AWS, Microsoft Azure and Google Cloud have multiplied so-called sovereign offerings in recent months to reassure their European customers. Behind the same vocabulary, the approaches are nevertheless very different.
In the year and a half since Donald Trump’s return to power, the term sovereignty has never been used so much, more or less wisely, in the digital world. The brutal methods and aggressive speeches of the American administration towards the former European ally have reminded us of our great dependence on US tech giants.
In a study published in April 2025, Cigref, the club of major French IT departments, coldly stated the observation. Of the 400 billion that Europe spends per year on software and cloud services for professional use, 83% ends up with American companies. Given their vendor lock-in situation, European organizations must, moreover, accept regular price increases amounting to 8.7% over the last three years.
Protect yourself from the “kill switch”
The risks linked to this dependence are technological, economic, legal and also geopolitical. In January 2025, in a fictional story posted on LinkedIn, Henri d’Agrain, general delegate of the same Cigref, raised the possibility of a “kill switch”. To force Denmark to cede Greenland, the host of the White House imposes a digital embargo. A simple presidential decree is enough to cut off the services provided by American tech players in the Scandinavian kingdom.
From fiction to reality, Washington activated this kill switch on Friday June 12 by suspending the access of “any foreign national” to the most efficient AI models from Anthropic, Mythos 5 and Fable 5. After blocking the export of Nvidia chips, the American administration thus showed that it could also deprive its former allies of software services. To justify this unprecedented decision, it cites a risk to national security.
Faced with the danger of a digital blackout which would bring the European economy to a standstill, the three hyperscalers are trying to reassure their customers on the Old Continent by increasing their pledges of confidence in recent months. At the end of April 2025, Brad Smith, president of Microsoft, published a very long blog post to detail the commitments made by his company to preserve “Europe’s digital resilience, despite geopolitical fluctuations”.
He nevertheless admitted to helplessness a few lines later: “In the unlikely event that a government orders us to suspend or cease our cloud operations in Europe, we are committed to ensuring that Microsoft will quickly and vigorously challenge any such action using all available legal avenues including taking legal action in court.”
Questioned under oath by French senators in June 2025, Anton Carniaux, director of public and legal affairs at Microsoft France, had, for his part, admitted that it was impossible to guarantee the immunity of French citizens’ data from American extraterritorial laws, such as the Patriot Act, the Cloud Act or FISA.
Five criteria to qualify a cloud as sovereign
In this particularly complex market, Thomas Dallemagne, managing partner, Data AI at Klee Group, urges us to move away from a binary definition of the sovereign cloud. “There is not one sovereignty, but several sovereignties,” he summarizes, inviting us to examine five criteria of geographic, legal, operational, technological and economic sovereignty.
Seen through this matrix, the question does not come down to ensuring that the data is hosted on European soil. AWS, Microsoft Azure and Google Cloud have long offered the choice of location. On the other hand, only the highest level of SecNumCloud qualification, version 3.2, guarantees immunity from extraterritorial laws. A joint venture of Thales and Google Cloud, S3NS won this precious ticket last December for its trusted cloud.
“Operational sovereignty refers to the ability to maintain operations in all circumstances,” continues Thomas Dallemagne. Regulations like DORA or NIS2 impose requirements for resilience and continuity of service. The question implicitly arises as to whether a foreign authority has the capacity to “pull the plug”. “What would happen if, tomorrow, a European entity found itself disconnected from its cloud for geopolitical or commercial reasons?”
More pragmatically, the operation, maintenance and monitoring of cloud services must be carried out exclusively by staff based in Europe, whether present in the data center or remotely accessing the systems. In the strictest definition of sovereignty, the company operating this infrastructure must have its headquarters in Europe and its capital controlled by European actors to avoid any foreign interference.
The ultimate stage of technological sovereignty involves mastering all the software and hardware components necessary to operate a cloud, from the cloud orchestrator to the servers, including the highly sought-after GPU graphics processors. Not to mention the scarce metals and rare earths which are used in the composition of this equipment. A condition that is impossible to completely fulfill regardless of the trusted cloud operator.
S3NS and Bleu, the best of both worlds?
There is also the question of the technological evolution of cloud services. S3NS and Bleu, a subsidiary of Thales for one and of Capgemini and Orange for the other, tick most of the boxes of the criteria previously mentioned. These French companies employ French staff while operating the technologies of two hyperscalers, Google Cloud and AWS respectively. They seem to bring together the best of both worlds: namely the guarantees of a trusted cloud on the one hand, and the depth of catalog and the capacity for innovation of cloud leaders on the other.
What remains is the technological dependence of S3NS and Bleu on the platforms of their American partners. “If Google Cloud receives an injunction from the American authorities, the cloud continues to function,” says Henri Lhomme, partner at Deloitte, head of technology, strategy, AI, data, cloud and sovereign cloud. “On the other hand, customers no longer benefit from developments in the platform and the addition of innovative services.”
AWS, Microsoft and Google, each has its own strategy
What do the hyperscalers offer directly? Each has adopted a different strategy. “Microsoft has added additional layers to offer more control and governance,” notes Thomas Dallemagne. In June 2025, Microsoft Azure strengthened its Cloud for Sovereignty offering for all of its European regions. The cloud provider offers client companies the opportunity to provide their encryption keys and use their own hardware security module (HSM), through partnerships established with Thales, Futurex and Utimaco.
Operationally, “only Microsoft personnel residing in Europe control remote access to these systems.” And if ever engineers outside Europe need this access, the Redmond firm has put in place “human and technical supervision”. These accesses are “approved and monitored in real time by staff residing in Europe and recorded in a tamper-proof register”.
Last February, Microsoft went a step further by offering environments disconnected from its public cloud. With its “Local disconnected operations” offerings, companies and public organizations can run Azure and Microsoft 365 environments and AI models in their own infrastructures while benefiting from the cloud provider’s management and compliance tools.
For its part, AWS presents “AWS European Sovereign Cloud” as “a new independent cloud for Europe entirely located within the European Union, physically and operationally isolated from other AWS regions”. Operated exclusively by residents of the European Union, it is designed to “continue to operate sustainably, even if communications with the rest of the world are disrupted.”
In terms of governance, AWS has created a parent company and local subsidiaries, based in Europe and run by European citizens. In general availability since January, AWS European Sovereign Cloud launched its first region in Brandenburg, Germany, awaiting new “Local Zones” in Belgium, the Netherlands and Portugal.
Of the three hyperscalers, Google Cloud is the one that has communicated the least on the subject. The American giant has also set its sights on Germany. In November, it launched its first Sovereign Cloud Hub in Munich. A sort of showroom to present the provider’s sovereign solutions. This hub makes it possible to “deploy workloads with local control and assurance via trusted local partners”, including Thales for France.
It is with this same Thales that Google Cloud intends to replicate the success of S3NS in Germany. Announced in May, this new European sovereign cloud offering “will be based on a dedicated infrastructure which will be managed and operated by a new German entity, which Thales will fully own and control.” It must meet national regulatory requirements, C5 and C3A, the German equivalent of SecNumCloud. Note that Google Cloud, with Google Distributed Cloud, allows its technologies to be used in on-premises environments.
A risk-value approach
Given these guarantees of trust, is it acceptable or not to use an American cloud? Deloitte encourages its clients to adopt a “risk-value” approach. “Hyperscalers provide strong value in terms of innovation and performance,” recalls Henri Lhomme. “This contribution must be weighed against legal, operational and geopolitical risks. The regulatory aspect also weighs on certain regulated professions such as bankers, insurers or notaries.”
In his eyes, organizations must find the right balance. “It is important to diversify your suppliers so as not to be totally dependent on one service provider without, however, multiplying them excessively at the risk of not weighing on any of them.” Preaching for his parish, he indicates that Deloitte offers “a multi‑business offering, mobilizing risk teams, lawyers and IT operational staff to help clients structure a 360° sovereign risk analysis”.
| | AWS European Sovereign Cloud | Microsoft Sovereign Cloud | Google Sovereign Cloud | S3NS | Bleu |
|---|---|---|---|---|---|
| Data in EU | Yes | Yes | Yes | Yes | Yes |
| Company under European law | Yes | No | No | Yes | Yes |
| European employees | Yes | Yes | No | Yes | Yes |
| Immunity from extraterritorial laws | No | No | No | Yes | Yes |
| SecNumCloud 3.2 qualification | No | No | No | Yes | In progress |
| Technological independence | No | No | No | No | No |

Benchmarks can also help guide organizations. In France, the Digital Resilience Index (IRN) diagnoses their state of technological dependence according to different criteria such as the nationality of suppliers, the applicable legal framework or the adoption of open source technologies. The European Commission has published the Cloud Sovereignty Framework (CSF) to assess the level of sovereignty of cloud services operating in Europe.
Like his colleague, Thomas Dallemagne pleads for a pragmatic approach to risk management. “Many companies remain in a binary reading. Either they consider that sovereignty does not present an issue, or they want to move towards the all-sovereign.”
However, according to him, there is a whole gradation of solutions resulting from compromises between performance, cost, functional richness or level of control. He recalls that “sovereignty often implies additional costs, increased operational complexity, or even technological delay”. Rather than showing dogmatism on the subject, it is appropriate, in his eyes, to arbitrate according to the criticality of the activities supported and the sensitivity of the data.