In this article, I offer a pragmatic perspective on digital sovereignty, noting that it is not a black-and-white issue, but rather a balance that must be struck between technical, legal, operational, and economic dimensions.
Using concrete examples, let’s explore together the strategies best suited to different types of companies, the limitations of so-called “sovereign” offerings, and the European initiatives aimed at strengthening the continent’s digital autonomy.
Beyond Circumstances, a Matter of Resilience.
At a time when geopolitical tensions are awakening minds, sovereignty is back at the top of the priority list.
On Friday, June 12, under orders from its government, Anthropic (an American AI provider) abruptly cut off access to one of its models overnight.
CLOUD Act, Data Act, European certifications, pricing conditions of major software publishers, supply chain dependencies: these are all topics that now require corporate management to look at their architecture for what it is—a strategic choice, and no longer merely a technical one.
Digital sovereignty is neither a defensive reflex nor a marketing argument; let us avoid widespread “sovereign-washing“—it is a structural function.
Just like energy supply, transportation, or healthcare, digital technology is an infrastructure over which an organization, an administration, or a country must retain control for its critical activities.
Everything in this discussion relates to risk management, and I sincerely hope this topic will not stop the day the world appears stable again. Because digital sovereignty is not a fear-driven reflex in response to current events.
In the vast majority of cases among our clients, the right architecture is neither a
- 100% sovereign cloud,
- nor entirely on-premises,
- It is a permanent balance.
The challenge consists of practicing this hybridization without letting operational complexity take over, and reducing vendor lock-in through, for example, technical abstraction layers. It is this balance that prevents confinement within a single dependency and allows, as the context evolves, for adjusting the weight of each component rather than suffering a abrupt change of direction.
We will discuss here the impact of digital dependencies integrated into your strategy and the evolution of the legal frameworks governing them. To go further, I have also given the floor to three founders of Swiss and European clouds: Antoine Coetsier (Exoscale), Matthieu Robin (Hidora), and Octave Klaba (OVHcloud).
Sovereignty is Not an ON/OFF Button
What do we mean when we talk about sovereignty? Depending on the speaker, the word covers very different realities. It is a deeply subjective question.
Some believe that sovereignty must be mastered from end to end. Others consider that a data center located within the country, operated by a locally registered company outside the reach of the CLOUD Act, is sufficient. Between these two extremes lies an entire spectrum of sensitivities.
In reality, sovereignty can be broken down into at least four dimensions: hardware, software, legal, and operational. Each organization must place its cursor according to its risk profile, sector, and regulatory obligations.
The Material Dimension
The hardware dimension, first, meaning the control of the physical infrastructure. How far can we go?
At the extreme, certain players master a remarkable portion of their industrial chain. OVHcloud, for example, assembles its own servers in its factory in Croix, and has designed and manufactured its liquid cooling systems for over twenty years.
At the other end of the spectrum, no European player engraves its own processors: chip manufacturing remains largely in the hands of TSMC in Taiwan, and general-purpose CPU design is held by Intel, AMD, and ARM.
AI has made certain dependencies much more visible, particularly around GPUs. It would be illusory to claim that Europe currently possesses an equivalent alternative to NVIDIA for large-scale AI use.
Hardware sovereignty is therefore rarely absolute; however, it would be equally dangerous to consider this situation permanent. New initiatives are emerging—let us prepare tomorrow’s alternatives.
Nvidia: In the era of AI, an acceptable dependency or the Achilles' heel of your sovereignty?
The software dimension next.
The structuring choice is that of standards.
Building an architecture on open blocks, such as Kubernetes, PostgreSQL, or OpenStack, guarantees real portability and possible reversibility toward other providers. Building on proprietary ecosystems, conversely, gradually shifts the technological decision to the publisher.
To take a concrete case, Exoscale’s SKS relies on Karpenter, an open-source project supported by the Cloud Native
Computing Foundation (CNCF): this choice of open standards gives clients the freedom to change providers.
In contrast, a proprietary autoscaler whose code and roadmap remain the vendor’s exclusive domain creates an adherence whose cost is often only measured at the moment of departure. Software sovereignty, in practice, is the retained capacity to leave a solution.
What is your red line: the one thing you will never do, even if it costs you clients?
The Legal Aspect
The legal dimension is probably the most meaningful for legal departments and CISOs. The decisive criterion is not the location of the data center, but the jurisdiction that can, ultimately, demand access to the data.
The American CLOUD Act, since 2018, authorizes US authorities to request data held by any company under US control, regardless of the country where that data is physically stored. A European entity 100% owned by an American parent company therefore remains, legally, exposed (the AWS Sovereign Cloud, for example, remains subject to it).
And the European Data Act, applicable since September 2025, requires cloud providers to do exactly the opposite: prevent any illegal access by a third-party government.
Choosing a provider means also choosing the law that applies above it.
The Operational Dimension
The operational dimension, finally:
- Who holds the encryption keys, who can regenerate them, who operates them?
- Do administrators have privileged access to the data?
- Where are they resident, under which jurisdiction do they act, and where is the SOC supervising the platform located?
In certain regulated sectors—finance, healthcare, defense—these questions are no longer theoretical: they are the subject of precise contractual clauses, sometimes accompanied by citizenship requirements for cleared personnel.
The Genevan provider Hidora illustrates this requirement with its Hikube platform, whose workloads are natively distributed and synchronously replicated across three Swiss data centers in Geneva, Gland, and Lucerne. The complete loss of one site is absorbed automatically, and the data never leaves Swiss territory at any time. It is at this level that sovereignty is proven, or cracks.
I have voluntarily simplified the criteria grid because other objectives rely on strategic sovereignty, data & AI, supply chains, security & compliance, or environmental sustainability.
Initiatives like the “Digital Resilience Initiative” help us measure the level of technological dependency of our organizations based on a transparent methodology. For many companies, the challenge is not to find the perfect strategy immediately. The challenge is to begin. To establish an initial assessment. To identify critical dependencies. To understand which exposures are acceptable and which are not. Ultimately, we establish a weighted mapping highlighting vulnerability levels.

My conviction: it is never A or B, sovereign or not sovereign. The best architecture is almost always hybrid. It is a work of enterprise architecture for the information system, a case-by-case governance, workload by workload. It is not glamorous, but it is the reality on the ground.
Two Client Profiles, Two Concrete Strategies
On the ground, I observe that two main categories of companies emerge. Each has different challenges, but the same necessity: thinking about its digital autonomy.
“We are full Azure/AWS”: The Cloud-First Profile
These organizations are already deeply anchored with an American hyperscaler. The challenge is not to leave everything; that would be unrealistic and unnecessary. The challenge is to have a credible plan B in case of a “kill switch.”
This plan B must contend with five risks:
- geopolitical exposure,
- loss of negotiating power,
- innovation lag,
- market concentration,
- and capacity limits.
What would this scenario look like in practice?
Probably not an abrupt cutoff. The prospective Europe 2031 scenario, published by a collective of European researchers, imagines it more insidiously: a licensing regime that rations access to cutting-edge services by country categories, with priority allies, capped volumes, and rising prices for others.
Fiction, certainly. But the mechanism already exists: American export controls on semiconductors operate precisely by country tiers. A credible plan B must therefore anticipate gradual degradation as much as sudden failure.
Concretely, this can involve:
- hybridizing the infrastructure by placing critical workloads on a sovereign European or Swiss cloud,
- deploying DRP/BCP on an alternative infrastructure,
- or setting up data portability and reversibility mechanisms.
The goal is not to duplicate the entire environment, but to ensure that vital functions survive any scenario by not putting all one’s eggs in one basket.
“We are on-premises, we don’t have this problem”: The Traditionalist Profile
Many organizations still consider that hosting their infrastructure internally constitutes a form of default sovereignty. This approach retains real advantages: equipment control, data proximity, and operational oversight.
But you close yourself off to agility, flexibility, and above all, innovation. In the era of artificial intelligence, buying GPUs to put in your server room is not always the solution, either financially or operationally. Technological dependency, skills, innovation, capacity, operational resilience: these are all risks that internalisation displaces rather than erases.
A European or Swiss sovereign cloud allows organizations to benefit from cloud agility (GPU as a Service, ML platforms, on-demand scalability) while retaining their digital autonomy. Without massive investment, without American dependency.
And here, there is a concrete opportunity waiting to be seized.
Stop being held hostage by an hypervisor vendor
Since Broadcom’s $69 billion acquisition of VMware in late 2023, the virtualization market has been upended. Perpetual licenses were eliminated. The catalog of over 160 products was reduced to a few subscription bundles. Prices multiplied by two, three, or even ten in some cases. AT&T publicly denounced a 1,050% increase. The minimum number of cores per license went from 16 to 72, making access prohibitive for smaller structures.
Sovereign clouds are credible alternatives to on-premises environments, carrying far less risk than an external foreign cloud.
This is a strategic opportunity. Migrating to solutions based on open standards within a Swiss cloud. It is a way to stop depending on an American hypervisor vendor playing with its license bundles, while accessing solutions that are not necessarily more expensive.
An IT Director tells you "you are too small for my critical production". What do you reply to him?
Transforming a forced dependency into a chosen autonomy. That is what I call good risk management.
American “Sovereign Clouds”: Progress and a Structural Limit
Hyperscalers are currently adapting to Europe; the AWS European Sovereign Cloud is probably the best evidence of this.
In January 2026, AWS made it available with a first region established in Germany. A German legal entity, operations entrusted exclusively to EU-resident personnel, infrastructure physically and logically separated from other regions, 7.8 billion euros committed.
The effort is real, and the controls are too: independent assessments place the offering at a strong level regarding operational sovereignty, security, and compliance. For many workloads requiring European data residence and operational autonomy, it is a credible and useful answer.
The limit is not technical; it is structural. The European entity remains 100% owned by Amazon, an American corporation. As long as ultimate control lies outside the Union, the legal and strategic dimensions remain exposed: the US CLOUD Act (for example) authorizes American authorities to demand data held by any company under US control, regardless of the storage location. Legal and strategic sovereignty is not respected for this reason.
This is also a good reminder: an announcement is not a verdict. AWS indicates it has never transferred European client data to US authorities since 2020. This is plausible. But the absence of a request to date does not guarantee one tomorrow, and for the most sensitive data—healthcare, defense, critical infrastructure—a residual legal risk can be enough to rule out a vendor.
A clear example of this is found in this exchange before the French Senate:
Mr. Dany Wattebled, rapporteur: “Mr. Carniaux, as director of public and legal affairs, you represent Microsoft France to public decision-makers. Can you guarantee before our commission, under oath, that French citizens’ data entrusted to Microsoft via the UGAP will never be transmitted following an injunction from the US government without the explicit
agreement of French authorities?”
Mr. Anton Carniaux: “No, I cannot guarantee it, but, once again, that has never happened.”
An inherent legal tension is added. The European Data Act, applicable since September 2025, requires cloud providers to prevent illegal access by authorities from a third country. The CLOUD Act demands the opposite. American providers find themselves caught between the two, and their clients along with them.
Hyperscalers should not be excluded from the European digital strategy. They must be repositioned within an architecture where no single dependency becomes critical.
It must be kept in mind that a sovereign cloud offered by an American player genuinely reduces many operational and residence risks, which has value. But, by design, it does not remove the legal and strategic dependency. The former is a concrete and legitimate improvement. The latter is an architectural and contractual commitment of a different nature.
Choosing well means knowing which of the two a given workload truly demands.
The Virtuous Circle: Confidence is Lacking, Not Competence
Let us be honest: European actors do not yet possess all the capabilities of American or Chinese hyperscalers. OVHcloud, the largest European cloud, holds less than a 2% share of the global market, compared to 32% for AWS and 23% for Azure. The gap is enormous.
But it is a matter of a virtuous circle. If European companies and organizations trust these clouds, they will use their services, generate profits, and enable greater investment to become competitively compelling.
What threatens the sovereign cloud the most: hyperscalers or the cautiousness of Swiss IT Directors?
And we must not underestimate what already exists. Many European services build on open standards rather than proprietary ecosystems. In terms of portability, interoperability, and reversibility, this is a significant competitive advantage. Less vendor lock-in.
The Swiss Federal Council made digital sovereignty one of the three priority themes of its 2026 strategy. Client requests with European actors tripled in the first half of 2025.
And yet, some companies I meet are still cautious, citing a lack of maturity or reliability among Swiss and European cloud providers.
I often hear the argument: “Yes, but… the data centers burned down…” No cloud is infallible, and this is not a criticism of anyone.
Mistrust keeps European actors small, their small size feeds mistrust, and dependency self-reinforces until it becomes a negotiation lever in the hands of others.
Yet even the largest and best-designed platforms experience major incidents.
- In October 2025, AWS suffered a major outage in its US-EAST-1 region lasting approximately fifteen hours, with well over a hundred services affected and tens of millions of reports worldwide.
- A week later, a configuration change in Azure Front Door caused an outage of about nine hours on Azure and Microsoft 365.
- In July 2024, a faulty CrowdStrike update paralyzed millions of Windows endpoints.
These are not arguments against any specific vendor; they are reminders that size does not equal immunity.
What will tip the market faster: a European law or the next hyperscaler outage?
The lesson is architectural, and that is precisely where competence is shown. Resilience does not come from the logo on the data center; it comes from design: redundancy, multi-region, and, when it matters, multi-cloud, properly tested disaster recovery plans, vendor diversification, and abstraction layers that keep a workload portable.
A localized fire and a hyperscaler control plane outage lead to the same discipline: design for failure, never assume a single vendor or a single region will always be there. European and Swiss sovereign clouds naturally find their place in this schema as a credible second pillar for critical workloads.
Other organizations see sovereignty as a strategic axis to preserve their freedom and ensure alignment with their values.
From GAIA-X to the European Framework: A Missed Appointment, a Methodology in Construction
The idea of building a European cloud powerhouse is not new. In 2020, France and Germany launched GAIA-X, a consortium meant to lay the foundations for a sovereign European cloud ecosystem.
GAIA-X: A Legitimate Ambition, a Textbook Case of What Not to Do.
Strategic ambiguity: no one really knew what GAIA-X was. A European hyperscaler? A standards label? A governance framework? Everyone projected their expectations onto it, and the compromise diluted the ambition.
Co-optation: AWS, Microsoft, Google, and even Huawei and Alibaba joined the consortium. When the annual GAIA-X conference is sponsored by the very companies it is supposed to protect against, there is a problem. The CEO of Scaleway even advanced the thesis that American hyperscalers had infiltrated the project to slow it down from within. Whether one believes it or not, the result speaks for itself.
Bureaucracy: years of conceptual documents, zero services delivered. Forrester ultimately described GAIA-X as a “static entity.” The founder of Nextcloud summarized it even more bluntly in 2025: “GAIA-X is dead, taken over by American hyperscalers. The original goal is no longer there.”
GAIA-X is a textbook case of what happens when you invite competing interests into the core of an initiative. It nevertheless shifted mentalities and now serves as a stepping stone toward a more mature approach, new reasons to collaborate, and Europe took advantage of it to change its methodology.
EUCS (European Union Cybersecurity Certification Scheme for Cloud Services)
Let us begin with the EUCS, the European cybersecurity certification scheme for cloud services, stemming from the Cybersecurity Act. The idea is simple and powerful: a unique repository at the European scale to certify the cybersecurity level of providers, with three assurance levels (Basic, Substantial, High) and, in its early versions, a High+ level carrying sovereignty requirements (headquarters in the EU, data stored in Europe) to reach the top.
Why it matters: NIS2 and the Data Act allow member states to require their essential entities to only use EUCS-certified providers. The certification would then become the gateway to public contracts and regulated sectors.
Let us be honest about the turbulent areas: the sovereignty requirements of the High+ level were removed from the project in March 2024, under pressure from certain member states and lobbies. France, Italy, and Spain are pleading to reintegrate them.
In parallel, the European Commission went further by creating its Cloud Sovereignty Framework, detailed on June 1, 2026, which no longer contents itself with labels or declarations of intent: it measures sovereignty on evidence, across eight objectives built on 48 verifiable criteria :
- strategy,
- jurisdiction,
- data governance,
- operations,
- supply chain,
- technology,
- security and compliance,
- sustainability
Europe’s Massive New Plan
The political component followed on June 3, 2026, when the Commission presented its technological sovereignty package. The framework is direct: build a European technology stack so that, in its own words, “no one holds a kill switch.”
The initial assessment is severe: more than 80% of digital products, services, and infrastructures used in the Union benefit American providers, and AWS, Azure, and Google Cloud hold approximately 70% of the European cloud market.
According to estimates by the Europe 2031 collective, Europe hosts approximately 5% of the global computing power dedicated to AI, compared to nearly 80% for the United States.
Meanwhile, the European cloud landscape is split among dozens of players of various sizes without excessive dominance.
Does Europe need a single cloud champion or dozens of players?
The new plan relies on four pillars:
- A Chips Act 2.0 for semiconductors,
- A Cloud and AI Development Act (CADA) which aims to approximately triple data center capacity in Europe over five to seven years and introduce a single European method to evaluate the sovereignty of cloud and AI offerings in the same logic as the Cloud Sovereignty Framework,
- An open-source strategy,
- And a roadmap linking digital tech and energy, with data center electricity consumption now part of the equation.
Europe is starting from far behind: no European organization will entirely turn away from American hyperscalers in the short or medium term, and a complete exit is neither realistic nor the objective.
My reading: after the difficulties encountered by GAIA-X, Europe seems to favor a more pragmatic approach. We are moving from slogans and contested labels to criteria that can be measured and opposed (the CSF) and to concrete legislative tools (the June package). If sovereignty requirements return to the EUCS, Europe will have a harmonized instrument that clearly distinguishes a certified, sovereign cloud from a “sovereign-washed” cloud, providing real visibility to companies and administrations.
There are also concrete successes to display. Recently, the ECB chose OVH for the sovereign infrastructure of the digital euro. That matters.
For a positioning anchored in Switzerland, this is also where the data residence argument hits the mark: a provider operating entirely under Swiss jurisdiction naturally ranks high on the legal and operational dimensions that these frameworks now evaluate.
Conclusion: A Framework for Reflection, Not a Slogan
Digital sovereignty is neither a political whim, nor a passing fad, nor a commercial argument. It is an architectural discipline, a risk governance, and an investment in resilience.
Deep down, the question is neither ideological nor technological. It holds in a single sentence: for each critical activity of your organization, do you know who holds the switch, and what it would cost you to take it back? If the answer is documented, tested, and quantified, your cursor is in the right place, regardless of your provider. If it is not, the subject deserves to be addressed.
At Qim info, we observe that most organizations do not lack technology. They lack, above all, methods to objectify their dependencies and arbitrate their choices. Our role consists less in recommending a provider than in helping our clients build a trajectory adapted to their constraints, their risks, and their ambitions. This frequently involves more hybridization, open standards, and diversification, but rarely universal answers.
At Qim info’s Center of Expertise, we accompany our clients in this urbanisation reflection: evaluating critical workloads, structuring hybridization, qualifying providers, and building a pragmatic digital autonomy. Not dogmatic.