European defence organisations that rely on US cloud hyperscalers — Amazon Web Services, Microsoft Azure, Google Cloud Platform — face a sovereignty risk that has been largely theoretical until recently: the ability of the US government to compel those providers to disclose data stored by foreign governments and militaries, or to restrict service access under US export control or sanctions regimes.
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) allows US federal law enforcement to compel US-headquartered cloud providers to produce data stored anywhere in the world, regardless of local data protection laws. For European defence data — even unclassified operational data — this creates a legal pathway for US government access that is incompatible with data sovereignty requirements. The risk is not theoretical: EU court systems have repeatedly questioned the legal basis for EU-US data transfers precisely because of CLOUD Act exposure.
The Sovereignty Problem for European Defence
The sovereignty concern for European defence organisations operating on US hyperscaler infrastructure has three dimensions: compelled disclosure (CLOUD Act and similar legal instruments allow US government access to data), unilateral service restrictions (sanctions regimes or political decisions could result in US providers restricting or terminating service to specific European entities), and technology dependence (deep technical integration with proprietary US cloud services creates switching costs and strategic dependencies that are geopolitically problematic for defence organisations).
The first dimension is legal and permanent — it is inherent in the US corporate structure of hyperscaler providers and cannot be mitigated by contractual data residency clauses alone. The second dimension is currently hypothetical for European allies, but the geopolitical environment has shifted enough that defence organisations responsible for long-lived infrastructure decisions must consider scenarios where US-EU political relations deteriorate. The third dimension is manageable through deliberate architectural choices but requires discipline from the start.
EU Sovereign Cloud Landscape
OVHcloud with SecNumCloud certification is the leading French cloud provider with ANSSI's highest cloud security certification (SecNumCloud, qualifié niveau élevé). SecNumCloud requires that the provider be controlled by EU entities, that data processing remain under European legal jurisdiction, and that the provider's infrastructure and operations be auditable by French/EU authorities. OVHcloud operates data centers across Europe and provides IaaS, PaaS, and managed Kubernetes services. Its SecNumCloud certification makes it the most credible EU-sovereign option for French defence and government workloads, and increasingly for EU-wide defence programmes that prioritize sovereignty.
DELOS Cloud (T-Systems/Deutsche Telekom partnership with Microsoft) is a German sovereignty cloud offering that runs Azure services on infrastructure owned and operated by T-Systems (a Deutsche Telekom subsidiary) under German law, with a technical trustee arrangement designed to prevent US-government CLOUD Act access. The DELOS model allows access to Microsoft's cloud service portfolio — including Entra ID, Azure Kubernetes Service, and Azure Monitor — while addressing the data sovereignty concern through the trustee structure. BSI (Bundesamt für Sicherheit in der Informationstechnik) has been involved in the security assessment of the DELOS architecture.
Hetzner and IONOS are German cloud providers offering straightforward EU-jurisdiction IaaS without US corporate parent structures. They lack the breadth of managed services of the major hyperscalers and do not have the depth of security certification of OVHcloud SecNumCloud or DELOS, but for defence workloads with modest cloud service requirements and strong sovereignty constraints, they provide a clean legal posture. Both hold ISO 27001 certification and are pursuing additional EU certification schemes.
GAIA-X: What It Actually Delivers
GAIA-X, launched in 2019 as a Franco-German initiative and expanded to a broader EU effort, aims to create a federated, interoperable European cloud infrastructure ecosystem. It is important to be precise about what GAIA-X is and is not.
GAIA-X is not a cloud provider — it does not operate computing infrastructure. It is a governance and standards framework: a set of specifications for how cloud providers and data services can register their offerings, certify their compliance with data governance requirements, and participate in a federated marketplace. The GAIA-X Trust Framework defines requirements for data sovereignty, portability, transparency, and interoperability that providers must meet to display GAIA-X compliance labels.
For defence procurement, GAIA-X compliance is an indicator — not a guarantee — of EU-aligned sovereignty posture. A provider that has achieved GAIA-X compliance has submitted to a defined governance framework, but GAIA-X compliance does not substitute for national security certifications such as SecNumCloud or BSI C5. Defence organisations should treat GAIA-X status as one data point in a broader supplier assessment, not as a sufficient qualification criterion on its own.
EUCS: European Cybersecurity Certification Scheme for Cloud
The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is being developed by ENISA (European Union Agency for Cybersecurity) under the EU Cybersecurity Act. EUCS will create a harmonized cloud security certification scheme across EU member states, replacing the current patchwork of national certifications (France's SecNumCloud, Germany's C5, etc.).
EUCS defines three assurance levels: Basic, Substantial, and High. The High assurance level is the one relevant for defence workloads: it requires EU legal control of the provider, data processing restricted to the EU, technical and organizational measures preventing non-EU government access, and audit by a conformity assessment body accredited by an EU member state national accreditation body.
EUCS High is still being finalized as of 2026, with ongoing political debate about whether US hyperscalers with EU-based subsidiaries should be eligible for the High assurance level. For European defence organisations, the practical guidance is: favour providers that currently hold national High assurance certifications (SecNumCloud qualifié élevé, BSI C5 with sovereignty attestation) and will be well-positioned for EUCS High certification when it is finalized.
Selection Criteria for EU Defence
Selecting a cloud provider for EU defence workloads requires evaluation across five criteria: jurisdiction (the provider must be controlled by EU entities with no legally effective foreign government access pathway); data residency (data must remain within EU territory, contractually and technically enforceable); encryption key control (the defence organisation must retain sole control of encryption keys, preventing provider access to data contents even if compelled); audit rights (the defence organisation must be able to audit the provider's infrastructure, operations, and access logs independently or through an accredited third party); and security certification (the provider must hold a relevant national or EU certification at an appropriate assurance level for the classification of the workload).
Encryption key control is particularly important and often underspecified in procurement. A provider that stores data encrypted with keys the provider controls offers no meaningful protection against compelled disclosure — decrypting the data is trivial for the provider under legal compulsion. The defence organisation must operate its own HSM (Hardware Security Module) or use a customer-managed key service where the provider provably cannot access the keys, and must verify through technical and legal review that this architecture is actually enforced end-to-end.
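The key-control requirement above can be made concrete with client-side envelope encryption, shown here as an added example (not code from the page or from any provider it names). Each object gets its own data-encryption key (DEK); the DEK is wrapped under a key-encryption key (KEK) that the defence organisation holds, and only ciphertext plus the wrapped DEK is ever handed to the provider. `CustomerKEK` is a hypothetical in-memory stand-in for an HSM-resident key; in a real deployment the KEK never leaves the HSM and wrap/unwrap are HSM operations. The object ID and contents are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// StoredObject is everything the provider ever receives for one object:
// ciphertext, nonces and the data key wrapped under the customer's KEK.
// Neither the plaintext nor the raw data key is present.
type StoredObject struct {
	ObjectID   string
	Nonce      []byte // data-encryption nonce
	Ciphertext []byte
	WrapNonce  []byte // key-wrap nonce
	WrappedDEK []byte
}

// CustomerKEK is a hypothetical stand-in for the key-encryption key held in
// the defence organisation's own HSM (a real KEK never leaves the HSM).
type CustomerKEK struct{ key []byte }

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

// NewCustomerKEK generates a fresh 256-bit KEK.
func NewCustomerKEK() (*CustomerKEK, error) {
	k, err := randomBytes(32)
	return &CustomerKEK{key: k}, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	if nonce, err = randomBytes(aead.NonceSize()); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptForUpload runs on the customer side before upload: a per-object DEK
// encrypts the data, then the DEK is wrapped under the customer KEK with the
// object ID as associated data so a wrapped key cannot be moved between objects.
func EncryptForUpload(kek *CustomerKEK, objectID string, plaintext []byte) (*StoredObject, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek.key, dek, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &StoredObject{ObjectID: objectID, Nonce: nonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedDEK: wrapped}, nil
}

// Decrypt unwraps the DEK with the customer KEK and then decrypts the data.
// Whoever lacks the KEK (the provider, even under a disclosure order) fails at
// the unwrap step and recovers nothing.
func Decrypt(kek *CustomerKEK, obj *StoredObject) ([]byte, error) {
	dek, err := open(kek.key, obj.WrapNonce, obj.WrappedDEK, []byte(obj.ObjectID))
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed (wrong KEK or tampered object): %w", err)
	}
	pt, err := open(dek, obj.Nonce, obj.Ciphertext, []byte(obj.ObjectID))
	if err != nil {
		return nil, fmt.Errorf("data authentication failed: %w", err)
	}
	return pt, nil
}
```

The verification step the paragraph calls for maps onto this structure: review what the provider actually stores (here, only the fields of `StoredObject`), confirm the KEK lives exclusively in customer-controlled hardware, and confirm that any provider-side key service the architecture uses cannot perform the unwrap on its own. The AEAD binding of the wrapped DEK to the object ID is a small extra guard against a stored key being re-attached to a different object.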
Key insight: The EU sovereign cloud market is maturing but remains significantly behind US hyperscalers in service breadth, performance, and managed service ecosystem. European defence organisations that choose EU-sovereign providers for sovereignty reasons will face higher operational costs and reduced service availability for some workload types. This is a deliberate, justified trade-off — but it must be acknowledged explicitly in programme planning and budgeting, rather than discovered as a surprise during deployment.