Okay, today I want to share some thoughts about a topic that's been coming up more and more in my client conversations. It's called Digital Sovereignty, but for me, it's really just good vendor management and multi-cloud rationalization with a formal new name. I was doing DevOps 10 years before it was named that way. But getting back to the point. This topic became essential when several European customers I work with started asking how they could manage risks related to USA-EU political tensions.
Let's get down to the details. These clients weren't just worried about abstract geopolitical issues - they had practical concerns. They wanted to have at minimum an option B where they could restart operations from European cloud providers without losing operational continuity if something went sideways with their US-based services. It's an authentic story, though I've changed some specifics to keep things anonymous.
The post will be divided into a couple of sections:
The Reality of Multi-Cloud, talking about how the adoption of multi-cloud approaches looks in reality
Understanding the Regulatory Landscape, which will be about the regulatory issues that raise most of the concerns
💡Practical Strategies for Digital Sovereignty, about which strategies win when working on this subject
💡Case Study: A Pragmatic Approach to Sovereignty, which will describe how it works for a real customer I had the chance to work with
and in the end 💡Looking Ahead: The Future of Digital Sovereignty in Europe, which will look at how to approach the future rationally to avoid such surprises later on.
Let's start by defining what the problem was. The concern arose when the US started pushing Europe toward decisions that would be dumb to take and, honestly speaking, decisions that can be hazardous for European nations. When that happened, companies recognized that 100% of their workloads run on US-owned infrastructure and, what's worse, that over 92% of Europe's cloud infrastructure is controlled by US companies like AWS, Microsoft Azure, and Google Cloud. This creates real vulnerabilities for European businesses, especially with the clash between GDPR's strict privacy requirements and the CLOUD Act's reach, which I will cover in detail later. There are many ways to address this, but it's pretty challenging to work out how to implement them in a way that's actually useful.
European companies are increasingly recognizing that some diversification is needed in what cloud providers they use. This doesn't necessarily mean migrating everything at once, but rather having a clear plan for how critical workloads could be moved if needed. To conduct this kind of planning, many organizations are bringing in consultants or assigning internal managers to lead the effort. They're conducting workshops to gather strategy and build roadmaps to make this effort real.
Based on analysis of this data, companies are taking a couple of approaches. Some are investing in European cloud alternatives like OVHcloud (France) or IONOS (Germany) or even the new kid on the playground, STACKIT from Lidl (Germany). Full list here: European cloud computing platforms | European Alternatives (https://european-alternatives.eu/category/cloud-computing-platforms). Others are adopting hybrid or multi-cloud strategies, combining local European providers for sensitive workloads with global hyperscalers for broader scalability and lower prices. The "virt8ra" initiative, launched in early 2025 by eight European tech firms led by OpenNebula Systems, is Europe's first sovereign edge cloud that enhances portability and interoperability. The European Union also supports such initiatives financially.
At this moment we can say - big success, we have an option!
Not!
As usual, there is one small thing with a big impact that is often not considered. Success doesn't come just from selecting alternative providers or building new infrastructure. Vendor lock-in occurs when businesses become heavily reliant on a single cloud provider and its specific features, making it difficult or costly to switch due to proprietary technologies, contractual restrictions, or migration complexities. No one in these projects makes room for migration tooling, for budget (especially when they have just spent hugely on migrating to the cloud), or for planning time for the teams handling the migration. Not to mention the integrations that current cloud services are part of. No one thinks about how applications might need to be redesigned to be portable. It's like reversing the effort of recent years, when we left our datacenters and rewrote our solutions to be optimal in the chosen cloud environments. Now we need to make them runnable in various environments. Those who chose Kubernetes, usually marginalized by cloud providers as complex and unnecessary, are the real winners here.
So what often happens? We get beautiful plans for digital sovereignty that maybe someday in the distant future can be implemented, much like our previous cloud adoptions. But they will never solve the initial problem: having a viable option B that can be executed quickly if geopolitical tensions escalate. Let's be honest: Well-Architected cloud solutions financed by cloud providers and validated by consultants paid with their money are worse in terms of vendor lock-in than old-school mainframes; our previous legacy solutions running on VMs were much more multi-cloud.
The Reality of Multi-Cloud
When I speak to European clients about digital sovereignty, I often find there's a gap between aspiration and reality.
I've seen many organizations start with grand plans to reduce dependency on American hyperscalers, only to discover the practical challenges are much greater than anticipated. It's not just about switching providers - it's about rethinking how applications are designed, how data flows between systems, and how teams operate.
One client I worked with years ago, when no one was thinking about this topic, spent 2 years migrating workloads that they had moved from their datacenter to AWS back out into OVH datacenters. In that case it was because of cost, but it shows the scale. And to be clear, this company has one main application, their product; compare that with the usual banking ecosystems of 1000+ apps.
Going into details, they had executive buy-in, a dedicated team, and even a reasonable budget. But when they started the actual migration planning, they discovered that dozens of their applications had deep dependencies on AWS-specific services like Lambda, DynamoDB, and SQS. The refactoring effort would have been enormous. It's not as simple as moving from a monolithic to a microservice architecture - this time you depend on external SaaS and PaaS solutions and need to rebuild their functionality.
But, and this is where they won in this entire story, they made smart moves, similar to what I propose for companies trying to reduce legacy. Together we designed migration stages, building "legacy-proxies", entities that connect the old world with the new one. This way we migrated small parts of the entire microservice stack, one by one, starting from those SaaS and PaaS services, searching for open-source alternatives or building custom solutions to cover the required features. In total, around 120 microservices were migrated and around 15 services replatformed.
Each phase was secure thanks to this small-steps approach. Also, thanks to that, they already have microservices on board.
Unfortunately, this was one successful case in an ocean of failures. The push for new features and for getting more money from delivered work is usually so strong that companies don't have time for such an effort. Disruptive events like the pandemic require companies to stop and act differently. It's a VUCA world, and right now they need to treat the cloud as a black swan rather than a small inconvenience. Unlike technical debt, which they can manage over many years or even forever, dealing with the vendor lock-in problem can be forced on them in a couple of weeks, months, or a year; we don't know what can happen. The risk has become significant now.
Understanding the Regulatory Landscape
The war we are thinking about here can take multiple forms, and some of them are visible even right now, such as intrusive regulations.
The regulatory environment is a major driver of digital sovereignty concerns. The EU has taken significant steps to assert its digital sovereignty through initiatives like the Digital Services Act (DSA) and Digital Markets Act (DMA). These regulations aim to reduce reliance on foreign technologies while promoting fair competition and protecting user privacy.
But here's where it gets complicated - these regulations sometimes create unintended consequences. I had a healthcare client who was so concerned about GDPR compliance that they wanted to move everything to European providers. But when we did a detailed analysis, we found that some European providers actually had less mature security practices than the US hyperscalers they were using. In normal circumstances that could be the right signal - let's go with the hyperscaler - but there is a bug here.
The clash between GDPR's stringent privacy requirements and the CLOUD Act's extraterritorial reach creates real headaches. The CLOUD Act gives US authorities access to data, even data stored in Europe, when US companies own the infrastructure.
On regulatory-related topics I usually advise clients to take a risk-based approach - what data is truly sensitive and subject to regulatory concerns? What workloads are most critical to business continuity? These questions can also help here to prioritize what needs sovereignty protection versus what can remain on global platforms with appropriate safeguards and a feature lock-out strategy.
It's worth noting that in response to EU demands for greater control over data, some US hyperscalers have introduced "sovereign cloud" offerings tailored to European regulations. Microsoft, for example, has been particularly active in this space. These solutions address some concerns, but they don't fully eliminate dependency on foreign providers. I always tell clients to read the fine print carefully. For every company, and hyperscalers are no different here, its own business is the most important business.
💡Practical Strategies for Digital Sovereignty
So what actually works when it comes to digital sovereignty? Based on my experience with European clients, here are some practical approaches that deliver real results:
First, adopt multi-cloud vendor-agnostic strategies. Using multiple cloud providers reduces dependency on any single vendor while enhancing flexibility and resilience. Technologies like Kubernetes enable organizations to deploy applications across different platforms seamlessly. I've seen this work particularly well for containerized applications and stateless workloads. I have preached it for the last 7 years and feel it is still valid.
Second, design for portability from the start. This means using open standards and modular architectures that decouple applications from underlying infrastructure. Gartner recommends this approach, and I've seen it pay dividends for clients who invest in it early. Yes, it might take a bit longer to build things this way initially, but the long-term flexibility is worth it. Sorry for using Gartner as a reference, but I have seen it as a recommendation for 2025, while I have been talking about it since maybe 2016 ;)
Third, leverage hybrid cloud models. A hybrid approach that combines on-premises infrastructure with cloud services can help organizations maintain control over sensitive data while leveraging cloud scalability for less critical workloads. This isn't just theory - I've implemented this successfully with several financial services clients who have strict regulatory requirements plus large datacenters of their own - it works.
Finally, be realistic about what you can achieve. Perfect digital sovereignty is probably impossible on short notice in today's interconnected world. The goal should be to manage risks to an acceptable level while maintaining business agility. I've seen too many projects fail because they aimed for a quick deadline instead of focusing on the long-term strategy and maybe a quick success for the 20% of systems that really matter from a risk perspective.
💡Case Study: A Pragmatic Approach to Sovereignty
Let me analyze what a successful digital sovereignty approach might look like, based on patterns I've observed across multiple organizations.
Consider a hypothetical mid-sized financial services company with approximately 200 applications running primarily on AWS. Their digital sovereignty journey would likely begin with a comprehensive workload assessment - categorizing applications based on data sensitivity, regulatory requirements, and business criticality.
The theoretical approach would involve creating a tiered strategy:
For Tier 1 (most critical/sensitive) applications - perhaps 15-20% of their portfolio - they would develop concrete migration plans to European providers like OVHcloud or IONOS. These would include customer data repositories and core banking systems, which in modern versions like Thought Machine or Temenos Core can simply run on top of Kubernetes.
For Tier 2 applications with moderate sensitivity, they might implement a hybrid approach - keeping the applications on AWS but ensuring data residency in European regions, with additional encryption controls managed by the company itself. Plus a strategy for more cloud-agnostic architecture as part of next year's plan.
For Tier 3 (least sensitive) applications like development environments and marketing systems, they could remain on the original cloud infrastructure with minimal changes.
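The workload assessment and tiering described above can be prototyped as a small script. This is an added example, not code from the post: the scoring scales, the tier rule and the sample inventory are assumptions, and the lock-in list holds only the three AWS services the post names (Lambda, DynamoDB, SQS).

```python
from dataclasses import dataclass, field

# Provider-specific managed services counted as portability blockers. These
# three are the ones the post names; the set itself is an assumption to extend.
LOCK_IN_SERVICES = {"lambda", "dynamodb", "sqs"}

@dataclass
class Workload:
    name: str
    sensitivity: int   # assumed scale: 1 public, 2 internal, 3 customer/regulated data
    regulated: bool    # falls under GDPR or sector regulation
    criticality: int   # assumed scale: 1 tolerable outage .. 3 business stops
    services: set = field(default_factory=set)

def tier(w):
    """Hypothetical scoring rule mapping the post's three criteria to a tier."""
    if w.sensitivity == 3 or (w.regulated and w.criticality == 3):
        return 1   # concrete migration plan to a European provider
    if w.sensitivity == 2 or w.regulated:
        return 2   # stay put, EU data residency plus self-managed encryption
    return 3       # remain on the original cloud with minimal changes

def blockers(w):
    """Provider-specific services that must be replaced before the move."""
    return sorted(s for s in w.services if s.lower() in LOCK_IN_SERVICES)

def plan(workloads):
    """Order the backlog: Tier 1 first, most lock-in dependencies first."""
    rows = [{"name": w.name, "tier": tier(w), "blockers": blockers(w)}
            for w in workloads]
    return sorted(rows, key=lambda r: (r["tier"], -len(r["blockers"]), r["name"]))

# Constructed sample inventory, not data from the post.
INVENTORY = [
    Workload("core-banking", 3, True, 3, {"sqs", "postgresql"}),
    Workload("customer-data-store", 3, True, 3, {"dynamodb", "lambda"}),
    Workload("payments-reporting", 2, True, 2, {"kafka"}),
    Workload("marketing-site", 1, False, 1, {"lambda"}),
    Workload("dev-sandbox", 1, False, 1),
]

if __name__ == "__main__":
    for row in plan(INVENTORY):
        print(f"Tier {row['tier']}  {row['name']:<20} blockers: {row['blockers'] or '-'}")
```

The blockers column is the part that usually changes the plan: a Tier 1 workload with several provider-specific dependencies needs its replacement work scheduled before any "Plan B" environment can be tested.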
What will make this approach successful is not just the technical consideration but the organizational approach. The company would need to:
Establish a dedicated cross-functional program team with both technical and business stakeholders, to handle management of the entire process and navigate the various issues and bottlenecks
Develop clear governance processes for determining sovereignty requirements
Create standardized patterns for application portability
Implement continuous testing of their "Plan B" environments
From my perspective, organizations following this pattern can typically achieve meaningful sovereignty improvements for their most critical systems within 12–18 months, while avoiding the pitfalls of attempting a complete migration all at once. The key success factor is prioritization - focusing sovereignty efforts where they truly matter, rather than treating all workloads equally.
Remember that, in the end, this is a kind of Hybrid-Cloud Strategy or Datacenter Exit process, just with more complex dependencies than before.
What is also positive in such stories is that every migration like this one, or a Cloud Adoption, or a Kubernetes implementation, makes our systems stronger and better described. Every one of these types of projects requires understanding architecture, dependencies, processes, requirements, policies, etc. It makes us stronger and better prepared for the next potential change.
Maybe we can assume it's the next, much broader step in Chaos Testing.
💡Looking Ahead: The Future of Digital Sovereignty in Europe
The push for digital sovereignty in Europe is strong. I expect it to intensify as geopolitical tensions continue and as technology becomes even more central to national security and economic competitiveness; we are living in a digital world right now.
Recent developments, like the launch of virt8ra, show that there's serious momentum behind European cloud alternatives. Engagement of the European Union can give such initiatives a strong drive and support existing companies like OVH in reaching a more global audience and growing to deliver a similar level of cloud services.
What does this mean for organizations navigating these waters? I believe the most successful approach will be one that balances pragmatism with principle. Yes, reduce your dependency on any single provider or region - this was always true, regardless of politics; Azure and AWS have had a couple of spectacular outages lately. Yes, ensure you have contingency plans for geopolitical disruptions. But also, be realistic about what's achievable given your resources and business priorities.
Digital sovereignty isn't just a buzzword - it's a real consideration for risk management in an increasingly complex world. But like any other aspect of technology strategy, it needs to be approached with clear eyes and practical goals. The companies that will succeed are those that find the right balance between sovereignty and the benefits of global scale and innovation.
Have you been working on digital sovereignty initiatives in your organization? Have you also seen this topic raised in public discussion? What challenges have you encountered, and what approaches have worked for you or have you considered?
⚠️Self-Promotion Part
This post would normally be shared with paid subscribers, with the 💡 marking the parts that would be paywalled. I have shared it with you to show the value I am adding. If you would like to support my writing and ensure such extended analysis is delivered to your inbox, please consider my paid newsletter.