“Sovereignty Washing”: Why Cloud Sovereignty Claims Don’t Always Match Reality


Key Takeaways

“Sovereignty washing” describes cloud services marketed as sovereign even when legal jurisdiction or operational control still sits outside Europe.

Cloud sovereignty depends on more than data location — jurisdiction, ownership, and technology dependencies all influence whether data and applications remain under European control.

Organizations evaluating sovereign cloud claims must examine the entire supply chain, including hyperscaler infrastructure and foreign technology dependencies.

Since last year, data sovereignty has become a central concern in Europe.

Geopolitical tensions have made organizations increasingly uneasy about the fact that at least 65% of the European market is held by US-based cloud hyperscalers, according to the Center for European Policy Analysis (CEPA).

This dependency fuels demand for more control — but also creates space for misleading claims.

More cloud providers promote terms like sovereign cloud, even when the reality doesn’t match. This phenomenon, known as sovereignty washing, gives organizations a false sense of security.

What Cloud Sovereignty Really Means

Cloud sovereignty is about maintaining control over data stored and application workloads executed in the cloud.

Many companies keep their data (and applications) in European data centers owned by US cloud providers, but overlook a crucial fact: the data remains subject to US law, including the CLOUD Act.

This means US authorities can request access, even if the data sits in Belgium or Germany.

As a result, organizations increasingly seek solutions where both data and services fall under European jurisdiction.

Where Sovereignty Washing Appears in the Cloud Market

As demand for guarantees grows, some providers exploit the trend with their own form of greenwashing: sovereignty washing. They market their cloud as “sovereign,” “EU only,” or “sovereign by design,” even when true independence is far more limited.

The idea of “sovereign by design” is valid in principle — autonomy and control built in from the start — but in practice it’s often diluted by marketing promises that don’t align with technical or legal reality.

The Strategic Risks Behind Misleading Sovereign Cloud Claims

The biggest threat isn’t technical but strategic: companies believe they’re shielded from non‑European laws when they’re not.

A US provider offering a “European sovereign cloud” is still bound by the CLOUD Act. Misconceptions like this can jeopardize operational continuity during geopolitical or legal pressure.

In Europe, the protection of sensitive and private data, or data sovereignty, has been a focus since the General Data Protection Regulation (GDPR) came into effect. But with recent geopolitical developments, the operational control of cloud environments has become an area of concern.

In other words: can a foreign government access not only my data, but my applications too?

Organizations seeking a truly sovereign cloud quickly hit the limits of the European market. European providers represent only a tiny fraction of the cloud landscape.

According to Synergy Research, Amazon, Microsoft, and Google control about 70% of the European cloud market, while no European provider exceeds 2%.

Why Europe Still Depends on Non-European Cloud Providers

The EU introduced the EU Cloud Sovereignty Framework, which assigns a sovereignty score for public procurement. But CISPE, which represents more than 30 European cloud providers, argues that the score creates confusion.

The reality is that sovereignty is not a binary choice, since there are many factors that determine the sovereign nature of the solution.

Moreover, true sovereignty is hard to achieve. Technological sovereignty, for instance, is very hard to reach because most of the technology in use is not European, with the exception of SAP and a few others.

Not All Data Needs to Stay in Europe

For many types of information — like marketing or generic operational data — international storage is perfectly fine. But for sensitive or strategic data — such as personal data, medical records, and critical business information — full control is essential.

Organizations must therefore define precisely where each category of data should reside.

How Organizations Can Detect Sovereignty Washing

Organizations can detect sovereignty washing by asking a few simple questions:

  1. Where is the provider headquartered? If it’s outside Europe, it is subject to its home country’s laws — regardless of where the data center is located.
  2. Who are the provider’s technology partners? Many European‑branded services actually run on AWS, Azure, or Google. Others rely on technologies from China or India. Any non‑European link introduces legal exposure.

All in all, sovereignty isn’t about a single provider but the entire chain behind the service. Without understanding that chain, organizations fall for labels. Only by knowing who is involved can companies make informed decisions about where and how to store their data.

What This Means for ERP Insiders

Sovereignty must be verified. Labels such as “sovereign cloud” create confidence that may not withstand legal scrutiny. Organizations need to examine jurisdiction, ownership, and operational control before assuming that a cloud environment is truly protected from foreign legal reach.

Sovereignty depends on the entire cloud supply chain. Cloud services rarely exist in isolation from other technologies or partners. Even when a provider appears European, dependencies on hyperscalers or foreign technologies can introduce legal exposure that undermines the sovereignty claim.

Data segmentation is imperative. Some workloads, such as marketing or generic operational data, can safely reside in international cloud environments. Sensitive categories — including personal data, medical records, and critical business information — require far stricter jurisdictional control.

Stefan Smeets is the Business Line Manager for Cloud & Application at Inetum.

A version of this article was published in French by L’Echo on January 30, 2026.