European Push for Digital Sovereignty in Cloud Infrastructure
European governments and organizations are intensifying efforts to achieve digital sovereignty in cloud infrastructure, driven by geopolitical uncertainties and concerns over reliance on American hyperscalers such as Microsoft, Google, and Amazon Web Services. With U.S. policy shifts and potential transatlantic tensions, European leaders are prioritizing the development of domestic alternatives and strategies to ensure control over sensitive data and critical workloads. Despite these ambitions, local cloud providers currently hold only a small share of the market, and experts suggest that a new European hyperscaler is unlikely to emerge soon, with existing players like SAP and Deutsche Telekom each controlling only about 2% of the market.
In response to these sovereignty concerns, cloud providers are expanding offerings tailored to regulatory and data residency requirements. Amazon Web Services, for example, has introduced Dedicated Local Zones to provide customers with greater control over data location, security, and compliance, supporting sensitive workloads for public sector and regulated industries. These initiatives reflect a broader trend of cloud service adaptation to meet the evolving needs of European customers seeking to balance operational flexibility with strict sovereignty and compliance mandates.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
12 events from the most recent confirmed update back to the earliest known activity.
EU drafts Tech Sovereignty Package for sensitive public-sector cloud data
The European Commission was reported to be preparing a Tech Sovereignty Package that could restrict Microsoft, Amazon, and Google from processing certain sensitive public-sector data in Europe. The proposed limits were said to potentially cover financial, judicial, and health-related data, though the package had not yet been formally introduced and key implementation details remained unresolved.
ITIF report urges Canada to prioritize cloud control over sovereignty mandates
ITIF published a report arguing that Canada's sovereign cloud debate overemphasizes domestic ownership and data residency, and that sensitive workloads are better protected through technical, operational, legal, and procurement controls. The report recommended reserving strict domestic-control requirements for defense, intelligence, and a narrow set of highly sensitive government workloads.
CISPE launches framework to verify sovereign and resilient cloud services
CISPE launched the Sovereign and Resilient Cloud Services Framework to help enterprises and public authorities assess whether cloud offerings genuinely meet sovereignty and resilience requirements. The scheme introduces auditable badges for sovereign and resilient services, and CISPE said more than 40 services had already been declared against the framework.
Wero disclosed as partly relying on AWS despite sovereignty positioning
European payment service Wero, launched by the European Payments Initiative, was reported to rely in part on Amazon Web Services even as it was marketed as an independent European payment solution. EPI said it uses a mix of European and international providers and maintains control over architecture and operations, while acknowledging extraterritorial access under U.S. law as a relevant risk.
European Commission awards €180M sovereign cloud contract to four providers
The European Commission awarded a six-year, 180 million euro cloud framework contract to Post Telecom, StackIT, Scaleway, and Proximus. The deal allows EU institutions and affiliated agencies to procure sovereign cloud services aligned with security, transparency, technological openness, and limits on non-EU control.
Four European firms launch sovereign disaster recovery package
Four European technology companies unveiled a 'fully sovereign disaster recovery pack' at the European Data Summit in Berlin to help organizations reduce reliance on U.S. technology providers. The package combines storage, multi-cloud orchestration, networking, identity, and observability capabilities and was positioned as aligned with DORA, NIS2, and GDPR requirements.
Gaia-X shifts to operational 'Season 2' for production data spaces
At the 8th plenary session of the Gaia-X France Hub, Gaia-X said it was entering a more mature 'Season 2' phase, moving from subsidized pilot projects toward sustainable production use of data spaces. CEO Ulrich Ahle said Gaia-X was working with Université Dauphine on viable structures and business models, while the initiative emphasized sovereignty-focused cloud labeling and 2026 as a key year for consolidation and adoption.
European Commission backs local infrastructure with AI factory investments
The European Commission advanced investment in domestic digital infrastructure, including AI factories and gigafactories, to support regional cloud and AI sovereignty. Industrial participants such as Schwarz Group were identified as contributing to expanded European data center capacity.
Europe intensifies push for sovereign cloud alternatives to U.S. hyperscalers
European policymakers and industry groups renewed efforts to reduce dependence on U.S. cloud providers, citing geopolitical tensions and the dominance of Microsoft, Google, and AWS. Initiatives such as Gaia-X and EuroStack were highlighted as part of a broader digital sovereignty strategy.
AWS expands Dedicated Local Zones services for digital sovereignty use cases
AWS announced expanded capabilities for Dedicated Local Zones, including support for next-generation EC2 instances, advanced storage, and backup and recovery features. The update targeted public sector and regulated-industry customers seeking stronger data residency, compliance, and operational control.
GovTech Singapore becomes first AWS Dedicated Local Zones customer
GovTech Singapore adopted AWS Dedicated Local Zones to host confidential government data in customer-specified infrastructure, making it the first disclosed customer for the offering. The deployment was positioned to meet strict data residency, sovereignty, and security requirements.
European Commission launches Cloud III sovereign cloud tender
The European Commission launched a sovereign cloud services tender in October 2025 under its Cloud III Dynamic Purchasing System. The procurement was framed around the Commission’s Cloud Sovereignty Framework and aimed to diversify providers, improve resilience, and limit non-EU influence over services used by EU institutions.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
16 references tracked. Mallory keeps watching after this page renders.
EU New Tech Package May Restrict Microsoft, Amazon, and Google From Handling Public Sector Sensitive Data - gHacks Tech News
ghacks.net
Open sourceFrom Sovereignty to Control: A Clear-Eyed View of Canadian Cloud Policy | Reports & Briefings | Apr 27, 2026 | ITIF
itif.org
Open sourceNew framework allows EU firms to check if 'sovereign' cloud services are truly sovereign | IT Pro
itpro.com
Open sourceLa Commission européenne met 180 millions sur le cloud souverain, ...
zdnet.fr
Open sourceGaia-X et la " Saison 2 " des Data Spaces : objectif opérationnal ...
zdnet.fr
Open sourceMeet digital sovereignty needs with AWS Dedicated Local Zones expanded services
aws.amazon.com
Open sourceEurope's Quest for a Domestic Alternative to US Hyperscalers
govinfosecurity.com
Open sourceEurope's Quest for a Domestic Alternative to US Hyperscalers
bankinfosecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cloud Providers Expand European Data Sovereignty Offerings
Microsoft and Amazon Web Services (AWS) have announced significant enhancements to their cloud services aimed at addressing European data sovereignty and compliance requirements. Microsoft is introducing new features such as end-to-end AI data processing within Europe as part of the EU Data Boundary, in-country processing for Microsoft 365 Copilot interactions in select countries, and expanding Azure Local capabilities to support larger, more sovereign private clouds. These measures are designed to reassure European customers amid ongoing concerns about the reach of US laws like the CLOUD Act and shifting geopolitical dynamics, particularly following recent changes in US leadership. AWS has released a whitepaper detailing the design and objectives of its upcoming AWS European Sovereign Cloud, which will launch its first region in Brandenburg, Germany by the end of 2025. The new infrastructure will feature dedicated physical resources, logical isolation from other AWS regions, independent operational controls, and a distinct EU-based corporate governance structure. Both providers are responding to increasing demand from public sector and highly regulated industries in Europe for greater control over data residency, operational autonomy, and protection from extraterritorial legal requests.
Mar 21, 2026
AWS Launches EU Sovereign Cloud Amid European Data Sovereignty Concerns
Amazon Web Services announced the general availability of its **European Sovereign Cloud**, a physically and logically isolated cloud region designed to meet EU data residency and sovereignty requirements. The offering is operated within the EU by EU-resident staff under a new German parent company, with supporting systems such as **metadata, billing, and identity management** kept inside the EU; AWS said it will start with roughly **90 services** available from Germany and later expand via *Local Zones* in Belgium, the Netherlands, and Portugal, plus *Dedicated Local Zones* for single-tenant, highly sensitive workloads. The launch is positioned as a response to European customer concerns about exposure to **U.S. extraterritorial authorities** (e.g., the **CLOUD Act**) and broader geopolitical risk influencing cloud procurement decisions. Commentary in the accompanying opinion piece frames this as part of a wider “tech dependency” problem in which reliance on U.S.-based providers can become a geopolitical vulnerability, reinforcing why EU organizations are seeking stronger sovereignty controls and alternatives—even as some industry leaders remain skeptical that technical and legal measures (including AWS’s references to protections like the **Nitro System**) can fully eliminate foreign-jurisdiction risk.
Mar 21, 2026
EU Push for Digital Sovereignty and Reduced Reliance on US Technology
European policymakers and industry voices are intensifying a **digital sovereignty** push aimed at reducing reliance on non-EU technology and services, framing the issue as both a strategic and practical dependency problem. A G DATA commentary argues that “sovereignty” should be approached pragmatically—expanding options and reducing single-vendor or single-region dependencies through incremental changes rather than unrealistic “all-or-nothing” shifts (e.g., total withdrawal from online services or immediate replacement of global hardware supply chains). In the defense domain, reporting indicates the EU is planning a secure **military data-sharing** capability designed to avoid **U.S.-made technology**, driven in part by concerns about external control or “**kill switch**” risk and broader geopolitical uncertainty. The proposed *Defense Artificial Intelligence Data Space*—described as a sovereign military cloud to improve interoperability and data flows for AI-enabled and automated battlefield systems—is reportedly targeted to be operational by **2030**, aligning with earlier European Commission planning and the EU’s wider effort to build alternatives to U.S. hyperscalers for sensitive workloads.
Apr 10, 2026