Cloud sovereignty in Europe: Who controls your cloud infrastructure - and why it matters

Why hyperscaler dependency is becoming a cloud sovereignty risk for European organizations

The issue is not the use of hyperscale cloud services themselves. In many cases they remain an essential part of modern infrastructure strategies.

The concern arises when critical workloads, data platforms, and digital services depend exclusively on infrastructure controlled outside Europe.

Several factors are driving this reassessment acrossEuropean enterprises:

Regulatory exposure and EU data jurisdiction

European organizations must operate within increasingly complex regulatory environments governing data residency, privacy, and digital sovereignty. When infrastructure platforms are operated by companies under foreign jurisdictions, questions arise around legal access, compliance boundaries, and regulatory alignment.

Frameworks such as GDPR, NIS2, and-for financial services-DORA create binding requirements around data location, operational resilience, and third-party oversight. For industries such as finance, healthcare, and the public sector, these considerations can become particularly significant.

A particularly significant legal dimension is the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act), which grants US authorities the power to compel American cloud providers to disclose data stored on their servers-regardless of whether that data physically resides in Europe. This creates a direct and unresolved tension with GDPR and European data sovereignty requirements: an organization may store data in an EU-based data center operated by a US hyperscaler and still face the risk of that data being accessed under US law, without the knowledge or consent of the data subject or the European supervisory authority.

Geopolitical risk and cross-border technology dependency

Technology infrastructure is increasingly intertwined with geopolitical dynamics. International tensions, sanctions regimes, and cross-border regulatory conflicts have demonstrated that access to critical technologies can become politically sensitive.

While such risks remain hypothetical in many cases, organizations responsible for critical systems increasingly consider them in long-term infrastructure planning.

Vendor concentration risk in cloud infrastructure

The global cloud market is dominated by a small number of hyperscale providers. As more infrastructure moves into these ecosystems, organizations may find themselves increasingly dependent on a limited set of vendors for essential digital capabilities.

This concentration can affect negotiating leverage, platform roadmap influence, and long-term strategic flexibility.

In this context, the discussion is not about rejecting hyperscalers. It is about ensuring that organizations retain meaningful control over where their most critical workloads ultimately run.

Digital sovereignty in Europe: How policymakers and enterprises are responding

Across Europe, policymakers and industry leaders have begun addressing these questions more explicitly.

Initiatives such as the European Cloud Rulebook, EUCS (EU Cloud Certification Scheme), and EU Cloud Sovereignty Framework reflect a broader recognition that digital infrastructure has become a strategic asset. Public sector organizations and regulated industries in particular are increasingly exploring infrastructure models that allow them to maintain cloud-native capabilities while ensuring infrastructure jurisdiction remains aligned with European regulatory and policy frameworks.

For many organizations, this is not a purely political issue. It is a matter of long-term operational resilience and strategic independence.

Cloud repatriation vs. sovereign cloud: Why simply moving back on-premises is not enough

One intuitive response to hyperscaler dependency is to move workloads back to traditional on-premises infrastructure.

In practice, however, modern applications are deeply tied to cloud-native architectures.

Organizations today rely on platforms built around:

• containerized workloads
• Kubernetes orchestration
• distributed data platforms
• automated infrastructure provisioning
• scalable application platforms

Simply moving applications back to traditional infrastructure environments can require significant architectural changes and may undermine the development and operational models organizations have adopted over the past decade.

As a result, the real challenge is not abandoning cloud-native architecture, but finding ways to retain it while regaining infrastructure sovereignty.

The sovereign cloud-native infrastructure model: OpenStack and Kubernetes as the foundation

An emerging approach is to build cloud platforms on open, widely adopted technologies rather than proprietary hyperscaler services.

In this model, organizations retain the cloud-native development and operations paradigm while running the infrastructure layer under their own control.

A typical sovereign cloud-native architecture combines:

• Kubernetes as the application orchestration platform
• ‍OpenStack as the open infrastructure layer providing compute, storage, and networking
• An ecosystem of open-source components supporting networking, security, observability, and platform services

Because these technologies are open and vendor-neutral, they avoid dependency on proprietary hyperscaler APIs and services.

This enables cloud-native workloads to run on infrastructure controlled by the organization, including:

• private infrastructure in their own data centers
• infrastructure operated by trusted European cloud providers
• hybrid environments spanning multiple locations

Applications built on Kubernetes can operate consistently across these environments, allowing organizations to maintain the same development model while retaining flexibility over infrastructure location.

In this architecture, sovereignty is achieved not only through where infrastructure runs, but also through control of the underlying technology stack.

When sovereign cloud infrastructure makes strategic sense: Key decision criteria

A sovereign cloud-native infrastructure model is particularly relevant for organizations whose infrastructure choices carry long-term regulatory, economic, or strategic implications.

This often includes organizations that:

• operate large-scale private or hybrid infrastructure environments
• face regulatory, data residency, or digital sovereignty requirements-particularly under EU frameworks such as GDPR, NIS2, DORA, or the EU Cloud Rulebook
• require predictable long-term infrastructure economics
• are building large data or AI platforms
• treat infrastructure as a strategic platform rather than a commodity utility

For these organizations, reducing dependency on proprietary hyperscaler ecosystems is less about replacing one technology with another and more about establishing a sustainable foundation for critical digital services.

Cloudboostr: An EU-built sovereign cloud foundation for European enterprises

For organizations seeking to implement this model, Cloudboostr-developed by Grape Up, a European cloud-native software company-provides a practical and enterprise-ready foundation.

Cloudboostr is an EU-built cloud platform designed specifically for organizations that require sovereignty, regulatory alignment, and long-term control over their infrastructure stack.

The platform combines:

• OpenStack-based infrastructure for compute, storage, and networking
• a production-grade Kubernetes runtime for cloud-native workloads
• a platform architecture built entirely on upstream open-source components

Because Cloudboostr relies on open technologies rather than proprietary hyperscaler services, organizations maintain full architectural transparency and independence from hyperscaler ecosystems.

The platform is also designed with European regulatory and sovereignty requirements in mind, supporting deployment models that align with EU data residency and compliance expectations.

Cloudboostr environments can be deployed:

• in an organization's own data centers
• through trusted European cloud infrastructure providers
• in hybrid environments combining multiple locations

With an EU-built and EU-supported platform based on open technologies, organizations gain a sovereign cloud-native foundation capable of running modern applications, data platforms, and AI workloads while retaining full control over infrastructure jurisdiction and technology choices.

Conclusion

Hyperscale cloud providers will continue to play an important role in the global digital ecosystem. Their platforms have enabled unprecedented innovation and remain essential for many use cases.

At the same time, as digital infrastructure becomes increasingly critical to economic and public systems, some organizations are reconsidering whether exclusive dependence on a small number of global providers aligns with their long-term strategic needs.

A sovereign cloud-native infrastructure model offers a pragmatic path forward. By building platforms on open technologies and deploying them on infrastructure under European control, organizations can maintain modern cloud-native architectures while regaining flexibility over where critical workloads run.

In the coming years, the most resilient infrastructure strategies may not be those that choose between hyperscalers and sovereign infrastructure, but those that retain the freedom to operate across both. Open cloud platforms such as Cloudboostr are specifically designed to make that balance achievable for European enterprises.

Cloud sovereignty across Europe: DACH, CEE, and the public sector landscape

Cloud sovereignty has moved to the top of the technology agenda across European markets-with the DACH region (Germany, Austria, Switzerland) and Central and Eastern Europe (CEE) at the forefront of institutional and regulatory pressure.

In Germany, the federal government's Sovereign Tech Fund and Bundescloud initiatives signal a structural shift toward public-sector infrastructure operated under domestic or EU jurisdiction. German financial institutions regulated by BaFin and healthcare organizations subject to the German Hospital Future Act (KHZG) face explicit requirements that directly affect cloud infrastructure choices.

In Austria, public procurement guidelines and federal data processing rules create similar obligations for government-connected organizations. In Switzerland, the Federal Data Protection Act (nFADP)-aligned in spirit with GDPR-adds further compliance layers for cross-border data infrastructure.

Across CEE-including Poland, Czech Republic, Slovakia, Romania, and the Baltic states-national cybersecurity strategies and NIS2 transposition are accelerating the demand for EU-operated infrastructure for critical sectors including energy, transport, finance, and public administration. Organizations in these markets increasingly require cloud solutions that combine cloud-native capabilities with demonstrable data residency and regulatory traceability.

Cloudboostr, designed and operated within the EU, is positioned to serve organizations across DACH and CEE that require sovereign infrastructure without sacrificing the operational capabilities of modern cloud-native platforms.

FAQ: Cloud sovereignty and sovereign cloud infrastructure in Europe

1. What is cloud sovereignty and why does it matter for European organizations?

Cloud sovereignty refers to an organization's-or nation's-ability to maintain control over its data, digital infrastructure, and the legal jurisdiction under which that infrastructure operates. For European organizations, it matters because critical infrastructure hosted on non-EU hyperscalers may be subject to foreign laws (such as the US CLOUD Act), creating potential conflicts with GDPR, NIS2, and national data protection frameworks.

2. What is the difference between sovereign cloud and private cloud?

A private cloud is infrastructure dedicated to a single organization, typically operated on-premises or in a colocation facility. Sovereign cloud is a broader concept that adds the dimension of legal jurisdiction, regulatory alignment, and data residency-the infrastructure must not only be private, but also operated under a defined legal and regulatory framework, typically within the EU. A sovereign cloud can be private, but a private cloud is not automatically sovereign.

3. Which EU regulations require cloud sovereignty or data residency?

Several EU frameworks create direct or indirect requirements relevant to cloud sovereignty: GDPR (data protection and cross-border transfers), NIS2 (cybersecurity resilience for critical infrastructure operators), DORA (digital operational resilience for financial entities), and the proposed EU Cloud Rulebook. Sector-specific rules in banking, healthcare, and public administration often add additional data residency obligations on top of these baseline frameworks.

4. Can European organizations still use AWS, Azure, or Google Cloud under GDPR?

Using hyperscalers is not prohibited under GDPR, but it requires careful management of data transfer mechanisms, processor agreements, and risk assessments-particularly following the Schrems II ruling. For non-critical workloads, hyperscalers can remain compliant. For highly regulated or sensitive data, organizations may need infrastructure operated entirely within the EU or under EU-governed contracts, which is where sovereign cloud alternatives become relevant.

5. What is OpenStack and how does it support sovereign cloud deployments?

OpenStack is an open-source cloud infrastructure platform that provides compute, storage, and networking capabilities without dependency on proprietary hyperscaler services. It is widely deployed by European telcos, financial institutions, and public sector organizations as the foundation for sovereign cloud infrastructure. Because OpenStack is vendor-neutral and can be run on hardware under an organization's control, it is a natural foundation for EU data sovereignty strategies.

6. How does Cloudboostr differ from using a hyperscaler's EU region?

A hyperscaler's EU region stores data in Europe but the infrastructure is still controlled, operated, and ultimately governed by a US-headquartered company subject to US law. Cloudboostr is an EU-built platform based entirely on open-source components, giving organizations full control over infrastructure governance, data jurisdiction, and technology choices-without dependency on proprietary hyperscaler APIs or commercial ecosystems.