Posted by 
Hosken: The term ‘sovereignty’ is used by different providers in different ways, which can lead to confusion. What does sovereign cloud mean for customers?
Michels: From a customer perspective, the term ‘sovereign’ cloud is often used to describe a service that offers a high degree of control. For example, the customer can determine who can access data stored in the cloud, for what purposes that data can be used and in which region(s) the data is stored. The provider is also transparent about the sub-processors it uses and the metadata it collects. A customer can then make its own informed and autonomous decisions about how to use the service. Further, the customer can port its data to another provider, if it wants to do so, or move data back in-house. In this broad sense, sovereign cloud describes an ideal centered on customer choice and autonomy , rather than a particular service type.
But the term is also used to focus specifically on foreign government access. Can a foreign government order your cloud provider to disclose your data without telling you? This question impacts both public sector organizations (especially those that deal with defense and national security), as well as private companies that process personal data regulated under the GDPR [ the EU’s General Data Protection Regulation], or store commercially sensitive data in the cloud.
Aside from such customer concerns, there is a wider policy discussion about European cloud sovereignty. For example, the EU aims to promote the use of European cloud providers as part of its industrial strategy to strengthen the EU economy and maintain competitiveness and technological leadership in an increasingly uncertain world. Hyperscalers in the United States have access to enormous amounts of data. The European Commission would prefer that European cloud providers benefit from this ‘data advantage’ instead. Lastly, EU policymakers also have geopolitical concerns about an overreliance on foreign service providers and the strategic autonomy of European states. Yet such issues are typically more relevant to EU policymaking than to individual customer deployments.
Hosken: Why are European organizations turning to European cloud providers rather than hyperscalers in the United States for sovereign cloud solutions?
Michels: For some aspects of sovereignty, the provider’s nationality doesn’t matter. For example, providers in the United States can offer a high degree of transparency and provide data residency options by using local data centers.
Yet provider nationality does matter when it comes to foreign government access. This is because American providers are necessarily subject to their country’s jurisdiction. So, any data they process could be subject to United States’ production orders. For example, courts in the United States can issue warrants for law enforcement purposes under the Stored Communications Act, as amended by the CLOUD Act, while the National Security Agency can issue directives for foreign intelligence purposes under Section 702 of the Foreign Intelligence Surveillance Act.
Such production orders could compel a cloud provider in the United States to disclose European customer data. For instance, per the CLOUD Act, production orders can target any customer data within a United States’ provider’s “possession, custody, or control”, regardless of data location. As a result, it is possible that production orders in the United States can target European customer data, even if the data is stored in Europe by an American hyperscaler’s European subsidiary. This is because data processed by the European subsidiary is considered to fall within the American parent company’s ‘control’, since the parent company can exercise legal control over its subsidiary.
We therefore need to distinguish data residency (which concerns the location of storage) from cloud sovereignty (which looks at the risk of foreign government access). By contrast, a European provider can offer a service that is more likely to be immune to jurisdiction and production orders in the United States. This immunity would apply especially if the provider does not have customers, assets or employees there.
Yet that doesn’t mean only European providers can offer sovereign cloud solutions. American providers might also be able to protect customer data from United States government access through technical measures such as client-side encryption, encryption with third-party key management or confidential computing. If securely implemented, the American provider can then only disclose data in its encrypted form. In addition, United States law allows cloud providers to challenge production orders under certain circumstances, including on the basis of comity. Whether such measures can reduce the risk of foreign government access to an acceptable level depends on the nature of the data and the specific use case.
Hosken: At Broadcom, we’re seeing growing customer interest in building sovereign clouds across Europe. What’s driving this demand?
Michels: I see regulation as one of the main drivers for European customers seeking to protect their cloud data. This is particularly true of the GDPR, given the high level of potential fines. Admittedly, the EU and the United States have made progress on international data transfers and on increasing the level of protection for European personal data, including through the EU-US Data Privacy Framework. Nonetheless, there remains a level of legal uncertainty as to whether American providers can provide an appropriate level of security and offer sufficient guarantees of compliance when acting as processors of European personal data. An example of this uncertainty is the European Data Protection Supervisor’s enforcement action regarding the EU Commission’s use of Microsoft 365. In France, the CNIL [National Commission on Informatics and Liberty] has also repeatedly raised concerns about the use of American cloud providers.
This problem applies especially to so-called special category data , such as those relating to health and ethnicity, which are subject to strict rules under the GDPR.
Some member states also have domestic legal requirements for sovereign cloud, which apply at the national level. These typically apply to the public sector and to operators of critical infrastructure, as with the French SecNumCloud scheme. That said, regulation isn’t the only driver. Many customers also seek to protect commercially sensitive information and trade secrets from foreign government access.
Hosken: Will European organizations move all their data to sovereign clouds or is there a case for multi-cloud?
Michels: European customers will continue to use the traditional cloud services of American hyperscalers. But many organizations also need to think more strategically about which data belong in which IT environment. Different environments suit different workloads depending on technical and security requirements, cost and regulatory compliance. For example, some workloads benefit from the scalability and functionality that American hyperscalers offer, while other, more sensitive data require additional protection. So, for some customers, there is a strong case for cloud deployments that combine traditional hyperscale cloud with sovereign cloud solutions.
So, for some customers, there is a strong case for cloud deployments that combine traditional hyperscale cloud with sovereign cloud solutions.
Hosken: What challenges do organizations face in adopting sovereign cloud?
Michels: An organization that wants to adopt sovereign cloud solutions can face three main challenges. First, the organization needs to understand the data it processes, including which of its data are sensitive and so need extra protection, whether as regulated personal data or from a commercial perspective. This can be achieved by data classification policies.
Second, a lack of interoperability between cloud services can prevent customers from combining the services of different providers. Better interoperability would support integrated cloud deployments across multiple providers instead of separate, siloed workloads.
Third, a lack of portability can stop customers from migrating data from their current cloud provider to another provider. Better portability would empower customers who are unhappy with their current service to switch providers and allow them to benefit from the advantages that different cloud services offer.
In theory, the EU Data Act should support customer switching beginning in September 2025. Yet practical challenges to switching may well persist, despite the new (and untested) legal requirements. Much will depend on how the law is implemented.
Hosken: One way you have suggested that cloud providers could help customers navigate legal uncertainty around sovereignty requirements is a so-called code of conduct. While we at Broadcom have not taken a position on this approach, could you share your views on this?
Michels: To address legal uncertainty under the GDPR, the cloud industry could work together to develop a new Sovereign Cloud Code of Conduct. The code would focus on what providers can do to reduce the risk that foreign government access poses to the fundamental rights and interests of European data subjects. The code can also recognize that different providers can reduce that risk in different ways, including through technological measures such as confidential computing.
To address legal uncertainty under the GDPR, the cloud industry could work together to develop a new Sovereign Cloud Code of Conduct
Once approved by a regulator, the code would reduce legal uncertainty under the GDPR. Compliance with the code would give the customer assurance that their data will not be subject to an inappropriate level of risk of foreign government access. This should benefit customers and providers alike, as well as assure European data subjects that their fundamental rights are protected in the cloud.
Michels researches cloud computing law for the Cloud Legal Project at the Centre for Commercial Law Studies, Queen Mary University of London. He has co-authored papers on the implications of sovereignty for European policy and GDPR compliance. The Cloud Legal Project is made possible by the generous financial support of Microsoft. The author is grateful to Broadcom for providing funding to conduct a series of expert interviews and prepare a forthcoming report on cloud sovereignty. Responsibility for views expressed remains entirely with the author and do not necessarily reflect views shared by Broadcom.
