Cloud sovereignty is now fashionable. But most such offerings are anything but.

The recent AWS outage, which disrupted major apps like Snapchat, Duolingo, and several critical banking services, was a wake-up call for C-suite executives everywhere. It exposed the extent to which global businesses rely on hyperscalers, and how fragile that model becomes when things go wrong. The incident has reignited a critical conversation: if a single outage can cause widespread disruption, what does true cloud resilience look like – and who ultimately holds control?

Cloud sovereignty isn’t a new phrase, but the context in which it’s being discussed has evolved dramatically. As cloud adoption accelerates, questions around data sovereignty, surveillance laws, and jurisdictional risk are becoming impossible to ignore. Organisations are increasingly aware that storing sensitive data and running critical workloads on infrastructure controlled by non-European entities exposes them to external legal frameworks and potential government access.

This has led to a surge in demand for so-called ‘sovereign’ cloud solutions – though these, it must be said, cannot be called truly ‘sovereign.’ Many of these cloud offerings still rely on US hyperscalers for core infrastructure and managed services, creating an illusion of independence while maintaining deep dependencies on dominant global players. This practice, often referred to as ‘sovereignty washing,’ is eroding trust and leaving European boards asking: what does true independence look like and how can it be achieved?

The rise of ‘sovereignty washing’

The conversation around cloud sovereignty is getting crowded and increasingly confused. Too often, ‘sovereign’ labels are applied to solutions that change little in practice: product offerings that provide a local partner on paper but still outsource control planes, keys or governance to foreign providers. These ‘sovereign’ cloud services from hyperscalers like AWS, Google and Microsoft can end up resembling Trojan horses – appearing compliant on the surface while leaving critical levers of control outside local reach. 

Legal frameworks like the 2018 Clarifying Lawful Overseas Use of Data (CLOUD) Act expose these vulnerabilities. Even when data is stored in Europe, if the provider is subject to external laws, authorities can compel access, regardless of physical location. Sovereignty needs to focus on who controls the infrastructure, not simply where the data resides. As long as infrastructure is governed by non-European entities, Europe cannot claim true data sovereignty. 

What real sovereignty looks like

True sovereignty is not a contractual checkbox; it’s a design principle. It requires rethinking how digital infrastructure is built, governed and secured. 

Firstly, it demands plurality by design. Relying on a single provider creates concentration risk. To ensure resilience and avoid vendor lock-in, organisations must embrace multi-cloud strategies, open standards and interoperability.

Secondly, independence requires clear accountability. Organisations need full visibility into who controls their data, encryption keys and compliance processes. This means transparent governance models and auditable controls, rather than vague assurances buried in service agreements. 

Finally, sovereignty depends on strong local ecosystems. Sustainable regional infrastructure, skilled talent pools and independent technology providers are critical. Control cannot be outsourced; it must be cultivated through long-term investment in local capabilities. 

Sovereignty as a differentiator

Once organisations understand what real sovereignty entails, the next question becomes: why invest in it? True sovereignty isn’t a compliance burden; it’s a strategic differentiator. When measurable and governable, it enables organisations to modernise with confidence, reducing vendor lock-in and minimising systemic risk.

The benefits are clear. Multi-cloud sovereignty strategies can significantly reduce the impact of outages, improving uptime and resilience. Recovery times can shrink from hours to minutes, protecting critical services and customer trust. Legal, compliance and operational risks tied to external jurisdictions are also reduced, strengthening overall risk posture. 

It’s time to move beyond smoke and mirrors. To move forward, organisations must cut through the fog of sovereignty washing by demanding clarity, not just claims. Sovereignty must be anchored in transparent controls, local accountability and architectural integrity. The challenge now is to turn the term from a buzzword into a benchmark.

Dmitry Panenkov is the CEO and founder of emma

Read more: How regulation and real-time risk are reshaping fraud prevention