In 2025, European Commission President Ursula von der Leyen announced plans for an EU Cloud and AI Development Act, prioritizing digital sovereignty amidst growing concerns over data security and privacy. These concerns have been fueled by Edward Snowden's 2013 revelations about US surveillance and further intensified by the Trump administration's actions and rhetoric, including its criticism of EU digital regulations and threats to US tech companies.

“Digital sovereignty” refers to the ability of a governing body or organization to control its digital destiny, including its data, infrastructure, software, and standards, free from dependence on foreign entities or external legal systems, and in accordance with its own laws, values, and risk tolerances.

With the growing importance of digital sovereignty, concerns are being raised about its practical implementation. A 2024 study found that sovereignty has become “empty in substance and impossible to implement,” with some coining the term “sovereignty washing” to describe the practice of hyperscalers touting data sovereignty without truly delivering on their promises.

What is sovereignty washing?

“Sovereignty washing” is a marketing practice where companies misleadingly claim to offer sovereign or locally controlled data services, often by emphasizing compliance and local hosting, but ultimately failing to deliver meaningful control, autonomy, or independence to users.

“Sovereingty washing” stemmed from similar terminology such as “greenwashing,” whereby companies misrepresent their offerings to align with local demands. Similarly, sovereignty washing emerged as demand for digital sovereignty accelerated, particularly in Europe, without a shared, enforceable definition of what “sovereign” actually requires.

As digital sovereignty entered mainstream policy discussions, cloud providers responded quickly. According to the World Economic Forum, digital sovereignty broadly refers to the ability of states or organizations to control their data, infrastructure, and digital systems in line with their own laws and values. However, the absence of clear technical and legal benchmarks created space for interpretation, and, in some cases, overstatement.

In practice, many so-called sovereign cloud offerings focus heavily on data residency (where data is stored) while leaving other critical layers untouched. Sovereignty also depends on who operates the infrastructure, who controls encryption keys, where management planes reside, and which jurisdiction ultimately governs the provider. When those elements remain under foreign control, sovereignty is, at best, partial.

For the industry, sovereignty washing has tangible consequences. It erodes trust, complicates compliance, and risks leaving organisations exposed to legal and geopolitical uncertainty.

How are hyperscalers misleading people?

Major hyperscalers have responded to European concerns by launching “sovereign” or “regional” cloud offerings. AWS claims to be ”the only fully featured, independently operated sovereign cloud backed by strong technical controls, sovereign assurances, and legal protections designed for European organizations.” Yet analysts repeatedly point out a structural contradiction: hyperscalers headquartered in the United States remain subject to US laws such as the CLOUD Act and the Foreign Intelligence Surveillance Act (FISA 702), regardless of where data is physically stored.

This means that commitments to keep data in Europe cannot legally override obligations to comply with US government data access requests. As The Register noted in its analysis of European cloud partnerships, data residency alone does not answer where processing occurs, where telemetry flows, or who controls management planes.

This trend of sovereign washing amongst hyperscalers became apparent in 2025 when Anton Carniaux, Microsoft France’s director of public and legal affairs, announced under oath that he couldn’t guarantee French citizen data would never be transmitted to U.S. authorities without explicit French authorization. The result of this trend is a model where infrastructure may sit inside Europe, but authority does not.

“No, I cannot guarantee French data won’t be seized by US authorities.” – Anton Carniaux, Director of Public & Legal Affairs, Microsoft France (Under oath before the French Senate, June 2025)

Beyond the "region": The move to dedicated environments

If sovereignty washing is an architectural flaw in the public cloud, the path to true autonomy often comes down to where the infrastructure physically resides. While a sovereign-first public cloud solves the jurisdictional issue for many, those with the most stringent compliance needs are increasingly looking toward dedicated, private environments.

This isn't about moving away from the cloud; it’s about moving the cloud to your own terms. By shifting to a private cloud model, enterprises can achieve a level of certainty that no shared "region" can match:

  • Physical autonomy: Hosting workloads on-site or through dedicated appliances ensures that data and management planes are physically isolated from foreign influence.
  • Jurisdictional certainty: When infrastructure is hosted within an organization's own perimeter, sovereignty moves from a marketing label to a physical reality, governed exclusively by local law.
  • Consistency through cloud parity: The next generation of cloud infrastructure allows for "cloud parity," meaning teams can get the same speed, Kubernetes features, and AI capabilities in a private environment as they do in the public cloud.

Moving from claims to reality

As cloud costs rise, AI workloads expand, and regulatory pressure increases, organisations are being forced to re‑examine not just price and performance, but risk exposure. Analysts from BCG and IDC have already shown that governance gaps introduce long‑term cost and compliance risk. Sovereignty washing adds another layer: strategic dependence masked as autonomy.

When sovereignty is treated as a marketing feature rather than an architectural principle, customers inherit hidden legal, operational, and political risk.

“Businesses are waking up to the fact that without clear, reliable control over where their data resides, and who has access to it, they’re exposing themselves to unnecessary risk. The cloud needs to evolve to meet this new reality, and that means prioritizing transparency, localized control, and trust at the very core of infrastructure.” - Mark Boost, CEO of Civo

Two models now exist. Hyperscalers retrofit sovereignty onto platforms still governed by foreign law, creating limits on real control. Civo takes a sovereign-first approach: locally owned, locally operated, and built to deliver full cloud parity without jurisdictional compromise. No bolt-ons. No hidden dependencies. Just sovereignty by design.

Discover the Civo Sovereign Cloud

Our sovereign cloud offers a comprehensive suite of cloud services, including public, private, and AI solutions, all hosted within the UK or India and designed to ensure the highest levels of data security, compliance, and control.

👉 Find out more about our UK sovereign cloud
👉 Find out more about our India sovereign cloud

Summary

As governments and organizations rethink their digital foundations, the challenge is not adopting the language of sovereignty, but demanding its substance. In the next phase of cloud adoption, trust will not be built on branding, but on demonstrable control, accountability, and independence.

Over the past few years, we’ve been researching digital sovereignty. If you are interested in learning more about our findings, check out some of these resources: