Cloudwashing
Every European organization wants to be digitally sovereign today. Independent, compliant, and in full control of its data. For many, the logical step seems to be a 
It sounds reassuring. But the reality is a lot more complex.
The Promise of the Sovereign Cloud
According to providers, a sovereign cloud offers everything European organizations want: (1.) data storage within European data centers, (2.) management by local employees, (3.) contractual guarantees that data will not be shared outside the EU, (4.) full GDPR compliance.
In theory, this sounds like the perfect balance between compliance and flexibility. But as soon as you look beyond the promises, the first cracks appear. Let us explain it to you.
The Legal Reality
As long as a cloud provider is located in a country outside Europe – take the United States as an example – that organization remains subject to its national legislation. In concrete terms, this means that American laws such as the CLOUD Act or FISA 702 may require the provider to grant access to European customer data, even when that data is physically located in a European data center.
In other words, the legal sovereignty of the data remains outside Europe.
No technical wall or contractual clause can completely prevent that.
Cloudwashing in Practice
The term cloudwashing refers to the phenomenon whereby non-European providers call their cloud “European,” while the ownership, management, or supervision still falls outside the European legal order. It seems like a sovereign solution, but in fact, it is a sham sovereign model.
In France, this recently became painfully clear: during a parliamentary hearing, a top executive from Microsoft could not guarantee that French government data is protected against American access. “Non, je ne peux pas le garantir,” was his answer.
A sentence that has significantly damaged confidence in the concept of a “sovereign cloud.” 
The Risks of Sham Sovereignty
The problem of cloudwashing is not only legal, but also operational and strategic:
- Continuity: what if delivery conditions, licenses, or support suddenly change?
- Access: what if geopolitical tensions lead to blockades or sanctions?
- Compliance: how do you prove to regulators that data really remains within the EU jurisdiction?
- Transparency: how do you know for sure where data really lives and who has access? How do you tell this to your customers with complete certainty?
As long as the underlying infrastructure, software, and management structure are not in European hands, “sovereign” is primarily a marketing term.
Towards True Digital Sovereignty
True digital sovereignty means control, not just compliance. Control over where data is stored, who manages it, and how it is recovered in the event of incidents.
That is why more and more organizations are opting for a hybrid strategy:
- Critical and sensitive data remain stored locally, on European hardware.
- The cloud is used for scalability and less risky workloads.
- Data is protected by immutability, airgapping, and Zero Loss architecture, independent of internet access or external providers.
This creates an infrastructure that does fit within the European legal order and that enables organizations to maintain control themselves, regardless of political or legal shifts.
Lessons Learned
A sovereign cloud is still a promise for the time being. As long as the legal, technical, and operational control is not entirely in European hands, it remains primarily a matter of trust.
A European cloud may sound tempting, but true sovereignty requires tangible infrastructure, transparent processes, and conscious choices about data storage. On-prem, under your own management.
📘 Want to know more? Read our whitepaper “Cloudwashing – Why digital sovereignty with American partners is an illusion”.

