Sovereign Cloud has been a permanent agenda item in European IT departments since the US Cloud Act and the Schrems rulings. Marketing brochures promise data control, full European oversight and independence from US hyperscalers. The reality is usually softer than the slide deck suggests. This article explains what Sovereign Cloud actually means in 2026, which providers hold up under scrutiny and when it makes sense for a European mid-market company to migrate away from a hyperscaler.
What Sovereign Cloud means, and what it does not
There is no single definition. In the broadest sense, Sovereign Cloud refers to cloud infrastructure where an organisation retains legal, technical and operational control over its data, without a non-European state being able to assert access rights. The EU Cloud Strategy and the Gaia-X initiative shaped the term without making it binding.
In practice at least three readings circulate. First, cloud services run from European data centres whose parent companies sit in the US. Microsoft Azure, AWS and Google Cloud fall into this group with their EU regions. Second, cloud services operated by European providers that are independent of US corporations. OVHcloud, IONOS Cloud, Open Telekom Cloud, Hetzner and STACKIT belong here. Third, legally walled-off joint ventures such as Microsoft Cloud for Sovereignty or Google Cloud Sovereign Solutions, which use hyperscaler technology but run through European operating entities.
Anyone evaluating Sovereign Cloud has to separate these layers cleanly. An AWS EU region is not a Sovereign Cloud in the narrow sense; it is a hyperscaler region localised in the EU. The US Cloud Act still applies because the parent company is US-based.
Why the topic matters right now
Several developments are pushing the agenda. The European Court of Justice invalidated Privacy Shield with the Schrems II ruling, the Standard Contractual Clauses are under constant scrutiny, and legal experts already discuss the 2023 EU-US Data Privacy Framework as the next Schrems III candidate. Anyone betting today on a US hyperscaler region is building legally on shifting ground.
Sectoral regulation adds pressure. The NIS-2 directive requires essential and important entities to demonstrate control over supply chains and cloud dependencies, even though it does not explicitly mandate Sovereign Cloud. We covered this in detail in our piece NIS-2 Compliance for Mid-Size Companies. DORA tightens the screws further for financial services. Anyone selling into the European public sector now has to take BSI C5 and the new EUCS scheme seriously.
The third driver is industrial policy. The German government and the European Commission actively support the buildout of European cloud alternatives. STACKIT (owned by the Schwarz Group), IONOS Cloud, Open Telekom Cloud and the Gaia-X ecosystem are getting visible tailwind. In public tenders, providers are now routinely asked whether they can offer Sovereign Cloud options.
Three sovereignty tiers, pragmatically explained
Instead of asking a binary sovereignty question, it is more useful to think in tiers.
Tier 1 is data residency. Data is stored and processed in an EU data centre and not exported. All major hyperscalers meet this bar in their EU regions. It solves practical data-protection questions but does not protect against extraterritorial access under the US Cloud Act.
Tier 2 is operational sovereignty. The platform is administered by European staff, and US headquarters personnel have no technical access. Microsoft Cloud for Sovereignty with the EU Data Boundary plus Confidential Computing variant aims in this direction, as do Google Sovereign Solutions in partnership with T-Systems or Thales. This tier substantially reduces Cloud Act risk without fully eliminating it.
Tier 3 is legal and corporate sovereignty. The provider is domiciled in the EU, has no US ownership and is subject solely to European law. OVHcloud, IONOS, Open Telekom Cloud, STACKIT and Hetzner Cloud satisfy this criterion. The technical depth at these providers, however, does not match the major hyperscalers. Anyone relying on SageMaker, Vertex AI or Azure OpenAI will not find a complete replacement at this tier.
Which tier a mid-market company actually needs depends on the data class involved. Classic office and CRM workloads are often well covered by tier 1. As soon as patient records, HR files, security-sensitive research data or critical-infrastructure data come into play, the pressure shifts toward tier 2 or tier 3. A clean data classification is the precondition for any Sovereign Cloud strategy.
The 2026 provider landscape: a reality check
The German and European provider landscape has clearly professionalised over the last three years. A sober look at strengths and gaps is still warranted.
STACKIT (Schwarz Group) now offers compute, storage, Kubernetes-as-a-Service, Postgres and object storage in two German regions. The corporate backing brings stability and the roadmap has visibly accelerated. References include Lidl and Kaufland.
Open Telekom Cloud is built on OpenStack, holds a BSI C5 attestation and is well established in public administration. The user interfaces are functional but not at the polish of an Azure portal. Anyone coming from the hyperscaler world should plan for a learning curve.
IONOS Cloud targets SMEs more directly. Pricing is attractive and the feature set covers classic LAMP and container workloads. AI and data platforms still need to be assembled in-house.
Hetzner Cloud is hard to beat on price, legally clean in Germany, and very popular for self-managed workloads. What is missing is depth in managed services, for example managed databases with multi-AZ, as well as some of the security and compliance certifications that larger providers carry.
OVHcloud out of France is the only European provider with meaningful scale, but suffered a severe data centre fire in 2021. The lessons learned are visible in current disaster-recovery designs, but should be factored into any architecture decision.
For the sovereign variants of the hyperscalers, the question remains how far “EU-operated” actually carries. Microsoft Cloud for Sovereignty in partnership with Capgemini and Orange is a serious effort, but the parent company is still US-based. Anyone aiming for tier 3 has not arrived here.
A complementary option is self-operation on sovereign infrastructure, for example an OpenStack platform at a German provider or classic colocation. Which workloads suit this approach and when self-operation becomes economically attractive is something we worked through in Self-Hosted vs. SaaS.
When the switch pays off, and when it does not
Sovereign Cloud is not free. Migrating from an AWS region to STACKIT or IONOS costs anywhere between 30 and 200 person-days per workload, the running licences are rarely cheaper, and the feature set is usually narrower. A migration for its own sake does not pay off.
Three constellations justify the effort. First, regulatory pressure. Anyone working in the public sector, healthcare or critical infrastructure increasingly faces clear obligations. Migration becomes a requirement, not a choice. Second, data classes with protection needs at “high” or “very high”. Patient data, HR files with health context, security-sensitive research data or tax data with third-country reach justify the sovereign path. Third, strategic anti-lock-in. Anyone aiming for long-term technological independence builds leverage with a Sovereign Cloud architecture that goes beyond immediate economics. A sovereign workplace such as the one described in OpenDesk: A Sovereign Workplace on Open Source supports the same strategy.
If none of these constellations apply, take an honest look at whether tier 1 (a hyperscaler EU region) plus a clean Data Processing Agreement, encryption and customer-side key management already covers the case. That variant is typically two to three orders of magnitude cheaper than a full provider switch and resolves most practical data-protection questions.
Conclusion
In 2026 Sovereign Cloud is no longer a marketing topic. It is a serious decision with regulatory, technical and economic weight. Anyone working in the public sector, healthcare or critical infrastructure can hardly avoid a tier 2 or tier 3 architecture. For classic mid-market companies, a differentiated assessment remains the right move: classify data cleanly, prioritise workloads, then deliberately move the high-protection workloads to European providers. A full hyperscaler exit is rarely the rational path.
EverBright IT supports European mid-market companies in evaluating Sovereign Cloud options, from data classification through provider selection to concrete migration. Learn more about our cloud advisory or get in touch directly.
Frequently Asked Questions
How is Sovereign Cloud different from a hyperscaler EU region?
A hyperscaler EU region satisfies data residency, meaning the storage and processing happen in Europe. A Sovereign Cloud goes further and ensures the provider itself is not legally subject to the US Cloud Act. An AWS EU region is therefore not a Sovereign Cloud in the narrow sense, because the parent company is US-based and US authorities can demand access.
Does every company need to move to Sovereign Cloud now?
No. A full migration only pays off in a few constellations, such as regulatory pressure in the public sector or healthcare, data categories with high protection needs, or strategic anti-lock-in goals. For typical office and CRM workloads, a hyperscaler EU region with a clean Data Processing Agreement and customer-side key management usually covers the requirements.
Which European providers are realistic for SMEs?
STACKIT, IONOS Cloud, Open Telekom Cloud and Hetzner Cloud are the most-cited options. STACKIT and Open Telekom Cloud lean toward enterprise workloads, while IONOS and Hetzner suit smaller and mid-sized setups. Companies running AI workloads need to be clear that the feature depth does not match Azure OpenAI or Vertex AI. Self-hosting models on sovereign infrastructure is feasible but requires more effort.
How heavy is a migration out of AWS or Azure?
A realistic range is 30 to 200 person-days per workload, depending on the managed services in use. Self-managed containers and virtual machines are highly portable; proprietary services such as DynamoDB, SageMaker or Azure Cognitive Services require an architecture rebuild. An honest per-workload assessment before migration prevents nasty surprises.
Are there certifications that prove Sovereign Cloud status?
Several frameworks exist. BSI C5 is established in the German market and assesses cloud security and compliance. EUCS is the upcoming EU-wide scheme with three assurance levels, including a sovereign tier. Gaia-X provides labels and criteria for data ecosystems. A BSI C5 attestation at the “substantial” trust level, combined with an honest tier 3 evaluation of the provider, is a pragmatic minimum bar for sensitive workloads.
