7 min read. In this piece:

• Why "sovereign cloud" misses the point

• The one question that exposes real sovereignty

• What Europe should build instead

A few weeks ago I was at GovTech Day, where the senior ranks of the Dutch government come together to talk about public technology. One of the talks was from SAP, about building ecosystems with sovereignty. The pitch, boiled down, was this: all of you become customers in our datacenter, and then you can form an ecosystem in there.

The room caught it immediately. The talk got a frosty reception, people were sharp, and honestly I was glad to see it. Because all of us becoming customers in SAP's datacenter is not sovereign. It's the exact opposite.

And yet this is what we've started calling sovereignty. As I write this, Amazon is opening a "European Sovereign Cloud". Europe is trying to copy America: our own large AI models, our own datacenters, our own hyperscalers. The instinct is understandable. After the last few years, depending on American tech companies feels less like comfort and more like exposure. But the answer the market hands us is to rebuild the same companies with a European flag.

I know this pattern from up close. I work with cryptography every day, and "crypto" as a word has been completely hijacked by web3 and casino speculation. So I know how it feels when a term gets taken over by something that has nothing to do with it. The word stays, the meaning leaks out. It's happening again, now with sovereignty.

Sovereignty isn't about where your servers stand. It's about whether you have agency, whether you keep your options open, whether you're tied to a single supplier. One question exposes all of it: can I leave?

Can I leave?

Can I take my data to another service and keep working, or am I trapped?

You don't get that by putting your data inside a border. You get it by making your data portable, by decoupling the application from the data underneath it. The data moves freely, the customer moves freely with it, and different applications can read the same data to do something useful. Want to switch to a better service tomorrow? You take your data with you.

Today it works the other way around. The data and the application ship as one package, and that's the whole point. Lock-in isn't a side effect, it's the business model. The key to your data is hidden inside the software, not in the location of the server. As long as that key isn't yours, you're not a customer, you're a hostage, however friendly the supplier is.

Anyone who has ever tried to move off a CRM or an accounting package knows the feeling. On paper it's your data. In practice there's an export button with a half-broken file format, a migration project that runs for months, and a quote for "help with the transition." The barrier is kept high on purpose. A customer who can't leave is one you don't have to keep with a better product.

Europe's own rulebook already agrees with this. The EU Data Act, in force since 2024 and applying since September 2025, makes switching cloud providers a legal right and bans data egress fees outright by 2027. The law already defines sovereignty as the ability to walk away. The procurement conversation is still arguing about the postcode of the datacenter.

Full circle

The funny thing is that we've come round in a complete circle.

First we had our own server at home. Then we moved everything to the cloud, because it was easier and cheaper. And now, with the call for sovereignty, we're putting the server back "at home." Except it's still the cloud, only now the sovereign cloud, a server in your own datacenter.

Except you don't really have it in your own house. You buy a datacenter, you put it down, and you have it provisioned by a specialist. In practice that specialist is Amazon or Microsoft, because they can do it at scale and reliably and you can't. You pull your dependency and your risk right back in, only now it's called "your sovereign cloud" and you pay the same party to run it for you.

This isn't a thought experiment. Amazon's European Sovereign Cloud opened in Brandenburg, backed by a 7.8 billion euro investment and run through a separately incorporated German company. Deutsche Telekom and Nvidia are building one in Munich. Gartner expects worldwide sovereign-cloud spending to top 80 billion dollars this year. It's a product category, not a principle. Even Gaia-X, Europe's flagship attempt, gets called a trojan horse for Big Tech, because the American giants sit inside it.

And the datacenter doesn't touch the deeper problem at all. The US CLOUD Act and FISA 702 reach your data wherever it physically sits, because they follow the company, not the server. If your provider is American-owned, data in Frankfurt is just as reachable as data in Virginia. This isn't theory: the Schrems II ruling struck down the EU-US data deal over exactly this. So the location doesn't save you, just for a different reason than you assumed.

Which leaves you two ways to lose your data. Lock-in, where you can't leave. And jurisdiction, where someone else can be compelled to open the door. Jurisdiction is the exposure you carry today, and portability is how you stop signing up for it again. A European datacenter run by an American company solves neither, and it can make lock-in worse by handing you a new monopoly to depend on.

An open ecosystem, actually open

Both ways of losing have the same cure, and it's older than the cloud.

The original internet was sovereign by default. You had your own server on your own machine, no intermediary, no dependency. That was the starting point, before we traded control for convenience without noticing.

Getting sovereignty back isn't rebuilding the cloud behind a national border. It's returning to that original principle with the techniques we've learned since. Peer to peer, cryptographic, data that moves freely over open protocols.

The clearest analogy is the email you send every day. SMTP is an open protocol, and the data sits in a standard any application can read. That's why someone on Google can email someone on Microsoft and it just arrives. Nobody owns the protocol, so everyone can build on it. Compare that to WhatsApp and Telegram, which can't reach each other at all. Same message, a wall in between.

At mintBlue we build protocols of the email type, not the WhatsApp type. Data exchanged confidentially, over an open standard, so an open ecosystem forms instead of a walled garden with a supplier at the gate.

Confidential and open don't fight each other here. You can encrypt the data and still send it over an open protocol, the way a sealed envelope goes through the post without the postman reading it. The key stays with sender and receiver, the protocol only handles transport. The host can be compelled to hand over only ciphertext, never the contents, because the keys live with sender and receiver, not with the host. That answers the jurisdiction problem the EU datacenter can't.

An open ecosystem is only trustworthy if the data is traceable to its source: the authentic author, or the mandated organisation, person, or AI agent that created it. That matters more as more agents join in. If an agent records something on behalf of your organisation, the receiver has to be able to check whether it was mandated, and by whom. And that has to work without a central authority deciding where data comes from, because that authority would just be one more party to trust. The cryptography records the origin, instead of an institution vouching for it. Who gets to issue those mandates is the genuinely hard question, and a better thing to fight about than the postcode of a datacenter.

I'm not alone in this. Bert Hubert, probably the sharpest Dutch voice on digital autonomy, keeps warning that talking about standards isn't enough, that somebody actually has to build the European alternative. He's right. That's the work. I’ve been writing about this for years, back when I called it data ownership. It's the same thing now called sovereignty. The term changed, the problem didn't.

So tldr is the sovereign cloud is not sovereignty. It's the same dependency in a different wrapping (with a more reassuring label). “All of you become customers in our datacenter and we'll form an ecosystem there”’; that wasn't one SAP speaker's slip. It's the assumption underneath the whole European sovereignty debate, just usually better packaged.

The room at GovTech Day saw through it. Will the rest of Europe see through it in time, before we build our own walls and call them sovereignty?

Sources

• AWS European Sovereign Cloud, 7.8 billion euro investment through 2040 and EU-controlled operation (Amazon newsroom): https://www.aboutamazon.eu/news/aws/aws-plans-to-invest-7-8-billion-into-the-aws-european-sovereign-cloud

• EU Data Act, switching and egress fees (European Commission): https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained

• Gaia-X as a "trojan horse for Big Tech" (academic analysis): https://www.tandfonline.com/doi/full/10.1080/1369118X.2025.2516545

• US CLOUD Act and FISA 702 reach over EU-stored data: https://www.civo.com/blog/is-your-cloud-truly-sovereign

• Bert Hubert, Demystifying European Digital Sovereignty: https://berthub.eu/articles/posts/demystifying-european-digital-sovereignty/