For years, data sovereignty had been treated as a theoretical concern – debated in policy circles yet usually deferred behind commercial priorities. That phase now appears to be shifting, with Europe’s data sovereignty being tested not in white papers or by think tanks, but in courtrooms, procurement decisions and cross-border legal requests.
The US CLOUD Act gives American authorities the right to request access to data held by US cloud providers, regardless of where that data is physically stored. Data residency alone is no longer a sufficient safeguard. Control sits higher up the stack, at the level of ownership, jurisdiction and legal exposure.
The threat is not limited to the US. Access to data has quickly become a matter of national policy worldwide, with clear geopolitical implications. Governments increasingly view data not just as a commercial asset, but as a strategic one. It’s tied to security, industrial policy and economic leverage.
In a globally-connected cloud market, corporate structure and legal exposure matter just as much as physical location. European data can only be considered fully sovereign when it is both stored on European soil and operated by businesses that are legally and operationally European.
A recent case involving OVHcloud underlined the reality. The French cloud provider was ordered to provide access to customer data stored on European soil following a request from Canadian authorities. The request initially appeared to stall, but OVHcloud’s business presence in Canada potentially brought it within the reach of foreign jurisdiction. That’s despite the data in question being hosted in Europe.
This case is a stark example of the situation today. But it isn’t just corporations that are storing data with (most commonly) US hyperscalers; states are, too. The Finnish government, for example, recently migrated social insurance and election data to Amazon Web Services (AWS). That doesn’t just mean the data could be accessed through overseas law requests. In more practical terms, a service outage would have a devastating impact.
In a globally-connected cloud market, corporate structure and legal exposure matter just as much as physical location. European data can only be considered fully sovereign when it is both stored on European soil and operated by businesses that are legally and operationally European.
So how did Europe arrive at this point?
The continent’s cloud ecosystem grew in fragments. National strategies emerged in parallel, local providers developed in isolation with regulatory responses often lagging the market reality. While Europe debated frameworks, hyperscale providers like AWS, Microsoft and Google moved quickly to fill demand, offering scale, reliability and increasingly sophisticated platforms that local alternatives struggled to match.
Today, the trio of US hyperscalers account for the majority of cloud infrastructure used across the continent. Their dominance is not the result of a single policy failure, but rather their structural advantages. They bring economies of scale, deep integration across software and services and strong developer gravity. Once organisations commit to Microsoft, Google or Amazon, switching becomes costly, both technically and operationally.
This creates a paradox for policymakers. Europe has a rich landscape of cloud providers, MSPs, telcos and infrastructure specialists, but collectively they lack the scale to compete with global hyperscalers on cost and capability. Individually, many are strong. Together, they remain fragmented.
The next phase of Europe’s cloud future will not be defined by isolation or the pursuit of a single home-made continental champion. That approach misunderstands both the market and Europe’s own strengths. The alternative emerging across the industry is collaboration.
Rather than attempting to out-hyperscale hyperscalers, European providers must explore federated models, shared standards, interoperability and joint go-to-market strategies.
The logic is familiar. Europe already relies on coordinated systems in areas such as energy grids, aviation and telecommunications roaming. No single actor dominates, but the systems work because they are aligned.
Applied to cloud infrastructure, collaboration offers a path to sovereignty that is structural rather than symbolic. It allows providers to retain independence while achieving scale. It enables customers to access competitive services without surrendering jurisdictional control. More importantly, it shifts the debate from rhetoric to action.
Technology has evolved to the point that we can develop these systems for collaboration and coalition. We don’t need to emulate or copy hyperscalers. A unified cloud protocol could allow us to leapfrog and work together.
Europe does not lack talent, technology or ambition. What it has lacked so far is coordination. As data becomes an increasingly strategic asset, that gap is no longer sustainable.
The risk now is that Europe succeeds in regulating data sovereignty on paper, while losing it in practice through market concentration and legal exposure elsewhere.
The opportunity lies in recognising that sovereignty, in a connected world, is not built alone. It is built together.
Antti Pennanen is a serial entrepreneur with 20+ years of experience building IT companies across animation, cloud computing, and fintech. He is co-founder and CEO of SpaceTime, a Finland-based company delivering storage and compute for European companies. Previously, he founded fintech startup MONI, and built Basemotion Ltd into the Baltics’ largest animation studio.
