Coonti Blog
Understanding European Data Sovereignty (Part 6): Evaluating Cloud and Platform Providers

The previous post examined how to design infrastructure that maintains control over data while using cloud services. It covered sovereign cloud concepts, multi-cloud and hybrid strategies, and the role of containers, encryption, and interoperability in enabling sovereignty-aware architectures.

Cloud platforms are now structural components of enterprise IT. Infrastructure, platforms, and software services are deeply interwoven into daily operations, often across multiple providers and jurisdictions. This brings undeniable benefits—elastic scalability, rapid innovation, and operational resilience—but it also introduces systemic dependencies that directly affect control over data, compliance posture, and long-term strategic flexibility.

Provider selection is therefore not just procurement—it is a sovereignty decision. If evaluation criteria focus only on cost and features, organisations risk embedding constraints that are difficult to unwind later.

Due Diligence Beyond Performance Metrics

A credible evaluation process must integrate legal, technical, and operational perspectives. Treat it as a structured risk assessment, not merely a checklist exercise.

Jurisdictional exposure should be the starting point:

  • Where is the provider headquartered?
  • Which legal entity delivers the service?
  • What national laws govern potential access to data?

Even if infrastructure is located within the EU, corporate ownership can extend legal exposure beyond it.

Infrastructure architecture must be examined in detail:

  • Where are data centers and processing systems located?
  • Can workloads be isolated regionally?
  • How are replication and disaster recovery implemented?

These factors determine whether sensitive workloads can realistically remain within a defined jurisdiction.

Security and governance capabilities are equally critical:

  • Encryption models and key management control
  • Identity and access management frameworks
  • Logging, monitoring, and auditability
  • Compliance certifications and regulatory alignment

In addition, resilience is not optional. Incident response maturity, disaster recovery design, and supply chain dependencies all influence whether a provider can support long-term governance requirements.

Metadata and Telemetry

Most organisations evaluate where their primary data resides. Far fewer examine where their metadata and telemetry go.

Modern cloud platforms generate extensive operational data:

  • Usage logs and performance metrics
  • Authentication and identity records
  • API interaction logs
  • System diagnostics and configuration data

This information can reveal system architecture, user behaviour, and business operations—sometimes with more clarity than the primary datasets themselves.

The critical questions are straightforward:

  • Where is this data processed and stored?
  • Is it transferred outside the EU?
  • Who has access to it?
  • How long is it retained?

In many platforms, telemetry flows through global systems regardless of workload location. This creates implicit cross-border data movement, which may conflict with regulatory expectations and internal governance policies.

If governance frameworks only cover primary data, they are incomplete.

Lock-in Risk Is a Strategic Constraint

Vendor lock-in is often treated as a technical inconvenience. In reality, it is a strategic limitation.

Lock-in typically emerges from three sources:

  • Proprietary services that rely on provider-specific APIs and tooling
  • Data gravity, where large datasets become operationally difficult to move
  • Integrated ecosystems that tightly couple infrastructure, development, and operations

These dependencies can make migration slow, expensive, or practically infeasible. An exit strategy must therefore be designed before adoption, not after. Effective mitigation approaches include:

  • Containerisation and portable workloads
  • Standardised, non-proprietary data formats
  • Explicit documentation of dependencies and migration paths
  • Selective use of open source technologies

If you cannot realistically exit, you have accepted long-term dependency—whether intentionally or not.

Interpreting “Sovereign Cloud” Claims

“Sovereign cloud” has become a widely used term, but its meaning varies significantly across providers. Some offerings genuinely address sovereignty concerns. Others primarily offer data residency without meaningful governance control.

Evaluation should focus on architecture and control, not branding:

  • Who operates the infrastructure in practice?
  • Which jurisdiction governs the provider?
  • Who controls encryption keys and identity systems?
  • Are operations and support isolated from global systems?

Frameworks such as the EU Cloud Sovereignty Framework provide useful structure, defining levels of independence across legal, operational, and technical dimensions.

A recurring pattern is that hyperscale providers offer strong regional isolation but remain subject to non-EU legal frameworks due to ownership structures. In contrast, EU-headquartered providers may offer greater jurisdictional independence, though sometimes with trade-offs in scale or service breadth.

There is no universal “correct” choice—but there must be an informed one.

Transparency as a Control Mechanism

Without transparency, risk cannot be properly assessed—or governed. In the context of data sovereignty, transparency is not simply a reporting feature; it is an operational prerequisite for maintaining control over data, access, and legal exposure.

Organisations should demand clarity on:

Government access requests

  • What legal thresholds must be met before data is disclosed?
  • Are requests challenged when they conflict with applicable law (e.g. EU data protection requirements)?
  • Are customers notified before or after disclosure, and under what constraints?
  • Are transparency reports sufficiently granular to distinguish between jurisdictions and types of data?

Even when providers report low volumes of government access, the process matters as much as the numbers. A provider’s willingness to challenge overbroad or extraterritorial requests is a meaningful indicator of how it will behave under pressure.

Operational access

  • Which roles within the provider organisation can access customer environments?
  • Are access events logged, monitored, and auditable by the customer?
  • Is access time-bound, approval-based, and subject to segregation of duties?

In mature environments, operational access should follow a “zero standing privilege” model—no persistent access rights, only temporary, fully audited escalation when required.
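As an added illustration (not code from the original post or from any provider), the following Python sketch models the zero standing privilege pattern described above: every escalation needs a distinct approver, is capped in duration, expires on its own, and leaves an audit record whether it was granted, blocked, or denied. The `AccessBroker` class, the `customer-prod` environment and the people named are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class AccessGrant:
    operator: str        # provider staff member given temporary access
    approver: str        # a different person who approved the request
    environment: str     # customer environment the grant applies to
    reason: str          # ticket or justification kept for audit
    expires_at: datetime

class AccessBroker:
    """Hypothetical broker: no standing rights, only time-bound, approved, logged escalation."""
    def __init__(self, max_duration=timedelta(hours=1)):
        self.max_duration = max_duration
        self.grants = {}     # (operator, environment) -> live AccessGrant
        self.audit_log = []  # every decision, allowed or not, is recorded
    def request_access(self, operator, approver, environment, reason, minutes, now=None):
        now = now or datetime.now(timezone.utc)
        if operator == approver:
            self._log(now, "DENIED", operator, environment, "self-approval breaks segregation of duties")
            return None
        ttl = timedelta(minutes=minutes)
        if ttl > self.max_duration:
            self._log(now, "DENIED", operator, environment, f"{minutes} min exceeds the escalation cap")
            return None
        grant = AccessGrant(operator, approver, environment, reason, now + ttl)
        self.grants[(operator, environment)] = grant
        self._log(now, "GRANTED", operator, environment, f"approved by {approver}, expires {grant.expires_at.isoformat()}")
        return grant
    def has_access(self, operator, environment, now=None):
        now = now or datetime.now(timezone.utc)
        grant = self.grants.get((operator, environment))
        allowed = grant is not None and now < grant.expires_at
        if grant is not None and not allowed:
            del self.grants[(operator, environment)]  # expired: nothing persists
        self._log(now, "ACCESS" if allowed else "BLOCKED", operator, environment, grant.reason if allowed else "no live grant")
        return allowed
    def _log(self, now, event, operator, environment, detail):
        self.audit_log.append({"ts": now.isoformat(), "event": event, "operator": operator,
                               "environment": environment, "detail": detail})

def simulate_escalation():
    # Constructed scenario: self-approval, over-long request, valid 30-minute grant, then expiry
    t0 = datetime(2026, 4, 28, 9, 0, tzinfo=timezone.utc)
    broker = AccessBroker()
    broker.request_access("alice", "alice", "customer-prod", "INC-1", 30, t0)   # DENIED
    broker.request_access("alice", "bob", "customer-prod", "INC-1", 120, t0)    # DENIED
    broker.request_access("alice", "bob", "customer-prod", "INC-1", 30, t0)     # GRANTED
    broker.has_access("alice", "customer-prod", t0 + timedelta(minutes=10))      # ACCESS
    broker.has_access("alice", "customer-prod", t0 + timedelta(minutes=45))      # BLOCKED (expired)
    broker.has_access("carol", "customer-prod", t0)                              # BLOCKED (never granted)
    return [entry["event"] for entry in broker.audit_log]
```

The audit log is the artefact a customer should be able to inspect; if a provider cannot produce the equivalent of `audit_log` for its own staff, the "fully audited" claim is unverified.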

Subprocessors and supply chains

  • Is there a complete and up-to-date list of subprocessors?
  • Can customers restrict or approve the use of certain subprocessors?
  • Are subprocessors bound by equivalent legal and security obligations?

Each additional actor in the delivery chain expands the jurisdictional and operational risk surface. Without full visibility, organisations cannot accurately map their exposure.

Compliance evidence

  • Are certifications (e.g. ISO, SOC) current and relevant to the services used?
  • Can the provider supply audit reports or allow independent verification?
  • Are compliance claims mapped to concrete technical and organisational controls?

Compliance should not be treated as a binary state (“certified” vs. “not certified”), but as evidence of how controls are implemented and maintained in practice.

Balancing Innovation and Sovereignty

Global cloud platforms are not going away, nor should they. They remain central to modern digital architectures.

However, their adoption must be deliberate:

  • Define architectural boundaries
  • Implement governance controls
  • Establish contractual safeguards
  • Maintain operational visibility

Sovereignty is not about rejecting cloud—it is about using it with intent and awareness.

The next post explores infrastructure, standards, and collaborative initiatives Europe is developing to strengthen digital sovereignty. We discuss how these initiatives are shaping the European cloud ecosystem, where they are succeeding, where they are falling short, and what they mean for organisations making long-term infrastructure decisions.

Published on April 28, 2026

Cover photo by Marino La Porta on Unsplash

This blog post is based on our book European Data Sovereignty – Practical Guide for CTOs, available as a free download.
