In 2022, VMware warned that sovereignty depended on the needs of the customer, more than marketing, more than a logo on a cloud product. At the time, it felt early. Now, the evidence is undeniable: hearings, regulatory frameworks being prioritized, and market pivots prove that what mattered then matters even more now. Sovereignty has gone from an abstract concept to a key customer consideration. Establishing a compliance requirement around sovereignty is becoming a key discussion point in Europe.
This blog builds on that foundation. We’ll examine why “sovereign by label” clouds fall short, point to real market signals that expose the gap, and lay out a practical checklist that buyers — and vendors — should demand. Because in 2025, the conversation is no longer about who can market sovereignty, but who can prove it.
***
Many traditional public cloud vendors now sell “sovereign” clouds. But a label and local data centers do not erase legal exposure, control-plane dependencies, or auditability gaps. Recent admissions and market moves show the problem: when push comes to shove, control, whether over jurisdiction or over data flows, matters more than a marketing name.
Let’s unpack the different aspects of this reality, point to concrete market signals, and discuss a practical checklist that buyers and platform vendors should demand if they mean “sovereign” in anything but name only.
What “sovereign by label” means
“Sovereign by label” is when a vendor advertises an offering as sovereign (local regions, local support, “EU-only” controls) while important levers of control that determine legal and operational sovereignty remain outside the buyer’s reach. These levers can include parent-company jurisdiction, access to keys or metadata, global support staff with cross-border privileges, encryption key control, or legal obligations that compel disclosure despite where the bits sit.
Global hyperscalers have responded to political pressure and procurement demands by branding new EU-focused products (EU data boundaries, local-control joint ventures, “sovereign” cloud SKUs) as “sovereign.” But a label doesn’t equate to immunity from foreign government interference. The label may reassure potential customers; it does not by itself eliminate the structural risks that concern regulators and risk officers in Europe.
A live example: Microsoft’s EU Data Boundary promise vs. reality
Microsoft built the EU Data Boundary and publicly documented commitments to limit processing/storage of customer data to the EU under that program. That’s a clear product-level response to demand for residency and control. But in 2025, Microsoft representatives told a French senate committee they cannot absolutely guarantee that EU data could never be accessed under valid U.S. processes. This admission demonstrates the limits of a label and geography when legal jurisdiction and parent-company obligations remain U.S.-based. In short: Microsoft’s product-level boundary reduces data flows and risk, but it does not—by its own admission—eliminate the legal exposure that drives EU buyers’ wariness.
Market responses illustrate the trust gap
VMware by Broadcom was the first large-scale US software provider that partnered with local EU providers to offer a true sovereign cloud solution. Building on VMware Cloud Foundation (VCF), a tried and tested industry-leading technology solution that delivers full data center virtualisation, EU providers licensed this technology and supported it locally. This enabled a true sovereign cloud implementation without end-customer data flows of any kind to third countries outside the control of the EU provider.
Since then, two market signals matter:
- Traditional cloud vendors doubling down on EU-specialized constructs. Google has followed VMware by Broadcom’s lead and partnered with Thales to create S3NS. This France-based, Thales-led vehicle is intended to deliver a “trusted” cloud that meets French SecNumCloud expectations. Similarly, AWS and Microsoft have been developing Europe-focused sovereign messaging and product constructs, searching for ways to distance themselves from the non-EU jurisdictional control aspects. These moves show the vendors recognize the problem, but they also underscore that customers and regulators remain unconvinced that product labels alone suffice.
- Regulatory/market friction persists. The EU’s institutions are currently considering the introduction of sovereignty requirements. They are not only asking for data residency; they ask for demonstrable local control, certified processes, key custody guarantees, and evidence that critical operational functions are subject to EU law and EU-based governance. How this will materialise is still subject to debate, but it is something we might see very soon with proposals like the Cloud and AI Development Act (CAIDA) or the review of the EU Cybersecurity Act (CSA). This is why third-party, locally governed offers (or true customer-controlled encryption models) remain attractive to risk-sensitive buyers.
Why the label fails to hold up
When buyers treat a “sovereign” SKU as equivalent to real sovereignty, they often overlook these technical and legal failure modes:
- Jurisdictional leverage: Lawful orders to a U.S. parent company can reach data or metadata even when the physical storage is in the EU. The vendor may resist, but the legal mechanism exists.
- Control-plane and metadata exposure: Even if storage is local, control-plane services, management APIs, logs, or metadata may traverse global systems or be accessible to staff outside the EU. Control-plane ≠ data-plane.
- Key and secrets management: Who holds encryption keys? If the vendor or non-EU personnel can access keys or key material, legal demands can produce plaintext even when physical custody is local.
- Contractual opacity and subcontractors: Labels rarely disclose subcontractor rights, gov-to-vendor clauses, or the precise legal model used for responding to foreign process—but procurement teams will be audited on these exact points.
Evidence from the field: What recent headlines tell us
- Microsoft’s EU Data Boundary is a meaningful engineering and policy effort, but Microsoft officials acknowledged limits in a French hearing—a high-profile signal that product constructs can’t by themselves rewrite jurisdiction.
- Google’s Thales-led S3NS shows the path hyperscalers take when they want to credibly address national sovereignty requirements: create or empower locally controlled entities with separate governance. That’s an admission that a vanilla hyperscaler product is not the answer.
What buyers should ask: A practical “sovereignty checklist”
If you’re evaluating a vendor claiming sovereignty, demand evidence across these dimensions:
- Legal model: Signed legal opinion(s) explaining how the vendor will respond to valid foreign legal process and whether any parent-company obligations could override local operational control.
- Staffing and personnel controls: Proof that operational staff for the sovereign SKU are EU nationals employed by an EU legal entity, plus HR and access controls.
- Key custody: Customer-controlled, EU-resident key management (HSMs under the customer or a certified EU trust operator) and contractual guarantees that the vendor cannot access plaintext.
- Control-plane segregation: Technical architecture diagrams showing that management APIs, logging, and telemetry do not leave EU jurisdiction, plus audits to prove it.
- Auditable exit and portability: Playbooks, runbooks, and a live/recorded exit-drill demonstrating tangible portability and recovery within a contractual period.
- Third-party assurance: Independent attestations (Big-4 or national cert body) mapping controls to the buyer’s regulatory obligations.
- Inability to remotely effect changes: One of the key areas of concern for customers is functionality that can remotely make changes to the technology. The concern is that such changes could modify or even disable the technology, especially in scenarios of geopolitical turbulence. Therefore, the capability of a technology to operate disconnected, air-gapped, or without the involvement of the manufacturer is an important consideration.
- Interoperability, portability and exit: How interoperable a particular technology is with other platforms, and which standards it supports, is of paramount importance when it comes to sovereignty. Choosing a particular technology should not result in becoming imprisoned in a rose garden. Customers should have the ability to make autonomous choices for the different tools they would want to run. The same considerations apply to porting data in different formats to other applications, as well as to the ease of exit from a particular platform or tool.
- Local ecosystem: Often the presence of a local ecosystem is the best guarantee for some degree of autonomy. The existence of local resources with expertise on a particular technology, or even the provision of additional services on top of those of the manufacturer by local experts, can be a safeguard that, if geopolitical tensions rise, the ability to continue operating the technology unhindered remains.
What vendors (and neutral platform suppliers) should do to be trusted
If you’re a platform vendor or a neutral substrate provider wanting to offer real sovereignty (not just a sticker), here are high-impact moves:
- Deliver legal and auditor materials up front. Publish legal opinions, control mappings, and an audit pack buyers can hand to their compliance teams. (Proof beats PR.)
- Offer customer-controlled keys & air-gapped AI tooling. If customers can ensure models and fine-tuning never see an external key, their risk drops materially.
- Use locally owned operating entities or partner-led models. Joint ventures where a local EU entity operates the service (with limited, verifiable vendor roles) are much more credible. Google/Thales’ S3NS is an example of the JV route.
- Productize reversibility: Put exit drills and portability guarantees in contracts with clear SLAs and published case studies—make reversibility a procurement checkbox.
- Invite third-party attestations: Big-4 control audits, national certs (SecNumCloud, BSI alignment), and published results will beat marketing muscle.
Final word: Labels matter, but proof matters more
“EU-only,” “sovereign,” and “trusted cloud” are no longer sufficient as procurement language. The market has moved past claims; buyers want demonstrable proof: local legal entities, staff, key custody, segregated control planes, auditable artifacts, and contractual exit rights. The vendors that back their labels with those elements, or that partner credibly with EU operators who can deliver them, will win the business that truly matters: regulated finance, health, and government workloads.
If you’re a buyer: Treat “sovereign” as a feature set to validate, not a slogan to be accepted.
If you’re a platform vendor: Convert your label into audited artifacts and legal guarantees—and consider whether the fastest credible route is partnership with EU entities that can own the operational narrative.