The 4 Levels of cloud sovereignty: a practical guide for European CEOs & CTOs
Not all "European hosting" is created equal. From a standard AWS Frankfurt region to a fully EU-owned provider, there are four distinct levels of sovereignty protection. Here's how to tell them apart and choose the right one for each workload.

TL;DR
"EU-hosted" and "EU-owned" are not the same thing. The US CLOUD Act can compel American companies to hand over data regardless of where it's stored. Between a standard US cloud region in Europe and a fully European provider, there are four distinct levels of sovereignty, each with different legal exposure, technical independence, and trade-offs. This guide breaks down each level so you can match the right one to each workload in your stack.
In June 2025, Microsoft France's legal director told the French Senate, under oath, that he could not guarantee European data wouldn't be handed to US authorities. This was not a surprise to privacy experts. But it was the first time a hyperscaler executive said it this clearly, on the record, in a parliamentary hearing.
The reason is a US law called the CLOUD Act. Passed in 2018, it allows American law enforcement to compel any US company to produce data, regardless of where that data is physically stored. A server in Frankfurt doesn't help if the company running it is headquartered in Seattle.
For European CTOs and founders, this creates a problem. Most of your stack probably runs on US-owned infrastructure. And "we host your data in the EU" is a common reassurance from vendors. But hosting location and legal jurisdiction are two different things.
The good news: there are real options at every level of the spectrum. Here's how to think about them.
The four levels of cloud sovereignty
Not all European hosting offers the same protection. We've identified four levels, from lowest to highest sovereignty, each with clear trade-offs.
Level 1: EU-hosted, US-owned
What it is. A standard AWS, Azure or Google Cloud region located in Europe. Your data sits in Frankfurt, Dublin, or Paris. The company running the infrastructure is American.
Examples. AWS eu-central-1, Azure West Europe, Google Cloud europe-west1.
CLOUD Act exposure: high. The US government can issue a warrant directly to the parent company. Microsoft confirmed this under oath. No amount of contractual guarantees changes the legal reality. Standard encryption (BYOK) doesn't help either: if the provider holds the keys or can access the data in plaintext, they can be compelled to hand it over.
Best for. Non-sensitive workloads, public-facing websites, development environments. Any data you'd be comfortable seeing in a breach notification.
Level 2: US sovereign cloud partitions
What it is. A separate cloud environment, run by a European subsidiary of a US company, with dedicated infrastructure and EU-based staff. Physically and logically isolated from the provider's global regions.
Examples. AWS European Sovereign Cloud (launched January 2026 in Brandenburg, Germany, with 7.8 billion euros in committed investment). Operated by a German GmbH, managed by EU citizens, with its own security operations center.
CLOUD Act exposure: medium-high. The European subsidiary is a separate legal entity, but it's still 100% owned by the US parent. Whether a CLOUD Act warrant can reach through this structure hasn't been tested in court. AWS argues that its Nitro encryption makes customer data inaccessible even to its own staff. This is a strong technical safeguard, but the legal question is open.
Best for. Regulated workloads where you need the full breadth of AWS/Azure services but want stronger sovereignty controls than a standard region. Public sector customers who require EU-based operations.
Level 3: EU-operated joint ventures, US technology
What it is. A European company operates the cloud infrastructure independently, using licensed technology from a US hyperscaler. The US company has no ownership stake (or a minority one) and no operational control.
Three projects to know:
Bleu is a joint venture between Orange and Capgemini in France. It operates Microsoft Azure and Microsoft 365 services for the French market. Microsoft has no stake in Bleu and no access to operations. Bleu is currently pursuing SecNumCloud 3.2 certification from France's ANSSI, with full qualification expected in 2026.
S3NS is a joint venture between Thales (majority shareholder) and Google Cloud (~20%). It offers Google Cloud services operated exclusively by French staff on dedicated infrastructure. S3NS obtained SecNumCloud 3.2 certification in December 2025, making it the first hyperscaler-based offering to achieve this qualification.
Delos Cloud is a German partnership between SAP and Arvato Systems (Bertelsmann). It operates Microsoft Azure and M365 for the German public sector, with compliance tailored to BSI standards.
CLOUD Act exposure: lower. Because the operating entity is European and the US vendor has no controlling stake, a CLOUD Act warrant can't be served directly to it. This is a meaningful legal improvement over Levels 1 and 2.
But there's a catch. These joint ventures depend on the US partner for software updates, patches, and underlying technology. If the US government restricted exports or the vendor decided to cut ties, the service could stop functioning within days or weeks. This happened in practice: when the ICC was locked out of its Microsoft account in May 2025 after US sanctions, it demonstrated how operational dependency on a US vendor creates a single point of political failure.
Best for. Sensitive and regulated workloads that need enterprise-grade US software (Microsoft 365, Google Workspace, Azure AI) with the strongest available legal insulation from the CLOUD Act. Financial services under DORA, healthcare, public administration.
Level 4: EU-owned and EU-built
What it is. European companies that own their infrastructure, write their own code, and answer only to European law. No US parent, no US technology dependency, no CLOUD Act exposure.
Examples. There's a growing ecosystem of EU-native providers, each with different strengths:
For IaaS and cloud computing: OVHcloud (French, publicly traded, 43 data centers, S3-compatible storage, SecNumCloud qualified), IONOS (German, 6.3 million customers, managed databases), Scaleway (French, Iliad Group, strong managed database offering), Hetzner (German, founder-owned, excellent price-performance ratio), and 3DS Outscale (French, Dassault Systemes subsidiary, first provider to achieve SecNumCloud 3.2).
For broader EU hosting: Open Telekom Cloud (Deutsche Telekom, enterprise-focused), Aruba Cloud (Italian, 5 owned campuses, 16 million users), UpCloud (Finnish, 99.999% SLA), and Clever Cloud (French PaaS, per-second billing).
You can browse the full directory of European cloud providers on our site.
CLOUD Act exposure: none. These companies are incorporated in the EU, owned by EU entities, and operate exclusively under European law. A US warrant has no legal path to reach them.
The trade-off is real. European providers can't yet match the breadth of managed services that AWS, Azure or Google offer. If you need 200+ managed services, proprietary AI models, or a global CDN with 300 PoPs, a Level 4 provider won't cover everything. The gap is narrowing (OVHcloud just crossed 1 billion euros in annual revenue, and European providers are growing fast), but feature parity isn't there yet for every use case.
Best for. Any workload involving personal data of EU citizens, health records, legal documents, financial data, government contracts, or anything where regulatory compliance (GDPR, NIS2, DORA) or reputational risk makes CLOUD Act exposure unacceptable.
How to use this framework
You don't need to move your entire stack to Level 4 overnight. That's neither practical nor necessary.
Start by classifying your workloads by sensitivity. Put your most sensitive data (customer PII, health records, financial data, legal documents) on Level 3 or Level 4 infrastructure. Keep your less sensitive workloads (public websites, dev/staging environments, analytics) wherever the best tool lives, even if that's Level 1.
The key insight is that sovereignty is a spectrum, not a binary. What matters is making a conscious decision for each workload, not defaulting to "we host in the EU" without understanding what that actually protects.
For a broader look at European SaaS alternatives across every category, check our guide to building a European SaaS stack. And if you want to understand the regulatory context behind these choices, our article on digital sovereignty goes deeper.
The European cloud ecosystem is smaller than the US one. But it's real, it's growing, and it's the only option that gives you full legal certainty. Every tool you evaluate is a choice. Make it a conscious one.