Europe is currently engaged in an intense debate about digital sovereignty, GDPR data residency, and dependence on U.S. hyperscalers such as Microsoft, Google, and AWS. At the same time, many organizations are considering whether GDPR-regulated data should be moved to European cloud providers or even to fully local platforms. But in today’s modern cloud environment, does the physical location of data actually solve the core problem anymore — or does it instead risk weakening Europe’s competitiveness, AI development, and access to the world’s leading software platforms?

The Cloud Is No Longer a Physical Place

In the traditional datacenter era, the logic was simple:

  • the server was located in one country
  • storage resided in one datacenter
  • operations were local
  • networking was local

Back then, the assumption that data location = data control was relatively reasonable.

In the modern cloud, this is no longer true because data:

  • replicates
  • gets cached
  • is analyzed in distributed systems
  • moves together with control planes
  • is backed up across multiple locations

Even if a virtual machine is located in Frankfurt or Finland, it does not automatically mean that metadata remains in Europe, operations are fully European, support access stays within the EU, or that the service provider itself cannot access the data. This is precisely why the modern digital sovereignty debate emerged.

How Do Governments Actually Access Data?

Public discussion sometimes creates the impression that a foreign government somehow “breaks into” a European datacenter technically. In reality, this happens extremely rarely. The actual mechanism is usually legal: an official court order, national intelligence legislation, or a lawful request directed at the service provider.

For example, under certain circumstances, a U.S.-based company may be legally required to provide data or metadata to U.S. authorities regardless of the physical country where the data is stored. This is where legislation such as the CLOUD Act, FISA 702, and the Schrems II ruling become central to the discussion.

This is the real core issue of modern cloud sovereignty.

The key question is not where the data is located, but:

  • who controls the data
  • who controls the encryption keys
  • who controls identity management
  • who operates the control plane
  • whether the service provider itself can decrypt the data

If the service provider manages the encryption keys, a lawful government request can effectively be directed to the provider itself. In contrast, if the customer fully controls the keys and the provider cannot decrypt the data, a legal request alone does not automatically provide practical access to the actual content.

Key management is significantly more important than datacenter geography.

Europe’s Debate Is Not Only Technical

Germany and France in particular increasingly view the issue as strategic:

  • Europe is too dependent on U.S. hyperscalers
  • digital infrastructure represents strategic power
  • AI and cloud platforms are geopolitical assets

This means the debate is no longer simply about “can someone read the data?” but rather “who controls Europe’s digital infrastructure?”

This is why initiatives such as GAIA-X, Sovereign Cloud projects, Microsoft EU Data Boundary, AWS European Sovereign Cloud, Bleu, and Delos Cloud emerged.

Europe’s dilemma is real — but technological reality is brutal.

AWS, Microsoft, and Google invest hundreds of billions into global datacenter networks, AI GPU clusters, cybersecurity, confidential computing, and software ecosystems. Europe currently has no equivalent provider operating at the same scale, innovation speed, AI ecosystem maturity, or software development capacity.

And this leads to a difficult question:

Is Europe weakening its own competitiveness by attempting to distance itself from hyperscalers?

Poorly Understood Sovereignty Can Become Extremely Expensive

When political and public discussion gets simplified into the idea that “everything must be local,” the likely outcome is:

  • higher costs
  • weaker technology
  • slower AI development
  • poorer user experiences
  • greater operational complexity

In the worst case, organizations may migrate away from modern hyperscaler environments into technically far less advanced platforms without actually solving the underlying control or privacy challenges.

And this is a very real risk for Europe.

What Does “European” or “American” Technology Even Mean?

The discussion often becomes oversimplified into the assumption that European technology is automatically safe and American technology automatically risky.

In reality, the modern technology ecosystem is completely global.

Company ownership, investors, development teams, subcontractors, support organizations, and cloud infrastructure may all span multiple countries regardless of where a company’s headquarters are located.

As a result, a company’s “nationality” alone no longer tells us who actually controls the technology, infrastructure, or data.

The Modern Solution May Be Control Without Technological Regression

The most important question is not:

“Should Europe build its own hyperscaler?”

The real question is:

  • how to maintain control
  • how to manage encryption keys
  • how to avoid vendor lock-in
  • how to build open standards
  • how to protect critical sectors
  • how to preserve portability

In other words: sovereignty without losing access to the world’s best software and AI platforms.

This is where key management, cryptography, and confidential computing may provide a far more realistic and technically robust solution than merely focusing on physical data localization.

The Future May Lie in Compromise

Most likely, the realistic future is neither complete independence from hyperscalers nor total dependence on them, but rather a combination of:

  • hyperscaler cloud platforms
  • sovereign controls
  • customer-managed keys
  • confidential computing
  • EU operational boundaries
  • open standards

It’s About Control, Not Location

Perhaps the single most important realization in this entire debate is understanding that in the modern cloud world, the physical location of data does not equal control of data.

Real security increasingly comes from:

  • cryptography
  • key management
  • identity management
  • auditing
  • control plane governance

—not merely from the physical walls surrounding a datacenter.

And this is precisely where Europe must succeed: preserving control without simultaneously sacrificing its competitiveness in the AI and cloud era.

Hannu Rokka, Senior Advisor
5Feet Networks Oy