For most of the 2010s, European cloud sovereignty lived in policy papers. In 2026 it’s a procurement decision being made every week across the continent. Gartner projects worldwide sovereign cloud spending will hit $80 billion in 2026, with European spending growing 83 percent year over year from a $6.9 billion base. Sixty-one percent of Western European CIOs say they want to increase their use of local cloud providers. The shift away from US hyperscalers is no longer hypothetical – it’s quietly reshaping how AI, data, and infrastructure decisions get made.
What changed in the past 12 months
Three forces compounded.
Regulatory enforcement crossed a threshold
Cumulative GDPR fines reached €7.1 billion as of January 2026. Austrian, French, and Italian data protection authorities have ruled against US-based tools for transatlantic data transfer violations, establishing precedent that routine US cloud usage can itself create compliance exposure. The EU Data Act, in force since September 2025, requires cloud providers to support switching and block unlawful third-country data access – making CLOUD Act exposure a legal, not theoretical, problem.
Geopolitical risk became a board-level concern
After last year’s US cloud outages and trade frictions, policymakers increasingly frame US infrastructure as a strategic vulnerability. The European Commission committed €180 million to sovereign cloud services through a procurement tender in October 2025, and the Cloud and AI Development Act is expected to formalize “sovereign cloud” in EU law during the first half of 2026.
The economics shifted
European providers have closed enough of the cost gap that migration is no longer financially punishing – and rising US SaaS costs have flipped the equation for many use cases.
Where the workloads are going
The European cloud landscape has stratified into three meaningful tiers, each addressing a different threat model.
| Tier | Examples | Best for |
| Hyperscaler-grade EU providers | OVHcloud, Hetzner, IONOS, Scaleway | General-purpose workloads, Kubernetes, dev/test, cost-sensitive production |
| EU-based specialty platforms | STACKIT, Mistral, Outscale, regional sovereign clouds | Workloads requiring full EU operational control, AI Act high-risk classifications |
| Switzerland-based independent providers | Privacy-focused offshore hosting providers | Workloads where even EU-based hosting under GDPR isn’t enough |
Most public discussion focuses on tier one – OVHcloud and Hetzner are absorbing meaningful migration from AWS and Azure for general compute. For stricter threat models, tiers two and three matter more.
The Switzerland question
Switzerland sits in an unusual position – outside the EU, but with a data protection regime that’s GDPR-aligned and arguably stronger in specific dimensions. The revised Federal Act on Data Protection, in force since September 2023, establishes data protection as a statutory right with constitutional backing. Crucially, Switzerland is outside the reach of both the US CLOUD Act and the EU’s evolving sovereign cloud framework – meaning Swiss-based providers can offer a layer of legal independence that even the most “sovereign” hyperscaler EU regions cannot. Providers like PrivateAlps offshore hosting have built their entire product around this gap.
This matters for workloads with elevated threat models: politically motivated takedown attempts, commercial espionage, regulated AI inference on sensitive data, or genuine concern about jurisdictional reach. Swiss jurisdiction becomes the product itself – paired with no-logs policies, encrypted storage, and infrastructure designed to refuse cross-border legal demands by default.
The trade-off is clear: tier-three providers don’t match the breadth of managed services hyperscalers offer. What you’re getting instead is a defensible legal posture for the workloads where that posture actually matters.
The “sovereignty washing” trap
US hyperscalers have responded with a wave of “sovereign-flavored” offerings. AWS launched its European Sovereign Cloud, operated within the EU with leadership in Germany. Microsoft, Google, and Oracle have followed with similar regional structures.
The problem is structural. CISPE – the Cloud Infrastructure Services Providers in Europe association – has publicly warned about what it calls “sovereignty washing.” Their argument: sovereignty must be defined by control, not by EU presence. A US-headquartered company operating an “EU sovereign” region is still ultimately subject to extraterritorial laws like the CLOUD Act. Microsoft admitted under oath at a French Senate hearing in 2025 that it could not guarantee data sovereignty for European customers facing a legally justified US injunction.
The test is simple: who can be legally compelled to hand over your data, and which courts have the final say? If the answer involves any US corporate parent, you do not have sovereignty – regardless of which datacenter the disks sit in.
What workloads to move first
A practical migration sequencing:
- High-sensitivity AI training data. Models trained on regulated personal data, customer IP, or anything with privilege implications should move first. The downside risk of future legal compulsion is asymmetric.
- Internal collaboration and documents. Migrating from Microsoft 365 or Google Workspace to Nextcloud-style stacks on EU infrastructure is well-trodden ground. The Swiss Federal IT Steering Unit has already approved Nextcloud for federal use.
- Customer-facing applications under GDPR scrutiny. Public websites and analytics touching EU personal data benefit most from a clean sovereignty story.
- Specialty workloads with elevated threat models. Journalism platforms, legal services, regulated healthcare AI – these are where Switzerland-based providers have the strongest argument.
What can wait: dev/test environments, non-personal analytics, public content delivery. The cost of moving these now usually exceeds the risk-adjusted benefit.
The honest outlook
The European sovereign cloud movement won’t dethrone US hyperscalers in two years. AWS, Azure, and Google Cloud hold roughly 70 percent of the European cloud market, and untangling existing workloads is a multi-year effort. Most non-hyperscaler providers remain limited to specific services or geographic niches.
But that misses the point. The shift isn’t a wholesale exodus – it’s a reallocation: keep the hyperscalers for what they’re good at, and move specific workload classes to providers whose legal architecture matches the risk profile. For European tech and AI teams in 2026, the question isn’t whether sovereign cloud matters – it’s which workloads should already be there.
