What is the Sovereign Cloud?

• Sovereign Cloud ensures that data processing and cloud operations take place within clearly defined national or European jurisdictions.
• It combines cloud technologies with strict requirements for data protection, data sovereignty and compliance (e.g. GDPR, NIS-2).
• Companies retain control over data access, key management and governance – even when using hyperscalers.
• Sovereign Cloud is particularly relevant for regulated industries, critical infrastructure companies and public sector organisations in Europe.

A sovereign cloud is a cloud environment. Operations and data processing take place within defined national or European jurisdictions. This ensures data sovereignty, legal control and security.

Today, the cloud is a key driver of digitalisation and innovation. At the same time, many companies are faced with the question of how public cloud models can be reconciled with requirements for sovereignty, data protection and control.

This is where the sovereign cloud comes in as a solution – especially for companies and organisations with high data protection requirements.

The term sovereign cloud describes a cloud computing model that is specifically designed to ensure digital sovereignty, legal control and technical self-determination, even in cloud operations.

The focus is on complete sovereignty over data, processes and access within a cloud infrastructure.

In contrast to traditional public cloud models, a sovereign cloud is subject to clearly defined national or supranational legal frameworks, such as European data protection and security law.

A characteristic feature is that all relevant levels of the cloud – from the physical infrastructure to the platform services and operations – are designed in such a way that no uncontrolled dependencies on non-European legal systems arise. This applies in particular to:

• the storage location of the data
• access options by third countries
• governance and control mechanisms
• technical and organisational operational responsibility

From a technical perspective, this overall concept is often described as a sovereign cloud stack. What does that mean?

It refers to a multi-layered structure that integrates the following factors:

• Infrastructure
• Platform
• Security mechanisms
• Identity management
• Governance rules

In the European context, the sovereign cloud is closely linked to initiatives for digital independence, strengthening cloud data security and compliance with regulatory requirements such as the GDPR, NIS-2 or industry-specific regulations.

A sovereign cloud is not a traditional public cloud, where data and operational responsibility are distributed globally and potentially subject to access by non-European jurisdictions.

Nor is it a pure private cloud, which is operated entirely in the company's own data centre and often entails limitations in terms of scalability and speed of innovation.

Furthermore, a sovereign cloud is not a purely technical product that can be defined solely by the location of a data centre. Rather, the decisive factor is the interaction between infrastructure, operating model, governance, legal framework and organisational measures.

Marketing terms such as "EU cloud" or "local cloud" do not automatically meet the requirements for true data sovereignty if access rights, key management or operator responsibility are not clearly regulated.

A sovereign cloud addresses several strategic and operational challenges of modern IT environments, which often only become apparent in practice once cloud projects are already underway.

Above all, it brings the issues of independence, data sovereignty and cloud data security to the fore. This provides companies with a framework for using innovative cloud services without relinquishing control over particularly sensitive or regulated data.

The most important advantages of the sovereign cloud at a glance:

• Independence and control over data
• Data sovereignty and legal security
• Flexibility and adaptability
• Integration capability with other systems (provider-dependent)
• Economic advantages and risk minimisation

These aspects are described in more detail below.

Independence and control over data

A key promise of the sovereign cloud is to give companies more control over where data is stored, processed and accessed. This is achieved through defined regions and strict access models, which significantly reduce the risk of unwanted data leaks or external interference.

The most important features in this area are:

• Fixed data locations (data residency) in specific countries or groups of countries
• Technical and organisational measures to limit or exclude access from third countries
• Transparent audit and reporting functions that facilitate verification by supervisory authorities

Data sovereignty and legal certainty

Data sovereignty means that a company retains legal, organisational and technical sovereignty over its data. The Sovereign Cloud aims to achieve precisely this by combining encryption, role and rights models, and contractual provisions into a consistent overall picture.

Important components of data sovereignty are:

• Encryption of data at rest and in transit
• External or company-side control over keys in the Sovereign Cloud Stack
• Clear separation of clients and restrictive access rights for provider employees

Flexibility and adaptability

Despite high sovereignty standards, a sovereign cloud can be just as flexible as conventional public cloud models in many respects. Scalability, self-service provisioning and automatable platform services are also available in a sovereign environment if the design is created accordingly.

Modern platform approaches are often used to achieve this. Some examples are:

• Container orchestration (e.g. with Kubernetes) within a sovereign cloud stack
• Platform-as-a-service components for databases, integration and analytics
• Automated lifecycle management of workloads with infrastructure as code.

Integration capability with other systems

Depending on the provider, ERP systems, industry-specific applications and identity management solutions can be integrated into sovereign cloud environments.

The SAP Sovereign Cloud is a typical example of such an integration strategy. It enables secure connection to existing SAP systems while also mapping regulatory requirements on the system side.

Economic advantages and risk minimisation

From an economic perspective, a sovereign cloud is not a short-term cost-saving model, but rather a tool for risk minimisation and long-term stability.

Although the initial costs are often higher than those of a simple public cloud, the long-term costs for compliance, legal protection and audit processes are reduced. Companies also gain planning security and reduce dependencies that could prove costly later on.

Although sovereign clouds and public clouds are often based on similar underlying technology, they differ significantly in terms of governance, operation and legal framework. The key difference lies in the extent to which national and regional requirements are integrated into architecture and management processes.

A public cloud uses globally distributed data centres, global personnel and standardised contract models that are primarily designed for efficiency and scalability. In contrast, a sovereign cloud deliberately limits locations, access and control. It also links cloud data security more closely to legal requirements at the user company's location.

A typical sovereign cloud stack consists of several layers that differ in detail from conventional public cloud stacks. These include:

• Physical layer: Data centres in specifically defined countries, including physical protection and access control
• Infrastructure layer: Compute, storage and network with strict tenant separation and regional restrictions
• Platform layer: Container platforms, databases, integration services, often specially certified
• Security and governance layer: Identity & access management, encryption, key management, monitoring, audit functions
• Compliance and legal framework: Country-specific contracts, certifications and regulations on jurisdiction

In comparison, traditional public cloud services are usually structured uniformly worldwide and are less specifically tailored to individual countries or jurisdictions. They often provide a more comprehensive catalogue of services, but without an explicit focus on sovereignty.

The market for sovereign cloud solutions is dominated by international hyperscalers, software manufacturers and telecommunications companies.

Some examples of providers are T-Systems, Oracle, Amazon and SAP. The latter two will be examined in more detail below due to their particular relevance for SAP customers.

Contact us here

The AWS European Sovereign Cloud is the EU version of the AWS Sovereign Cloud. It meets specific European requirements for data sovereignty, data protection and regulatory security. It is operated in EU countries – with independent legal entities and European staff. This means that access and control remain within the European legal area.

The most important features of the AWS European Sovereign Cloud are:

• Physical and logical separation from global AWS regions (such as US East or Asia-Pacific)
• Focus on compliance with the GDPR and other EU regulations
• Provision of a broad portfolio of AWS services within a sovereign framework

The EU version of the AWS Sovereign Cloud is therefore aimed in particular at public authorities, operators of critical infrastructures (KRITIS) and companies that prioritise cloud data security and sovereignty within Europe.

SAP Sovereign Cloud is aimed at companies that map business-critical processes and sensitive data in SAP solutions such as SAP S/4HANA. The focus here is on a sovereign end-to-end stack that ranges from the data centre to the infrastructure and platform to the SAP applications.

There are several deployment options for SAP Sovereign Cloud:

• Via proven hyperscalers (e.g. AWS)
• Via the SAP cloud infrastructure (infrastructure-as-a-service platform in EU SAP data centres)
• Via SAP Sovereign Cloud On-Site (data centre selected by the customer)

Specifically for the public sector, the Delos Cloud (a sovereign cloud specifically for public services) will also be available as an option shortly (as of January 2026).

Contact us

In direct comparison to conventional public cloud solutions, the sovereign cloud not only places great emphasis on technical security, but also extends this to include special organisational and legal components. The aim is to create a level of security that is geared towards the requirements of particularly sensitive workloads and critical infrastructures.

Technical measures such as encryption, network segmentation, zero-trust architectures and continuous monitoring are also established in classic public clouds. However, additional mechanisms are added in a sovereign cloud. Examples include:

• Regionally limited operating and support personnel
• Special certifications
• Contractually defined access restrictions

All in all, this is a security concept that not only reduces the scope for cyber attacks, but also minimises the risk of politically motivated access to sensitive data.

The architecture of sovereign clouds is generally designed to support and simplify compliance with the GDPR. This includes technical, organisational and contractual frameworks that are centrally based on data protection principles such as purpose limitation, data minimisation and integrity.

Important aspects of GDPR support for sovereign clouds include the following:

• Data processing within the EU or defined EU countries, exclusion of data transfers to non-EU regions
• Use of strong encryption, access controls and logging to secure personal data
• Functions to support data subject rights and deletion concepts
• Options for creating evidence for supervisory authorities

Nevertheless, it should be noted that GDPR compliance is always a combination of technical platform, organisational measures and correct use of cloud services by the company.

Industries that are subject to strict regulatory requirements and high data protection standards benefit particularly from this. The same applies to companies and organisations that are essential to the functioning of government, society and the economy.

For all these target groups, the sovereign cloud is a good way to use modern IT services while ensuring a high degree of sovereignty, control and security.

Typical areas of application for a Sovereign Cloud are:

• Public sector and administration with sensitive citizen and registry data
• Healthcare and life sciences with sensitive health information and research data
• Financial service providers and insurance companies with extensive reporting and supervisory requirements
• Operators of critical infrastructures in areas such as energy, transport or telecommunications

But even in less regulated industries, a sovereign cloud can be useful if, for example, intellectual property, R&D data or strategic project information needs to be specially protected.

Companies also benefit from a sovereign cloud when it comes to artificial intelligence. Until now, legal requirements have prevented many organisations from implementing AI initiatives in the cloud. With a sovereign cloud, however, it is possible to comply with EU requirements for handling data in AI projects (e.g. the AI Act).

Contact us

Implementing a sovereign cloud is a step with far-reaching implications for processes, organisation and legal issues. A structured approach helps to limit risks and gradually unlock the added value of sovereign cloud models. Although there is no magic formula, one possible approach can be outlined as follows.

1. Requirements definition and data classification

First, all applicable regulatory requirements as well as the organisation's own security goals and compliance requirements are recorded. At the same time, the existing data is classified according to sensitivity. This foundation is crucial for defining the target architecture and the necessary degree of sovereignty.

2. Target definition and provider selection

Based on the requirements, a target vision for the sovereign cloud stack is defined. This includes:

• Data and workloads to be migrated to the sovereign cloud
• Governance
• Identity and access management
• Integration scenarios

Based on this, a provider can then be selected. The following criteria should be taken into account in particular:

• Compatibility of data centre locations (including disaster recovery locations) with your own locations
• Level of sovereignty of the operating model
• Certifications
• Experience in regulated industries, references
• Performance of cloud services (should be on par with public cloud offerings)
• Integration capability with your own systems (e.g. SAP S/4HANA)
• Costs

3. Pilot, migration and operation

Once the provider has been selected, implementation of the sovereign cloud can begin. A step-by-step approach is recommended for this:

• Conduct a pilot with selected workloads (e.g. data archiving, analytics or individual business processes)
• Test architecture assumptions, integration paths, security mechanisms and governance rules and readjust if necessary
• Gradual migration of systems and workloads
• Adaptation of business processes
• Accompanying implementation of tests, audits and training

After project completion: continuous monitoring of security, compliance and costs; regular updates and adaptation to changes in legislation

Cost and licensing models for sovereign clouds are often based on familiar public cloud principles. These include usage-based models, flat rates for dedicated resources, and tiered service levels.

Typical elements of the cost structure of sovereign cloud services are:

• Pay-per-use for computing power, storage, network and platform services
• Surcharges for dedicated or physically separated resources, for example in highly sensitive scenarios
• Costs for support and operating models (SLAs) with different response times and availability commitments, particularly relevant for critical infrastructures

For a sound assessment of cost-effectiveness, a total cost of ownership analysis should be carried out. The total costs should be weighed against the consolidation effects, automation gains and financial benefits resulting from risk reduction.

Contact us

Despite their many advantages, sovereign cloud models also entail a number of risks and challenges. These relate to technical, organisational and strategic aspects.

The following points are particularly noteworthy:

• High demands on the provider's legal knowledge and adaptability, as regulatory requirements are constantly changing
• Possible restrictions in the scope of services compared to global public cloud regions
• Dependence on individual providers or regional joint ventures and the associated lock-in risks
• Need for in-house expertise in the areas of governance, security architecture and compliance.

However, many of these risks can be significantly reduced with clear exit strategies, multi-cloud approaches and a solid governance model.

The development of sovereign clouds is strongly influenced by regulation, geopolitical conditions and technological innovations. It can be assumed that sovereign cloud offerings will gain in importance worldwide.

The following trends can be expected:

• Further tightening of regulations and sanctions for violations
• Greater relevance of digital sovereignty, also due to geopolitical events
• This will lead to growth in the number of sovereign cloud services – particularly in Europe, but also in other regulated markets
• Increased use of future technologies such as AI, analytics and automation functions in sovereign cloud environments

As a result of these trends, sovereign clouds could evolve from a niche solution to a regular component of modern cloud strategies.

The sovereign cloud bridges the gap between the need for modern, scalable IT and strict requirements for data sovereignty, data protection and compliance.

Solutions such as the AWS European Sovereign Cloud or the SAP Sovereign Cloud show that this balancing act is possible – that innovation, cloud data security and compliance can be organised within a common framework.

Whether using a sovereign cloud is the right move depends largely on how stringent the regulatory requirements are, the strategic importance of data, and how consciously a company wants to manage risks.

For companies in highly regulated industries, critical infrastructures, and organisations with intellectual property that is particularly worthy of protection, adopting a sovereign cloud strategy is often the logical next step in their development.