“Don't worry, it's hosted in Europe” has become the reflex reassurance for any data question. It sounds decisive. It often isn't. EU hosting and GDPR compliance answer one question; sovereignty answers a different one. Confusing them is how businesses end up surprised about who can reach their data.
Two different questions
GDPR governs how personal data is handled: lawful basis, consent, retention, the rights of the people the data is about. A US hyperscaler with an EU region can be entirely GDPR-compliant. That is a real and worthwhile standard — but it is about data protection, not jurisdiction.
Sovereignty asks a blunter question: which laws, and which governments, can compel access to this data? That depends far less on where the bytes sit and far more on who controls the company holding them.
Why “EU-hosted” can still mean foreign reach
When the provider is a US corporation, two pieces of US law reach across the Atlantic regardless of the datacentre's postcode:
- The CLOUD Act, which compels US-based providers to produce data they control, wherever it is stored.
- FISA Section 702, the surveillance authority at the heart of the Schrems II ruling that struck down Privacy Shield.
This is not a hypothetical or an anti-American point — it is simply how extraterritorial law works. An EU region operated by a US parent reduces some risks and addresses GDPR residency. It does not remove the foreign legal reach, because the parent company is still subject to its home jurisdiction.
What sovereignty actually requires
Genuine data sovereignty has less to do with a flag on a map and more to do with control:
- A provider incorporated and operated under the law of a jurisdiction you trust — not a subsidiary of one that isn't.
- Infrastructure you hold the contract to, with the ability to move providers.
- Control of your own encryption keys, so access is your decision, not a default.
- Documentation and exit paths, so there is no lock-in dressed up as a feature.
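To make the key-control point concrete, here is an added example (written for this edit, not the author's code or any provider's product) of client-side envelope encryption in Go using only the standard library. Each object is encrypted under a random data key; the data key is wrapped under a key-encryption key (KEK) that never leaves the customer; the provider stores only the envelope. The KEK, the sample record and the function names are assumptions for the example. Whatever the provider can be compelled to hand over is ciphertext plus a wrapped key, and rotating the KEK rewraps the data key without touching the object, which is also what lets the stored ciphertext move to another provider unchanged.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is everything the hosting provider holds for one object.
// Both fields are AES-256-GCM blobs with the nonce prepended.
type Envelope struct {
	WrappedDEK []byte // per-object data key, encrypted under the customer-held KEK
	Ciphertext []byte // the object itself, encrypted under the data key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects anything but 16/24/32-byte keys
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce, returning nonce||ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// open reverses seal; a wrong key fails the GCM tag check and returns an error.
func open(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// EncryptForUpload runs on the customer side. kek is the 32-byte key-encryption
// key the customer controls (HSM, on-prem KMS, or a key file the provider cannot
// reach). Only the returned Envelope is sent to the provider.
func EncryptForUpload(kek, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32) // one random data key per object
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptAfterDownload unwraps the data key with the KEK, then opens the object.
// Without the KEK this fails at the first step, which is the whole point.
func DecryptAfterDownload(kek []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, env.Ciphertext)
}

// RewrapDEK rotates the KEK: the data key is unwrapped with the old KEK and
// wrapped with the new one; the object ciphertext is reused unchanged.
func RewrapDEK(oldKEK, newKEK []byte, env Envelope) (Envelope, error) {
	dek, err := open(oldKEK, env.WrappedDEK)
	if err != nil {
		return Envelope{}, fmt.Errorf("unwrap data key: %w", err)
	}
	wrapped, err := seal(newKEK, dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, nil
}

func main() {
	kek := make([]byte, 32) // constructed sample KEK; in practice generated in the customer's HSM/KMS
	rand.Read(kek)
	record := []byte("constructed sample record: payroll export") // constructed sample data
	env, err := EncryptForUpload(kek, record)
	if err != nil {
		panic(err)
	}
	// What the provider can hand over to anyone: only these two blobs.
	fmt.Printf("provider holds %d bytes wrapped key + %d bytes ciphertext\n", len(env.WrappedDEK), len(env.Ciphertext))
	_, err = DecryptAfterDownload(make([]byte, 32), env) // wrong KEK
	fmt.Println("decrypt without the customer's KEK:", err)
	got, _ := DecryptAfterDownload(kek, env)
	fmt.Println("decrypt with the customer's KEK:", string(got))
}
```

The design choice worth noting is that the provider never sees a key at all, not even a rotated one; "bring your own key" schemes where the provider's KMS imports and uses the customer key do not give this property, because the provider still performs the decryption and can be compelled to do so.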
A universal point, not a European one
It is tempting to read this as a “Europe vs the US” argument. It isn't. A business in Zurich, London, Oslo or São Paulo has the same interest in knowing who can compel access to its data. European law and infrastructure happen to give us strong, credible tools for delivering sovereignty — but the principle that your technology should stay yours is universal. The question to ask any vendor isn't “is it hosted in Europe?” It's “whose law governs the company that controls it, and can you move if you need to?”
Frequently asked questions
- Is GDPR compliance enough for sensitive data?
- It is necessary, not always sufficient. GDPR governs how personal data is handled; it does not stop a foreign government from compelling a provider subject to its laws. For sensitive or strategic data, sovereignty — who can compel access — is the additional question to ask.
- Does “hosted in the EU” make a US cloud sovereign?
- No. EU hosting satisfies data residency, but a US-owned provider remains subject to US law such as the CLOUD Act, wherever the datacentre is. Residency and sovereignty are different guarantees.
- Is this only relevant to European companies?
- Not at all. Any business, anywhere, benefits from knowing whose laws govern its data and whether it can change providers. European tooling is a strong way to achieve sovereignty, but the principle applies universally.