Sovereign European clouds are the only way to minimize risk

Author Gerald Dürr on 22 April 2026 Gerald Dürr's blog

Recent months have shown how seriously governments and institutions are taking this issue. Swiss Army Chief Thomas Süssli called in September 2025 for dedicated IT infrastructure for sensitive data and a strategy to exit the Microsoft cloud. Denmark’s Minister for Digitalisation Caroline Stage announced that the government would switch from Microsoft Office to LibreOffice. The French city of Lyon is moving to open-source solutions to reduce its dependence on American software. The International Criminal Court in The Hague is replacing Microsoft Office with the European platform OpenDesk.

This movement does not affect only public authorities. CIOs, IT decision-makers, and compliance officers in regulated industries face the same questions: how do I protect my infrastructure from Cloud Act risks, vendor lock-in, and the vague “sovereign” partnerships offered by hyperscalers?

The answer lies in European cloud infrastructure under European ownership.

This article explains:

• The five pillars of cloud sovereignty and what they mean in practice
• Why sovereign clouds are becoming critical now
• Which cloud solutions are available
• How to identify a genuinely sovereign cloud — and why European ownership and European jurisdiction are decisive

Safe Swiss Cloud is a 100 per cent Swiss company offering sovereign cloud infrastructure that is subject to neither US nor EU jurisdictions — GDPR-compliant, yet politically independent.

What Is a Sovereign Cloud?

A sovereign cloud is more than just a data centre located in Europe. It ensures that no foreign government and no overseas company can influence, surveil, or shut down your IT infrastructure — whether through legal compulsion or implicit pressure.

The concept can be understood as self-determined digitalisation: it combines the capabilities of modern cloud technology with complete control over data, systems, and decisions. It is not about isolation, but about protection from external access and political pressure on your digital infrastructure.

Many providers advertise “data sovereignty” meaning only that data is stored in EU data centres. But genuine cloud sovereignty encompasses far more. It consists of five pillars that together guarantee complete control.

The Five Pillars of Cloud Sovereignty

1. Data Sovereignty

Where is your data physically stored? Who has access? Which laws apply?

Data sovereignty means that data is stored and processed exclusively in data centres within a defined jurisdiction. GDPR compliance requires, for example, that personal data belonging to EU citizens is handled in accordance with European data protection standards. Yet a secure storage location alone is not sufficient: access must also be controlled. The US Cloud Act permits US authorities to access data held by US companies — regardless of where that data is physically stored.

2. Operational Sovereignty

Who operates your infrastructure? Where are the staff located?

Operational sovereignty means that the individuals with access to systems are subject to local legal jurisdiction. A German data centre operated by employees of a US parent company does not provide operational sovereignty. Those employees can be legally compelled to grant access — as in the case of the International Criminal Court, where the Chief Prosecutor was suddenly locked out of his Microsoft account following US sanctions.

3. Technological Sovereignty

Can you switch providers without incurring massive costs?

Vendor lock-in is one of the greatest barriers to cloud adoption in Europe. Technological sovereignty means using open standards and interfaces that enable multi-cloud strategies and portability. The European Commission estimates that open standards alone could save up to EUR 1.1 billion per year in public procurement. Workloads should be migratable between platforms without major rearchitecting.

4. Legal Sovereignty

Which laws govern your data? Are there conflicting jurisdictions?

Legal sovereignty means clarity about which legal frameworks apply and the absence of competing jurisdictions. The conflict between the GDPR and the US Cloud Act is central here: US providers are simultaneously subject to both legal systems. In 2025, Microsoft’s chief legal officer confirmed before the French Senate that he could not guarantee Microsoft would never hand customer data to US authorities. This legal uncertainty is the antithesis of legal sovereignty.

5. Political Sovereignty

Are you protected from the effects of geopolitical decisions?

Political sovereignty means protection from service disruptions caused by geopolitical tensions. In 2022, Amsterdam Trade Bank collapsed within 24 hours after losing access to its digital infrastructure following EU sanctions against Russia. In 2025, Adobe locked Russian and Belarusian users out of Creative Cloud, leaving freelancers and agencies suddenly unable to access their work files. Geopolitical risks — from trade conflicts to sanctions — can disrupt critical services without warning.

Why Sovereign Clouds Are Becoming Critical Now

Data control was long considered a “nice-to-have” for compliance departments. Today it is a strategic question of survival.

Economic and Political Resilience

At the World Economic Forum in Davos in January 2026, EU Commission President Ursula von der Leyen drew a historical parallel: she recalled the Nixon Shock of 1971, when the United States unilaterally ended the dollar’s gold convertibility and the Bretton Woods system collapsed overnight. At the time, it was a warning to reduce dependence on a foreign currency. Today, von der Leyen argued, Europe faces a similar watershed moment — and the dependencies run far deeper.

How deep became apparent in May 2025: when the Trump administration sanctioned the Chief Prosecutor of the International Criminal Court in The Hague, Microsoft blocked his e-mail account. An international court with 125 member states was suddenly unable to communicate because its infrastructure ran on American software. The prosecutor was forced to switch to the Swiss provider Proton Mail. Six senior officials left the court. The ICC has since announced that it will replace Microsoft Office with the European open-source platform openDesk.

Political pressure is, however, only one of the risks. Cyberattacks and supply chain disruptions also illustrate how vulnerable central IT infrastructure has become. When the payment processor Change Healthcare was brought down by ransomware in February 2024, part of the US healthcare system collapsed: 40 per cent of all health insurance claims could no longer be processed. When semiconductors became scarce during the pandemic, European car factories ground to a halt because a modern vehicle requires between 1,400 and 1,500 chips.

The goal is not complete autarky — according to a CEPA analysis, that would cost Europe around EUR 3.6 trillion. The goal is strategic autonomy: the ability to keep critical systems running even when geopolitical tensions escalate, sanctions are imposed, or a foreign provider unilaterally discontinues a service.

Protection of Intellectual Property

Whilst compliance attracts media attention, the greatest damage often occurs quietly: IBM’s Cost of a Data Breach Report 2024 shows that intellectual property theft has risen by 27 per cent. 43 per cent of all data breaches involved intellectual property — up from 34 per cent in 2023.

The manufacturing sector is particularly exposed, with average breach costs of USD 5 million — the steepest cost increase of any industry (up 18 per cent year-on-year) — and the fastest-growing attack frequency. The reason: manufacturers hold valuable intellectual property: engineering blueprints, production formulas, and manufacturing processes.

What is at stake:

• Manufacturing processes representing years of optimisation
• Product strategies and R&D data prior to patent filing
• Marketing formulas and customer segmentation

The risk begins with misconfigurations: a 2025 report by Tenable shows that 9 per cent of all publicly accessible cloud storage contains sensitive data.

Sovereign clouds are not a defensive compliance measure. They are an offensive strategy for protecting what makes an organisation valuable.

Sovereign Cloud or Not? An Overview of Solutions

How much control over your data do you need? Not every cloud model that advertises sovereignty fulfils the five criteria outlined above. The decisive test: who owns the provider, who operates the infrastructure, and which jurisdiction governs it? Only when ownership, operations, and legal domicile are in Switzerland or Europe is sovereignty genuinely guaranteed when geopolitical pressure arises.

Below is an overview of the main cloud models — from maximum sovereignty to hyperscaler solutions. Only the first two options fulfil all five criteria of genuine sovereignty:

1. Open clouds (Sovereign Cloud Stack-based): The highest level of sovereignty is offered by cloud solutions based on the Sovereign Cloud Stack (SCS). The core philosophy: “Only open source guarantees digital sovereignty through interoperability, transparency, and independence from unlawful third-party claims.” This delivers complete independence from proprietary technologies and genuine provider portability.
2. Cloud providers in European ownership with data centres in Europe: The advantage: European ownership means the US Cloud Act does not apply. The caveat: European providers are not immune to court orders either, as discussed above.

The following models offer varying degrees of data protection and compliance, but do not fulfil all criteria of genuine cloud sovereignty:

3. Hyperscalers with sovereign cloud options: Oracle promises for its “EU Sovereign Cloud” more than 150 cloud services “at the same prices as commercial cloud regions”, operated by “EU-resident legal entities”. In principle, these options offer hyperscaler reach with certain sovereignty controls — though questions about genuine independence remain.
4. US technology with EU data protection: T-Systems with Google Cloud guarantees exclusive data storage in Germany with “compliance with the requirements of German regulatory authorities”, whilst T-Systems controls encryption and identity management. This is an attempt to combine hyperscaler innovation with European control — but it remains US technology under US ownership.
5. Hyperscalers without additional controls (AWS, Azure, GCP): Standard hyperscaler offerings provide maximum scalability and global reach. They are the most pragmatic choice for organisations without stringent compliance requirements.

Conclusion: No Real Trade-off

The misconception that greater sovereignty means less innovation persists stubbornly. European cloud solutions today offer comparable functionality and pricing — without the legal risks of US hyperscalers. The only genuine advantage of hyperscalers is global infrastructure presence. For European organisations, what matters is not the brand name, but who owns the provider and which jurisdiction governs it.

The European Alternative

Genuine cloud sovereignty requires European infrastructure: providers in European ownership, data centres in Europe, and no dependence on non-European jurisdictions. Only then can it be ensured that no foreign government can compel access to data or shut down services.

Within Europe, Switzerland occupies a unique position. The EU has recognised Switzerland as one of twelve countries with an equivalent level of data protection. The Swiss Federal Act on Data Protection (DSG) meets the same standards as the GDPR. At the same time, Swiss cloud providers in Swiss ownership are subject to neither the US Cloud Act nor the jurisdiction of any EU government. European data protection standards — but no foreign government capable of compelling access, not even a European one.

This combination is particularly relevant for:

• DACH organisations that must simultaneously satisfy FINMA or BaFin requirements and the GDPR
• Research organisations seeking to keep their intellectual property beyond the reach of US access
• Swiss and European mid-market companies looking for a sovereign cloud solution without the complexity and dependency of hyperscalers

Safe Swiss Cloud has stood for exactly this positioning since 2013: 100 per cent Swiss ownership, ISO 27001/27017/27018-certified, with customers on four continents. Complete data sovereignty, EU-equivalent data protection, no access by foreign governments. For organisations seeking genuine control over their data, this is the most consistent European answer to the sovereignty question.

Conclusion: Sovereignty Is No Longer a Luxury

Today, cloud sovereignty is a strategic necessity: the Swiss Army Chief is calling for strategies to exit US clouds, Denmark is switching to open source, and manufacturing companies are losing intellectual property through cloud breaches.

The good news: European and sovereign cloud solutions today offer comparable functionality to hyperscalers, without their legal and political risks. For organisations with stringent compliance requirements or sensitive intellectual property, Switzerland offers an additional advantage: full EU data protection equivalence, combined with a jurisdiction that answers to neither Washington nor Brussels. The question is no longer whether, but how much control you need over your digital infrastructure.