The relevance of IT for organizations lies in running systems and data. Risks around IT include the risk of data breach — the loss of data — and the loss of access to data and systems. If the latter happens suddenly, the very existence of an organization is threatened. The story of the Amsterdam Trade Bank is a relevant precedent: it could no longer operate after Microsoft and Amazon suspended cloud services after being ordered to do so by a US court.
Careful risk management by any organization includes identifying existential dependencies and all actors who can activate a kill switch. If an organization cannot run without access to specific data or systems, then anyone who can block that access owns a kill switch. Companies and governments relying on public cloud services for critical data and systems will therefore identify the cloud providers as potential kill switchers — like Microsoft and Amazon in the case of ATB. Of course this risk analysis should then also identify the factors that could cause these actors to actually switch off the services. As stated: US courts, US security agencies and probably Presential decrees are on that list.
Until not long ago, many organizations may have been somewhat aware of the kill switch risk — and other risks associated with a heavy reliance on individual providers of cloud services — but did not consider this a high risk. Recent political developments in the United States of America have caused a change. I do not have data on the entire world or all of Europe. In The Netherlands there is flurry of worry — and I suspect things are similar elsewhere. It is now seen as a real risk that US based providers of cloud services can be forced by their government to suspend services to individual organizations and perhaps entire countries.
An analysis of risks associated with heavy reliance on public cloud services that in my opinion was long overdue is now in full swing. As is an exploration of alternatives. This is where — in addition to European cloud and hybrid cloud (on prem or private cloud next to public cloud) — sovereign cloud is a relevant topic.
Sovereign Cloud
The concept of sovereign cloud model addresses critical concerns related to data sovereignty, software sovereignty, security, and compliance. Sovereign cloud refers to cloud computing services designed to ensure that data remains within the geographical boundaries of a specific country or region. This model emphasizes data residency, meaning that data is stored and processed locally, adhering to the laws and regulations of the host country. Sovereign cloud solutions are typically managed by local providers — EU legal entities — or through partnerships that guarantee data does not leave the jurisdiction without explicit consent of the data owner. Employing only EU staff is an additional measure to prevent US interference
European regulations such as GDPR and NIS 2 describe responsibilities of organizations regarding protecting data and protecting the availability of critical systems and IT infrastructure. For European companies relying on U.S.-based cloud providers and non-sovereign services could mean that their data, intellectual property, and operational continuity are subject to U.S. jurisdiction, potentially leading to disruptions (the kill switch) or unauthorized access (such as dictated by the US CLOUD act).
Sovereign cloud services are offered — by independent local and EU based companies as well as by the US based hyper scalers. The former are very much on the rise. However, they typically offer services that are not as rich or mature as the portfolio available from the AWS, Azure, GCP and OCI. It is of interest to European organizations to explore the sovereign options from these more established providers.
It turns out that every major US cloud provider is active on the sovereign front. The current (March 2025) status is all over the place, from “we will have an offering by the end of the year” to “a fully independent, EU operated and owned, full service offering”. A quick summary of what each of these US cloud providers can currently offer:
- Microsoft Azure EU Data Boundary- see news article 26-feb 2025 — business data and all operational data on cloud management and support interaction are stored in the EU; there is no indication on staff and legal ownership and on the reduction of kill switch risk; if Microsoft (US) has legal ownership , there seems to be a chance that data can be requested by US security services and a risk that cloud services can be suspended forced by US government or court. (I need to contact Microsoft and our own legal experts on this)
- Oracle Cloud Infrastructure — European Sovereign Cloud — data in EU, operations by and access to EU staff only, owned and operated by a fully EU based legal entity: “Regions are operated by EU-based legal entities that own the hardware and data center leases and provide the operations and support. The isolation of the EU Sovereign Cloud realm allows Oracle to restrict support and operations, including physical and logical access to the realm, to EU residents employed by EU legal entities. The EU-based legal entities are backed by a governance committee to ensure integrity and alignment with current and future regulations.” It appears (though again I need to verify with legal experts) that this cloud services is not or at least far less assailable by American law enforcement. (I wonder what happens when the US government would instruct Oracle USA to stop doing business with this Oracle Sovereign Cloud EU ltd because that provides services to the International Criminal Court?)
- AWS Sovereign Cloud — planned for first action by the end of 2025 ; the AWS Digital Sovereignty Pledge is vague and unclear about legal ownership and actual protection against US government interference.
- Google Sovereign Cloud — blog article — several options through EU partners that use Google Distributed Cloud (for example Orange , Clarence, T-Systems, WWT and S3NS; Google does not itself operate a sovereign cloud. It is unclear to me if these partners can operate fully independently of Google and if they are susceptible to suspension of services from Google to them. These GDC based sovereign clouds probably will be able to operate at least some time beyond Google having been forced by US government to stop doing business with them. Again, I need to verify with Google, the relevant partner and our own legal experts
Conclusion
The age of naive cloud computing should be over by now. Availability, cost, capacity, vendor lock in, data sovereignty have been some of the considerations that should have played a bigger role in the purchasing and architecture decisions than they did. In the first quarter of 2025 it has become clear to most organizations that the kill switch is a clear and present danger. The US are currently not a reliable partner with solid government and trusted, fair legal system. There is a risk of not being able to access your data and run your systems. Mitigation of that risk is a responsibility for architects, IT managers and of executive boards in any organization.
Sovereign cloud services from US providers can offer at least some mitigation of the risks. Purely European providers and on prem/private cloud environments go even further. The variation in where the US based hyperscalers currently are with their sovereign offerings is quite large: AWS has a plan (but no execution yet), GCP relies on local partners, Azure has an offering that mitigates (perhaps) some of the risks but seems to leave the kill switch in tact and Oracle Cloud Infrastructure seems to provide the best option with its EU staff operated and EU entity owned operation. I do not believe any of the sovereign offerings have been legally tested. Certainty is not on offer with any of them.
