The 8 layers of European digital sovereignty explained
-
About
- Type
- Blog
Digital sovereignty is a critical topic in Europe today, driving significant market activity. Organizations are actively assessing their technology stacks, searching for sovereign solutions, and planning migrations.
In this article, we will examine sovereignty as many organizations understand it now, why this approach is misleading, and the proper strategy for achieving a sovereign stack. Finally, we will discuss the options available and whether we can achieve 100% sovereignty in Europe.
Misleading picture of sovereignty
Our experience indicates a significant gap in the understanding of digital sovereignty. Let’s break down the core issues.
First, consider data sovereignty. Many organizations traditionally viewed the location of data storage as the primary determinant, seeking to store data within European regions, such as Frankfurt-based data centers. However, as we will explore, this leads to a far more complex evaluation than initially anticipated.
The second area concerns the software an organization utilizes. Obvious targets for transition include ecosystem-heavy office suites like Microsoft or Google. However, replacing these often reveals a “Pandora’s box” of multilayered software systems, complex tools, and deep-seated dependencies.
Finally, organizations are increasingly scrutinizing their primary infrastructure vendors. Hyperscalers like Amazon Web Services (AWS), Google Cloud, and Microsoft Azure are primary targets for assessment due to their market dominance and widespread use.
In summary, the traditional view of sovereignty is often limited to these three components:
If this seems incomplete, you are correct. These three elements represent only a fraction of a much broader and more nuanced landscape, as illustrated below:
Here we can see the full puzzle, but these three elements we defined before are just a small part of the full picture.
Moreover, these elements aren’t the main parts of the overall sovereignty framework; they fall within broader areas.
Cloud Sovereignty Framework defined by the European Commission
The previous illustration highlights significant gaps in the common understanding of digital sovereignty.
Recognizing this, the European Commission released the Cloud Sovereignty Framework in October 2025.
This framework serves as a foundation for Cloud Sovereignty assessments, designed to evaluate an organization’s posture across eight key domains.
Let’s take a look at the picture below.
Now we have 8 puzzles which surround the center one – digital sovereignty. Let’s discuss the importance of each of these domains.
Strategic sovereignty
The objectives of this domain focus on the strategic choices and decisions organizations make regarding providers and technologies. This domain assesses whether the provider aligns with European strategic interests, including ownership, corporate governance, investment structure, decision-making power, and long-term stability.
A great example here is ownership. The vendor we selected can be European-based, using European datacenters, etc. But it is also important who owns the vendor. If this vendor is a subsidiary of a non-EU organization, different jurisdictions may apply. For example, if the parent organization belongs to US jurisdiction, then the Cloud Act and FISA 702 apply.
This domain describes more than governance. It describes whether Europe has a meaningful influence over the digital infrastructure. And who else has it too?
Legal and jurisdictional sovereignty
This domain explores the topic we introduced in the previous domain in greater depth. It covers exposure to foreign laws, enforceability of customers’ rights, data access requests, and so on. This is especially important for the public sector, regulated industries, critical infrastructure, and the military.
This might imply not only to the direct vendor but also to the subcontractors of our vendor, especially if that entity processes our users’ data.
Data and AI sovereignty
This domain covers data and AI sovereignty by focusing on the protection, control, and independence of data assets and services.
It means we need to assess where data is stored and processed, how it is encrypted, and how we deal with encryption keys and tools.
As this domain also covers AI, it encompasses not only data storage and processors but also prompts, embeddings, training data, processes, inference pipelines, and dependencies. We must assess whether the models and inferences we use are used for training new models. How? How do we ensure data security? How do we design the service to ensure the process does not allow data to be leaked?
Data sovereignty is often considered as storage sovereignty. This is a very misleading perspective, as the domain is much broader than that. Data processing, data transfer, and most importantly today, the AI toolset and its processing pipelines are also in scope.
Operational sovereignty
This domain focuses on migration processes. Or rather, how easy is it to migrate workloads from one vendor to another, especially when considering EU vendors and the problem of vendor lock-in? This also covers the vendor’s capacity and technology, including how much they rely on non-EU solutions.
We need to define our needs and understand the vendor’s capabilities in running, supporting, and evolving the technologies independently and without foreign control.
And here is an important catch. We consider here not just applications, software, or whole systems, but also hardware, including the middle layer, operating systems, backups, and encryption processes, which becomes very tricky from the EU organization perspective.
Supply Chain sovereignty
Supply chain security was not in the scope of interest for many years. It changed several years ago, and today we are increasingly aware of the importance of proper security across CI/CD, coding, and delivery. Recent breaches and supply chain infections have heightened awareness of it.
But what about the sovereignty of the supply chain? Where do we run our processes? Who owns the tools we use to deliver our product? These questions must be answered in this domain, as the supply chain is one of the most vulnerable processes: it starts with code that becomes the product.
This is the process where all secrets are injected and configured. This is the system that has access almost everywhere in our organization with elevated privileges.
Technology sovereignty
This domain evaluates the openness, transparency, portability, and independence of the technology stack used in the organization.
We need to know if we are vendor-locked and how to avoid it. How to preserve the interoperability, auditability, and ability for migration and evolution of the systems.
It includes questions about the use of proprietary and open source solutions, documentation, and architectural decisions.
Security and Compliance sovereignty
This domain measures the extent to which all security operations, compliance obligations, and resilience metrics remain within the EU. This includes security monitoring, incident response, vulnerability management, certification, regulatory alignment, access control, encryption, and so on.
We think here about GDPR, NIS2, or the incoming AI Act, but it is more than just the documents and regulations; it also involves how the processes are organized and who uses, controls, and owns the toolset used in these processes.
Environmental sustainability
Although this doesn’t sound like something we should consider, but in today’s world these topics like energy consumption and effectiveness, dependency and raw material scarcity become very important.
We see many questions about the energy we use in datacenters – is it green energy? Also, the most powerful equipment consumes a lot of energy and generates significant heat. How do we deal with it? Global warming isn’t a conspiracy theory; it is a reality, and we must act responsibly to care about our environment.
Not to mention who delivers this energy? This also requires consideration, and this question is connected to the previously explained domains.
More than data residency
We see that digital sovereignty, or cloud sovereignty (which can be described as subset of digital sovereignty) is much broader than just the question of where you store your data, or do you use AWS, Azure, GCP or something else.
If the provider is European, it has data centers in Europe but does not comply with legal and supply chain requirements; selecting this vendor might be risky. Because we still cannot be sure what will happen with our data and how the vendor will react in the event of an incident or data breach.
Sovereignty is not a rejection
But sovereignty isn’t about isolation. First of all, we are not able to be isolated today. We are dependent on the global market and on the specialization of different regions.
We don’t reject global technologies; we need to better understand and control them. Make sure we have plans and remediations for risks and that we can preserve the ability to act independently when it matters.
For us in Europe, it isn’t just the compliance topic. It is an economic, industrial, legal, and strategic necessity.
A sovereign digital future is not created by slogans
But by the real work done by many companies, like UpCloud. Test our services, deploy your workloads using UpCloud’s infrastructure, and prepare yourself to use a European cloud provider.
If you wish to learn more, explore our offering, and check out our demo control panel, where you can interact with our Hub and services. And let’s stay in touch!
