The conversation about digital sovereignty keeps landing in the same place: data residency, GDPR, server locations. These are real concerns. But they're symptoms. The actual system underneath is larger, more consequential, and harder to reverse than most policymakers are treating it.

The Legal Fiction of "EU-Hosted" Data

Europe has built serious regulatory infrastructure — GDPR, NIS2, DORA, the AI Act. The instinct is right. But one structural problem none of it resolves: the US CLOUD Act allows American law enforcement to compel any US-owned company to produce data stored anywhere in the world — including Frankfurt or Amsterdam. FISA Section 702, reauthorized in 2024 with expanded scope, lets US intelligence agencies collect data on non-US citizens outside US borders.

The critical word is ownership, not location. If your provider is American, your data is never fully beyond US legal reach — regardless of what the "EU sovereign cloud" marketing says. AWS launched its European Sovereign Cloud in Brandenburg in 2025, backed by €7.8 billion. The servers are local. The ownership isn't. The legal exposure doesn't disappear.

The Double-Payment Trap

The standard framing: hyperscalers invest billions in European data centres, Europe gets infrastructure, everyone wins. What gets missed is who pays for what.

When a hyperscaler builds a large data centre in your country, the grid infrastructure — transmission lines, substations, capacity upgrades — is built by the state, the utility, or the ratepayer. The data centre is a private asset generating returns for its American owners. The grid is a public cost shared by everyone.

Then the hyperscaler sells services back to European governments, hospitals, schools, and companies at significant markups. The European sovereign cloud market was estimated at $26.8 billion in 2024 and is projected to reach up to $321 billion by the early 2030s. Those revenues flow to American balance sheets and get reinvested — mostly in the United States.

You pay twice: once as a co-funder of the infrastructure through public grid costs, and again as a customer paying for the services that infrastructure runs. The value extracted doesn't circulate in your economy. It concentrates elsewhere.

The Switch Gets Flipped

When Russia invaded Ukraine, the Western cloud stack that Russian organizations had embedded deeply into their operations stopped working. Microsoft cut off over 50 cloud products. Oracle left abruptly, triggering litigation. Amazon stopped new AWS sign-ups. Microsoft had reportedly been used by up to 90% of Russian corporate and state clients at the time.

The Russia case involved a government that started an illegal war. That's not the debate. The debate is what this demonstrated for every other country watching: if your critical infrastructure is built on a foreign technology stack controlled by companies in a single jurisdiction, your operational continuity is conditional on that jurisdiction's goodwill.

Conditions are not always normal. Administrations change. Strategic interests diverge. History does not support betting on geopolitical stability.

Capturing the Next Generation of Builders

AWS offers startups up to $100,000 in credits. Microsoft offers up to $150,000. Google offers up to $350,000 for AI-focused companies. These aren't small numbers for an early-stage team watching its runway — and the hyperscalers know exactly what they're buying: architectural dependency at the moment of maximum formability.

A startup that builds on AWS proprietary services makes choices that become increasingly expensive to reverse as it scales. By the time the credits run out, migration is often prohibitive. The structural result: Europe's most promising startups get locked into American infrastructure at their most critical growth phase, before they're large enough to evaluate alternatives.

European providers hold roughly 15% of the European cloud market. Hyperscalers hold around 70%. That gap wasn't inevitable. It was built, incrementally, through credits, lock-in mechanics, and ecosystem gravity — compounding over a decade.

What Sovereignty Actually Requires

Not a wall. The goal isn't autarky — it's the ability to make choices, maintain leverage, and prevent the critical dependencies that eliminate freedom of action when the stakes are highest.

That means: regulatory clarity on ownership, not just location; genuine investment in European alternatives at a scale that matches the Draghi report's flagged requirement of €50 billion per year in fresh CapEx; honest accounting of hyperscaler data centre deals that includes public grid costs and energy pricing pressure; and portability and interoperability treated as non-negotiable standards, not aspirational guidelines.

Most importantly: sovereign AI infrastructure as a strategic priority. As AI becomes the infrastructure layer of the economy — touching healthcare, finance, public services, education — who controls that layer is not a technology policy question. It's an economic sovereignty question in the same category as energy or financial independence.

The Actual Question

Every time digital sovereignty gets discussed in a committee room, it gets framed as a compliance challenge. That framing is downstream of something larger.

The real question is: where does value get created, and where does it accumulate?

Europe has hundreds of millions of sophisticated users, world-class enterprises, leading research institutions, and genuinely strong entrepreneurs. All of that generates data, economic value, and structural leverage. The question is whether that value stays in the system — or gets extracted through the infrastructure layer and reinvested somewhere else.

Right now, the answer is mostly the latter. Not because Europeans are less capable. Because the legal frameworks, investment flows, procurement habits, and startup credit programmes are all structured to make extraction the path of least resistance.

The problem is never the problem. It's a symptom of a system. And this system has a clear shape: Europe pays to use infrastructure it doesn't control, co-funds that infrastructure through costs it doesn't fully account for, trains its next generation of builders on tools that lock them in, and watches the leverage accumulate elsewhere.

Changing it requires seeing it clearly first.

This article is based on the publication on MoreThanDigital and my blog article.