Let's talk about EU Sovereignty (2025)

Original link: https://musings.martyn.berlin/lets-talk-about-eu-sovereignty

The industry term “sovereign cloud” is problematic; it refers to keeping EU citizens' data within the EU. However, when using the large US cloud providers (AWS, Google, Azure), real sovereignty is almost impossible to achieve. Even when using data centres located in the EU, these providers still depend on global services, authentication systems and DNS infrastructure located in the United States. Moreover, the so-called “sovereign” cloud offerings from these companies often fail to resolve the fundamental conflict between US law and the EU's General Data Protection Regulation (GDPR): US law allows the government to issue gagging orders and compel the seizure of data, while GDPR requires that users be notified. Legal frameworks such as the Data Privacy Framework remain untested against these conflicts, and corporate structures (subsidiaries) offer little protection against compulsion by the US government. For organisations that need real data sovereignty, the author argues that the only viable solution is to stop using US cloud providers entirely. Although EU-based alternatives such as Scaleway or Hetzner may require more architectural work and infrastructure management, they offer a path to real independence. Relying on the managed services of the US giants to address these complex legal and jurisdictional problems is, at best, a temporary and unstable compromise.

The recent Hacker News discussion of “EU sovereignty” showed deep scepticism about the possibility of building a genuinely competitive European “cloud”. Critics argued that existing providers like Hetzner and Scaleway lack the breadth of AWS, and that building a viable equivalent would require heavy investment and innovation. While some argued that “the cloud” is little more than marketing packaging around VPS services, others pointed out that US providers dominate because they offer complex, integrated ecosystems that European alternatives struggle to replicate.

The debate highlighted two conflicting positions:

1. **The sovereignty argument:** supporters stressed the geopolitical risk of depending on US providers subject to US extraterritorial jurisdiction, and argued that independence would require government subsidies or strategic national investment.
2. **The competitiveness argument:** sceptics considered these efforts “behind the times”, pointing out that European tech champions (such as Mistral or Dailymotion) have historically struggled to reach the scale of success of US companies.

Ultimately, participants disagreed over whether sovereignty means legal jurisdiction (protecting data from US influence) or technical capability. Many remained doubtful that Europe can close the gap, and noted that concerns about government surveillance exist within the EU as well, which further complicates the push for “sovereign” infrastructure.

Original text

First and foremost, I really dislike the term because it’s laden with all sorts of militaristic and anti-free movement and all sorts of other problematic baggage, but it’s the term the industry is using, so we go with it I guess until the current push is over and we can quietly suggest a different term like happened with git branch names and replication terms. It's also annoying to spell correctly.

So what is it and why does it matter? Well, at the highest level, it means that data is kept within the EU for EU citizens. It’s more than that of course but that’s the premise that is underlying the situation.

We’re already done! eu-west-1.

So in that case, AWS’ eu-west-1 zone, based in Ireland fits the bill, right, and we can just deploy there and be sovereign? Well, turns out, no, that’s the “more than that” part. First of all, AWS (as with all the other cloud providers) has zone-based, region-based and importantly global services. Oh dear, so if you use any of the global services, now your data is replicated out of eu-west-1 and into us-tirefire-1 (officially known as us-east-1) and the other AWS regions.

So, just don’t use global services and we’re good, right? Well, theoretically, but see the legals section below. Also, if you’re doing much with AWS, you’re gonna use them; S3 for instance is a global service, which is a dealbreaker for most people. Bigger than that, all of the auth in AWS goes through us-east-1: yup, your logins, your “can this service talk to that service” rules. Also DNS, which no less than 13 AWS services depend upon to spin up, is not in your region, it’s in, you guessed it, us-east-1.
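As an added illustration of the regional-versus-global distinction (this is not code from the original post): the script below classifies a constructed AWS resource inventory by the region encoded in each ARN, treats a missing region as a residency gap that has to be reviewed by hand, and emits the kind of region-restriction service control policy that uses the real `aws:RequestedRegion` condition key while exempting the global services your logins and DNS depend on. The EU region set, the global-service exemption list and the sample inventory are assumptions made for this example.

```python
"""Data-residency triage of an AWS resource inventory (added example).

This is an illustration added to the post, not the author's code. It relies
on two public facts: ARNs use the layout
arn:partition:service:region:account-id:resource, and ARNs for global or
globally-namespaced services (IAM, STS, Route 53, CloudFront, S3) carry an
empty region field. The EU region list and the sample inventory below are
constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# AWS regions located in EU member states (assumption for this example).
# eu-west-2 (London) and eu-central-2 (Zurich) are deliberately left out:
# they are "eu-" regions that sit outside the EU's jurisdiction.
EU_MEMBER_STATE_REGIONS = frozenset({
    "eu-west-1",     # Ireland
    "eu-west-3",     # Paris
    "eu-central-1",  # Frankfurt
    "eu-north-1",    # Stockholm
    "eu-south-1",    # Milan
    "eu-south-2",    # Spain
})

# Services whose ARNs carry no region and which a region-restriction policy
# must exempt, otherwise logins and DNS stop working (the post's point about
# auth and DNS living outside your region). Assumed list for this example.
GLOBAL_SERVICES = ("iam", "sts", "route53", "cloudfront", "organizations", "support")


@dataclass(frozen=True)
class Finding:
    arn: str
    service: str
    region: str   # empty string when the ARN encodes no region
    verdict: str  # "eu-regional", "non-eu-regional" or "global"


def parse_arn(arn: str) -> tuple[str, str]:
    """Return (service, region) from an ARN; raise on malformed input."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[2], parts[3]


def classify(arn: str) -> Finding:
    """Decide whether a resource's ARN places it inside the EU, outside, or nowhere."""
    service, region = parse_arn(arn)
    if region == "":
        # No region in the ARN: residency cannot be read off the identifier.
        # S3 is the awkward case: a bucket does live in one region, but its
        # ARN does not say which, so it needs a separate location check.
        verdict = "global"
    elif region in EU_MEMBER_STATE_REGIONS:
        verdict = "eu-regional"
    else:
        verdict = "non-eu-regional"
    return Finding(arn, service, region, verdict)


def residency_report(arns: list[str]) -> dict[str, list[str]]:
    """Group an inventory by verdict so the non-EU and global entries can be reviewed."""
    report: dict[str, list[str]] = {"eu-regional": [], "non-eu-regional": [], "global": []}
    for arn in arns:
        report[classify(arn).verdict].append(arn)
    return report


def region_restriction_scp(allowed_regions: frozenset[str] = EU_MEMBER_STATE_REGIONS,
                           exempt_services=GLOBAL_SERVICES) -> dict:
    """Build a service control policy document that denies API calls outside the
    allowed regions (via the aws:RequestedRegion condition key) while exempting the
    global services that have no region to request."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideEU",
            "Effect": "Deny",
            "NotAction": [f"{svc}:*" for svc in exempt_services],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": sorted(allowed_regions)}
            },
        }],
    }


# Constructed sample inventory; the account id and resource names are placeholders.
SAMPLE_INVENTORY = [
    "arn:aws:ec2:eu-west-1:123456789012:instance/i-0example",
    "arn:aws:rds:eu-central-1:123456789012:db:customer-db",
    "arn:aws:rds:eu-west-2:123456789012:db:reporting-replica",   # London: not EU
    "arn:aws:lambda:us-east-1:123456789012:function:log-shipper",
    "arn:aws:iam::123456789012:role/deploy",
    "arn:aws:s3:::customer-uploads",
]

if __name__ == "__main__":
    import json
    for verdict, arns in residency_report(SAMPLE_INVENTORY).items():
        print(f"{verdict}: {len(arns)}")
        for arn in arns:
            print("   ", arn)
    print(json.dumps(region_restriction_scp(), indent=2))
```

The "global" bucket of the report is the one to spend time on: it is where the ARN alone tells you nothing about where the data actually sits, which is exactly the blind spot the post describes.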

Argh, okay, I guess we use this new AWS European Sovereign Cloud region?

Well… as of 2025-10-21 that’s still in “Coming Soon” status. It’s being delivered by really putting some people through the wringer in Berlin, with hugely optimistic deadlines, and as those who have waited for AWS regions to come online will know, chances are it will launch with a limited subset of services. Also, this is still legally gray, as I’ll go into below.

What about this T-Systems Google sovereign cloud, same problems there? Google are a bit further on with this region but are still struggling to get it up to full parity with their europe-west3 (Frankfurt, most commonly used in the EU) or europe-west1 (Belgium, cheaper) regions. It also tries and fails to sidestep the legal issues here.

Microsoft Azure? Even further behind as I understand it (but I don’t have contact with them, as I avoid working with Azure in general).

Here’s the meat of it. Simply put, an American company must comply with US law, seems reasonable, until it’s incompatible with EU law, and that’s the big issue here. Here’s the biggest example to me:

  • Under US law, if a judge decrees it (or in some cases, government or intelligence agencies), any activity related to a potential crime can be accompanied by a “gagging order” – compelling, legally, people involved not to speak of it. The theory behind this is if someone has evidence that could lead to an arrest, they don’t want to tip off the perpetrator to the investigation so they can flee. This activity, crucially, could be seizure of (copies of) data.

  • Under EU law if a citizen’s data is accessed by a third party, the provider must notify them. No exceptions.

This is the big stumbling block, and there have been multiple attempts to solve it: the Safe Harbour principles (which the CJEU found invalid in the Schrems I case), the EU-US Privacy Shield (which the CJEU found invalid in the Schrems II case) and the current Data Privacy Framework (which makes no mention of gagging orders that I could find, for instance; so whilst it may work as it says, namely that US companies must comply with EU law, no case has yet tested this where US and EU law are in conflict).

How does the AWS/Google/MS sovereign cloud stuff deal with this? It doesn’t. The closest is Google’s attempt, which puts the management of the cloud resources under T-Systems (a German company, not a subsidiary, which is a great start), but it is still using Google’s software stack, and given that it’s a cloud provider, it would need security updates. What is to stop a judge who doesn’t know what cloud even means saying “Yes, we need to compel Google to put a backdoor in their next security update and enforce a gagging order to prevent it being heard of” when requested to do so by some government agency? AWS are just “Oh, you pay AWS Europe, that’s a separate (subsidiary) company that has to comply with EU law”. Yeah, that’s not a good enough guarantee for me, as AWS Europe is entirely dependent on AWS for their software, job security, and well, their existence. Same for the Microsoft one. I’m willing to bet that all the other US cloud companies (Oracle, DigitalOcean, Salesforce cloud?!) are somewhere on the spectrum between Google’s approach and AWS’ approach, or are just not doing “sovereign” at all.

So how can companies use “the cloud” and not American companies? Simple, don’t use American cloud providers.

Yes, the EU “cloud providers” are lagging behind, but they’re catching up. Scaleway, Hetzner, and others are there, and you should check them out if you’re starting a business in the EU. You can even look at VPS providers and see what you can make with their offerings. Running VMs in multiple EU providers is going to be a challenge depending on the size of your company, but it could make you pretty bulletproof.

If you’re considering a migration, then you’re really going to need to sit down and chew on your architecture; there’s no easy way around it. But please, for people’s sanity, don’t ask for a detailed plan and then say “Oh, we decided it’s not worth it and we’ll pay fines if we get them”.

Lastly, if you’re looking at a cloud provider’s Kubernetes offerings and don’t feel they’re great (frankly, all “managed” Kubernetes offerings are semi-managed at best in my opinion), consider using Sidero Labs’ Omni to manage your own fleet of k8s nodes; it’s really very good.

Comments on this blog post? On Mastodon here.
