This blog is mostly technical, but over the last few years I’ve focussed on the sovereignty aspect of public cloud (well before it became the topic everyone is talking about now).
Most current discussions tend to reduce sovereignty to jurisdiction alone, often concluding with: “We can only be sovereign by hosting in Europe.”
In the next few posts on this blog, I want to provide the broader vision. Why sovereignty is indeed a problem, how it affects most customers, why hosting in Europe usually does not just solve the problem and what hyperscalers actually provide or what you trade-in when going “local”.
This will be the start, each of these topics below will be discussed in the next posts… happy to have discussions on this.. find me on LinkedIn to comment and open an honest and clear dialog.
So, lets start with the drivers of sovereignty. Why is it a hot topic, boiling up ever since cloud became common around 15-20 years ago.
Sovereign Drivers
Digital sovereignty has gone through a quiet but fundamental shift.
For years, it was treated primarily as a compliance problem. Organizations relied on regulatory frameworks, contractual commitments, and assurances from providers to manage data protection and maintain a sense of control. As long as data stayed within the right boundaries and the right agreements were in place, the problem seemed largely solved. Which is why there are “data residency” commitments, “data encryption” and even complete “European Only Cloud” options from the hyperscalers. All technical features to comply with requirements, not jurisdiction.
However, that model is starting to break down.
A combination of geopolitical escalations, the demonstrated extraterritorial reach of foreign legislation, and a series of very real incidents has exposed a more uncomfortable reality: control over digital systems is not defined purely by architecture or technical safeguards. It is, to a large extent, shaped by legal jurisdiction and political influence into IT systems. This dependency to foreign influence feels uneasy and directly attacks the feeling of self-control. However, these systems provide a service, that is bound to service terms, they are the equivalent of first class aeroplane travel. Going back to coach on a low-cost carrier is an option, but building and flying your own plane means taking on a lot of responsibilities.
Dependencies on cloud
Platforms like M365, AWS, Google Workspace, GitHub and more, have become deeply embedded in how organizations operate and provide services to their end users. We should not forget why these services were created and are now deeply embedded. It is because they provided value for the company in cost, ease of deployment, reduced operational overhead, redundancies, global reach and more. But as these platforms are becoming more integrated into daily operations, the harder it becomes to decouple from them. And with that dependency comes increased exposure: if control is constrained, disrupted, or challenged, the impact is no longer limited to a single workload. It affects the organization as a whole.
This is the paradox at the center of the sovereignty discussion:
as dependency increases, so does the potential impact of losing control.
It is no longer sufficient to ask whether data is compliant or stored locally. Those concerns are still relevant, but they no longer capture the full risk.
Instead, the focus is shifting towards more fundamental questions:
- Can we maintain operational continuity under adverse geopolitical conditions?
- Will we retain control of our data if legal or political pressures are applied?
- Do we keep decision-making autonomy if external constraints start to influence the platform?
These are no longer theoretical scenarios. They are part of how organizations are starting to assess their exposure.
Sovereignty is not binary but a risk
It is no longer about meeting a predefined set of regulatory requirements in binary format. It becomes an exercise in managing systemic risk, why? Because just “moving to European, self-hosted, open-source” has consequences.
A common assumption in current discussions is that moving to European, self-hosted, or open-source environments automatically restores control. That assumption is only partially correct. It’s true that such a move can reduce exposure to foreign jurisdictions, improve alignment with local regulatory frameworks, and increase direct control over infrastructure. But those gains exist in only one dimension of the problem.
What actually happens is more complex. Risk is not removed; it is redistributed. When organizations move away from hyperscale platforms, they take on responsibility that was previously abstracted away. Security, patching, monitoring, and incident response are no longer embedded capabilities of the platform, they become operational responsibilities that must be actively managed. Complexity increases, integration becomes harder, and the burden of execution shifts inward.
This is where many sovereignty strategies start to break down. Technologies like open-source software and self-hosted environments are often positioned as transparent, controllable, and independent. While that is true in terms of licensing and access, it does not automatically translate into operational simplicity or security. Instead, these models introduce a dependency on internal execution quality. Security is no longer something that is continuously enforced at platform level; it becomes something that depends on people, processes, and consistency over time.
That shift introduces variability, and variability is risk. In highly integrated, hyperscale environments, security is deeply embedded, automated, and continuously updated. In self-managed environments, security outcomes depend on how consistently and effectively teams can operate and maintain systems. The result is not necessarily weaker security, but less predictable security.
At the same time, complexity scales faster than control. As organizations combine open-source components, hybrid architectures, and multiple providers, the environment becomes increasingly fragmented. Identity models diverge, security controls vary across systems, and trust boundaries become harder to define and manage. What initially appears as increased control over individual components often results in reduced control over the system as a whole.
There is another dimension that is often overlooked: access to scale-driven capabilities. Modern advances in cybersecurity, threat detection, and particularly AI are tightly coupled with scale. They rely on large volumes of data, centralized processing, and continuous global feedback loops. When organizations move toward smaller, more isolated environments, these advantages are reduced. Detection becomes less effective, response mechanisms may slow down, and the pace of innovation can be harder to sustain.
And these are just the beginnings of that equation as we will see in later posts.
Summary
There is a real sovereignty risk. That part is not up for debate.
The question is not whether the risk exists, but how large it actually is in practice, and whether it has been properly understood, or simply amplified. In many discussions, the focus is almost entirely on jurisdictional exposure, often without placing it in context of likelihood, actual enforcement patterns, or existing mitigations.
At the same time, the proposed response is often to move away from integrated platforms toward more localized, self-managed, or alternative environments. That decision is not neutral. It introduces its own set of trade-offs; in innovation velocity, operational capability, security consistency, and ecosystem integration.
So the real decision is not about eliminating risk, but about choosing which risk versus other risks and benefits to prioritize.
Are we comfortable accepting a relatively low-frequency, high-impact jurisdictional risk? Or are we willing to trade that for more immediate and continuously present risks tied to operational execution, reduced access to advanced capabilities, and reliance on environments that may have less scale, fewer integrations, and more fragmented security models?
Sovereignty, in that sense, is not a destination. It is a choice about where risk sits, and who is best equipped to manage it.
So for the next post.. lets take a look at those risks..
Chapter 1. Sovereign Risks
Chapter 2. Hyperscale advantages
Chapter 3. Sovereign Europe