Bottom line: Data sovereignty through local cloud infrastructure is necessary but insufficient — true control requires robust identity governance and transparency over metadata, encryption keys, and access protocols.
Under regulatory pressure, European companies have demonstrated that sovereign cloud infrastructure alone does not secure true control over sensitive data and AI workloads. Actual control lies at a different level: identity governance and access management.
Over the past two years, European companies have carried out large-scale migrations to sovereign cloud infrastructure under pressure from DORA (fully applicable since January 2025), enforcement of the NIS2 Directive, and the high-risk regulations of the EU AI Act (effective from August 2026). In the process, it became clear that data sovereignty alone (that is, physical residency in European data centers) does not provide the control that boards, compliance teams, and auditors expect. AWS launched its European Sovereign Cloud in January 2026; Microsoft and Google followed with their own offerings. Yet operational reality deviates significantly from the promises.
The practitioner discourse has shifted measurably. At the European Identity and Cloud Conference 2026 in Berlin, Identity Fabric, Workload Identity Management, and AI Security topics took center stage, while sovereign cloud architecture itself became an assumed infrastructure foundation. Martin Kuppinger (KuppingerCole) summarized the insight: sovereignty is not an end in itself. The required level depends on the use case and a credible risk assessment. There is no binary sovereignty model, which means companies must distinguish between workloads with different protection requirements.
The open question remains: who actually controls what? Data sovereignty only defines where data physically resides. The critical control questions remain unanswered. Who holds the encryption keys, and under what legal conditions can they be accessed? Who can see metadata, access logs, and workload telemetry? For AI model training and inference, who controls the model registry, the training data pipeline, and output logs? And when autonomous AI agents provision workloads or make access decisions, on what infrastructure do these agents run, and who can observe their actions?
For CISOs, this means: sovereign cloud is a necessary but not sufficient measure for regulatory compliance in the context of AI and critical infrastructure. Actual control must be ensured through a robust identity governance framework, key management, audit logging, and access control at the application layer — regardless of which cloud provider operates the infrastructure.
Source: www.csoonline.com · Published June 15, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.