Sovereign by design: How Europe’s Data Sovereignty movement is rewriting the Cloud, the Software stack, and the future of AI

For a long time, sovereignty in European IT felt like a political slogan, something policymakers said during press conferences while CIOs quietly signed another contract with a US hyperscaler. That era is ending. In 2026, sovereignty stopped being a talking point and became a procurement requirement, an architectural principle, and, quietly, a competitive advantage.

The numbers tell the story clearly enough. Around 72 percent of cloud services in Europe are delivered by AWS, Microsoft Azure, and Google Cloud, and up to 90 percent of European data sits on infrastructure outside EU control. That is not a balanced relationship. It is a structural dependency, and it is the dependency that the European Commission, national governments, and an entire new generation of European providers are now actively dismantling.

The interesting part for those of us who build and advise on enterprise architecture is that this movement does not stop at where data centers are located. It reaches deep into the software stack, into the way AI models are trained and deployed, and crucially into how autonomous agents will operate across European enterprises in the years ahead. Sovereignty is turning into a full-stack question, and the organizations that understand this first will define the next decade of European technology leadership.

From data residency to data sovereignty, a distinction that matters

The old mental model was simple. Put the data in Frankfurt or Paris, tick the GDPR box, move on. That model is dead, and the European Commission has now made its death official.

In April 2026, the Commission awarded four contracts under its Sovereign Cloud Framework, worth up to €180 million over six years, and introduced a measurable scale called SEAL, running from SEAL-0 (no sovereignty) to SEAL-4 (a fully European supply chain, from chips to software). Post Telecom with OVHcloud and CleverCloud and my personal favorite; StackIT (Schwarz Digits Cloud part of the Schwarz Group) all reached SEAL-3, meaning their services are immune from supply chain disruption by non-EU actors. For the first time, sovereignty can actually be measured, compared, and procured against.

This matters because the legal ground under every transatlantic cloud contract has shifted. The US Cloud Act allows American authorities to compel any US-based provider to hand over data stored anywhere in the world, and a Microsoft executive acknowledged under oath before the French Senate that the company could not guarantee that French customer data would never be disclosed under US legal orders. That single sentence changed the risk calculation in every European boardroom I walk into.

So we now have three layers, and they are not interchangeable. Data residency is about where the bytes live. Data sovereignty is about which legal system governs them. Jurisdictional control is about who can compel access. A cloud can sit in a German data center and still fail all three tests if the operator is subject to foreign law. Europe has finally stopped confusing the three.

The new European cloud map

A new landscape is taking shape, and it is more sophisticated than the old hyperscaler versus local narrative suggests.

At one end, you have native European providers, companies like OVHcloud, Scaleway, StackIT and T-Systems. These are legally, operationally, and technically European. If you need a clean legal profile, particularly for public sector workloads, critical infrastructure, or regulated industries such as healthcare and finance, these are the providers that pass the hardest scrutiny.

At the other end, the US hyperscalers have built sovereign editions. AWS European Sovereign Cloud is physically and logically separate, operated by EU-resident staff. Microsoft Cloud for Sovereignty partners with entities like Bleu in France and Delos in Germany. Google operates through S3NS, a joint venture with Thales, and through T-Systems. Oracle EU Sovereign Cloud runs as an isolated realm with EU-incorporated legal entities.

These hyperscaler offerings genuinely improve data residency and operational isolation. They also make the strategic question sharper, not softer. If your board needs absolute immunity from extraterritorial US law, a sovereign edition of a US platform is not the same as a native European platform, no matter how elegant the technical architecture. The SEAL framework now makes that distinction legible, and procurement officers across Europe are starting to use it.

The practical outcome is that the European cloud market is pluralizing. A single enterprise might run general workloads on a hyperscaler, sensitive workloads on a native European provider, and edge workloads close to where the data is generated. The days of the single-vendor cloud strategy are over. Multi-sovereign, multi-cloud, and portability by design are the new defaults.

The software layer is where sovereignty gets real

Here is where the conversation usually stops, and where it should actually start.

Moving your data center from Virginia to Frankfurt changes the postcode. It does not change your software stack. If the databases, the integration platforms, the message brokers, the identity providers, the observability tools, and the AI services on top are all controlled by companies based outside Europe, you have not moved the sovereignty needle meaningfully. You have just made your dependency harder to see.

The software audit is the next big project for European CIO’s, and it is a far more uncomfortable exercise than the data center audit. Most enterprises discover that their so-called sovereign stack is a mosaic of American SaaS, American licensing, American support contracts, and American update cycles. Cut any one of those, and the stack does not function.

This is where the European, or Non-US, software ecosystem is entering its most interesting phase in two decades. Companies like SAP are consolidating their sovereignty offerings through initiatives like the EU AI Cloud. Open source projects, long the backbone of European infrastructure, are being reevaluated as strategic assets, not just cost savings. And a new category is emerging, the sovereign platform layer, which treats portability, auditability, and jurisdictional control as first-class architectural concerns rather than afterthoughts.

For anyone who has lived through the SOA, API-first, and Event-Driven architecture waves over the past two decades (which I was talking about my whole Yenlo journey), the pattern is familiar. Every time enterprise architecture went through a foundational shift, the winners were the organizations that treated the shift as an opportunity to rebuild on better primitives, not as a compliance cost. Sovereignty is that kind of shift. The primitives being rebuilt right now include Event Meshes, Agent Meshes, identity fabrics, and data pipelines. The choices made this year will shape what European enterprises look like in 2030.

The AI layer changes everything, and sovereignty changes AI

Now we get to the part that most boardrooms have not fully absorbed yet.

AI is not just another software category you can procure sovereignly or not. AI rewires the entire relationship between data, software, and decision-making. When a generative model answers a question or an autonomous agent executes a workflow, your most sensitive operational data, your customer records, your legal documents, your industrial telemetry, your strategic plans, all of it, flows through that model. If the model is hosted outside European jurisdiction, so is the context. If the training data is extraterritorial, so is the provenance. If the inference runs on infrastructure subject to the Cloud Act, so does the reasoning.

This is why sovereign AI is not a niche concern for defense ministries. It is the natural next chapter of the sovereignty movement, and the European response is already taking shape with surprising speed.

Mistral, based in Paris, is building what it calls a sovereign AI stack, with open-weight models, an $830 million debt facility for a Paris data center, the Mistral Forge platform that allows enterprises to train custom models on their own data, and a growing roster of regulated-industry customers. Mistral has become, for European enterprises, what no US provider can be by definition, a frontier-capable model under European jurisdiction. Yet a sovereign model is only half the equation. The moment it needs to act, retrieving context, calling tools, coordinating with other agents, or triggering enterprise workflows, the orchestration layer underneath it must be equally sovereign. That is precisely where Solace Agent Mesh steps in, providing the real-time, event-driven backbone that lets Mistral operate at enterprise scale without routing decisions, context, or agent coordination through infrastructure outside European control.

Aleph Alpha in Heidelberg has pivoted from competing at the frontier to offering PhariaAI, a sovereign AI operating system that lets enterprises govern any underlying model within European legal and operational constraints. That pivot is telling. The real sovereignty question for most enterprises is not which model you use, it is how you govern it, how you audit it, where it runs, who can see its inputs and outputs, and how cleanly you can swap the underlying provider when the landscape shifts. Solace Agent Mesh is built around exactly that insight. Sitting between the models and the enterprise systems rather than inside any single model, it enforces governance policies, audit trails, and jurisdictional boundaries at the infrastructure level. Swap Mistral for Aleph Alpha, or run both in parallel for different workloads, and the Agent Mesh governs the handoff between them cleanly and verifiably.

Around these anchors, a wider ecosystem is forming. LightOn for long-context document intelligence. H Company for computer-use agents. Apertus, developed by ETH Zurich, EPFL, and CSCS, purpose-built for EU AI Act compliance. SAP consolidating its EU AI Cloud with Aleph Alpha and Mistral as core partners. These are not just vendors, they are the components of something larger, a European AI supply chain that can be reasoned about, regulated, and relied upon without extraterritorial exposure. What this ecosystem has lacked until now is a common connective layer that lets these components work together at runtime, exchanging events, coordinating agents, and enforcing sovereignty boundaries across every integration point. Solace Agent Mesh, running on the Solace Event Mesh, is that layer. It is not a model and not a platform in the classical sense. It is the nervous system that turns a collection of sovereign AI components into a coherent, governed, enterprise-grade architecture.

Sovereign agents, the architectural challenge of the decade

Generative AI was the warm-up. Agentic AI is the main event, and it raises the sovereignty bar dramatically.

An autonomous agent is not a chatbot. It is a piece of software that perceives, plans, decides, and acts. It calls APIs, writes to databases, sends messages, triggers workflows, and increasingly coordinates with other agents to achieve multi-step goals. In an enterprise context, a fleet of agents is effectively a new kind of workforce, one that operates at machine speed, reads every relevant system, and leaves traces in every data store it touches.

Ask the sovereignty questions about that workforce. Where does each agent run? Whose model powers it? Which data does it see, and who controls the logs of what it saw? When it calls another agent, who governs the contract between them? When it makes a decision that affects a citizen, a patient, or a counterparty, which jurisdiction owns the audit trail?

This is why the sovereign cloud discussion and the agentic AI discussion are converging into the same conversation. An agent running on a US-based model, orchestrated by a US-based platform, exchanging events over US-controlled infrastructure, is a sovereignty event regardless of where you think your data lives. The only architecturally honest answer is to build agent platforms where the model layer, the orchestration layer, the event layer, and the governance layer are all under verifiable European control.

Event-Driven architecture becomes strategically central here, not as a nice-to-have integration pattern but as the nervous system of a sovereign agent estate. A real-time event backbone that moves data and decisions across clouds, regions, and agent fleets, while keeping control of where each event lives and who can see it, is the foundation that lets agents work at enterprise scale without leaking the enterprise out of Europe. Agent meshes running on top of event meshes, with sovereign models plugged in as interchangeable components, is the architectural pattern that is going to define the next wave of European enterprise AI.

What this means for leaders making decisions this year

The strategic implications are sharper than most roadmaps currently reflect.

First, sovereignty is now a measurable attribute, not a sentiment. The SEAL framework gives you a ruler. Use it, for your infrastructure, your software vendors, and your AI providers. If a supplier cannot tell you where they sit on the scale, they have just told you something important.

Second, the sovereign choice is no longer a trade-off between compliance and capability. European providers have closed most of the gap on infrastructure, are closing it fast on frontier AI, and are leading on governance, explainability, and regulatory alignment. Framing sovereignty as a compromise is a leftover from 2022, not a 2026 reality.

Third, agentic AI and sovereignty must be designed together, not bolted together later. The cost of retrofitting sovereignty onto an agent estate that was architected around US platforms will be far higher than designing for sovereign operation from day one. Portable models, event-driven orchestration, pluggable governance, and clear jurisdictional boundaries are the architectural primitives that make this possible.

Fourth, the system integrators, ISVs, and technology leaders who will matter in the next five years are the ones helping European enterprises execute this transition, not the ones selling the same US-only stack with a sovereignty sticker on the box. The conversations I am having across EMEA right now, with partners, with customers, with fellow builders, all point in the same direction. Europe is not just protecting its data. It is rebuilding its digital foundations.

That is the real story of the sovereignty movement. It is not about pulling up drawbridges. It is about building something better, on European terms, with European values baked into the architecture, ready for an AI era where trust, transparency, and jurisdictional clarity are competitive assets rather than regulatory costs.

The winners of this decade will be the organizations that see sovereignty not as a constraint to satisfy, but as an architectural principle to embrace. The technology exists. The regulatory frameworks are in place. The European providers are credible. The only question left is how quickly leaders are willing to act on a truth that has become impossible to ignore.

Interested in discussing this further? I’d be happy to connect.

---

Update, April 24th 2026: the Dutch central bank migrates to STACKIT

Read the full story here: https://www.computable.nl/2026/04/22/dnb-stapt-in-lidl-cloud/