Skip to content

Is your "sovereign cloud" actually sovereign? Follow the chain all the way down

A plain-language companion to the working paper "Path Sovereignty: Dependence, Control, and Options in the European Digital Stack" (v0.15, July 2026). The paper carries the sources, the model, and the caveats; this text carries the ideas.

The short version. Two different goals hide under the words "digital sovereignty". One is keeping data out of the reach of foreign courts and agencies: a security goal, addressed by certifications, with catches. The other is being able to choose your technology, run it, and switch away at a bearable price: an economic goal, and the one the word "autonomy" actually names. Europe has instruments for the first and no measurement for the second. We built the measurement: a sourced map of the whole digital supply chain, from raw materials to app stores, and a way of pricing what Europe actually holds at each layer. The headline: what matters is never who owns the shop; it is everything the shop stands on.

The passport at the counter

Suppose you want a "sovereign" cloud, so you check the provider's passport: incorporated in Europe, owned by Europeans. Done? The shop may be local while the warehouse, the wholesaler, and the factory all sit abroad. A cloud service stands on software it licenses, hardware it buys, chips inside the hardware, a fab that made the chips, and materials that fed the fab. Dependence travels down that whole chain, and so does exposure to foreign law and foreign pricing power. Checking the top of the chain checks almost nothing.

The measured version of this is stark. Amazon's "European Sovereign Cloud" is incorporated in the EU, staffed by EU residents, and wholly owned by Amazon: on the legal coding it scores exactly as exposed as Amazon, because it is Amazon. The French-qualified ventures (Thales running Google's cloud technology, Orange and Capgemini running Microsoft's) close the ownership route, and their roadmaps, features, and code updates still come from Seattle and Mountain View. Across twenty-one European-owned providers and deployments we documented, nineteen reach US-controlled technology somewhere down their dependency paths. A European passport at the counter, a foreign supply line behind it.

Two kinds of pressure, one chain

Why does the chain matter? Because two kinds of pressure run down it.

The everyday kind needs no crisis. A supplier you cannot leave can reprice you: Microsoft raised list prices on six product suites by 8.6 to 25 percent in one 2022 move; Broadcom's repricing of VMware sent European datacenter operators scrambling for exits; cloud providers long charged steep fees just for taking your own data out. Even states join in: the US government now collects 15 percent of the revenue on certain Nvidia chip-export licenses. These are rents, and they flow every day.

The emergency kind is rarer and sharper: laws that compel data disclosure (the CLOUD Act, FISA), and export controls that can cut supply. Both exist, and both have been used on allies: a January 2025 US rule placed 17 of 27 EU member states under computing-power caps before being walked back four months later. Nobody can promise this channel away; under oath before a French Senate inquiry, Microsoft France's own legal director declined to guarantee that French citizens' data would never be handed to US authorities.

Sovereignty is a stock of options

So what should "sovereign" mean? The definitions in circulation converge on a simple idea: the capacity to choose your digital means, operate them, and choose again later, at a price you can pay. That capacity has three components you can actually measure. How many real alternatives exist, under genuinely different control? What would switching cost today? And how fast is the set of alternatives shrinking? A wrapper that adds no alternative adds no autonomy, whatever it does for the legal file. And autonomy is compatible with openness: three solid foreign suppliers you can switch among beat one fragile domestic monopolist.

What the map shows

We mapped 52 categories of the stack with sources on every link (revised twice in July 2026: first to add the layers a cloud-centered first pass had buried, client operating systems, browsers, enterprise demand, and industrial IoT; then to split the conflated actors, wire six isolated nodes, and complete the legal-reach coding after a full review). Three findings organize it.

Control is spread out. Of the thirty-three production-and-distribution categories, thirteen are US-controlled, six European, and the rest split among Taiwan (chip fabrication), Korea (memory), Japan (materials), China (raw-material processing), open-source communities, and mixed cases. Nobody owns the chain; even the US layers stand on an Asian base that no ownership transfer can move. What the US holds that nobody else does is legal reach: its law can compel twenty-one of the 52 categories, against thirteen for the EU (mostly conduct rules on its own soil) and three for China.

Alternatives exist where the substrate is open. Across the proprietary layers of the map, domestic escape routes are rare (four cases out of twenty-two); across the open, forkable layers they always exist. The history backs the pattern: when Oracle bought MySQL, the open code was forked into MariaDB within months and the alternative survived the acquisition; when the US cut Huawei off, the open half of its Android dependence was replaced almost immediately while the proprietary half took a state-scale, multi-year effort.

And the three layers we measured supplier-by-supplier price the options concretely. Commodity cloud is genuinely plural: OVHcloud, Hetzner, Scaleway, IONOS, StackIT and others are independently European, though the option set thins fast as you climb toward managed services. Office software has few alternatives and a demonstrated exit: the German state of Schleswig-Holstein moved roughly 80 percent of its administration to LibreOffice and migrated 44,000 mailboxes off Exchange, in about six months, while Munich's earlier reversal shows such exits also need political staying power. AI accelerators are the hard case: exit from Nvidia is nearly free for running models and very expensive for training them, and no European alternative exists on any near horizon.

What the certificates do, and what they cost

France's SecNumCloud and the Commission's new Cloud Sovereignty Framework name exactly the right concepts: the French text requires that a provider could keep operating from its own competences or two other companies, the Commission's top grade requires "no critical non-EU dependencies". But a rule on paper is an upper bound on protection, for three reasons the paper prices. Scope: where "control" ends for a venture running its licensor's code is a question for engineers and courts, and the incorporation papers do not settle it. Enforcement: the tests bind only where someone applies them; the French government committed in 2020 to move its national Health Data Hub off Microsoft Azure within two years, and it was still there when the Senate inquiry revisited the matter in 2025. Cost: qualification took the Thales-Google venture four years, its change-control slows every new feature, and both burdens weigh most on exactly the small European providers the rules were meant to help.

Policy, sorted by layer

The map sorts the instruments by where each one works. Rules that cut switching costs work everywhere at once and are cheap to enforce: the cloud egress fees died across the market in 2024, in the shadow of the EU Data Act, before its ban even binds. Procurement can buy European where options actually exist, and the machinery is live: the Commission's own 2026 sovereign-cloud tender was won across four lots by European consortia. Public investment has its clear case exactly where no buyer on any continent has an alternative: fabrication, memory, materials, the floor. And the legal shield is worth holding at its weight, with its scope, enforcement, and cost carried on the ledger.

One caveat closes it, as in the paper. The map is documented and incomplete, so exposure counts are floors; the graded numbers are reported as signs and rankings, never as precise magnitudes; and "can be cut" describes capability, never anyone's intent. Every number traces to a source and a script anyone can rerun.