Search "sovereign cloud," and you'll be handed content from all the major platform players. Since sovereign cloud started as an infrastructure debate, that makes sense, but the infrastructure framing is only half the picture. The missing half is the one that matters most for European security leaders.
I kicked off this conversation in a Financial IT piece earlier this month. My core argument is that identity isn't a downstream detail in sovereign cloud planning. It's the control layer that decides whether any of the platform choices hold up to regulatory scrutiny. A French government agency, a German industrial firm, and a UK financial institution can all pick the "right" sovereign platform and still end up with access governance that doesn't meet regulatory standards.
More often than not, my conversations with customers start with the platform question and end somewhere uncomfortable when they realize they haven't answered the identity one. As I’ve been thinking more about this topic, I wanted to add some commentary to the piece I wrote to help you weather the (admittedly plentiful) changes and knit identity security into your understanding of sovereign cloud.
Why the sovereign cloud conversation is shifting (regulation, risk, and jurisdiction)
A lot has changed in the last 12–18 months, but here are the highlights.
“European organisations consuming services from US-headquartered cloud providers now face a genuine and legally real possibility that their data could be accessed or compelled to be shared under US jurisdiction, regardless of where it physically resides. That risk has always existed in the small print, but recent shifts in US government behaviour have brought it to the foreground in a way that can no longer be dismissed.
Layered on top of this is the EU Cloud Act, which came into force in 2024 and sets clear expectations for cloud providers serving EU customers. It is about more than just data sovereignty in the traditional sense. It also addresses provider lock-in, portability, and the ability to switch providers without prohibitive commercial penalties.”
There is one additional point worth emphasizing here. The EU Cloud Act is politically motivated. That's often used as a reason to dismiss it, but political motivation and sound security outcomes aren't opposites. The commercial and security consequences of the Act, including portability, reduced lock-in, and clearer jurisdictional guarantees, matter to CISOs regardless of the legislation's driving forces. Treating it as a procurement or compliance checkbox misses what's at stake.
Why identity governance matters more than platform choice in sovereign cloud
This is the core argument, and the lens you should apply to every sovereign cloud decision.
“Knowing how you are going to govern access to the systems you put into a sovereign cloud is arguably a more important and more urgent question than which systems you put there. The access control layer touches everything. And as AI agents, machine identities, and third-party integrations proliferate inside enterprise environments, that access governance question becomes more complex, not less.
The organisations that think about identity governance early in their sovereign cloud planning will be in a materially better position than those who treat it as a downstream implementation detail.”
What defines true digital sovereignty?
There’s another way to visualize this that I find especially helpful. When it's all boiled down, true digital sovereignty sits at the overlap of three things:
- Data sovereignty: Where your data lives and which jurisdiction claims it.
- Platform infrastructure: Which hyperscaler or regional provider hosts it.
- Identity security: Who can reach it, under what conditions, and with what audit trail.
The industry has been busy arguing about the first two, but the third is where most of the regulatory exposure sits. Identity security is the layer regulators will point to when they ask how you know who can reach the data, and how you would prove it.
The trade-offs of sovereign cloud: cost, innovation, and compliance risk
Sovereign cloud isn't a free lunch, and I said so in the original piece:
“Sovereign cloud environments, particularly highly localised ones, are generally more expensive to operate and currently lag behind the major hyperscalers in depth and breadth of services. The pace of innovation, including AI capabilities that are increasingly embedded into enterprise platforms, is directly tied to the scale of investment that comes with operating at hyperscaler size.”
That trade-off is why the identity question matters as much as it does. If you're going to accept higher costs and slower feature velocity in exchange for jurisdictional guarantees, the guarantees need to be real. Access governance is what makes them real. You can host every workload in an EU-only region and still fail an audit if you can't demonstrate to a regulator who has access to what, how that access was granted, when it was last reviewed, and how quickly it can be revoked.
For AI agents and non-human identities, this only gets harder. AI agents proliferate inside sovereign environments the same way they do anywhere else: created in seconds, granted broad permissions by default, and often outliving the use case that spawned them. A sovereign cloud posture that governs only human identity is going to age badly.
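To make the audit questions above (who has access to what, how it was granted, when it was last reviewed, how quickly it can be revoked) and the non-human identity failure modes concrete, here is an added example that is not code from the original piece, its author, or any provider. It runs the checks over a constructed identity inventory; the records, field names (`grant`, `owner`, `idp_jurisdiction`), and the 90-day review and 30-day idle thresholds are assumptions chosen for illustration, not figures from any regulation.

```python
"""Access-governance audit over an identity inventory (added example).

Constructed sample data, not from the article: each record is one principal
(human, service account or AI agent) together with one entitlement it holds
in an EU-only tenant. The checks map to the audit questions a regulator asks:
who has access to what, how it was granted, when it was last reviewed, and
whether it can be revoked cleanly.
"""
from datetime import date, timedelta

TODAY = date(2025, 6, 1)             # fixed clock so results are reproducible
REVIEW_MAX_AGE = timedelta(days=90)  # assumption: quarterly access review
IDLE_MAX_AGE = timedelta(days=30)    # assumption: NHIs unused this long are suspect
ALLOWED_JURISDICTIONS = {"EU"}       # the sovereign boundary the tenant promises

# Constructed inventory. "grant" records how the entitlement came to exist,
# "owner" the accountable human, and "idp_jurisdiction" where the issuing
# identity provider is legally controlled.
INVENTORY = [
    {"id": "alice@example.eu", "kind": "human", "scope": "hr-db:read",
     "grant": "ticket-4412", "owner": "alice@example.eu",
     "last_review": date(2025, 4, 20), "last_used": date(2025, 5, 30),
     "expires": None, "idp_jurisdiction": "EU"},
    {"id": "svc-etl", "kind": "service", "scope": "hr-db:*",
     "grant": "default", "owner": "bob@example.eu",
     "last_review": date(2024, 11, 2), "last_used": date(2025, 5, 31),
     "expires": None, "idp_jurisdiction": "EU"},
    {"id": "agent-summariser-17", "kind": "agent", "scope": "*:*",
     "grant": "default", "owner": None,
     "last_review": None, "last_used": date(2025, 3, 12),
     "expires": date(2025, 4, 1), "idp_jurisdiction": "EU"},
    {"id": "vendor-support", "kind": "human", "scope": "hr-db:read",
     "grant": "ticket-3980", "owner": "carol@example.eu",
     "last_review": date(2025, 5, 15), "last_used": date(2025, 5, 29),
     "expires": date(2025, 12, 31), "idp_jurisdiction": "US"},
]


def audit(record, today=TODAY):
    """Return the list of governance findings for one inventory record."""
    findings = []
    # Who has access to what: a wildcard scope means nobody can answer precisely.
    if "*" in record["scope"]:
        findings.append("broad-scope")
    # How was it granted: anything not tied to an approved request is untraceable.
    if not record["grant"].startswith("ticket-"):
        findings.append("untraceable-grant")
    # When was it last reviewed: never, or longer ago than the review cycle.
    last_review = record["last_review"]
    if last_review is None or today - last_review > REVIEW_MAX_AGE:
        findings.append("review-overdue")
    # How quickly can it be revoked: with no owner there is no one to confirm it.
    if record["owner"] is None:
        findings.append("orphaned")
    # Non-human identities that have outlived their purpose (expired or idle).
    if record["kind"] != "human":
        if record["expires"] is not None and record["expires"] < today:
            findings.append("expired")
        if today - record["last_used"] > IDLE_MAX_AGE:
            findings.append("idle")
    # Jurisdiction: the data may be EU-only while the identity reaching it is not.
    if record["idp_jurisdiction"] not in ALLOWED_JURISDICTIONS:
        findings.append("foreign-idp")
    return findings


def audit_inventory(inventory, today=TODAY):
    """Map principal id -> findings, keeping only principals with problems."""
    report = {}
    for rec in inventory:
        findings = audit(rec, today)
        if findings:
            report[rec["id"]] = findings
    return report


if __name__ == "__main__":
    for principal, findings in audit_inventory(INVENTORY).items():
        print(f"{principal}: {', '.join(findings)}")
```

Run against the sample data, the human with a ticketed, recently reviewed, narrowly scoped grant produces no finding, while the AI agent trips every check at once: broad scope, no traceable grant, never reviewed, no owner, past its expiry, and idle. The point of the last check is the one the article makes about jurisdiction: an EU-only region does not help if the identity provider asserting the user is controlled elsewhere.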
3 questions to ask before choosing a sovereign cloud strategy
The full piece closes with three questions I'd recommend every CISO put to themselves before they put them to a provider.
- Are you clear on your technology enablement strategy for the next two to three years?
- Which of your services are genuinely critical, and what providers can actually meet those requirements at the required standard?
- How will you govern access to the systems you deploy in that environment?
Clarity on your technology enablement strategy, and in particular on how your business intends to use AI in the next two to three years, is vital to choosing the right platform: onboarding a provider that can't meet those needs only creates rework. Knowing your most critical services lets you understand the regulatory obligations you need to adhere to and set the appropriate risk tolerance. And the final question recenters identity. The platform is only as sovereign as the access governance model sitting on top of it. This last piece, however, is where most plans begin to falter.
Read the full sovereign cloud analysis
The full article on Financial IT puts these questions into context and outlines where the sovereign cloud market is heading next.
There’s no single blueprint for sovereign cloud, but there is a consistent point of failure: access governance. The industry has spent plenty of time debating infrastructure, residency, and provider choice, but those aren’t the factors that ultimately determine whether a strategy holds up. The harder (and more important) question is how access is governed in practice. If identity isn’t addressed upfront, the rest of the strategy is built on shaky ground. Until that shifts, most sovereign cloud approaches will continue to miss the mark.