The story we were told
For years, we were told a comforting story.
- Put your data in the cloud.
- Hyperscalers will protect it.
- Encryption makes it safe.
- Compliance makes it legal.
That story is now cracking, not because the technology failed, but because reality finally caught up with the marketing.
What reality?
Well, most hyperscalers are United States companies. Regardless of where their datacenters are built, they ultimately operate under US jurisdiction. That single fact makes much of the world, and Europe in particular, uneasy about placing strategic data entirely in the cloud.
When the illusion became visible
The moment the illusion broke was not a single event, but a pattern becoming impossible to ignore. Recently, Microsoft publicly acknowledged that it had released BitLocker recovery keys to the FBI under lawful request, while simultaneously positioning itself as a guardian of customer data, confidentiality, and intellectual property. This was not a breach. This was not a hack. This was not negligence. This was the system working exactly as designed. And that is precisely the problem.
This is not a Microsoft problem
Microsoft is not an outlier. It is simply one of the few moments where the mechanics became visible. Years earlier, Microsoft fought a high-profile legal battle over emails stored in Ireland, arguing that US warrants should not apply to data held outside the United States. The case ultimately clarified something uncomfortable for many organizations. Jurisdiction follows the company, not the rack. If a provider is subject to US law, the reach of that law does not stop at a national border.
Same cloud, different control outcomes
Apple offers another instructive example. Apple famously refused to build a backdoor into the iPhone after the San Bernardino case, earning public praise for its stance on privacy. Less discussed is the fact that iCloud backups were, and in many cases still are, accessible to Apple under lawful request. The distinction mattered. Device-level encryption protected data Apple could not access. Cloud-managed encryption did not. Same company, same users, very different control outcomes.
Lawful access at hyperscale
Google publishes transparency reports showing tens of thousands of lawful data requests per year, many of which are partially or fully complied with. This is not wrongdoing. This is legal obligation. But it highlights a core reality. Compliance at hyperscale is not an exception. It is a routine operating condition.
The same reality applies to cloud infrastructure
The same applies to Amazon Web Services. AWS makes it clear in its own documentation that it responds to valid legal demands and can be compelled to provide access to data within its control. Encryption helps, but only to the extent that customers truly control the keys. Where they do not, access remains possible.
Encryption is not sovereignty
This brings us to the most persistent misunderstanding in cloud security. Many organizations still believe, “Our data is encrypted, therefore it is safe.” That is only half true. If your cloud provider controls the key lifecycle, can technically access recovery material, and is legally compelled under its domestic law, then encryption is a feature, not sovereignty. The uncomfortable truth is simple. If a provider can access your keys, a government can eventually access your data. Not everywhere. Not always. But often enough to make regulators, governments, and boards deeply uncomfortable.
Why Europe changed its tone
Europe did not wake up one day and decide it dislikes the cloud. Europe realized something far more serious. Strategic data is sitting on infrastructure governed by foreign law. That realization explains Schrems II, endless GDPR debates, trusted cloud initiatives, and the sudden explosion of sovereign cloud marketing. This is not ideology. It is risk management at a geopolitical level.
The sovereign cloud paradox
To respond to these concerns, hyperscalers are building European datacenters and so-called sovereign regions. But here is the part that rarely gets said out loud. An Amazon Web Services datacenter in Europe does not equal full AWS. In practice, only a subset of services is available. Advanced cloud-native features are missing. Roadmaps are constrained by legal, operational, and architectural limits. This is not reluctance. It is physics and law. Full hyperscale cloud is not just racks and servers. It is deeply centralized control planes, globally integrated services, and legal authority that cannot simply be regionalized overnight.
The unavoidable tradeoff
Organizations are left with a tradeoff. Full power with lower sovereignty, or higher sovereignty with reduced capability. There is no free lunch.
Why on-prem is not the answer
When fear rises, bad advice spreads fast. Just build your own datacenter. Just leave hyperscalers. Just repatriate everything. This ignores reality. You cannot replace elastic scaling overnight. You cannot cheaply rebuild cloud-native architectures. You cannot undo years of platform coupling. You cannot match hyperscaler reliability with small custom operations teams. Once you go cloud-native, you do not simply go back. You refactor, slowly, selectively, painfully.
Where grown-up architecture begins
So what should we actually do? This is where grown-up architecture begins. Stop pretending cloud is binary. This is not cloud versus on-prem. It is degrees of dependency. Separate data control from infrastructure ownership. Owning servers does not mean owning control. Control comes from customer-managed encryption keys, external key management systems, strong data classification, and zero-trust access models. If your provider cannot read your data, subpoenas lose much of their bite.
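An added illustration of that separation, not code from the author or from any provider: client-side envelope encryption in Python with the `cryptography` package, showing what a provider holding only the stored record can and cannot do. `ExternalKms` is a hypothetical stand-in for a customer-held key service, and the sample record is constructed.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap, aes_key_unwrap, aes_key_wrap)


class ExternalKms:
    """Hypothetical key service; whoever operates it controls decryption."""

    def __init__(self):
        self._kek = os.urandom(32)  # key-encryption key, never exported

    def wrap(self, dek: bytes) -> bytes:
        return aes_key_wrap(self._kek, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        return aes_key_unwrap(self._kek, wrapped)


def seal(kms, plaintext: bytes, context: bytes) -> dict:
    """Encrypt before upload; the returned dict is all the provider stores."""
    dek = AESGCM.generate_key(bit_length=256)  # fresh data key per object
    nonce = os.urandom(12)
    ciphertext = AESGCM(dek).encrypt(nonce, plaintext, context)
    return {"nonce": nonce, "ciphertext": ciphertext,
            "wrapped_dek": kms.wrap(dek), "context": context}


def open_sealed(kms, record: dict) -> bytes:
    dek = kms.unwrap(record["wrapped_dek"])
    return AESGCM(dek).decrypt(record["nonce"], record["ciphertext"],
                               record["context"])


def provider_can_read(record: dict, provider_kms) -> bool:
    """Can a party holding the record plus provider-side keys get plaintext?"""
    try:
        open_sealed(provider_kms, record)
        return True
    except InvalidUnwrap:  # wrapped DEK fails its integrity check
        return False


customer_kms = ExternalKms()  # assumption: run by the customer, off-provider
provider_kms = ExternalKms()  # stands in for any key the provider controls
SAMPLE = b"patient-id=1234; note=constructed sample record"
stored = seal(customer_kms, SAMPLE, b"records/1234")            # customer key
stored_provider_key = seal(provider_kms, SAMPLE, b"records/1234")  # contrast
```

The provider still sees metadata such as object size and the `context` label, and reading the data now depends on the customer keeping its key service available.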
Sovereignty is selective by necessity
Apply sovereignty where it matters most, and design for exit where it matters most. Not all workloads are equal, and not all systems need the same level of independence. You may never leave a hyperscaler, but you must be able to. That means avoiding unnecessary proprietary lock-in, using open platforms where it matters, keeping business logic portable, and knowing your breaking points before a regulator asks. Exit readiness is not a migration plan. It is leverage.
True sovereignty should focus on identity systems, citizen and patient data, defense and public safety, and core registries and control planes. Trying to make everything sovereign guarantees failure, but failing to design for exit guarantees dependency.
Architecture is now political
Accept that architecture is now political. Law influences design. Jurisdiction influences trust. Power influences risk. Cloud strategy is board-level strategy. Ignoring this does not make it go away.
The uncomfortable conclusion
The uncomfortable conclusion is this. Hyperscalers are not villains. Governments are not paranoid. Encryption is not magic. On-prem is not the future. We are entering an era where technical excellence alone is not enough. The winners will be organizations that understand legal reality, design for uncertainty, avoid dogma, and stop confusing convenience with control.
Cloud sovereignty is not about where your data sits.
It is about who can ultimately compel access.
And that question no longer has a comfortable answer. To be continued.
Paul Emous
Program Director | Security Advisor | Technical Extended Range Instructor Trainer
Focused on mission-critical IT, digital transformation, and sovereign system design. He leads complex multi-prime environments across Europe and the Middle East, acting as a neutral authority to de-risk delivery and ensure predictable outcomes.
Separately, Paul is a Technical Extended Range Instructor Trainer and expedition leader in advanced and remote diving. He teaches Just Culture and decision-making under pressure, where risk is real and accountability is absolute.
Contact: paul@mousemedia.nl