For decades, Europe’s ambitions of possessing truly “sovereign cloud” solutions—platforms supposedly placed beyond the reach of foreign powers—have collided with a technological and economic reality: America’s hyperscaler giants, especially Microsoft, Google, and Amazon Web Services, have become the linchpins of global cloud infrastructure. While European policymakers and enterprises drum up public assurances of data autonomy and watertight compliance, genuine sovereignty remains elusive. In practice, these “European” clouds are more akin to hybrids—Franco-American or Euro-American fusions—than truly independent entities. The deep-rooted dependencies, highlighted by Microsoft’s position at the heart of so-called sovereign clouds, raise important questions about where true control, and thus true sovereignty, actually reside.
The push for sovereign clouds in Europe did not arise in a vacuum. Over the last decade, growing reliance on foreign—primarily American—cloud providers sparked concerns among regulators, national governments, and privacy advocates regarding the security, autonomy, and legal control of critical data and infrastructure. Some of the fundamental motivations for sovereign cloud initiatives include:
According to Orange’s official statements, all Bleu data centers sit on French soil, owned and operated by French entities. Microsoft is formally denied access to commercial and customer data—the legal controls and contractual fences appear robust. But the contract’s bedrock is unmistakable: “Bleu’s cloud infrastructure is entirely independent of Microsoft, and Microsoft does not have access to the service platform or customer data,” Orange emphasized. Nevertheless, the computing stack itself consists “specifically [of] Microsoft 365 and Microsoft Azure,” with Microsoft as the essential technology partner powering the platform.
This situation underscores a core contradiction: while the French partners hold the keys to the data halls and the legal documentation attests to control, the cloud’s technical lifeblood—its codebase, updates, and security patches—remains Microsoft’s intellectual property. As critics point out, it is as if France owns a state-of-the-art sports car but relies on Microsoft for the only key that can start the engine.
This assurance, designed to calm European nerves, is itself telling. Nowhere does Microsoft explicitly deny it possesses the technical means to terminate service or prevent access to core cloud features. In effect, the sword of Damocles—a remote but real possibility of US-imposed lockout—remains suspended above any supposedly “sovereign” deployment using US-origin technology.
If such an event did occur, the fallback provisions become almost farcical. Microsoft’s terms reportedly specify that backup copies of software code, for disaster recovery, will be held in Switzerland. But as Light Reading wryly notes, mere access to source code does not equate to the ability to instantly rebuild or operate cloud services at enterprise scale—a feat highly unlikely without continuous support, documentation, and integration with the broader Microsoft ecosystem.
Dag Peak, CTO of Alianza, described the complexity of migrating workloads from AWS to Azure in a recent Telecoms.com podcast. Alianza, having “used 37 different prebuilt AWS services...to build [a] highly scalable, highly reliable call-control platform,” found there were “no like-for-like equivalents” available in Azure. The process of disentangling core business functionality from unique cloud-native services is time-consuming, costly, and fraught with compatibility issues.
European regulators have long been wary of this dependence. Nonetheless, the competitive reality cripples native alternatives. Microsoft reported a staggering $44.5 billion in capital expenditure in its last fiscal year—a scale of investment entirely out of reach for any would-be European rival. Even with the backing of governments and the EU, the technical and economic moat encircling US platforms is immense.
Elsewhere on the continent, most major telcos—Deutsche Telekom, Orange, and others—have established their own private cloud infrastructure (e.g., Orange’s “Orange Telco Cloud” or Deutsche Telekom’s “T-CaaS” offering) specifically to sidestep the risk of public cloud lock-in. The exception among large European telecoms appears to be Telefónica Germany, which has embarked on a phased migration of core network workloads onto AWS, having confirmed successful scaling on AWS Outposts at its own facilities. According to Telefónica CTO Mallik Rao, the allure is the “features and artificial intelligence services” that hyperscalers provide—services not easily replicated internally.
Yet even as isolated exceptions flirt with greater hyperscaler usage, the overall trend is one of caution, not expansion. European telecom workloads, for now, overwhelmingly avoid AWS, Google Cloud, or Azure for core functions—reflecting both national policy and broader nervousness about ceding operational autonomy.
Microsoft’s polite, carefully hedged assurances are unlikely to fully dispel such concerns. The refusal to confirm technical incapacity for disabling or degrading a sovereign cloud, should legal obligations require it, exposes a hard truth: ultimate power resides not with nominal platform owners, but with whoever holds the master keys to the source code and operational tooling.
Europe’s policy approach has been to cajole, regulate, or subsidize local alternatives, but results thus far have been modest. Projects like GAIA-X, once heralded as the blueprint for next-generation European data infrastructure, have struggled to attract significant market share or innovation velocity comparable to their US counterparts. Reports of internal governance disputes, unclear commercial value, and tepid partner engagement shadow the initiative, even as it seeks to define standards for interoperability and data sovereignty.
The most successful “European” cloud ventures to date, including Bleu, are in practice joint undertakings with US hyperscalers, not stand-alone indigenous giants.
Yet, this analogy also lays bare the weakness in Europe’s position. Unlike paper records or physical children, software code is not merely a thing to be retrieved and restored. It requires constant updates, technical support, and a running, compatible operational environment. In the event of a political rupture, the “code in Switzerland” fallback is an illusion: without Microsoft’s willful, ongoing support, a European operator would be left with nothing more than inert bytes—a Ferrari with neither keys nor a manual.
Microsoft’s pragmatic balancing act—supplying technology while ceding operational and legal control in contracts—reflects an awareness that European markets want assurance, but not at the expense of usability, support, or innovation cadence. The company’s declaration to contest any forced cessation of service is legally sound but not, ultimately, an absolute guarantee of availability.
The risk for Europe is twofold: severe disruption, should political winds turn, and strategic stagnation, should it fail to invest ambitiously enough in alternative platforms, even if these are more costly or less feature-rich in the short term.
It is a compromise with notable benefits: compliance with GDPR and other European data protection mandates, deep pools of innovation borrowed from hyperscalers, and business continuity options better than nothing at all. But the accompanying risks—of lock-in, remote disablement, and strategic helplessness—are likewise real, not hypothetical.
Ultimately, Europe’s sovereign cloud is a work in progress, a pragmatic patch rather than a principled stand. For enterprises and governments alike, honest reckoning with the limits of sovereignty—and renewed investment in genuine innovation—will be the only way to close the yawning gap between cloud PR and cloud reality. The lesson for policymakers, customers, and technologists is clear: in the cloud, as in politics, true autonomy is hard-won, never granted—and all too often, more illusion than fact.
Source: Light Reading Microsoft shows who really controls Europe's 'sovereign clouds'
The Emergence of the ‘Sovereign Cloud’: Origins and Motivations
The push for sovereign clouds in Europe did not arise in a vacuum. Over the last decade, growing reliance on foreign—primarily American—cloud providers sparked concerns among regulators, national governments, and privacy advocates regarding the security, autonomy, and legal control of critical data and infrastructure. Some of the fundamental motivations for sovereign cloud initiatives include:- Legal jurisdiction and data protection: With legislation such as the General Data Protection Regulation (GDPR), Europe enshrined stringent rules regarding where data should physically reside and who can access it. Sovereign cloud proposals often promise that data remains strictly within national borders and subject only to European law.
- Geopolitical uncertainty: The volatile tenor of US politics—particularly during the Trump administration—placed the issue of technological dependence in sharper relief. An unpredictable American president wielding executive orders or trade measures could, in theory, give US tech companies little choice but to cut off European clients.
- Resilience in the face of conflict or disaster: Russia’s invasion of Ukraine pushed the need for secure, resilient cloud environments up the agenda. Migrating Ukrainian government data out of the country—with the help of US hyperscalers—showed both the benefits and the vulnerabilities of cross-border cloud reliance.
Examining the French ‘Cloud de Confiance’: A Case Study in Hybridity
Arguably the most high-profile example of Europe’s “sovereign cloud” efforts to date is Bleu, a joint venture launched in 2023 between French telecoms titan Orange and IT consultancy Capgemini. Branded as a “cloud de confiance” (trusted cloud), Bleu was designed to meet stringent French government demands for national data residency, legal control, and independence from foreign interference. Yet a closer look reveals that Bleu’s deep technical foundations—and, crucially, its operational viability—are inextricably linked to Microsoft.According to Orange’s official statements, all Bleu data centers sit on French soil, owned and operated by French entities. Microsoft is formally denied access to commercial and customer data—the legal controls and contractual fences appear robust. But the contract’s bedrock is unmistakable: “Bleu’s cloud infrastructure is entirely independent of Microsoft, and Microsoft does not have access to the service platform or customer data,” Orange emphasized. Nevertheless, the computing stack itself consists “specifically [of] Microsoft 365 and Microsoft Azure,” with Microsoft as the essential technology partner powering the platform.
This situation underscores a core contradiction: while the French partners hold the keys to the data halls and the legal documentation attests to control, the cloud’s technical lifeblood—its codebase, updates, and security patches—remains Microsoft’s intellectual property. As critics point out, it is as if France owns a state-of-the-art sports car but relies on Microsoft for the only key that can start the engine.
Lock-In or Lock-Out? The True Stakes
The criticality of this dependence becomes palpable in scenarios involving geopolitical or legal conflict. Microsoft acknowledges this in its own communications, describing a scenario in which, for example, an order arrives from US authorities demanding suspension of services to European customers. While “unlikely,” Microsoft asserts that it would “promptly and vigorously contest such a measure using all legal avenues available, including by pursuing litigation in court.”This assurance, designed to calm European nerves, is itself telling. Nowhere does Microsoft explicitly deny it possesses the technical means to terminate service or prevent access to core cloud features. In effect, the sword of Damocles—a remote but real possibility of US-imposed lockout—remains suspended above any supposedly “sovereign” deployment using US-origin technology.
If such an event did occur, the fallback provisions become almost farcical. Microsoft’s terms reportedly specify that backup copies of software code, for disaster recovery, will be held in Switzerland. But as Light Reading wryly notes, mere access to source code does not equate to the ability to instantly rebuild or operate cloud services at enterprise scale—a feat highly unlikely without continuous support, documentation, and integration with the broader Microsoft ecosystem.
The Nature of Dependency: Technological and Economic Barriers
Cloud lock-in is not a problem unique to Microsoft. All hyperscaler platforms rely on proprietary features, APIs, and toolchains—services finely tuned for high scale, high reliability, and heavy automation. As recent migration efforts illustrate, the gap between hyperscaler platforms is significant, especially for core services.Dag Peak, CTO of Alianza, described the complexity of migrating workloads from AWS to Azure in a recent Telecoms.com podcast. Alianza, having “used 37 different prebuilt AWS services...to build [a] highly scalable, highly reliable call-control platform,” found there were “no like-for-like equivalents” available in Azure. The process of disentangling core business functionality from unique cloud-native services is time-consuming, costly, and fraught with compatibility issues.
European regulators have long been wary of this dependence. Nonetheless, the competitive reality cripples native alternatives. Microsoft reported a staggering $44.5 billion in capital expenditure in its last fiscal year—a scale of investment entirely out of reach for any would-be European rival. Even with the backing of governments and the EU, the technical and economic moat encircling US platforms is immense.
The Regulatory Pushback: Legislative and Policy Efforts
In reaction to these structural dependencies, several European countries have sought to carve out at least a narrow set of critical digital infrastructure that must remain under European control. The United Kingdom offers a notable example—legislation now prohibits domestic telecom operators from hosting core network applications in the public cloud. BT and Three, two of the UK’s big four mobile network operators, must keep vital network functionality on-premises or within strictly defined private infrastructure.Elsewhere on the continent, most major telcos—Deutsche Telekom, Orange, and others—have established their own private cloud infrastructure (e.g., Orange’s “Orange Telco Cloud” or Deutsche Telekom’s “T-CaaS” offering) specifically to sidestep the risk of public cloud lock-in. The exception among large European telecoms appears to be Telefónica Germany, which has embarked on a phased migration of core network workloads onto AWS, having confirmed successful scaling on AWS Outposts at its own facilities. According to Telefónica CTO Mallik Rao, the allure is the “features and artificial intelligence services” that hyperscalers provide—services not easily replicated internally.
Yet even as isolated exceptions flirt with greater hyperscaler usage, the overall trend is one of caution, not expansion. European telecom workloads, for now, overwhelmingly avoid AWS, Google Cloud, or Azure for core functions—reflecting both national policy and broader nervousness about ceding operational autonomy.
The Hyperscaler Advantage: Features, Scale, and the Illusion of Choice
The reality is that American cloud giants have earned their dominance. Their platforms deliver unmatched economies of scale, innovation cadence, machine learning capabilities, and operational resilience. For enterprise users, especially those in fast-evolving or resource-constrained sectors, the hyperscaler value proposition is compelling:- Instant access to global infrastructure: Provisioning resources worldwide, on-demand.
- Reliability and redundancy: Uptime and durability measured in “nines.”
- Continuous innovation: A steady flow of new features, security enhancements, and integrations.
- Artificial Intelligence as a Service: Advanced analytics, natural language processing, and automation tools unavailable from homegrown vendors.
The Misleading Facade of Sovereignty
Given the breadth of these dependencies, the phrase “sovereign cloud” sometimes appears to perform more of a PR function than provide a literal description. Legal frameworks and contractual language notwithstanding, true technological self-sufficiency eludes most European cloud buyers. The risk is not theoretical: recent history is replete with examples of geopolitical events shaping access to critical digital infrastructure. From US bans on exporting semiconductors and chip manufacturing technology to China, to Russia’s abrupt exclusion from payment networks and software platforms, the precedent for weaponizing access to digital infrastructure is established.Microsoft’s polite, carefully hedged assurances are unlikely to fully dispel such concerns. The refusal to confirm technical incapacity for disabling or degrading a sovereign cloud, should legal obligations require it, exposes a hard truth: ultimate power resides not with nominal platform owners, but with whoever holds the master keys to the source code and operational tooling.
Economic Realities: Can Europe Build an Indigenous Hyperscaler?
Microsoft’s latest earnings report illustrates the scale at which hyperscaler dominance is maintained: $70.1 billion in quarterly revenue (up 13% year over year), with net profit surging 18% to $25.8 billion, fueled by both rapid cloud adoption and relentless capital investment. A European challenger seeking to match this—with hundreds of data centers, global reach, a steady drumbeat of innovation—would require both the financial muscle and the culture of continuous technological risk-taking that only a handful of US firms have shown.Europe’s policy approach has been to cajole, regulate, or subsidize local alternatives, but results thus far have been modest. Projects like GAIA-X, once heralded as the blueprint for next-generation European data infrastructure, have struggled to attract significant market share or innovation velocity comparable to their US counterparts. Reports of internal governance disputes, unclear commercial value, and tepid partner engagement shadow the initiative, even as it seeks to define standards for interoperability and data sovereignty.
The most successful “European” cloud ventures to date, including Bleu, are in practice joint undertakings with US hyperscalers, not stand-alone indigenous giants.
The Resilience Question: Disaster, War, and the Limits of Cloud Autonomy
Microsoft’s reference to storing backup copies of cloud service code in Switzerland alludes to contingency plans in case of catastrophic disaster—a nod to both data resiliency best practices and the specter of geopolitical instability. The idea has its historical echoes, reminiscent of strategies during World War II, when nations sent children abroad or hid cultural treasures in vaults to shield them from destruction.Yet, this analogy also lays bare the weakness in Europe’s position. Unlike paper records or physical children, software code is not merely a thing to be retrieved and restored. It requires constant updates, technical support, and a running, compatible operational environment. In the event of a political rupture, the “code in Switzerland” fallback is an illusion: without Microsoft’s willful, ongoing support, a European operator would be left with nothing more than inert bytes—a Ferrari with neither keys nor a manual.
Potential Risks and the Path Forward
Key Risks:
- Geopolitical weaponization: Cloud access could be wielded as a lever in future trade, legal, or military confrontations, imperiling European autonomy over essential digital infrastructure.
- Vendor lock-in and switching costs: Unique, non-standard features make transitions between platforms prohibitively expensive or technically infeasible.
- False sense of security: The sovereign cloud label may lull both enterprises and governments into overestimating their operational independence.
Notable Strengths:
- Regulatory compliance: Joint ventures like Bleu and others genuinely achieve strong legal compliance with European privacy and data residency statutes, even if technological sovereignty is diluted.
- Hybrid resilience: By embedding local control over physical infrastructure and operations while leveraging US technological know-how, European cloud offerings can attain high standards of reliability and security.
- Gradual upskilling: Even partial control and localized joint ventures may facilitate learning and technology transfer, preparing European firms for a more assertive cloud role in the future.
Critical Analysis: The Sovereign Cloud Dilemma
Europe’s struggle with cloud sovereignty is both a matter of immediate operational necessity and a deeper question of technological self-sufficiency in a multipolar world. On one hand, there is no credible, fully “sovereign” hyperscaler outside the US or China; on the other, the imperative to safeguard critical infrastructure from political whim or international conflict has never been more urgent.Microsoft’s pragmatic balancing act—supplying technology while ceding operational and legal control in contracts—reflects an awareness that European markets want assurance, but not at the expense of usability, support, or innovation cadence. The company’s declaration to contest any forced cessation of service is legally sound but not, ultimately, an absolute guarantee of availability.
The risk for Europe is twofold: severe disruption, should political winds turn, and strategic stagnation, should it fail to invest ambitiously enough in alternative platforms, even if these are more costly or less feature-rich in the short term.
Conclusion: Pragmatism, Not Purity
The story of Europe’s “sovereign clouds”—as embodied by Bleu in partnership with Microsoft—is emblematic of the broader digital and industrial dilemma facing the continent. Complete technological independence may be unattainable, at least in the short to medium term; economic logic and decades of underinvestment have left Europe vulnerable to US tech hegemony. What remains is not pure sovereignty but, rather, a form of managed dependence—clouds that are “European” by compliance, but not by code.It is a compromise with notable benefits: compliance with GDPR and other European data protection mandates, deep pools of innovation borrowed from hyperscalers, and business continuity options better than nothing at all. But the accompanying risks—of lock-in, remote disablement, and strategic helplessness—are likewise real, not hypothetical.
Ultimately, Europe’s sovereign cloud is a work in progress, a pragmatic patch rather than a principled stand. For enterprises and governments alike, honest reckoning with the limits of sovereignty—and renewed investment in genuine innovation—will be the only way to close the yawning gap between cloud PR and cloud reality. The lesson for policymakers, customers, and technologists is clear: in the cloud, as in politics, true autonomy is hard-won, never granted—and all too often, more illusion than fact.
Source: Light Reading Microsoft shows who really controls Europe's 'sovereign clouds'
