No foreign company can sell you sovereignty

Every month I get a call from another partner-network rep pitching me “sovereign” cloud from a US hyperscaler. It always ends the same way.

Every month I get a call from another partner-network rep pitching me "sovereign" cloud from a US hyperscaler. It always ends the same way. Local datacenter. Local employees. Regional CEO. A shiny brochure. And I sit there thinking they either don't respect my intelligence or don't respect their own customers, because the entire pitch collapses the moment you read the ownership chart.

Here is the position, plainly: no foreign-owned company can provide a sovereign service to an EU customer. Not with a Frankfurt region. Not with a Dutch subsidiary. Not with a legally binding "European Digital Resilience Commitment". Sovereignty follows jurisdiction, and jurisdiction follows ownership. Everything else is set dressing.

The Serious Argument

The charitable version of the opposing argument goes like this. The big US providers have spent years building region-locked infrastructure, EU-only support staff, contractual commitments, and encryption schemes specifically to insulate European data from US reach. Gartner is projecting sovereign cloud spend in Europe will more than triple between 2025 and 2027, and the hyperscalers argue their new offerings are what that money should buy. The claim is that with enough legal and technical scaffolding, a US-owned service can be functionally sovereign for the customer's purposes, even if the parent company sits under US law. It's a serious argument made by serious people, and I want to give it its due.

It still doesn't hold. In June 2025, Microsoft's own director of public and legal affairs in France, Anton Carniaux, was asked under oath whether he could guarantee French citizens' data would never be handed to US authorities without French approval. His answer was "Non, je ne peux pas le garantir". No, I cannot guarantee it. He then confirmed that under a legally valid US CLOUD Act order, Microsoft has to comply, regardless of where the data physically sits. That is not a marketing nuance. That is the vendor telling a national senate, on the record, that the product they are selling as sovereign is not sovereign.

What Sovereignty Looks Like in Practice

And it isn't theoretical. Microsoft reportedly shared the names of Dutch civil servants at the ACM and the Dutch Data Protection Authority, people working on enforcing the Digital Services Act, with the US House of Representatives, unredacted, in emails and meeting minutes. When the ICC's chief prosecutor Karim Khan was sanctioned by the Trump administration, his Microsoft email was cut off, and the ICC later moved to OpenDesk from the German Centre for Digital Sovereignty. A sanctioned ICC judge bought an e-book and watched it disappear off her device. These are not edge cases dredged up to score a point. This is what a "legally justified US order" looks like in practice, and it lands on exactly the sort of people that a serious sovereignty policy is supposed to protect: regulators, prosecutors, judges.

On the one hand, the hyperscalers do build genuinely excellent services and I still use them. On the other, I know exactly what I am handing over when I do. I'm not arguing anyone should rip out Azure or AWS tomorrow. I'm arguing you should stop letting a sales rep tell you their product is something it structurally cannot be. A US-owned provider can give you performance, scale, uptime, a decent SLA, and a regional datacenter. It cannot give you immunity from US law. Those are different products.

The Two Questions That Matter

Although yes, there are real categories where none of this matters much. The test is actually two straightforward questions, and if both come back low, a US hyperscaler is a perfectly reasonable choice and the sovereignty concern is low for that specific case.

First: does the workload hold business-sensitive data? Not in an abstract sense, but concretely. Contracts, customer records, internal strategy, anything that would cause real operational or legal exposure if accessed by a third party. If the data is already public or carries no personal or confidential weight, the CLOUD Act risk is close to zero in practice.

Second: what is the honest business impact if this service goes dark without warning? The cold calculation here is usually more forgiving than the gut feeling. When you sit down and work through what actually stops, the real cost is often lower than the number that first comes to mind, which means the benefit of the service might outweigh the tail risk. For those workloads, using a hyperscaler is a fair call.

The Practical Implication

So the practical implication is actually rather simple. For every service you are buying, ask two questions before the contract is signed. What data is going into it, and how much of your business stops if a foreign jurisdiction reaches in and switches it off. If the answer to either question is "a lot", the vendor's ownership matters more than their datacenter map, and "sovereign" on a slide is not an answer. It's a tell.