Sovereign Cloud and AI: Where Europe Stands in 2025 | Summarising The 3rd European Sovereign Cloud Day

The third edition of the European Sovereign Cloud Day gathered over 200 delegates in person and 300 online and assessed Europe’s progress in implementing sovereign cloud solutions, with a particular focus on the role of evolving and enabling legislative and regulatory frameworks. 

Discussions covered the enforcement of key policies, including the Data Act and the European Cybersecurity Certification Scheme for Cloud Services (EUCS), and cloud convergence amongst other significant files.

The industry and the policy community gathered to share key insights into Europe’s cloud sovereignty landscape and the next steps in ensuring a secure, competitive, and innovation-driven cloud ecosystem.

Watch our highlights video below and read on for a detailed summary of the discussions, plus links to full replays.

In the opening keynote, “Sovereign Cloud: Definitions, Drivers, and Solutions”, David Michels, Researcher at the Cloud Legal Project, Centre for Commercial Law Studies at Queen Mary University of London, defined sovereign cloud in terms of customer autonomy, limiting foreign control, and advancing European strategic goals. He also outlined two key concerns emerging from his research and interviews with experts: the confidentiality of European customer data and the availability of European services to European customers.

“The top three providers, Amazon Web Services (AWS), Microsoft Azure and Google Cloud together hold some 63% of the infrastructure market… When we go down that list of the top eight providers, we see that those are all either US or Chinese companies. There is no single European cloud provider in the top eight.”

“...merely having data stored at data centres within Europe does not protect your data from US Government access if the cloud provider is subject to US Jurisdiction.”

David Michels, Researcher at the Cloud Legal Project, Centre for Commercial Law Studies at Queen Mary University of London

The session also explored the drivers of sovereign cloud demand and presented a range of potential solutions:

• Not using a cloud service at all, opting for on-premises solutions instead
• Creating a federated European cloud
• Developing EU-US hybrid models, combining components from both regions
• Adopting a Hyperscaler Plus model - continuing to use a US hyperscaler with additional protections against foreign government control

Michels concluded that tailored risk management and robust regulation will be critical. He also noted that future research will examine how these issues intersect with the development and deployment of AI.

Elena Santiago Cid, Director General, CEN and CENELEC, delivered the second keynote, highlighting the role of European standardisation in supporting digital sovereignty. She outlined how consensus-based standards underpin EU legislation on cybersecurity, data protection, cloud, and AI.

“The standards that we produce are trying to develop to support people. Technology is here to serve people and not the other way around. And we believe this is the heart of digital sovereignty. That's [also] how we are trying to treat the standards development process in Europe. And the cloud lies in all this digital transformation.”

 Elena Santiago Cid, Director General, CEN and CENELEC

The session emphasised collaboration with EU and international bodies to ensure trusted, interoperable systems without isolating Europe. Santiago Cid also discussed ongoing work on cloud interoperability, the Cyber Resilience Act, and emerging technologies, stressing the need for inclusive, forward-looking engagement.

In a third keynote presentation, Manuel Mateo Goyet, Acting Head of Unit, Cloud and Software, DG CNECT, European Commission, outlined the Cloud and AI Development Act’s goals to increase European cloud adoption from 45% to 75% of businesses and advance edge computing. Challenges include limited data centre capacity, energy access, lengthy permitting, and investment gaps. 

“What is striking is that even doubling [European datacentre capacity] we're not catching up with other regions and that the other regions were not only not catching up, but they're growing even faster.”

 Manuel Mateo Goyet, Acting Head of Unit, Cloud and Software, DG CNECT, European Commission

The Act seeks to simplify regulations, boost R&D in energy-efficient AI, and enhance cybersecurity, aiming to build secure EU-based cloud infrastructure while balancing reliance on non-European providers. The plan also promotes “AI factories” and “gigafactories,” with public consultation ongoing and a final proposal due by March 2026.

The first panel, Sovereign Cloud in Europe: Balancing Innovation, Security and Fair Competition, examined the challenges of reducing Europe’s reliance on non-European cloud providers. Panellists discussed the definition of "sovereign cloud," the need for a competitive business model, and the impact of EU regulations on startups and SMEs. They called for simplified rules and coordinated funding, such as a proposed European Tech Sovereignty Fund. The panel also addressed data control for AI, strategic public procurement, and technical solutions like client-side encryption, concluding that a unified EU strategy is essential for a secure, sovereign cloud ecosystem.

“Although I have nothing against initiatives being being undertaken by different member states, when it comes to scaling up, when it comes to increasing their cloud capabilities and capacities, I have nothing wrong at that. But if we are not well coordinated at EU level, and if we don't channel the right investment, I don't think that we can achieve it. And we will still continue to rely on cloud infrastructure outside our continent, even to host governmental data.”

Alex Agius Saliba, Member, European Parliament

Roger Samdal, Director Hybrid Cloud, Sopra Steria, delivered a presentation on balancing AI innovation with national sovereignty, focusing on Norway’s goal of 80% public sector AI adoption by 2025. He discussed the challenges of adhering to rules and regulations at both the local governmental agency and EU level and dependence on hyperscalers, advocating for hybrid and sovereign cloud models. Real-world examples from Norway’s health sector illustrated these strategies. The session also covered data security, regulatory compliance, and ethical AI use. Samdal concluded that all current implementations use hybrid cloud solutions tailored to specific needs.

“[The Norwegian government] and the customers we are working with need to… strike a balance between sovereignty and national autonomy.... Have both the mindset of sovereignty - be independent of large vendors - but also having the robustness and resiliency of the infrastructure within the country. Those two things are important for Norway as a nation to think of when we are talking about solutions going forward. We can't depend on everything being public cloud or European cloud. We still have to have important pieces of the puzzle within our borders.”

Roger Samdal, Director Hybrid Cloud, Sopra Steria

Christian Scholz, Vice President, Cloud Business, Arvato, presented a case study on the 15-month migration of a German healthcare insurer’s IT infrastructure to a sovereign cloud. Despite early challenges involving legacy systems, complex firewalls, and trust issues, the project achieved zero downtime and a 90% data centre footprint reduction. Key success factors included detailed planning, agile methods, and strong collaboration between Kubus IT and Arvato Systems. The new platform combines private cloud, hyperscaler links, and European interfaces, ensuring flexibility and compliance. Scholz defined "sovereign cloud" as enabling client control over data location and processing, rather than full isolation.

Chris Folkerd, Director, Core Infrastructure, ANS, discussed the complexities of sovereign cloud adoption in the UK in his presentation, How Sovereignty Shapes the Future of Public Services. He outlined drivers such as Brexit, GDPR, and geopolitical risks, along with challenges like multi-cloud data handling, the US Cloud Act, and post-quantum encryption. Falkert highlighted the role of managed CSPs in implementing zero trust security and data governance. While Europe pursues Gaia-X, the UK is developing its own standards. He stressed the importance of strong partnerships, regulation, and a lifecycle approach to balance sovereignty with public sector collaboration.

Guy Bartram, Director Product Marketing and Competitive Intelligence Specialist, VMware, led the panel Building the Sovereign Cloud Ecosystem: Trust, Control, and Collaboration, joined by leaders from Dynamo Cloud, IONOS, and Aruba Cloud. The discussion addressed Europe's weak cloud market, low adoption rates, and regulatory complexity. Panellists emphasised the need for interoperability, open standards, and public-private collaboration through initiatives like Gaia-X, SECA, and Eurostack. Key themes included compliance-by-design, trust-building, and aligning with EU regulations such as the Data Act and DORA. The panel agreed that a collaborative, market-driven strategy is essential to strengthen Europe’s position in the global cloud landscape. 

“...if we build a network, the computer storage network with the power, with sufficient power, maybe even the technology providers will become more relevant because you will need less software - individual software solutions - and more AI computing power… And my hope is that instead of dropping from 10 to 0 [%] in three years’ time, we will stay at 10% and maybe in another couple of years go to 20% of the market share. It's not much, but 20% of 400 billion is a lot of money.”

Francesco Bonfiglio, CEO, Dynamo Cloud

Martin Hosken, Field CTO, Cloud Providers, VCF Division, Broadcom, hosted a customer conversation with Katharina Cordes (Pluscloud VMware) and Emmanuel Finance (Cancom), focusing on data sovereignty in the German public sector. Cancom highlighted the regulatory challenges of building compliant, air-gapped systems, while Pluscloud showcased its partner-cloud model to simplify operations. The discussion stressed the need for modern, scalable infrastructure amid geopolitical pressures and evolving AI and IoT demands. Panellists agreed that close collaboration and choosing providers aligned with national regulations are key to navigating the complex and shifting regulatory environment.

The final panel, The Future of AI is Sovereign: A Strategic Dialogue on Innovation and Trust, explored the rise of sovereign AI and its contrast with hyperscaler services. Panellists discussed the risks of relying on hyperscalers for sensitive data and emphasised the need for controlled, sovereign environments. They covered AI deployment options, shared real-world examples, and examined the impact of the EU AI Act. 

“The AI act, which is being implemented in multiple phases, will certainly have an impact on applications that get deployed both within a sovereign cloud and in public cloud providers. There are many people out there and it's quite a contentious area. There are many people out there that think that even things like Chat GPT wouldn't comply with the AI Act. So there's still a number of open questions about the interpretation of that act and how it'll be implemented in various areas.”

Martin Hosken, Field CTO, Cloud Providers, VCF Division, Broadcom

The conversation also addressed infrastructure needs, talent, and emerging trends like AI agents and Model Context Protocols. The panel concluded that sovereign and hyperscaler AI will likely coexist, serving different levels of data sensitivity.

To end a fruitful and thought-provoking day of discussion, Martin Hosken’s closing summary introduced the VMware Sovereign Cloud Initiative, and emphasised the growing importance of data sovereignty amid rapid global data growth, from 33 zettabytes in 2018 to 572 by 2030. He highlighted concerns over US laws like the Cloud Act affecting European data control, stressing the difference between data residency and true sovereignty. Using a humorous analogy, he illustrated the shared control among governments, providers, and data owners. Hosken outlined sovereignty as security, compliance, and genuine control, extending the topic to sovereign AI and its legal, ethical implications. He noted trends of cloud repatriation driven by sovereignty, cost, and compliance, referencing VMware and Broadcom’s ongoing work in sovereign cloud platforms.

Keep informed about future editions of Forum Europe’s European Sovereign Cloud Day by signing up here.

For further information or specific queries, please contact us at sovereign-cloud@forum-europe.com.