
The Great Cloud Charade: Why “Data Residency” Isn’t “Data Sovereignty”

In the high-stakes world of digital infrastructure and modern sovereign cloud strategy, “sovereignty” has become the ultimate prize. Nations are drafting laws to control their digital territories. Enterprises are scrambling to comply, seeking cloud solutions that promise to keep sensitive data safe within jurisdictional lines. In response, hyperscalers have rolled out a red carpet of “sovereign” offerings for Europe — complete with local data centers, EU-resident staff, and billion-dollar investments.

But a critical and often deliberately obscured distinction lies at the heart of this new landscape: the difference between data residency and data sovereignty. They are not the same. One is a feature linked to geography; the other is a control mechanism that defines autonomy.

Understanding this difference is key to piercing the marketing veil — and recognizing that many so-called “sovereign public clouds” are, in fact, marketing-speak rather than true sovereign cloud compliance.

The Core Distinction Between Data Residency and Data Sovereignty: Location vs. Customer Control

To engage in a meaningful discussion, we must first establish clear definitions for these frequently conflated terms.

  • Data Residency refers exclusively to the physical, geographic location where data is stored. If a company’s data is housed on servers in Frankfurt, Germany, its data resides in Germany. Data residency is a question of geography. It answers: ‘Where are the servers?’
  • Data Sovereignty is a much broader principle tied to digital sovereignty and customer control. It asserts that data is subject to the laws and regulations of the nation in which it is located—or, in some cases, where the data subject resides. Data sovereignty is about legal authority and jurisdictional power. It answers: ‘Whose laws govern the data?’ It creates a jurisdictional link that follows the data throughout its life-cycle.

For years, the simple logic was that residency determined sovereignty. If your data was in Germany, German and EU law applied. That assumption has been shattered by the extraterritorial reach of modern legislation. Location no longer guarantees protection. Extraterritorial rules are not new. Landmark EU laws such as the GDPR pioneered global applicability. But recent geopolitical tensions have deepened uncertainty and amplified the need for sovereignty.

Under the Digital Operational Resilience Act (DORA), financial institutions must assess all ICT supply-chain risks—economic, geopolitical, and operational. They must also manage the length of their supply chains, particularly when third-country service providers support critical functions. These measures form part of Europe’s broader sovereign cloud compliance agenda. At the same time, discussions about defining sovereignty in EU law — such as the upcoming Cloud and AI Development Act (CAIDA) and the revision of the EU Cybersecurity Act (CSA) — are gaining momentum.

Case Study 1: The AWS “European Sovereign Cloud”

Amazon has pledged a €7.8 billion investment in a new “European Sovereign Cloud,” promising it will be “physically and logically separate,” operated exclusively by EU-resident employees, and feature independent billing and control systems.

  • The Confusion: The marketing focuses entirely on physical and operational separation—all elements of data residency. It suggests that by building a digital fortress in Europe, the data inside is protected by European law.
  • The Reality: Legal experts immediately identified the “fatal flaw”: the entity running this cloud, despite its German parent company structure, remains a subsidiary of a U.S. corporation. As such, it is still subject to U.S. jurisdiction and the CLOUD Act. As one French tech law expert noted, “the location of data was hereafter irrelevant in the applicability of US laws”. 

The issue was never just about physical separation; it is about legal jurisdiction and about the technical and organizational controls that give the customer autonomy of decision-making.

Case Study 2: Microsoft’s “EU Data Boundary”

Microsoft has heavily promoted its multi-phase EU Data Boundary, a commitment to store and process all customer data, pseudonymized personal data, and even technical support data within the EU.

  • The Confusion: The initiative is presented as a comprehensive solution for European data protection, giving customers confidence that their data will not leave the region.
  • The Reality: The promise comes with critical exceptions. Microsoft’s own documentation admits that some services, particularly advanced security platforms, transfer data globally for threat analysis. 

Case Study 3: Google’s Partner-Led “Sovereign Cloud”

Google’s strategy relies on partnerships with trusted European entities, such as Thales (via the S3NS joint venture) in France and T-Systems in Germany, to operate its cloud stack locally.

  • The Confusion: This model suggests that by placing a European company as the operator, a jurisdictional shield is created, combining European trust with American technology.
  • The Reality: While this adds a layer of operational control, it does not change the legal obligations of the parent company. The offering’s control plane will still be under Google, which becomes a consideration for highly sensitive workloads.

“Sovereign Washing”: The Hidden Risk in Sovereign Cloud Claims

The term “sovereign washing” describes the practice of marketing a data residency solution as a true data sovereignty solution. Many have become masters of this art, architecting elaborate offerings that create the appearance of sovereignty while failing to address the fundamental areas of conflict.

The Real Question Isn’t “Where,” It’s “Who”

For any organization—be it a government agency, a bank, or a healthcare provider—that is serious about protecting its data, the defining question of sovereignty is not “Where is my data?” but “Who has ultimate control over my data?”, whether that control is legal or operational.

Data residency is a necessary but insufficient step. Hyperscalers can offer residency, but they cannot offer true sovereignty to their European customers because they cannot exempt themselves from extra-territorial application of certain laws. Unless the claims are substantiated by underlying evidence, they should be treated with a healthy level of doubt: more likely marketing than a genuine guarantee.

Real digital sovereignty is not a feature you can buy from a hyperscaler; it is a state that can only be achieved by partnering with an entity that is unambiguously and exclusively subject to your own jurisdiction, and that offers the customer true capabilities of control and autonomous decision-making over its data and data flows.

