This study examines the challenges and implications of European digital sovereignty in the context of cloud services dominated by US-based hyperscalers. It explores the legal, technical, and governance dimensions influencing data control, focusing on the impact of extraterritorial legislation such as the US CLOUD Act and FISA 702. The analysis highlights the limitations of physical data localisation without corresponding operational and administrative isolation from foreign jurisdictions. Key aspects include encryption and key management practices, administrative access controls, infrastructure segmentation, and the role of corporate governance structures in shaping sovereignty claims. The investigation also addresses public sector and critical infrastructure adoption patterns, regulatory frameworks like GDPR and NIS2, and the influence of market concentration on sovereignty objectives. Furthermore, it assesses the effectiveness of current assurance mechanisms, including certification standards and audit practices, in verifying compliance with European strategic autonomy goals. The study concludes with policy recommendations emphasizing enforceable jurisdictional isolation, enhanced procurement criteria, and support for domestic cloud providers to reduce dependency on foreign-controlled infrastructures. Emerging technologies such as AI and edge computing are considered for their dual potential to both support and challenge sovereignty efforts, underscoring the need for integrated technical and legal safeguards to maintain autonomous digital governance within Europe.
Johannes Maria van Hamond (Mon,) studied this question.
Synapse has enriched 5 closely related papers on similar clinical questions. Consider them for comparative context: