Geopolitical
Digital Sovereignty in Practice: Building EU-Only Infrastructure
Simone Nogara
September 2024 · 10 min read
The post-Schrems II[1] regulatory landscape, combined with the extraterritorial reach of legislation such as the US CLOUD Act[2], has made digital sovereignty a strategic imperative for European organisations processing sensitive data. This article examines the practical steps required to build genuinely EU-only infrastructure—moving beyond compliance statements to architectural decisions that provide substantive protection against extraterritorial data access.
The Sovereignty Gap: Why Data Residency Is Not Enough
Many European organisations have responded to post-Schrems II uncertainty by selecting EU-based data centre regions from major cloud providers. While this addresses data residency—the physical location of stored data—it does not address data sovereignty: the question of which legal jurisdictions can compel access to that data regardless of where it is stored.
The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) illustrates this distinction. It permits US law enforcement agencies to compel US-headquartered technology companies to produce data in their possession, custody, or control, regardless of where that data is physically stored. A European organisation storing data in an EU data centre operated by a US-headquartered cloud provider remains subject to this extraterritorial reach. The data resides in the EU; sovereignty over that data does not.
For Private Equity firms and their portfolio companies—particularly those in regulated sectors such as financial services, healthcare, and critical infrastructure—this sovereignty gap represents both a compliance risk and a strategic vulnerability. Achieving genuine digital sovereignty requires architectural decisions that go beyond selecting a data centre location.
EU-Only Provider Selection Criteria
The foundation of EU-only infrastructure is the selection of service providers that are not subject to extraterritorial data access legislation. This requires assessment across multiple dimensions: the provider's corporate domicile and ultimate parent company jurisdiction, the location of the provider's operational staff who may access customer data, the provider's subprocessor chain and whether any subprocessor is subject to non-EU jurisdiction, and the provider's legal obligations under their home jurisdiction regarding government data access requests.
A genuinely EU-sovereign provider is one incorporated within an EU or EEA member state, with no parent company or controlling entity subject to non-EU jurisdiction, whose operational staff with access to customer data are located within the EU, and whose subprocessor chain does not include entities subject to extraterritorial access obligations. The European market now offers credible alternatives across infrastructure-as-a-service, platform services, and software-as-a-service categories, though feature parity with US hyperscaler offerings varies by service type.
Provider selection must be approached pragmatically. Not all workloads require the same level of sovereignty protection. A risk-based classification of data and processing activities allows organisations to direct EU-only provider requirements where they are most consequential—sensitive personal data, regulated data, intellectual property, and strategic business information—while accepting lower-sovereignty alternatives for commodity workloads where the risk profile does not justify the premium.
Contractual Safeguards and Legal Architecture
Technical architecture must be reinforced by contractual safeguards that create legal barriers to extraterritorial access. Service agreements should include explicit prohibitions on data access from outside the EU, contractual requirements for the provider to challenge any non-EU government data access request, notification obligations requiring the provider to inform the customer of any such request (to the extent legally permissible), and audit rights enabling the customer to verify compliance with sovereignty commitments.
The European Data Protection Board has provided guidance on supplementary measures to accompany standard contractual clauses, including technical measures such as encryption with customer-controlled keys, organisational measures such as access controls and personnel vetting, and contractual measures that reinforce sovereignty commitments. For organisations processing data subject to regulatory oversight—financial data under DORA[3], health data under GDPR[4] Article 9, classified government data—these supplementary measures are not optional but essential components of the compliance architecture.
Architectural Patterns for Sovereign Infrastructure
Building EU-only infrastructure requires deliberate architectural decisions at every layer of the technology stack. At the infrastructure layer, this means EU-sovereign compute, storage, and networking services, with encryption at rest and in transit using keys generated and held within EU jurisdiction rather than in the provider's own key management service. At the platform layer, container orchestration, database services, and middleware should be operated within EU boundaries, with no management plane access from non-EU locations.
At the application layer, software dependencies, update mechanisms, and telemetry must be assessed for sovereignty implications. An application running on EU infrastructure that transmits telemetry data to a US-headquartered software vendor creates a sovereignty leakage that undermines the architectural intent. Similarly, software update mechanisms that pull from non-EU repositories or that are controlled by non-EU entities represent supply chain sovereignty risks.
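The update-mechanism point above translates into a build-time control: every artefact a build pulls must come through a mirror the organisation operates, and every entry must carry an integrity hash so the mirror cannot substitute content undetected. The following Go program is an added example, not code from the original article. It parses a constructed package-lock.json (v3 layout) and flags packages whose resolved URL host is not on the approved list or that lack an integrity hash. The hostnames npm.mirror.example.eu and scm.example.eu are assumptions standing for EU-operated mirrors; the approved list itself is a policy decision. Note that the host only tells you where the build fetches from, not who controls the upstream project; that provenance question has to be answered separately when the mirror is populated.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"sort"
)

// Constructed sample package-lock.json. The hosts are illustrative assumptions:
// npm.mirror.example.eu and scm.example.eu stand for organisation-run EU mirrors.
const sampleLock = `{
  "name": "portal",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "portal", "version": "1.0.0" },
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://npm.mirror.example.eu/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-AAAA"
    },
    "node_modules/lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "integrity": "sha512-BBBB"
    },
    "node_modules/internal-lib": {
      "version": "2.0.0",
      "resolved": "git+ssh://git@scm.example.eu/platform/internal-lib.git#abcdef"
    }
  }
}`

type lockEntry struct {
	Version   string `json:"version"`
	Resolved  string `json:"resolved"`
	Integrity string `json:"integrity"`
}

type lockFile struct {
	Packages map[string]lockEntry `json:"packages"`
}

// Finding is one package that does not meet the sourcing policy.
type Finding struct {
	Package string
	Host    string
	Reason  string
}

// CheckLockfile returns every fetched package whose artefact does not come from
// an approved host, or that carries no integrity hash.
func CheckLockfile(data []byte, approvedHosts map[string]bool) ([]Finding, error) {
	var lf lockFile
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, fmt.Errorf("parse lockfile: %w", err)
	}
	var findings []Finding
	for name, e := range lf.Packages {
		if name == "" { // root project entry, nothing is fetched for it
			continue
		}
		if e.Resolved == "" {
			findings = append(findings, Finding{name, "", "no resolved URL recorded"})
			continue
		}
		u, err := url.Parse(e.Resolved)
		if err != nil || u.Hostname() == "" {
			findings = append(findings, Finding{name, "", "unparseable resolved URL"})
			continue
		}
		host := u.Hostname()
		if !approvedHosts[host] {
			findings = append(findings, Finding{name, host, "source host not on approved list"})
		}
		if e.Integrity == "" {
			findings = append(findings, Finding{name, host, "missing integrity hash"})
		}
	}
	// Deterministic order so the report is stable across runs and diffable in CI.
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].Package != findings[j].Package {
			return findings[i].Package < findings[j].Package
		}
		return findings[i].Reason < findings[j].Reason
	})
	return findings, nil
}

func main() {
	approved := map[string]bool{"npm.mirror.example.eu": true, "scm.example.eu": true}
	findings, err := CheckLockfile([]byte(sampleLock), approved)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-28s %-22s %s\n", f.Package, f.Host, f.Reason)
	}
	if len(findings) > 0 {
		fmt.Printf("%d finding(s): fail the build\n", len(findings))
	}
}
```

Run as a CI step that fails the build on any finding. On the sample, lodash is flagged for resolving to registry.npmjs.org and internal-lib for having no integrity hash; the same check applies to any lockfile format that records a resolved URL per dependency.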
The identity and access management layer deserves particular attention. If authentication and authorisation services are provided by a non-EU entity, that entity effectively controls access to the entire infrastructure. EU-sovereign identity solutions—whether self-hosted or provided by EU-domiciled service providers—are a foundational requirement for genuine sovereignty.
The CLOUD Act and Practical Mitigation
The US CLOUD Act applies to electronic communication service providers and remote computing service providers subject to US jurisdiction. Its practical impact extends to any entity that uses services from US-headquartered providers for the storage or processing of data. The Act's extraterritorial reach has been the subject of extensive legal analysis and political debate within the European Union, and remains a fundamental tension in transatlantic data governance.
Practical mitigation strategies include: where US-headquartered provider services are used, implementing customer-managed encryption that renders data inaccessible to the provider, which holds only if the keys are generated and held outside the provider's reach (a key stored in the provider's own key management service remains in its possession, custody, or control) and only for data the provider stores rather than processes in plaintext; structuring contracts through EU subsidiaries where legally defensible, bearing in mind that data held by a subsidiary of a US parent may still be treated as within the parent's control; maintaining data processing inventories that identify all touchpoints with US-jurisdictional entities; and developing contingency plans for provider transition should the regulatory environment change. The most robust mitigation remains the use of EU-sovereign providers for the most sensitive data and processing activities.
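The customer-managed encryption referred to here and in the supplementary-measures discussion above is usually implemented as envelope encryption: each record is encrypted under a fresh data key, and only the wrapped data key travels with the ciphertext, so the storage provider holds nothing it can open. The Go program below is an added example, not code from the article. The KeyHolder type is a stand-in for a KMS or HSM operated under EU jurisdiction, and its AES-GCM wrap of the data key stands in for that service's encrypt/decrypt call; the sample record is constructed. In production the wrapping key never leaves the HSM, and the provider's own KMS does not satisfy this requirement because the provider controls it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is everything the storage provider receives: ciphertext plus a
// data key wrapped under a key the provider never holds.
type Envelope struct {
	WrappedDEK []byte // DEK encrypted under the customer's key-encryption key
	Ciphertext []byte // nonce || AES-GCM ciphertext of the record
}

// KeyHolder stands in for a KMS or HSM under EU control (assumption for this
// example). Only Wrap/Unwrap cross its boundary; the KEK itself never leaves.
type KeyHolder struct{ kek []byte }

func NewKeyHolder() (*KeyHolder, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KeyHolder{kek: k}, nil
}

// gcmSeal returns nonce || ciphertext under AES-256-GCM with a random nonce.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// gcmOpen reverses gcmSeal; any tampering fails authentication.
func gcmOpen(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

func (h *KeyHolder) Wrap(dek []byte) ([]byte, error)       { return gcmSeal(h.kek, dek) }
func (h *KeyHolder) Unwrap(wrapped []byte) ([]byte, error) { return gcmOpen(h.kek, wrapped) }

// Encrypt generates a fresh DEK per record, seals the record with it, and
// hands the DEK to the key holder for wrapping. The DEK is then discarded.
func Encrypt(h *KeyHolder, record []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, record)
	if err != nil {
		return nil, err
	}
	wrapped, err := h.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt is the customer-side path after retrieving the envelope from the provider.
func Decrypt(h *KeyHolder, env *Envelope) ([]byte, error) {
	dek, err := h.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.Ciphertext)
}

func main() {
	holder, _ := NewKeyHolder()
	env, _ := Encrypt(holder, []byte("patient 4711: HbA1c 6.2%")) // constructed sample record
	fmt.Printf("provider stores %d ciphertext bytes and a %d-byte wrapped key\n", len(env.Ciphertext), len(env.WrappedDEK))
	pt, _ := Decrypt(holder, env)
	fmt.Printf("customer recovers: %s\n", pt)
	if _, err := Decrypt(&KeyHolder{kek: make([]byte, 32)}, env); err != nil {
		fmt.Println("party without the KEK cannot decrypt:", err)
	}
}
```

The provider sees only Envelope; a party without the KEK, including the provider, fails at the unwrap step, and any modification of the stored ciphertext fails GCM authentication. A per-record DEK also keeps key rotation cheap: re-wrapping the DEKs under a new KEK does not require re-encrypting the data.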
Strategic Implications for Institutional Investors
Digital sovereignty is increasingly a factor in investment decision-making. Portfolio companies that depend entirely on US-headquartered cloud providers face regulatory, operational, and geopolitical risk that should be assessed during due diligence. The ability of a portfolio company to demonstrate genuine data sovereignty—or to articulate a credible roadmap toward it—is becoming material to valuation, particularly for entities in regulated sectors or those serving government clients.
For PE firms, the recommendation is to integrate digital sovereignty assessment into the cyber due diligence framework, to support portfolio companies in developing sovereignty roadmaps aligned with their risk profiles and regulatory obligations, and to consider sovereignty posture as a value creation lever—particularly in preparation for exit processes where buyers increasingly scrutinise data governance architecture. The cost of building EU-only infrastructure is an investment in regulatory resilience and strategic autonomy that the current geopolitical environment makes increasingly prudent.