CISPE, the trade body representing European cloud providers, wrote to the European Commission this month with a blunt warning: the term “EU sovereign cloud” is being used to sell services that do not meet any agreed sovereignty standard. The letter, signed by 24 CEOs, introduced a word the industry needed. Sovereignty-washing. It captures a real problem. Organisations across the EU are being asked to trust a label that no regulation currently defines, no certification currently verifies and no contract currently enforces.
Why EU Sovereign Cloud Has No Agreed Definition
The phrase “sovereign cloud” appears in procurement documents, vendor marketing and policy papers across Europe. Yet as of March 2026, no EU legislation defines what EU sovereign cloud actually means. The European Commission published an 8-point sovereignty scoring framework in October 2025, but that framework applies exclusively to procurement by EU institutions. It does not bind private-sector contracts. The EU Cybersecurity Certification Scheme for Cloud Services (EUCS) is still being finalised; its higher assurance tiers are expected to encode EU ownership requirements, but the scheme remains stuck in political negotiation. The proposed Cloud and AI Development Act (CADA), which could eventually legislate a definition, is not yet law.
For a business signing a cloud contract today, the EU sovereign cloud label carries no regulatory weight.
The Jurisdiction Problem: Servers in the EU, Control Outside It
The most common misconception is that data stored on EU-based servers is governed by EU law. It is not, or at least not exclusively. If the cloud provider’s parent company is domiciled in the United States, it falls under the US CLOUD Act. That law compels American companies to hand over data on request, regardless of where the data is physically stored.
Microsoft’s Senate Testimony
This is not a theoretical concern. In June 2025, Anton Carniaux, Microsoft France’s director of public and legal affairs, testified before the French Senate. Asked under oath whether he could guarantee that French citizens’ data would never be transmitted to US authorities without French government consent, Carniaux answered no. He could not give that guarantee. Microsoft, like every US-domiciled company, is bound by the CLOUD Act. EU data residency does not override US jurisdictional reach.
AWS and the Limits of Sovereign Cloud Branding
Amazon’s response to the sovereignty debate is its European Sovereign Cloud, a physically separate infrastructure located within the EU and operated by EU-resident staff. AWS positions this as a compliance-ready EU sovereign cloud offering for regulated customers. The structural limitation remains: AWS is a US-domiciled company. A valid US government order could still compel disclosure, regardless of where the servers sit or who operates them. The sovereignty claim rests on operational separation, not legal independence.
What Current EU Sovereign Cloud Standards Cover
Practitioners looking for clarity face a patchwork of incomplete frameworks. The Commission’s 8-point scoring system covers EU institutional procurement only. EUCS certification, once finalised, should provide a broader standard, but its timeline and final requirements remain uncertain. The EU Data Act, in force since September 2025, requires cloud providers to reduce technical barriers to switching. That is a useful provision, but it is a separate concern from sovereignty. The EURO-3C project, a €75 million EU-backed federated infrastructure initiative launched in March 2026, signals long-term ambition; it does not solve the immediate definition gap. US hyperscalers still hold roughly 70 percent of the EU cloud market, according to Synergy Research Group. The label is everywhere; the legal backing is nowhere.
Three Questions Before Trusting an EU Sovereign Cloud Claim
Before treating any EU sovereign cloud claim as credible, practitioners should require written answers to three questions.
- Who is the ultimate legal owner of the entity providing this service, and under which country’s laws is that entity incorporated?
- Under which jurisdiction does the provider fall if served with a foreign government data access order?
- Which EU certification or label does this service carry, and what does that label actually verify?
If the vendor cannot answer all three in writing, the sovereignty claim is marketing, not a contractual commitment.
When the Label Matters and When It Does Not
For non-sensitive workloads (a company website, internal collaboration tools, general analytics), a hyperscaler with EU data centres is perfectly adequate. The EU sovereign cloud question becomes urgent for regulated data, critical infrastructure and anything touching AI training datasets under the EU AI Act. In those cases, the three questions above are not optional; they are the minimum due diligence before procurement.
The EU sovereign cloud market will eventually get a proper legal framework. Until it does, the label is a promise without a definition. Ask the questions. Get the answers in writing. If your cloud vendor cannot explain what sovereignty means in their contract, it means nothing at all.
If your organisation processes regulated data or operates in a sector covered by NIS2 or the EU AI Act, start mapping your current cloud dependencies against these three questions now.