The uncomfortable truth about European cloud sovereignty
Source: Dev.to
AWS European Sovereign Cloud – A Reckoning
My recent blog post about AWS European Sovereign Cloud generated more backlash than I anticipated. The core criticism was simple and sharp: AWS is still a US company. No matter how many legal structures you build, no matter how much you isolate the infrastructure, that fundamental fact doesn’t change.
The critics are right. And they’re also missing the point.
This isn’t a defence of AWS. It’s a reckoning with how we got here and what our actual options are. Because the uncomfortable truth is that we’re having this conversation decades too late. We’re trying to solve a sovereignty problem we created by failing to invest in European alternatives when it mattered.
The European Cloud Providers We Do Have
- StackIt – built by the Schwarz Group (the people behind Lidl).
- OVHcloud – a French company that has been building data centres and cloud services for years.
These aren’t trivial efforts; they’re substantial businesses run by capable people.
But let’s be honest about where they are
- Neither offers the breadth of services you get from AWS.
- Neither has the global infrastructure.
- Neither has the innovation velocity.
If you want managed machine‑learning services, serverless computing at scale, or cutting‑edge database technologies, you won’t find AWS‑equivalent offerings there.
This isn’t their fault.
Why the Gap Exists
| Factor | US Cloud Giants (AWS, Azure, GCP) | European Providers |
|---|---|---|
| Resources | Decades of massive investment, huge cash flow, and a global partner ecosystem. | Fraction of the resources; limited funding and market size. |
| Early Adoption | Early enterprise customers willing to take risks; a US market culturally comfortable with cloud. | No comparable early‑adopter base. |
| Government Support | Implicit backing via a thriving tech sector and private investment. | European governments didn’t pour billions into cloud infrastructure. |
| Venture Capital | Massive VC funding for cloud‑related startups. | Much smaller VC ecosystem for cloud. |
| Enterprise Commitment | Companies chose proven, complete solutions. | Few enterprises committed to home‑grown providers at scale. |
We chose convenience over sovereignty, proven solutions over nascent European alternatives, and each choice widened the gap.
Gaia‑X – A Missed Opportunity
- Launch: 2020, Franco‑German initiative to build a European cloud.
- Goal: Create a genuine alternative to US cloud providers.
What happened?
- Governance debates, competing national interests, and endless committee meetings stalled progress.
- The vision diluted from “build a European cloud” to “create standards for federated cloud services.”
- Gaia‑X morphed into a standards body rather than a competitive cloud platform.
This is the pattern: good intentions, fragmented execution. Every major European country wants digital sovereignty, but no one wants to subordinate its national champion to a truly European effort.
The Current Reality
Organizations that need genuine sovereignty today face two limited options:
- European providers that can’t match the required capability.
- US providers with sovereignty bolt‑ons.
Neither is ideal. Both are consequences of decisions (or indecisions) made over the past 15 years.
AWS’s Sovereign Cloud Messaging
When AWS first announced its European Sovereign Cloud, the messaging was confident:
“The infrastructure will be completely isolated. European customers will have total protection. This solves the sovereignty problem.”
I had questions. Lots of them.
- How independent can the infrastructure be when the parent company is subject to US law?
- What happens if US authorities invoke the CLOUD Act?
- Could future geopolitical pressures create access requirements?
- Who actually controls the “kill switch”?
AWS’s response evolved.
- Initial claim: completely isolated.
- Revised claim: we’ve done our utmost best to make it as hard as possible for the US to gain control.
That shift matters. It moves from claiming a solved problem to acknowledging a mitigated problem.
The new framing (more honest)
- There is a German legal entity.
- Staff are European.
- Hardware designs and software code are available for a “red‑button” scenario.
- But we can’t guarantee that geopolitical pressure will never force US authorities to demand access.
I respect this evolution. The initial messaging was too confident; the revised messaging acknowledges constraints while explaining mitigations. That honesty is more useful than false certainty.
Bottom Line
There are limits to what any US company can promise about sovereignty, no matter how much they isolate the infrastructure. The European cloud landscape is still catching up, and the choices we make today will shape whether we ever achieve true digital sovereignty.
Sovereignty, Trade‑offs, and the Reality of AWS ESC
The parent company’s jurisdiction creates inherent constraints. Legal structures and operational controls can make those constraints harder to exploit, but they can’t eliminate them entirely.
This isn’t unique to AWS. Microsoft and Google would face the same issues. Any US cloud provider trying to offer a truly sovereign European service would hit the same walls.
The question isn’t whether these constraints exist; it’s whether the mitigations are sufficient for your specific risk tolerance.
What “sovereignty” really means
There is no perfect solution. Every option involves trade‑offs. The question isn’t “which solution is flawless?” but rather “which trade‑offs can I live with?”
- Pure European cloud providers give stronger sovereignty guarantees, but you sacrifice innovation velocity and service breadth. You might wait years for capabilities that AWS ships next quarter, and that delay has real business cost.
- AWS ESC (European Sovereign Cloud) gives you innovation and capability, but you accept that the parent company is American and subject to US jurisdiction. You’re trusting legal structures and operational controls to create meaningful barriers, while knowing those barriers aren’t absolute.
When ESC makes sense
- Regulated industries that need specific compliance guarantees.
- Government agencies handling sensitive data.
- Critical‑infrastructure operators.
- Companies in sectors where geopolitical risk is material.
If you belong to one of these categories and need cloud capabilities that European providers can’t yet deliver, ESC is a pragmatic choice.
When ESC may not be the best fit
- Start‑ups optimizing for speed and cost – the additional sovereignty layer can be unnecessary overhead.
- Organisations not handling particularly sensitive data – standard AWS regions might be sufficient.
- Companies that can wait for European providers to mature – supporting them may align better with corporate values.
The bigger conversation
We’re having the wrong conversation when we argue about whether ESC is “good enough.” The real conversation should be about why we’re in this position in the first place.
- European organisations need cloud capabilities – it’s no longer optional. Digital transformation, data analytics, and machine learning are foundational to staying competitive.
- We also need sovereignty over critical digital infrastructure. Recent years have shown that geopolitical stability is fragile, supply chains can become negotiating chips, and digital infrastructure is caught up in power politics.
The fact that we have to choose between capability and sovereignty is a policy failure.
- We should have invested in European cloud providers a decade ago.
- We should have committed government workloads to them to help them achieve scale.
- We should have funded the R&D needed to compete with US innovation.
We didn’t. Now we’re retrofitting sovereignty onto US infrastructure because it’s the best available option for many use cases.
What would be better?
- Invest now in European alternatives before the gap becomes unbridgeable.
- Government cloud programmes that commit to European providers.
- Investment in open‑source cloud infrastructure.
- Support for European companies building cloud‑native services.
Will that happen? I don’t know. Europe tends to regulate American technology rather than build alternatives. GDPR was easier than creating European competitors to Google and Facebook. Arguing about ESC’s sovereignty guarantees is easier than funding European cloud providers properly.
If we want genuine digital sovereignty in ten years, we need to start building it now. ESC can be part of the bridge to that future, but it can’t be the destination.
Bottom line
- ESC is valuable for organisations that need it. The supply‑chain transparency, legal independence, and operational controls are meaningful improvements over standard AWS regions. For entities handling sensitive data or operating critical infrastructure, those improvements matter.
- It is not a complete solution to European digital sovereignty. It’s a US company’s answer to European concerns, and that comes with inherent limitations.
The critics who say “AWS is still American” are correct. The alternative is either to wait for European providers to catch up, build everything yourself, or accept higher risk in standard regions.
ESC exists because European organisations need a pragmatic answer to that dilemma. It isn’t the answer we wish we had – we wish we had European cloud providers with AWS‑equivalent capabilities. Since we don’t, we work with what we have:
- Push AWS to be as transparent and accountable as possible.
- Use ESC where it makes sense.
- Support European alternatives where they can meet our needs.
- Start investing seriously in building the digital infrastructure we should have built 15 years ago.
That’s not a satisfying conclusion, but it’s an honest one. Right now, honesty about our constraints seems more valuable than pretending we have perfect solutions.