even makes sense to be autonomous on all digital fronts.
The experts paint a picture in which digital resilience takes center stage. For Europe, there is (as yet) no guarantee of a fully sovereign IT stack. They therefore emphasize risk assessments, awareness, and strict requirements in public sector procurement. A European offering that can compete with the hyperscalers does not yet exist. It is also not yet certain whether (and if so, in what way) U.S. cloud providers will remain involved in sovereignty efforts. What is truly needed to be sovereign? The fact that this question is now being asked aloud in boardrooms is progress. However, taking decisive action—something that did not happen with initiatives like Gaia-X—is now absolutely essential.