Let’s Stop Sovereignty Washing
The article argues that the concept of “sovereignty” is being misused in cloud services: although many cloud providers claim that data stays in a particular country or that they support “Bring Your Own Key,” actual control may still be subject to foreign law. Real sovereignty concerns not only where data is stored (data residency) but also legal, technical, and operational control. Because of laws such as the U.S. CLOUD Act, data stored in Europe may still fall under U.S. jurisdiction. In response, Europe is turning to localized solutions and open-source infrastructure to achieve a truly independent cloud architecture.

2026-3-31 09:30:39 Author: securityboulevard.com

Lately, the term “sovereignty” seems to be everywhere. It’s on every slide deck and every cloud provider’s homepage. But for security teams, a dangerous gap is opening between marketing promises and reality.

If your cloud provider says “Your data stays in Germany” but their support team in Seattle has root access… You aren’t sovereign. 

If your provider says “Bring Your Own Key” but their platform decrypts your data in memory to process it… You aren’t sovereign. 

If your provider markets themselves as a “European partner” but the underlying stack is closed-source software licensed from a U.S. hyperscaler… You aren’t sovereign. 

We have created a massive industry of “compliance theater.” We are checking boxes while ignoring the technical reality that U.S. tech stacks are fundamentally under U.S. jurisdiction.

Sovereignty ≠ Data Residency 

I’ve been seeing “data residency” become a substitute for “sovereignty,” and they are not the same thing. 

Residency is where your data sits. 

Sovereignty answers who controls it: legally, technically, and operationally. 

If foreign engineers can access your environment, if foreign companies control your software stack, or if foreign courts can compel access to your data, then your infrastructure is not governed solely by EU law. 

Why This Suddenly Matters (a Lot) 

For years, European companies relied on U.S. hyperscalers because they were faster, cheaper, and more capable. And that made sense, up until geopolitics changed. 

Under the U.S. CLOUD Act, American authorities can legally compel U.S. companies to provide access to data, even if that data is stored outside the U.S., including in Europe. Providers may not even be allowed to tell you it happened. 

So if your “sovereign” platform: 

  • Is owned by a U.S. company, 
  • Uses proprietary U.S. software, 
  • Or depends on U.S.-controlled control planes, 

Then your data is potentially subject to U.S. jurisdiction, regardless of where it resides. 

There are three main lies of sovereignty washing: 

  1. “Your data stays in Europe.”
    Cool. Who runs the control plane? Who can access production systems? 
  2. “Bring Your Own Key.”
    Great. Unless the provider still decrypts your data in memory. If their platform can see plaintext, so can the laws governing that platform. 
  3. “We’re a European partner.”
    If the stack is closed-source software licensed from a U.S. hyperscaler, sovereignty ends at the logo. Under the CLOUD Act and FISA 702, that U.S. company can still be compelled to cooperate. 

Europe’s Geopatriation  

Europe is changing its approach and growing wary of U.S. hyperscalers. Analysts are already calling this moment a fundamental industry shift. According to Gartner, by 2030, more than 75% of enterprises will have a digital sovereignty strategy based on real architectural independence. They call this shift “Geopatriation”: Relocating workloads to secure, sovereign environments that offer jurisdictional certainty and operational autonomy. 

However, European companies are not trying to abandon hyperscalers overnight. That’s unrealistic.  

The Path Forward 

Sovereignty cannot be bolted onto a foreign platform. It has to be built into the foundation. That’s why many European organizations are moving toward Kubernetes-native private clouds, open-source infrastructure stacks and locally operated control planes. 

Community initiatives like NeoNephos are empowering companies, governments, and developers with resources, best practices, and tools to reduce reliance on foreign hyperscalers and foster a more autonomous cloud ecosystem in Europe. 

It’s a community-driven platform that brings together cloud-native experts, projects, and providers focused on building sovereign cloud infrastructure in Europe. 

At Kubermatic, we build platforms that deliver real data sovereignty. 

We’re working toward a European cloud landscape based on autonomy, portability, and resilience, instead of dependency and hope. So let’s please stop sovereignty washing. 


Article source: https://securityboulevard.com/2026/03/lets-stop-sovereignty-washing/