Achieving cloud sovereignty: Building organizational resilience against US hyperscaler dependence

Organizational sovereignty is rapidly shifting from an abstract concept to a strategic imperative that sits at the intersection of governance, risk management, and digital autonomy. Geopolitical uncertainty, tightening EU regulations, and growing reliance on non-European cloud providers increasingly threaten the resilience of core business processes.

We speak with Marcel Blommestijn, Partner Sourcing Advisory at Eraneos, about current market trends and the practical implications for directors and managers. 

Geopolitical tensions drive resilience to the top of the agenda

“There is a high degree of dependence on non-European technology providers,” Blommestijn said. “Geopolitical tensions, including the war in Ukraine and developments involving the US, are clearly exposing the risks inherent to this reliance. Organizations are increasingly recognizing the vulnerability stemming from the approach. Through legislation like the Data Act, NIS2, and DORA, Europe is decisively focusing on enforcing digital autonomy, resilience, and control.”

Our research partner Whitelane surveyed over 300 organizations in Northern Europe, revealing that two-thirds consider sovereignty to be a strategic priority. The urgency is highest in the public sector (85%) and the financial sector (75%), where social responsibility and stringent regulations converge.

Europe fuels new cloud initiatives

“The demand for sovereignty is most palpable among organizations using cloud infrastructure,” Blommestijn explained. “These organizations are actively seeking strategies to reduce their dependence on US hyperscalers. The reality is that European alternatives remain in the early stages of development, hampering supply. When available, these options are often significantly more expensive or less functionally mature.

The supplier market acknowledges this limited supply. Increasing demand for sovereign IT services is driving new European initiatives and boosting existing ones. Examples include STACKIT, a European cloud offering born from Lidl’s IT organization, and IaaS/PaaS services from established EU suppliers. European SaaS providers are also investing heavily in sovereign cloud capacity to deliver competitive alternatives for the European market. 
On the other hand, American suppliers are not passive; US hyperscalers are exploring how to establish European entities that satisfy stricter sovereignty requirements by implementing ownership separation and sovereign key management. The supplier playing field is rapidly evolving, and its ultimate configuration remains unclear.”

Navigating an immature market: The core challenges

Organizations must now make difficult choices in an immature market where options are limited and more costly. European alternatives currently command higher rates. Furthermore, switching to a different IT supplier necessitates a costly organizational transition, while the scalability and functionalities generally do not yet match the maturity of the large US hyperscalers.

“Achieving 100% sovereignty in the short term is virtually impossible,” Blommestijn added. “Even so, perhaps complete sovereignty is unnecessary; focusing on the most sensitive business processes may suffice. However, even achieving this demands targeted steps and a long-term strategic vision. Building organizational resilience requires a carefully structured process, which starts with clearly defining what sovereignty means for your organization.”

The EU Cloud Sovereignty Framework: A shared reference point

The EU Cloud Sovereignty Framework provides essential guidance. This framework introduces distinct ‘seal levels’ to categorize the degree of sovereignty, including clear standards and definitions. This gives organizations and suppliers a shared conceptual framework for action.

“For example, Seal 0 represents complete non-European control, while Seal 4 is the highest level, indicating full European control has been achieved,” Blommestijn explained. “Organizations can use this framework to determine their sovereignty ambition for each business process or application.”

The EU Cloud Sovereignty Framework: A shared reference point

How can organizations make themselves sovereign? Blommestijn admitted that it is not necessarily an easy process.  Nevertheless, there are a few steps businesses would be wise to follow:

1. Start with a baseline measurement: Identify exactly which business processes require a sovereignty component, as not all data demands the same protection or autonomy. 
2. Identify dependencies: Once critical processes are determined, link the risks to the underlying applications and platforms to expose existing and emerging dependencies. 
3. Determine seal level: Based on that insight, determine the desirable and realistic seal level. The EU Cloud Sovereignty Framework provides a common frame of reference for defining ambitions and legal requirements. 

After establishing inventory and goals, the organization must set its strategic direction and prepare appropriately, securing the necessary people and resources to execute its chosen course. 

This process requires a constant feedback loop with periodic monitoring in this rapidly developing market to assess whether sovereignty goals are being met and what new alternatives the market offers. Regulators are intensifying their focus; the Dutch Authority for Financial Markets (AFM), for instance, has already announced it will ask more explicit questions about resilience within the financial sector. This underscores the need for proactive organizational action – it is strategic to move now rather than waiting for formal, written obligations.

Sovereignty criteria reshaping IT service procurement

“More organizations are integrating sovereignty criteria into their Requests for Proposal (RFPs), demanding specific seal levels, sovereign key management, and operational autonomy,” Blommestijn noted. “The EU itself leads this trend; recent tenders explicitly require suppliers to meet certain sovereignty levels, establishing a de facto market standard.”

Your strategic advice: Start with clarity

“Start by creating clarity,” Blommestijn said. “Sovereignty is not merely an IT problem; it is a strategic decision concerning independence, resilience, risks, and governance. By clearly defining critical processes, setting ambitions, and inventorying available sovereign alternatives, you can create a future-proof strategy. 

This process demands time and energy, of course. Organizations must bring together expertise in technology and business processes to accurately assess the degree of sovereignty and anticipate needs. While this expertise is often lacking internally, organizations taking steps now are building resilience, flexibility, and agility for the long term.”

Would you like to explore what cloud sovereignty concretely means for your sourcing strategy, critical processes, and contracts with hyperscalers? The specialists at Eraneos are ready to help you define your strategy and take action. Contact us now.