
Our 3 Key Takeaways
European companies are highly dependent on US hyperscalers. 67% of German companies say they cannot operate without them. Two-thirds of European cloud services come from US hyperscalers, exposing companies to additional costs and to legal or geopolitical risks.
More sovereign cloud solutions are currently being developed in Europe, either by the US hyperscalers themselves or by alternative European providers. However, European providers are still lagging behind, particularly when it comes to advanced cloud services.
Companies should take a pragmatic approach to risk mitigation and diversification by using both US hyperscalers and European providers and reassessing the need for resilience and sovereignty. To close the gap between the offerings of European and US hyperscalers, European providers should join forces for further development, supported by favourable political conditions and sufficient funding.
1. Introduction
Cloud computing has become a cornerstone of digital infrastructure in Europe, with U.S. hyperscalers such as Amazon, Microsoft, Google plus Oracle dominating the market. Over 90% of German companies use cloud services by now, and many have adopted a cloud-first approach. The appeal lies in on-demand provisioning of resources, a broad catalogue of managed services, global reach, efficiency gains, and substantial investments in security – capabilities that European providers can barely match at comparable breadth and scale.
However, this dependency creates strategic, legal, and operational risks.
Europe’s structural reliance on U.S. providers is a critical issue. Roughly two-thirds of all European cloud services are delivered by U.S. firms, and 67% of German companies state they could not operate without them. This exposes businesses to potential disruptions from provider outages, geopolitical conflicts, or even legal challenges such as the U.S. Cloud Act, which conflicts with EU data protection laws. While sovereign European alternatives exist, their functional scope, scalability, and service integration remain far behind hyperscalers, particularly in advanced platform services, data analytics, AI, and workplace solutions.
Recognizing these risks, hyperscalers themselves have introduced “sovereign cloud” offerings in the EU – ranging from data residency controls to joint ventures with European partners. These initiatives address compliance and sovereignty concerns but do not fundamentally reduce Europe’s dependence on U.S. technology. At the same time, European providers are attempting to catch up, but limited economies of scale, fragmented approaches, and lack of investment hinder progress.
Moving forward, three groups of stakeholders must act. Companies need to reassess cloud risks, prepare contingency plans, and diversify their providers, balancing hyperscaler benefits with sovereign alternatives. European cloud providers must close functional gaps, pursue alliances to achieve scale, and target competitive service portfolios, particularly in data management and AI. Policymakers should establish stable framework conditions and support European initiatives with substantial funding – without overregulation that would undermine competitiveness.
Ultimately, Europe faces a strategic crossroads: continue relying on foreign hyperscalers for speed and functionality or invest in building sovereign cloud capabilities to secure long-term digital independence. Success will depend on aligning user demand, provider innovation, and political support into a coherent European cloud strategy.
2. Strong dependency of European companies on U.S. providers
Cloud infrastructures provided by American hyperscalers[1] have seen widespread adoption by companies in Germany and across Europe in recent years. The primary reasons for migrating IT services to the cloud include simplified access to new technologies, quick and easy provisioning of IT resources (elasticity), global availability close to customers, and efficiency gains through economies of scale.
The main reasons for using services offered by U.S. cloud providers (hyperscalers) are the following:
Easy to use on-demand resources: IT-resources (hardware, infrastructure, software runtimes, platform services) can, after an initial contractual and technical setup (landing zone), easily be ordered and instantiated via self-service portals. This allows for easy provisioning of new systems and services, as well as elastic up/down-scaling of IT-resources. From the user’s point of view, the offered IT-resources are (technically) unlimited; the only constraint is cost.
Managed resources / skills: Technological developments in the IT sector have introduced a wide range of new technologies in recent years (such as Kubernetes, Kafka, NoSQL databases and recently LLMs). Leveraging these technologies is not always easy for companies, as there is often a shortage of qualified personnel to manage them, especially for professional 24/7 operations. Hyperscalers provide attractive offers to circumvent these challenges.
Platform services: Hyperscalers also provide Platform as a Service offerings with a higher degree of integration (e.g., managed Kubernetes, managed Kafka, managed databases of various flavours). This is especially prevalent for advanced data management and analytics technologies.
Global reach: Through the global reach of the offered IT-services, applications built on hyperscaler infrastructure can be deployed in various global regions without major changes and adaptations.
Efficiency gains: The provisioning of IT services in a standardized way has very high economies of scale. However, market experience with significant cost implications indicates that the benefits from economies of scale are not distributed equally between hyperscalers and their customers, i.e., the hyperscalers are retaining a significant share.
Substantial investments in security: Hyperscalers invest heavily in IT security and offer it as a configurable service (e.g., Microsoft Office Security, DLP, network segmentation). Achieving a similar level of security requires extensive specialist knowledge and dedicated experts. For companies that operate their own IT landscapes, this involves a great deal of effort and high costs, and is almost impossible to achieve, especially for small and medium-sized enterprises.
Higher value services: Services that go beyond Infrastructure-/Platform-as-a-Service enable fast prototyping and rapid usage.
According to Bitkom Research 2025[2], currently 90% of German companies use some kind of cloud service, compared to 81% in the last report in 2024. The remaining 10% are discussing or planning to use cloud services in the upcoming years. Other estimates indicate that around 50% of all workloads and data from European companies have been migrated to various cloud infrastructures already. It is also noteworthy that 50% of companies have established a cloud-only or cloud-first strategy, while an additional 31% pursue a “cloud too” approach, driving further cloud usage.

Figure 1: Cloud usage of German companies
Looking at the details reveals cloud usage across specific services. More than three out of four companies already rely on cloud solutions for email, HR/finance, file storage, and office software. The largest growth potential for hyperscaler usage lies – unsurprisingly – within AI-services.
However, there are also areas where companies expect to use fewer cloud services compared to today, mainly collaboration tools, ERP and IoT.
U.S. companies dominate the market for cloud services in Europe, offering approximately 66% of all cloud services:

Figure 2: Market share of cloud providers (European Union)
In addition to the services offered by hyperscalers and infrastructure providers, other Software-as-a-Service providers such as Salesforce, SAP, ServiceNow, etc. have entered the market. While some SaaS providers such as Salesforce or ServiceNow still operate their own data centres (including in Europe), others such as SAP (via the Business Technology Platform/BTP and RISE with SAP) or Atlassian also offer their services via hyperscalers or use IaaS from hyperscalers.
3. Risks and challenges of hyperscaler usage
The strategic importance of cloud infrastructures has continued to grow in 2025, particularly considering the dominant role played by U.S. hyperscalers.
However, this widespread adoption comes with increasing dependency: 67% of German companies say they would no longer be able to operate if their cloud service provider were to fail. This highlights a structural lock-in effect, which is particularly favoured by the performance and global reach of U.S. hyperscalers. European companies are thus facing a critical challenge – between technological necessity and strategic dependence.
There are six major risk categories with U.S. cloud providers:

Figure 3: Exemplary risk assessment for cloud usage by a specific user. Every company that uses cloud services should assess the risks associated with cloud usage for the intended use cases.
3.1. Operational risks
Various events (e.g., natural disaster, political or business decisions) could lead to a situation in which operational requirements/SLAs regarding performance, availability, and IT-security are not met by the provider in one availability group or region. In such an event, data and workloads might need to be migrated to another region of the same provider. This may involve significant effort but is generally manageable due to the homogeneity within one provider’s ecosystem.
3.2. Cost risks
Costs are “managed” by the hyperscalers, which exploit the lock-in effect of their offerings, resulting in a significant disadvantage for the client. Recently, a new risk has emerged in the form of potential EU taxes for all U.S. hyperscalers in response to U.S. tariffs.
3.3. Legal risks
Legal requirements/SLAs regarding performance, availability, IT-security are not met by the provider in multiple regions. This can be considered as a provider-wide failure. If this is not mitigated by the provider within a reasonable time frame, critical services might become unavailable or degraded, requiring a full-scale migration to another provider. This is especially complex for cloud-native services tied to proprietary interfaces, leading to short- or medium-term disruptions in performance and functionality.
3.4. Data privacy risks
There is a risk in data and information security triggered by the U.S. Cloud Act[3], which has been in force since March 2018. This law obliges U.S. companies to hand over stored data upon request by U.S. law enforcement authorities, regardless of whether the data is physically located in the U.S. or abroad. On the EU side comprehensive data security and data privacy regulations are in place, and breaching these regulations carries a high financial and reputational risk.
After controversial debates, the EU and the U.S. have put the Data Privacy Framework (DPF) in place, allowing the use of American hyperscaler infrastructure under specific conditions. The validity of the DPF was recently confirmed by the General Court of the EU. Furthermore, the EU Data Protection Officer has confirmed to the EU Commission that the use of MS365 is permitted under data protection law and has discontinued proceedings against it. This was preceded by improvements to the data protection clauses in the Microsoft licence agreement and the implementation of the EU Data Boundary by Microsoft.
If these data privacy rules are changed or invalidated by an EU court decision, and the storage of personal data in non-EU controlled companies is no longer permitted, hyperscalers could no longer be used legally for a wide range of purposes.
3.5. Espionage risks
Transferring data and documents stored in cloud services generally entails the risk of espionage. In the usual setup, the encryption keys to access the data are managed by the hyperscaler rather than retained in-house. Thus, customers need to trust in the hyperscalers’ critical security functions and technology. At the same time, hyperscalers are prime targets for foreign intelligence agencies due to their scale and central role in global IT. Moreover, U.S. law enables government authorities to compel these companies to grant access to customer data – even if stored outside the U.S. – creating a persistent risk of state-mandated exposure. To mitigate the risk of espionage, a careful assessment of the specific sensitivity of the data transferred to the cloud must be conducted.
3.6. Geopolitical and strategic risks
Changing geopolitical circumstances (e.g., sanctions, tariffs) may prevent the use of cloud providers from certain countries. If this risk materialises, all services of hyperscalers might become obsolete within a short timeframe. This would have severe implications for IT continuity, since the service offerings of EU cloud providers still lag significantly behind in terms of capabilities and available capacity.
While the first three categories typically affect only a single provider if they arise, data privacy and geopolitical risks have the potential to impact all U.S.-based cloud providers simultaneously.
Given this context, there is a growing focus on “finding” sovereign cloud services within Europe.
4. European Sovereignty – with or without American hyperscalers?
The demand for sovereign cloud alternatives in Europe is clearly evident and openly articulated by companies. According to the Bitkom Cloud Report 2025, 82% of the companies surveyed no longer want to be technically dependent on U.S. cloud providers. At the same time, 78% consider themselves to be dependent in practice.
However, most companies do not want to make any compromises in terms of the breadth and quality of available services, e.g., 65% are not willing to accept functional limitations in order to switch to European providers. Responses also indicate that 50% of companies are currently rethinking their cloud strategy based on the new U.S. administration's policies.

Figure 4: Do we need a European or German hyperscaler?
Another aspect of this seemingly contradictory result might be that data residency is less important for the users of cloud services than service offering and availability. Important criteria for selecting a cloud provider include performance and stability, a high level of trust in IT security, data protection and compliance, as well as the option of data encryption. Data centre location in the EU, country of origin for the provider, and interoperability are important for 2/3 of the respondents. An easy way to change the provider is less important in the market (40% of respondents).
This leads to a structural deadlock: companies recognize the risks of continued dependence but, due to the lack of mature European alternatives, cannot pursue a viable technological realignment without accepting operational and functional losses. A sustainable solution therefore requires either a significant innovation push from European cloud providers or a fundamental change in strategy when dealing with digital dependencies.
Current European or German cloud offerings are not functionally competitive. Many of the existing initiatives are specifically aimed at certain sectors, such as public administration, and are not designed to meet general business needs. Furthermore, the range of functions often lags far behind that of U.S. hyperscalers – modern, scalable platform services, APIs, and AI-supported services are either missing or only available in a rudimentary form. Instead, alternatives to well-known products such as Microsoft Office 365 are often offered, but these are not equivalent in terms of functionality or ecosystem.
4.1. Sovereign EU cloud services from hyperscalers
On the other hand – recognizing the demand for sovereign European cloud services – hyperscalers (Amazon, Microsoft, Google plus Oracle) have increasingly invested in EU data centres and various sovereign solutions in recent years, in particular to cater to user groups with high data privacy and security requirements (e.g., public sector, defence, financial services). Since Donald Trump took office, the importance of sovereign solutions has increased even further, reflecting a shift towards policies with a more national and protectionist orientation.
U.S. hyperscalers offer various models for “more” sovereign cloud solutions in the EU:

Figure 5: Sovereign cloud delivery models of U.S. hyperscalers
All hyperscalers offer data residency controls in European or even country-specific data centres to comply with European or local data residency laws. Data are stored in the respective EU cloud region and are not transferred outside this region. This option is used by most companies to ensure basic compliance with the GDPR and local legislation.
The next level of sovereignty is a sovereign controls layer, implemented either by the hyperscaler or by a European partner in a partner-managed cloud. In this scenario, the cloud technology stack of the hyperscaler is deployed and operated in an EU-based data centre of either the hyperscaler or the partner. Cloud operations are performed by EU-resident staff from the hyperscaler or a partner, and additional levels of governance are established. Key management for data encryption is supported either by the client or by a European partner to ensure that the hyperscaler cannot access the data. Microsoft[4] announced a sovereign European public cloud in June 2025. Google offers partner-managed cloud services with T-Systems[5] in Germany and other partners in different locations.
Oracle and Amazon offer their customers dedicated sovereign regions, where the cloud services are operated by dedicated European subsidiaries (e.g., Oracle Deutschland GmbH, Amazon European Sovereign Cloud GmbH) with a certain level of independence from their parent companies (including a dedicated European leadership team). Amazon plans to offer this model in the Brandenburg region by the end of 2025[6].
Microsoft[7] and Google also provide their services in joint venture clouds. In this case, the hyperscaler provides the software to a third-party company, which operates the cloud services. In Germany, Delos, a joint venture between SAP and Arvato, offers MS365 services to public sector customers. In France, Bleu, a joint venture between Capgemini and Orange, also provides MS365 services to certain customer groups. Google has established a similar model in France through a joint venture with Thales, in which Thales holds 51% and Google 49%. This model provides a high degree of sovereignty, as the hyperscaler acts only as a technology supplier to an independent company and has limited, controlled technical or legal access to customers’ workloads and data. However, most of these services are offered exclusively to specific customer groups, such as public sector organizations or defence clients.
Google announced a partnership with StackIT (Schwarz Gruppe) for Google Workspace. In this model, Google provides the Workspace software, which is deployed in StackIT data centres and operated by StackIT. Enhanced encryption mechanisms allow customers to secure their data, preventing third-party access – including by Google itself[8].
The highest level of sovereignty is obtained by using dedicated “cloud @ customer” models. Here, the hyperscaler provides the cloud service stack (hardware and software, often in preconfigured racks), which is then installed in the client data centre and operated by the client or a partner. In many cases, these services can also be obtained air-gapped, with no direct access from the hyperscaler to the dedicated cloud. Recently, Germany’s Bundeswehr announced that it will use Google Distributed Cloud services with BWI as partner[9]. The offering of the dedicated “cloud @ customer” stack can be very broad. Google, for instance, offers its Gemini AI services via this model. Microsoft offers local MS365 services in addition to its Azure local stack.
A brief overview of the hyperscalers’ sovereign cloud offering is shown in the following table:

Figure 6: Sovereign cloud offerings by U.S. hyperscalers in Europe
4.2. European cloud providers
Several cloud providers have established themselves in Europe in recent years. These began as data centre operators, web hosting or email providers and offered classic IT outsourcing services. Over the past few years, they have expanded towards offering highly standardized cloud services with increasing self-service and easy-to-use provisioning. An overview of a representative but not comprehensive list of providers and their services is depicted in figures 7 and 8.

Figure 7: Service offerings of European cloud providers in areas of infrastructure, platform, data analytics and AI services; listing is based on publicly available information
4.2.1. Compute (IaaS) and fundamental PaaS services
All mentioned European providers offer scalable compute services (virtual and bare-metal servers for CPU and GPU), network, and storage services (managed relational database, block storage, NoSQL database). Most of the services are available via self-service for easy provisioning.
They also offer fundamental PaaS services, in particular managed container orchestration platform services (e.g., Kubernetes) and managed database services (managed relational database, block storage, NoSQL database; some also offer S3-compatible APIs).
Cloud-agnostic applications that run in containers (e.g., Docker) can therefore be transferred to a European provider with reasonable effort.
The offer of GPU computing services for training and inference of AI models has expanded recently and most of the European providers offer such services.
4.2.2. Advanced Platform-as-a-Service offerings
Additional Platform-as-a-Service offerings (e.g., managed streaming or queuing services, in-memory databases etc.) are scarce and spread across various providers. Newer concepts like serverless functions are not yet available from European providers.
The use of PaaS services from a hyperscaler is very often a simple and efficient way to solve a given IT problem. For this reason, these services are very popular with developers, even if they are not interoperable. While each hyperscaler offers a comparable portfolio of PaaS services, these portfolios are not interoperable, though migration is still possible with reasonable effort. Migration to a European provider that does not have an adequate service in its portfolio is therefore more complex.
4.2.3. Data management and analytics
In the area of data management and analytics, switching to a European provider is far more complicated. Many applications in this field were created in recent years using the proprietary PaaS services of hyperscalers, such as advanced streaming, data storage and machine learning services. Additionally, popular solutions such as Databricks are only available as PaaS solutions, but not for on-premise or private cloud deployments.
Most European alternative cloud providers do not offer corresponding data management and analytics PaaS solutions and usually expect clients to create their own architecture based on open-source frameworks (e.g., Hadoop, Spark, etc.) and deploy it on the cloud providers' IaaS services. OVH, Ionos and T-Systems (in partnership with Huawei) offer partial coverage of PaaS services.
4.2.4. AI capabilities
Most European cloud providers offer options to prepare and store data for GenAI models and to run inference on various models – either open-source models such as Llama, Mistral, or Hugging Face, or commercial models available as a service via API, such as Google’s Gemini, OpenAI’s GPT, Anthropic’s Claude, and others. In addition, some providers have begun to offer their own AI models as a service.
4.2.5. Managed office suite
With MS365 and Google Workspace, Microsoft and Google offer comprehensive and integrated solutions for the user workplace. These include solutions for groupware (email, calendar, contacts), chat, voice and video conferencing, file storage and a comprehensive office suite that is suitable for the simultaneous editing of documents. In Europe, MS365 has a market share of around 55% and Google Workspace of around 15%. If you add the hosted Exchange and on-premise installations for email, Microsoft has a share of around 80% in the groupware sector and 80% in the office software sector[10].
Integrated office services from alternative European cloud providers are currently scarce but developing. Most providers offer managed services for groupware (email, calendar, contacts), either via custom or open-source solutions or as hosted instances of Microsoft Exchange. These are accompanied by services for sharing, chat, videoconferencing and office based on the Nextcloud product stack (or similar), but these are not well integrated yet.

Figure 8: Service offerings of European cloud providers for workplace services; listing is based on publicly available information
Recently, the development of cloud-hosted office suites similar to MS365 has gained momentum. OpenDesk, an open-source-based office alternative, is being developed by integrating various open-source products into one office suite with functionality comparable to MS365. Furthermore, Ionos and Nextcloud have recently announced plans to develop a European alternative to MS365.
However, both alternatives have yet to prove that they are competitive with MS365 or Google Workspace in terms of functionality, performance and convenience.
Another scenario for more sovereignty for workplace solutions promoting data privacy is to stay on (or go back to) a hosted Microsoft Exchange solution combined with Microsoft Office for on-premise use. This can be accompanied by another chat and video conferencing solution, such as Zoom, GoTo Meeting, WebEx – although most of these are also provided by American companies from the cloud. WebEx still offers an on-premise hosting option.
4.2.6. Identity and access management, security and data loss prevention
In addition to their functional offerings, hyperscale cloud providers have made significant investments in identity and access management, IT security, and data loss prevention. They dedicate substantial resources to securing their infrastructure against threats such as intrusions and DDoS attacks, with the support of well-established security organizations that can swiftly identify and respond to incidents.
Microsoft, in particular, plays a pivotal role due to its dominance in the office productivity space through Microsoft 365. With Entra ID and Active Directory, Microsoft has established core components widely adopted across organizations, often integrated with additional identity and access management tools.
Hyperscalers also offer advanced end-user access controls, including multi-factor authentication, single sign-on, and location-based access services. Microsoft provides a notably comprehensive data loss prevention solution, especially for email and office documents. Google offers similar services, which work well in a Google-centric environment, while Microsoft has the broader offering in more heterogeneous setups.
By contrast, European cloud providers lag in these areas. While they generally offer basic directory services and key management, features like single sign-on (particularly to third-party SaaS) and advanced zero-trust controls remain patchy or absent, leaving them behind the hyperscalers in identity services depth and breadth.
4.2.7. Scalability and regional coverage
Beyond functional features, the scalability, elasticity, and global availability of hyperscalers are key advantages – especially for large, global enterprises and software providers that rely on distributed infrastructures to deliver IT services close to their customers.
4.3. Traditional data centre and IT service providers
Besides European cloud providers, there are further data centre and IT providers (e.g., FI-TS, DATAGROUP, noris network) that offer their customers a focused range of managed IT services. These typically include the provision of managed physical and virtual servers on the infrastructure side, as well as virtual desktop services and managed services for email and file sharing for workplace-related services (e.g., managed Exchange, managed SharePoint).
The engagement model follows a more traditional approach, whereby the provider responds to specific customer wishes and requirements rather than offering a highly standardised range of services. The commissioning processes also follow the traditional customer/supplier model rather than a comprehensive self-service model.
Furthermore, information about the services offered and pricing models is not widely publicised, and getting access to that information requires a closer client relationship with the provider.
5. Ways to improve European cloud sovereignty
The use of cloud services in Europe has grown steadily in recent years to a significant level. Companies have migrated their workloads to the hyperscaler infrastructure and are using advanced PaaS and SaaS offerings. The U.S. providers have made significant investments in the last 10 years and stand out due to their comprehensive range of services, global availability, and a high level of IT security at an acceptable cost.
The hyperscalers excel in the most important categories for users – availability, performance, stability, and IT security – and offer an acceptable level of data protection for most applications. Data sovereignty played a subordinate role in the risk/benefit assessment of most user companies. Exceptions can be found in specific industries such as the public sector, with its exacting requirements regarding data protection, and the defence sector, which still largely rely on private cloud and on-premise solutions in Europe.
As a result, only a limited market for sovereign cloud services has developed and the offerings of European alternative providers have remained sparse.
This has changed since Donald Trump took office for his second term, and at the latest since the ubiquitous tariffs were announced. The question now is whether President Trump intends and is able to ‘switch off’ European companies' access to cloud infrastructure or whether the negotiations on tariffs between the EU and the U.S. could result in special levies on digital services that would make cloud services significantly more expensive.
We would like to give some advice to users, European cloud providers and policy makers on how to deal with this situation:
5.1. Companies using cloud services
Companies that are currently using cloud services from U.S. hyperscalers or intend to use them in the foreseeable future should reconsider their strategy based on their specific risk profile. In general, a step-by-step path towards cloud sovereignty is proposed:
Risk re-assessment: Companies should re-assess the risk of their cloud usage on a service or application level reflecting the changed risk profile. This should also include considerations regarding acceptable levels of degradation in service functionality or service levels, whether originating from European providers or from the sovereign offerings of hyperscalers.
Emergency plans: For business-critical services, a contingency plan should be drawn up to ensure continuity in the event of a rapid, forced hyperscaler exit – albeit with restrictions. This is in addition to the usual exit strategy, which covers an orderly exit within a time horizon of 12-15 months.

Figure 9: Strategies for risk mitigation of current cloud usage and towards a more sovereign cloud usage in the future
Local backups: Where possible, users should consider backing up their important cloud data either locally (on-premise) or to a different cloud provider. This is easiest for office documents and emails because the data volumes are manageable. However, this is not always practical for larger data volumes (e.g., multi-TB data warehouses). In particular, the costs of extracting data from hyperscaler infrastructures are high.
De-risking: If the use of an EU sovereign alternative – either from a European provider or a sovereign hyperscaler offering – is considered for all or part of the cloud services in use, an alternative provider should be established both legally (contracts, etc.) and technically (landing zone, connectivity, etc.). First services should be piloted, migrated, and tested.
Exit strategy: According to the risk assessment, the exit strategy for each service should be verified and updated based on an assumed exit horizon of 12–15 months. Ideally, this should include alternative services to be used (e.g., other cloud services or a return to on-premise). It may also require accepting functional or non-functional deterioration or higher migration effort when moving to a different platform. Support for potentially new deployment and operational models (e.g., IaaS or on-premise instead of PaaS) should be underpinned by a strategy to ensure the required skills and personnel are available in case of an exit.
Cloud agnostic development: If applications are developed cloud agnostic, they can be migrated to another hyperscaler or a European provider with significantly less effort. However, this advantage comes at a cost during development (time, costs, skills) if the hyperscaler’s PaaS offerings cannot or must not be used in the new environment. This is particularly relevant in the areas in which PaaS is frequently used, i.e. for data management applications.
Cloud usage diversification: Until the EU cloud providers have closed the gap to the U.S. hyperscalers, a mixed usage of advanced hyperscaler services and sovereign cloud services in a multi-cloud scenario is a promising option, depending on the specific requirements of the individual use case.
5.2. EU cloud providers
To offer a wide range of sovereign cloud services to EU users we consider two options:
European companies can partner with hyperscalers and offer technically comprehensive, efficient cloud services – with the hyperscaler acting as a technology provider. This approach mainly addresses the mitigation of data privacy risk and the risk of a sudden suspension of operations but still relies heavily on the hyperscaler’s technology. Companies that currently offer their sovereign cloud services only to limited user groups (e.g., Delos in Germany, which focuses on public sector companies) should consider offering their services to a broader user group.
European cloud providers still lack many of the advanced services offered by U.S. hyperscalers and must catch up on a decade of technological advances as a direct consequence of the lack of market pressure to date.
Switching to a European provider often entails reduced functionality, limited PaaS availability, longer development times, and higher total costs.
While they address and advertise local data residency and 100% compliance with the EU data privacy regulation (GDPR), this is not the feature that convinces a large number of users given the functional drawbacks. To catch up and provide a competitive offering for a wider user group, functional gaps must be systematically closed, accompanied by improvements in non-functional requirements such as ease of use, embedded security services, and integration with identity and access management solutions.

Figure 10: Service offering of EU cloud providers compared to the offering of U.S. hyperscalers
Since the provisioning of cloud services benefits from significant economies of scale, European cloud providers need to join forces to create sufficient traction for specific solutions (e.g., data management or workplace). To achieve this, they should form alliances and consortia with a strong market presence across national borders and ultimately establish a competitive European hyperscaler. In contrast, a fragmented focus on building interoperable services by individual EU cloud providers leads to unnecessary duplication of efforts, wastes resources, and slows down progress in catching up.
European providers and cloud users must signal to each other that they want to go down the path to sovereign European cloud solutions together to open funding opportunities outside the public sources.
5.3. Politics/public policy makers
Politics can create framework conditions for modern, competitive IT services to emerge and be used in Europe. What providers and users need right now are reliable, long-term conditions that will enable them to catch up with global market leaders and strengthen confidence in European solutions.
However, care should be taken not to achieve this through excessive regulation that forces users to adopt European alternatives (e.g., stricter interpretations of data privacy regulation or restrictive rules on AI). Such measures can prevent companies from using the latest and most efficient services, leaving them less competitive than their non-European peers. The ongoing debate about whether MS365 can be operated in compliance with data protection regulations – as argued by some data protection advocates – is similarly of little practical help to companies.
Forming a European hyperscaler is a strategic and long-term endeavour and should be mainly driven by the cloud service providers. Politics can help with a coherent strategy and aligned purchasing within the EU, to enable a significant revenue stream for the upcoming hyperscaler.
One key element is substantial financing of European initiatives – not only for sovereign clouds but even more for upcoming AI services. In the absence of large multi-billion-dollar corporates able to invest heavily in new services, Europe’s diverse landscape of medium-sized and large companies requires alternative funding models. This should include significant EU funds with efficient and practical application processes, avoiding unnecessary control bodies, bureaucratic hurdles, or lengthy coordination loops.
This is currently even more important in the field of AI, where Europe still has realistic chances of keeping pace in the global innovation race. However, every month without a competitive EU alternative to established AI services results in millions of dollars in usage fees being transferred to U.S. companies.
6. Conclusion
The debate around hyperscaler dependency and European cloud sovereignty is no longer an abstract question of technology strategy, but a pressing issue with direct implications for competitiveness, resilience, and digital independence. The analysis in this paper has shown that while U.S. providers continue to dominate through unmatched functionality, global reach, and economies of scale, their position creates significant structural dependencies and vulnerabilities for European enterprises.
A sustainable path forward will not emerge from an “all-or-nothing” approach. Instead, progress depends on pragmatic diversification, risk-aware cloud strategies, and the creation of credible alternatives that go beyond symbolic sovereignty. Companies must recognize their responsibility to critically reassess exposure, prepare contingency options, and foster cloud-agnostic architectures. At the same time, European providers need to close persistent functional gaps and pursue scale through alliances, if they want to compete on equal terms. Policymakers are called to create stable conditions and provide targeted support without suffocating innovation through overregulation.
The coming years will be decisive. If Europe succeeds in aligning business demand, provider innovation, and political will, the continent has a realistic opportunity to establish a more balanced cloud ecosystem – one that safeguards strategic autonomy while still benefiting from the strengths of global hyperscalers. Failure to act, however, risks cementing a dependency that could become increasingly costly under shifting geopolitical and economic conditions.
About the author(s)