The Microsoft confession that shattered digital sovereignty illusions


Reality check: why sovereign clouds don't exist

The U.S. Cloud Act has applied to European data since 2018. We knew this. Legal experts warned about it. Privacy advocates highlighted it. But somewhere lingered the hope that maybe there were workarounds, technical solutions, or contractual gymnastics that could preserve European data sovereignty while keeping hyperscaler conveniences.

When Microsoft representatives sat before French parliamentarians on June 10th and confirmed under oath that US legislation would take precedence, even for data physically stored in Europe, that last comfortable illusion died.

No American cloud provider can protect European data and interests from US government involvement. The legal framework makes it impossible. Even if the hyperscalers' sovereign cloud initiatives could prevent US government access (which they can't), withholding service or support would kill any service based on their offering.

There is a big catch though: moving away from US hyperscalers isn't just about changing vendors. It's about accepting responsibility for the capabilities that AWS, Azure, and Google currently handle better than your organization does.

So what does this mean for your organization's technology strategy?
17 September 2025

Key takeaways about the sovereignty dilemma

  • Microsoft's confession killed the illusion: US legislation always takes precedence over European data promises. No American provider can offer true EU control.
  • Sovereignty is a spectrum, not binary: Trade-offs exist between complete hyperscaler dependency and total operational self-sufficiency.
  • European alternatives aren't equivalent: They lack hyperscaler ecosystem breadth and demand significantly more technical expertise from your team.
  • NIS2 makes this mandatory: Regulated entities must demonstrate meaningful control over security and continuity, whether they're ready or not.


      The sovereignty choice: mix & match your risk levels


      The sovereignty choice isn't binary; it's a spectrum between two extremes: complete dependency on foreign hyperscalers versus total operational self-sufficiency. At one extreme, you accept state-level access to your data and sudden loss of service (e.g., due to export controls); at the other, you take on responsibility for operating, securing, and running services that hyperscalers spend billions perfecting.

      When you move critical workloads away from US providers, you're not eliminating risk; you're trading one risk profile for another. The question becomes: can you protect yourself from state actors and geopolitical changes without dramatically increasing integrity and availability risks while maintaining competitive advantage?

      Repatriating your entire IT infrastructure takes years during which your technical team has no capacity for strategic projects. During this period, your competitors (especially US competitors) may continue building new capabilities and take market share. Even after transition, European alternatives demand more active management than hyperscaler services, shifting your technical resources from business-enabling projects to infrastructure maintenance. The sovereignty transition doesn't just cost money, it costs opportunity and market position.

      A big-bang exit probably introduces more risks than it solves.

      European offerings are not up to par

      European cloud alternatives exist, but they're not equivalent to hyperscaler ecosystems. They are lacking in both breadth of service and technical abstraction. You're not switching brands of the same product; you're accepting different operational & integration responsibilities. Exactly the things you were happy to be rid of.

      The service breadth problem: European providers offer very good hosting and basic platform services. They may offer other specific services but lack the breadth of the integrated tooling ecosystem that makes hyperscalers attractive. No integrated identity and access management spanning thousands of services. No automated threat detection at the click of a button.

      The skills investment: Running workloads on European providers demands more technical expertise from your team. You'll have to do more yourself since the offering is not on the same level as hyperscaler services: you’ll have to convert workloads so they can run on a different system (e.g., by using containers), and then you’re responsible for operations. Security monitoring you currently outsource becomes your responsibility. Infrastructure management that happens automatically requires active oversight. Compliance frameworks you inherit through hyperscaler certifications must be built and maintained internally. This is why you need more technical expertise either in-house or from a supplier who understands both sovereignty objectives and operational requirements.

      European providers are working to close the gaps, but this will take months if not years.


      NIS2: when regulation forces the trade-off


      The Network and Information Systems Directive (NIS2) requires that companies assess the risks (e.g., export control risks, state actor confidentiality) and implement measures to control or accept them. This changes the conversation for regulated organizations across energy, transport, banking, healthcare, and digital infrastructure sectors.

      • The control requirement: NIS2 demands that organizations maintain “technical and organisational measures” even when outsourcing to cloud providers. You cannot simply point to your hyperscalers’ compliance certifications; you must demonstrate meaningful control over business continuity and security oversight.
      • The sovereignty implication: Microsoft's confirmation that US legislation takes precedence over European data promises forces NIS2-covered organizations to take action. Compliance may require taking steps in the sovereignty trade-off whether they feel operationally ready or not.
      • The capability demand: NIS2 doesn't just require sovereignty, it requires competence. Organizations must prove they can maintain security and continuity standards regardless of their provider's nationality, policies, or operational status.
      For regulated entities, the trade-off is no longer theoretical. It's a compliance requirement with measurable consequences.


      The market dynamics: why this gets more complex

      The sovereignty challenge extends beyond individual organizational choices to market dynamics that complicate any migration strategy.

      • The ecosystem effect: Your suppliers, partners, and customers may remain dependent on US platforms, creating integration challenges that sovereignty alone cannot solve. Independence without ecosystem alignment creates operational isolation.
      • The innovation lag: US hyperscalers drive cloud innovation globally. European alternatives often implement capabilities months or years after AWS, Azure, and Google introduce them. Sovereignty may mean accepting slower access to emerging technologies.
      • The cost reality: European hosting and cloud services typically have lower direct costs than hyperscaler equivalents, but organizations may face higher total cost of ownership. The additional internal expertise required, extended management overhead, and reduced operational efficiency can offset initial savings. Sovereignty includes hidden costs that affect competitiveness in cost-sensitive markets.



      The YaWorks perspective: honest assessment, strategic planning

      The sovereignty conversation demands honesty about capabilities, risks, and trade-offs. Organizations need to consider both the geopolitical imperatives and the operational realities of maintaining security without hyperscaler safety nets.

      Digital sovereignty represents a strategic context shift rather than a technical revolution. The core infrastructure challenges (cloud architecture design, network optimization, data center operations) remain consistent. What changes is the operational framework: organizations may now prefer these capabilities delivered through European-controlled resources while maintaining hyperscaler-equivalent performance and security standards.

      The transition toward greater sovereignty control doesn't require immediate wholesale changes. Organizations can begin building resilience incrementally, making strategic decisions that reduce foreign dependency risks while maintaining operational effectiveness. Each step builds capability and reduces vulnerability without demanding comprehensive infrastructure replacement.

      Conclusion: the choice you can't avoid 


      Microsoft's confirmation crystallized what many suspected: digital sovereignty requires accepting operational responsibilities that hyperscalers currently handle. The question isn't whether you should pursue sovereignty, but whether you have the capabilities to take steps.

      For NIS2-covered entities, the choice is mandatory. For others, it's strategic. Both require assessment of your organization's risk tolerance and technical capacity.

      Digital sovereignty isn't about ideology: it's about reducing foreign risks without creating bigger ones. A structured growth model makes this possible through concrete steps rather than wholesale transformation. Our cloud dependency reduction insights explore five strategic lenses for this progression.




        Maarten Vervoorn, CTO