Sovereignty washing: Microsoft’s Sovereign Cloud and Europe’s quest for digital sovereignty

In an attempt to honour its ‘digital assurances’ for Europe, Microsoft has now released distinct sovereign cloud services. As well as launching a new Sovereign Private Cloud, it intends to further expand the Sovereign Public Cloud and is also working with local providers on national partner clouds. This once again brings the topic of digital sovereignty to the forefront, with the sovereign cloud touted as the antidote to growing concerns around US hyperscalers.

However, it remains to be seen whether these assurances are anything more than window dressing. The irony inherent in the Microsoft Sovereign Cloud has not been lost on critics: a US company that has trapped European users into license chains, cloud lock-ins and proprietary services is now purporting to be a guarantor of European independence, opening itself up to accusations of sovereignty washing.

The Microsoft Sovereign Cloud – assurances, programs, boundaries
In June 2025, Microsoft announced its sovereign cloud for Europe with great fanfare. The company is promising that all customer data will remain within EU borders, that encryption keys will be exclusively managed by customers, and that its ‘Data Guardian’ program will ensure that full administrator rights can only be granted to staff residing in Europe. In addition, Microsoft 365 Local, the Sovereign Private Cloud and air-gapped scenarios are intended to ensure that sensitive government workloads can be managed without requiring a connection to the global Azure environment.

This package is Microsoft’s response to an increasing loss of trust in US hyperscalers among public bodies and businesses following the introduction of the US CLOUD Act, the uncertain legal situation in the wake of the Schrems II ruling and geopolitical tensions. Programs such as Data Guardian and the EU Data Boundary project that was completed in February 2025 are specifically designed to address these concerns, based on an assumption that a sovereign cloud and digital sovereignty can be achieved by implementing technical and organisational measures that do not diminish the convenience of modern cloud operating models.

Sovereignty washing and digital sovereignty: who controls what?
At first glance, the Sovereign Cloud appears to meet long-standing demands for digital sovereignty. Yet the fact remains that the software company retains control in key areas, and it is precisely this that gives rise to the accusation of sovereignty washing. Critics are sceptical as to whether setting up a local subsidiary, spinning off a distinct business segment or only granting administrator rights to European staff will ultimately shift the underlying balance of power so long as the foreign parent company is the one in charge of making the rules, updates and core services. Thus a number of key questions that lie at the heart of the notion of sovereignty remain unanswered: who is responsible for the source code? Who determines update intervals? Who decides on pricing models and the functionalities included? And who is ultimately responsible for the future development of services? Simply labelling a product as ‘EU’ does not automatically result in a transfer of decision-making power. Products such as Microsoft 365 Local also raise a number of additional questions in this regard. Since on-premises (perpetual) products are available on local infrastructure anyway, why not focus on this as an avenue for boosting sovereignty instead of presenting customers with a ‘local’ variant of subscription and cloud products and touting it as a new solution? The debate around the Microsoft Sovereign Cloud and the concept of sovereign clouds in general is thus closely linked to the question of how digital sovereignty can actually be achieved in practice, rather than just being ‘assured’.

Another reason for the fierce criticism is that Europe’s own solutions have been rather piecemeal to date. Projects like Gaia-X and initiatives launched by Deutsche Telekom (T-Systems), SAP, IONOS and OVH were unable to come up with a satisfactory common platform, and collaborations with hyperscalers have repeatedly been resorted to out of convenience. In June 2025, Reuters reported that Telekom, IONOS and Schwarz would not be submitting bids for new EU programmes as a consortium after they proved unable to agree on a common concept and would instead be submitting separate bids. This is indicative of the structural deficit that is making digital sovereignty an increasingly relevant issue.

What’s more, another race to obtain the sovereign seal of approval is also taking place at Amazon Web Services (AWS) and Google. In June 2025, AWS announced a ‘European Sovereign Cloud’, and back in 2024 Google was awarded a high-security cloud contract by the German military. There is thus a growing trend towards certification and assurances; but the feeling of unease remains. In these cases, too, Europe rarely has total sovereignty, since technology updates and core services still originate from the USA – even if providers commit to appealing against requests to access data.

The European alternative for public bodies and businesses
However, there is an often-underestimated alternative: the European Court of Justice ruling of 3 July 2012, which confirmed that perpetual software licenses may be sold on without restriction after initial purchase. This has led to the creation of a market in second-hand licenses where identical products can be purchased at a lower price, and to an obligation for used licenses to be considered in public calls for tender. Particularly in cases where older versions of software are required for compatibility reasons, public bodies can opt for exactly the version they need rather than purchasing expensive new licenses and then having to carry out a downgrade. This does not mean that cloud computing is to be ruled out; but there does need to be a plan B. Hybrid and multi-cloud strategies, using on-premise licenses as leverage in negotiations, perpetual licenses and open-source software are all elements that create freedom of choice and prevent ‘IT monocultures’. After all, digital sovereignty is measured by the availability of alternative options. For public bodies, this means ensuring sovereignty by maintaining their ability to change providers while retaining existing data and software, and by diversifying in order to reduce dependencies, instead of relying on labels like ‘sovereign cloud’.

In summary, this will be a crucial test for Europe; and it should be acknowledged that Microsoft’s charm offensive is a double-edged sword. The Microsoft Sovereign Cloud may help in the short term but could ultimately result in dependencies being locked in if Europe is too slow to strengthen competencies, local providers and legal frameworks. Digital sovereignty is therefore reliant on finding answers to tough questions relating to infrastructure, code and access rights. As long as these issues remain unresolved, any assurances about a sovereign cloud could be regarded as nothing more than sovereignty washing.