Quick Take
- “Sovereign cloud” often means data residency, not real control
- Most providers are still subject to foreign legal access (e.g., CLOUD Act)
- Real sovereignty requires control over data, infrastructure, and encryption – not just location
- If providers control encryption keys, they may retain the technical ability to access customer data.
- The real shift is from where data sits to who can access it and how access is prevented
- Duality solves this gap by enabling cryptographically enforced sovereignty
- Data stays encrypted even during computation
- Providers never access plaintext or keys
- Enables secure cross-border collaboration without exposing sensitive data
- Sovereign cloud requirements are increasingly complex, requiring organizations to balance innovation, regulatory obligations, jurisdictional risk, and operational efficiency.
- Bottom line: true sovereign cloud is not a deployment model – it’s a cryptographic control model
Quick Definition: A sovereign cloud is a cloud computing environment designed to align data, infrastructure, and operational controls with a defined jurisdiction and governance framework, with the aim of reducing exposure to foreign legal access and unauthorized access, regardless of where the servers physically sit.
Sovereign cloud has become a strategic priority for governments, critical infrastructure operators, healthcare systems, financial institutions, and other highly regulated sectors.
As organizations accelerate cloud adoption and deploy increasingly sensitive workloads, regulatory expectations around data governance, security, and control continue to grow.
Decisions about cloud architecture now carry implications that extend beyond technology into compliance, risk management, and national policy.
This article examines what sovereign cloud is, why many sovereign cloud offerings fall short, and what organizations should evaluate before making sovereignty-dependent decisions.
What Makes a Cloud Truly Sovereign?
Many sovereign cloud definitions emphasize data residency, but in practice requirements vary depending on regulatory, operational, and jurisdictional constraints. That framing is often incomplete for regulated organizations operating across multiple jurisdictions.
Real cloud sovereignty operates across three dimensions:
- Data sovereignty means your data is governed by the laws of its origin, not a foreign jurisdiction. A US company’s EU server is still subject to US legal compulsion, regardless of geography.
- Operational sovereignty means you control who operates the infrastructure and under which legal framework. Contractual promises between you and a provider do not override national law when a government compels disclosure.
- Digital sovereignty means you govern your own digital assets, AI models, and software supply chain. Vendor-managed encryption keys are not your keys.
A sovereign cloud must satisfy all three. Most commercial offerings satisfy one, sometimes two. That gap is where regulatory exposure lives.
| Dimension | What it means | Where most providers fall short |
|---|---|---|
| Data sovereignty | Data governed by origin jurisdiction, not provider’s home country | US providers hold legal obligations that override EU storage location |
| Operational sovereignty | Local entity controls infrastructure with no foreign parent access | Parent company staff often retain admin access |
| Digital sovereignty | Customer controls encryption keys, not the provider | BYOK still routes keys through provider infrastructure |
Why Does Sovereign Cloud Matter So Much Right Now?
Over the past several years, sovereign cloud has evolved from a niche compliance concern into a strategic priority for governments and regulated industries. The combination of stricter data protection requirements, increasing geopolitical tensions, and growing reliance on cloud infrastructure has forced organizations to examine who ultimately controls access to their data.
The debate intensified in 2025 when major cloud providers publicly acknowledged the limits of sovereignty guarantees. In June 2025, Microsoft France confirmed during a French Senate hearing under oath that it could not guarantee European data would never be accessed by US authorities, even when stored in France under a sovereign cloud offering.
The regulatory environment evolved in parallel. GDPR enforcement continued to expand, the EU Data Act introduced new obligations around cloud portability and unlawful third-country access, and European regulators maintained scrutiny of cross-border data transfers.
How the CLOUD Act Impacts Data Sovereignty
The CLOUD Act, signed into US law in 2018, amended the Stored Communications Act to allow US law enforcement agencies to compel US-based technology companies to provide access to data stored on servers anywhere in the world.
For organizations evaluating sovereign cloud solutions, the implication is significant. If a cloud provider is incorporated or headquartered in the United States, the CLOUD Act may apply regardless of where customer data is physically stored.
AWS, Microsoft Azure, Google Cloud, Oracle Cloud, and IBM Cloud all remain subject to US legal jurisdiction. A European data center, local data residency, or a sovereign cloud label does not change that underlying legal reality.
This creates a challenge for organizations operating under regulations such as GDPR. On one hand, they are expected to protect personal data from unauthorized access and comply with strict data protection requirements.
On the other, their cloud provider may be subject to legal obligations that extend beyond the jurisdiction where the data is stored.
This is why discussions about sovereign cloud frequently focus on the relationship between the CLOUD Act and GDPR. The question is no longer where data resides, but who can ultimately access it and under what legal authority.
Contractual commitments and compliance certifications can help reduce risk, but they do not eliminate the jurisdictional issue. Meaningful cloud sovereignty depends on technical controls that prevent providers from accessing sensitive data, even if they receive a legal request.
This is where encryption architecture becomes critical. If a cloud provider does not possess the encryption keys needed to decrypt customer data, access to the underlying information becomes significantly more limited.
As a result, modern sovereign cloud architectures increasingly focus on customer-controlled encryption, confidential computing, and privacy-enhancing technologies (PETs) that minimize provider access to plaintext data.
For a detailed breakdown of how encryption key architecture maps to GDPR obligations, see Duality’s guide on data sovereignty under GDPR.
What Are the Core Requirements for True Sovereign Cloud?
When you strip away marketing language and look at what regulators, auditors, and security architects actually require, sovereign cloud comes down to four non-negotiable properties.
Customer-Controlled Encryption Keys
- Vendor-managed encryption means the provider holds the keys and can technically comply with a legal order to decrypt your data.
- Bring Your Own Key (BYOK) models move in the right direction but often still route keys through provider-managed infrastructure at some point in the process.
- Hold Your Own Key (HYOK) architectures and hardware security modules maintained entirely outside the provider’s control plane are the strongest positions available today.
Genuinely Local Operational Control
Who has administrative access to the infrastructure matters as much as where it is located. If a US-based parent company’s staff can log into systems holding your data, the sovereignty claim is structurally weakened regardless of the contract terms.
Genuine sovereign cloud infrastructure requires that the entity holding access rights is not subject to foreign legal compulsion.
Cryptographic Separation of Storage and Access
The most robust sovereign cloud architectures do not rely on geography at all. They use cryptographic controls that make data mathematically inaccessible to anyone without the correct keys, including the provider.
This is the property that privacy-enhancing technologies deliver, and it extends sovereignty from storage into active computation.
Alignment with Cross-Border Legal Frameworks
The EU Data Act’s Chapter VII and GDPR Chapter V together establish that EU-stored data is protected from unlawful non-EU government access.
These provisions directly conflict with US CLOUD Act disclosure requirements. Any sovereign cloud provider that cannot clearly explain how they navigate that conflict is not ready to serve regulated industries.
Sovereign Cloud vs Public Cloud: What Actually Differs?
- Public cloud is built for efficiency, scale, and multi-tenant economics. Data may be co-mingled across customers, managed by vendor tooling, and subject to the provider’s full legal obligations in their home country. It is optimized for cost and convenience, not jurisdictional independence.
- Sovereign cloud, at minimum, introduces controls around residency, access rights, and local legal compliance. In practice, sovereign cloud products from major US hyperscalers are most often layered controls on top of the same public cloud infrastructure, not architecturally separate environments.
The test question is simple: can your provider guarantee, through a technical explanation rather than a contract, that no foreign authority can compel access to your data? If they cannot, you have a public cloud with a sovereignty label.
Genuine sovereign cloud infrastructure typically involves one or more of the following: EU-only legal entities with no US parent company access; air-gapped deployments isolated from global networks; cryptographic key management held entirely outside the provider’s control; privacy-enhancing technologies that make data computationally inaccessible during processing.
Duality’s approach to sovereign data and AI collaboration is built on the principle that sovereignty must extend into computation, not just storage.
How Do Privacy-Enhancing Technologies Enable Sovereign Cloud Collaboration?
The most common objection to strong sovereign cloud requirements is that they prevent useful collaboration. If data cannot leave its jurisdiction, how do organizations share insights, train models, or run joint analytics with partners in other countries?
Privacy-enhancing technologies dissolve that tradeoff. They allow organizations to compute on data without ever exposing the underlying records, which means sovereignty can be maintained during active use, not just at rest.
The core technologies are:
- Fully Homomorphic Encryption (FHE) performs computation directly on encrypted data. Results come back encrypted. The party running the computation never sees plaintext at any point.
- Federated Learning trains AI models where the data already lives. Only model updates cross organizational or national boundaries, never raw records. This is how a hospital in the UK and a research institution in the US can collaborate on a cancer detection model without either party’s patient records ever leaving their jurisdiction.
- Confidential Computing uses Trusted Execution Environments to create secure processing enclaves where even the hardware operator cannot inspect what is being computed.
- Secure Multi-Party Computation allows multiple parties to jointly compute results over their combined datasets without any party seeing the others’ raw data. Two banks can train a shared fraud detection model. Two defense agencies can run joint intelligence analysis. Neither sees the other’s underlying records.
Together, these technologies support what is increasingly called sovereign AI: the ability to run AI workloads on sensitive, distributed data while maintaining full jurisdictional control.
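To make the "compute on encrypted data" property from the list above concrete, here is an added example (not Duality's code or product API): a toy Paillier scheme, which is only additively homomorphic and therefore a simpler relative of FHE, not FHE itself. The primes are constructed toy values and all function names are hypothetical; the point is that the provider-side function works with the public key and ciphertexts only.

```python
# Added example: toy Paillier (additively homomorphic, NOT full FHE).
import math
import secrets

# Constructed toy primes (two Mersenne primes); far too small and
# structured for real use. Real deployments use vetted libraries.
P, Q = 2**61 - 1, 2**89 - 1


def keygen(p=P, q=Q):
    """Customer side: returns (public n, private (lam, mu))."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)  # valid because the generator is g = n + 1
    return n, (lam, mu)


def encrypt(n, m):
    """Public-key encryption; the random r makes every ciphertext differ."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + m * n) % n2 * pow(r, n, n2) % n2


def decrypt(n, priv, c):
    """Customer side only: needs the private (lam, mu)."""
    lam, mu = priv
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n


def provider_weighted_sum(n, ciphertexts, weights):
    """Provider side: sees n and ciphertexts, never lam/mu or plaintext.
    Enc(a) * Enc(b) = Enc(a + b) and Enc(a) ** k = Enc(k * a)."""
    n2 = n * n
    acc = encrypt(n, 0)
    for c, w in zip(ciphertexts, weights):
        acc = acc * pow(c, w, n2) % n2
    return acc  # still encrypted


def demo():
    n, priv = keygen()            # private key never leaves the customer
    balances = [1200, 50, 73000]  # constructed sample records
    weights = [1, 10, 2]          # public coefficients chosen by the provider
    uploaded = [encrypt(n, b) for b in balances]
    result_ct = provider_weighted_sum(n, uploaded, weights)
    return decrypt(n, priv, result_ct)
```

Multiplying two encrypted values together is outside what Paillier can do; that is the step that requires a fully homomorphic scheme.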
Read Duality’s full explanation of sovereign AI and why it matters for regulated industries.
What Are the Real Challenges of Sovereign Cloud?
Sovereign cloud is not without genuine difficulties, and honest coverage of the topic requires acknowledging them.
- Cost and complexity are higher. Dedicated sovereign cloud infrastructure costs more than shared public cloud. Organizations that need genuine operational sovereignty often require separate legal entities, local staff, and independent audit frameworks. That overhead is real.
- Innovation velocity is slower. Hyperscalers invest hundreds of billions annually in new capabilities. Sovereign cloud environments, whether self-built or third-party, rarely match that pace. Organizations accepting sovereign cloud constraints accept some lag in access to cutting-edge features.
- The label is unregulated. There is no universal certification standard for sovereign cloud. Any provider can apply the term to any product. This makes procurement genuinely difficult. The only reliable test is technical: can the provider demonstrate cryptographic controls that make legal compulsion moot?
- Self-built sovereign cloud carries its own risks. Building entirely sovereign infrastructure eliminates third-party legal exposure but requires deep engineering capability, significant capital, and sustained operational investment. For most organizations outside national security, a hybrid approach that combines sovereign controls for the most sensitive workloads with PET-based collaboration for everything else is more realistic.
How Can Duality Help You Achieve Real Sovereignty Without Sacrificing Collaboration?
Most sovereign cloud offerings give you a location. Duality gives you control over computation, not just storage.
Duality’s platform is built on privacy-enhancing technologies that allow you to run analytics and train AI models on sensitive, distributed data without ever moving or exposing it.
Encryption keys are generated as ephemeral, post-quantum-secure keys within attested Trusted Execution Environments, with no persistent storage in the cloud and no dependency on the provider’s control plane. This moves sovereignty from contractual promises to cryptographic and technical controls that reduce reliance on provider access.
Organizations across defense, healthcare, and financial services already use Duality to collaborate across sensitive data without exposing it, to deploy sovereign AI on regulated workloads, and to stay compliant across jurisdictions without sacrificing the analytical capabilities they need.
Duality’s recent partnership with Red Hat extends this capability to governments and enterprises building sovereign AI infrastructure on open hybrid cloud.