8 January 2026

Ninety percent of German companies use cloud services. Yet 78 percent simultaneously admit: We are too dependent on U.S. providers. This cognitive dissonance shapes cloud strategies in the German midmarket like no other issue. 2026 will be the decisive year for whether European digital sovereignty transitions from political vision to operational reality. The infrastructure to make it possible is being built right now.

Key Takeaways

  • AWS European Sovereign Cloud live: Available since January 2026 in Brandenburg, with a 7.8 billion Euro investment and around 90 services at launch
  • Market booming: European sovereign cloud spending will rise from 6.9 billion USD in 2025 to 12.6 billion USD in 2026, an 83 percent increase, according to Gartner
  • All hyperscalers on board: Microsoft Sovereign Public Cloud, Google Sovereign Cloud Hub in Munich, and Delos Cloud (T-Systems/SAP) now in production
  • German alternatives expanding: STACKIT is emerging as a German hyperscaler, while OVHcloud operates the infrastructure for the European Central Bank’s digital euro
  • EUCS stalled: The EU Cloud Scheme (EUCS) has been stuck for over four years. BSI C5 remains the de facto standard for cloud security in Germany

The Market Is Shifting: Sovereignty Has Become a Billion-Euro Question

What was dismissed as a political demand just three years ago is now, in 2026, a market defined by concrete figures. Gartner estimates global sovereign cloud IaaS spending will reach $80 billion in 2026, a 35.6 percent increase from the previous year. Europe’s share is growing the fastest: from $6.9 billion (2025) to $12.6 billion (2026), with a projected rise to $23.1 billion by 2027.

What these numbers mean: Europe is expected to surpass North America in sovereign cloud spending by 2027. The continent is no longer just investing in cloud; it’s investing in a different kind of cloud.

The drivers are well known: the NIS-2 Directive, DORA (Digital Operational Resilience Act) for the financial sector, Germany’s Supply Chain Act, and not least, geopolitical uncertainty following the inauguration of the second Trump administration. The Bitkom Cloud Report 2025 quantifies the mood: half of all surveyed companies say they are recalibrating their cloud strategy due to the new U.S. government. And when asked which provider they prefer, 100 percent answered: a German one. Only 6 percent favor a U.S. provider.

European Sovereign Cloud Spending (Gartner, February 2026)

  • Growth from 2025 to 2026: +83%
  • Europe 2025: 6.9 Bn USD
  • Europe 2026: 12.6 Bn USD
  • Europe 2027 (forecast): 23.1 Bn USD

“Decision-makers, not just CIOs, but the entire C-suite, are questioning whether they can still rely on digital infrastructure provided by U.S. vendors.”

René Buest, Senior Director Analyst at Gartner, February 2026

AWS European Sovereign Cloud: The Hyperscaler Goes European

On January 15, 2026, the AWS European Sovereign Cloud went live in Brandenburg, Germany. This new offering marks a fundamental departure from AWS’s previous European regions: dedicated infrastructure, independent governance, and separate personnel, all organizationally, technically, and legally isolated from AWS’s global regions.

To support this initiative, AWS has established a fully autonomous European entity: a new parent company and three subsidiaries, all registered under German law. All operational staff are EU nationals residing within the European Union. Leading the organization are Stephane Israel as Managing Director (since October 2025) and Stefan Hoechbauer (since January 2026).

The investment totals 7.8 billion Euro over several years. At launch, approximately 90 of AWS’s 240+ services are available, with the portfolio expanding gradually. Additional regions are planned in the Netherlands, Belgium, and Portugal.

For enterprises, this shifts the foundation of the cloud debate: The question is no longer “Can a U.S. hyperscaler be sovereign?” but rather “Is this form of sovereignty sufficient for my needs?” One fact remains unchanged: AWS as a corporation is, and will remain, American. The European Sovereign Cloud addresses operational and legal sovereignty, not the economic dependency on a single provider. IT decision-makers must understand this distinction before signing contracts.

“Europe needs access to the most robust cloud and AI technologies. Customers want the best of both worlds: to leverage the full AWS portfolio while meeting their strict sovereignty requirements.”

Stephane Israel, Managing Director AWS European Sovereign Cloud, January 2026 (translated from German, paraphrased)

Microsoft, Google, Delos: Competitors Follow Suit

AWS isn’t alone. Microsoft has announced its Sovereign Public Cloud for all European regions, including customer-controlled encryption, a European supervisory board, and a Data Guardian for European operations. For highly sensitive workloads, Azure Local has offered an on-premises option with sovereign controls since December 2025.

Delos Cloud, the joint venture by T-Systems, SAP, and Microsoft, has been in production since January 2026. The model: T-Systems operates Microsoft technology within German data centers as a fiduciary, completely separated from Microsoft’s global network. The price premium: 10 to 20 percent more than Microsoft’s public cloud. Notably, Delos and Microsoft have signed an agreement ensuring operational continuity should U.S. sanctions restrict European cloud services.

Google Cloud opened a Sovereign Cloud Hub in Munich in November 2025, paired with a Security & Privacy Engineering Hub. Together with T-Systems, Thales, the Schwarz Group, and other European partners, Google is building a network offering multiple levels of sovereignty: from Data Boundary (data remains in Europe) and Dedicated Cloud (dedicated infrastructure with European operations) to a fully isolated, air-gapped version for the most sensitive workloads.

What stands out across all three hyperscalers: sovereignty is no longer sold as a single product, but as a spectrum. Depending on workload sensitivity and regulatory requirements, enterprises can now choose the appropriate level of control. This marks a fundamental shift from early debates, when “sovereign cloud” was seen as a binary concept: either fully European or not at all.

The European Alternative: STACKIT, OVHcloud, and the Dream of a Homegrown Hyperscaler

Alongside the dominant offerings from U.S. hyperscalers, European alternatives are gaining momentum. STACKIT, the cloud platform from Schwarz Group (Lidl/Kaufland), has been expanding since May 2025 into a “German hyperscaler”, with four data centers in Germany and Austria, a fifth under construction in Lübbenau, certified under BSI C5 and ISO 27001, and built on OpenStack.

OVHcloud operates one of the few European cloud platforms meeting the highest security standards, holding the SecNumCloud certification, the stringent French standard issued by ANSSI. A significant vote of confidence: the European Central Bank has selected OVHcloud as an infrastructure provider for the digital euro. Meanwhile, IONOS (certified under BSI C5 since 2023) offers another fully European alternative, increasingly popular among mid-sized enterprises.

The honest assessment: none of these European providers can currently match the full service portfolio of AWS or Azure. Enterprises requiring 200+ managed services at scale still depend on the major hyperscalers. But for defined workloads (especially IaaS, Kubernetes, storage, and databases), STACKIT, OVHcloud, and IONOS are technically mature and hold a regulatory edge in Europe.

Bitkom Cloud Report 2025

  • 78 % of German companies say: Too dependent on U.S. cloud providers
  • 90 % use cloud services
  • 50 % are recalibrating strategy due to U.S. policy
  • 6 % prefer U.S. providers

EUCS: Four Years of Debate, Zero Results

While the market is setting facts, regulation remains stuck. The EU Cloud Certification Scheme (EUCS), under discussion since December 2020, has yet to be adopted. At the heart of the dispute: should U.S. hyperscalers be eligible for the highest certification level (“High”), or should that level require majority European ownership?

Several EU member states and the hyperscalers themselves are blocking the sovereignty requirement. The result is a regulatory vacuum: companies making cloud decisions today for the next five to ten years lack a binding European certification framework to guide them.

In Germany, the BSI (Federal Office for Information Security) is stepping in to fill the gap. The Cloud Computing Compliance Criteria Catalogue (C5), with its 121 controls across 17 domains, has been mandatory since July 2025 for the healthcare sector and parts of the public administration. The C5:2025 update introduces new requirements for container management, supply chain risk management, and post-quantum cryptography. AWS, Microsoft, Google, SAP, STACKIT, OVHcloud, and IONOS are already C5-certified.

GAIA-X: Ambition Meets Reality

Then there’s GAIA-X, Europe’s most ambitious cloud initiative. The honest assessment after five years: real-world impact has fallen short of the original promises. That said, GAIA-X has built substantial foundations (particularly for cross-sector data ecosystems in mobility, energy, and healthcare) through its Trust Framework 3.0 and the establishment of more than 180 active data spaces.

However, the inclusion of AWS, Google, and Microsoft as members has raised questions about whether GAIA-X still credibly serves its original mission of advancing European digital sovereignty. To the practical question, “Which cloud should I use?”, GAIA-X has yet to provide an operationally relevant answer. Its value lies more in ecosystem development: trust frameworks for cross-industry data spaces that could become critical for supply chains, mobility, and health data in the future.

Another flagship project deserves mention: in March 2026, SAP and OpenAI announced “OpenAI for Germany,” a sovereign AI service tailored for public authorities, government agencies, and research institutions. This underscores how the sovereignty debate has long expanded beyond cloud infrastructure into the realm of AI services.

What IT Decision-Makers Should Do Now

The sovereign cloud landscape in 2026 is more diverse than ever. This creates opportunities, but also complexity. Five actionable recommendations:

Classify workloads. Not every workload requires a sovereign environment. The key question isn’t “Sovereign or not?” but rather “For which data and processes do I need what level of control?”

Adopt BSI C5 as the minimum standard. Until the EU Cloud Scheme (EUCS) is formally adopted, BSI C5 remains the most robust compliance framework in Germany. Providers without C5 certification should not be considered for regulated workloads.

Plan for hybrid scenarios. Sovereign cloud won’t replace public cloud; it will complement it. Multi-cloud architectures with distinct compliance zones are becoming the new standard.

Secure exit strategies contractually. Delos sets an example with its business continuity clause, demonstrating how geopolitical risks can be mitigated through contractual terms. Such clauses should be standard in every cloud contract.

Evaluate European alternatives. STACKIT, OVHcloud, and IONOS have made significant technical progress. For non-critical and mid-tier workloads, they represent a credible option that reduces dependency on hyperscalers.

Conclusion: Sovereignty Is Not a Product, but an Architectural Decision

The good news for IT decision-makers: the era in which sovereignty meant compromise, having to choose between innovation and control, is coming to an end. By 2026, there will be a genuine dual offering for the first time: US hyperscalers with European governance frameworks, and European providers expanding their service portfolios.

The less encouraging news: there is no one-size-fits-all solution. Digital sovereignty is not a checkbox to tick, but an architectural decision that must permeate the entire IT strategy. Organizations taking it seriously must classify workloads, scrutinize contracts, run through exit scenarios, and build multi-cloud expertise. The infrastructure is ready. The question is whether companies are, too.

Frequently Asked Questions

What sets the AWS European Sovereign Cloud apart from a standard AWS region in Europe?

The European Sovereign Cloud is organizationally, technically, and legally separated from AWS’s global regions. It operates through a standalone parent company under German law, employs only EU nationals, and runs on dedicated infrastructure. In contrast, governance for a standard AWS region in Frankfurt is managed via AWS’s U.S.-based parent entity.

Is a sovereign cloud more expensive than standard public cloud services?

Yes, typically it is. According to reports, Delos Cloud (a joint offering by T-Systems, SAP, and Microsoft) costs 10 to 20 percent more than Microsoft’s standard public cloud. This premium reflects the additional investment in isolated infrastructure, European personnel, and localized governance frameworks. However, for regulated workloads, this cost is often lower than the alternative: maintaining on-premises infrastructure.

Does my company need a sovereign cloud?

Not necessarily. The decision hinges on data classification: personally identifiable information, trade secrets, and regulated workloads (such as those in critical infrastructure, healthcare, or financial services) benefit most from sovereign environments. Standard workloads (like web hosting, development environments, or non-critical SaaS applications) can continue to run efficiently in conventional cloud regions.

What’s the difference between BSI C5 and EUCS?

BSI C5 is a German audit framework comprising 121 controls. It is already in operational use and has been mandatory for certain industries since July 2025. EUCS (European Cloud Services Certification Scheme) aims to become the EU-wide standard but has not yet been adopted, over four years after its initial proposal. Until EUCS comes into force, BSI C5 remains the most relevant compliance benchmark for German organizations.

Which European cloud providers offer alternatives to AWS, Microsoft, and Google?

STACKIT (by Schwarz Group) is emerging as a German hyperscaler, certified under BSI C5 and ISO 27001, and built on OpenStack. OVHcloud offers SecNumCloud, meeting France’s highest security standards, and was selected by the European Central Bank for the digital euro project. IONOS has been BSI C5-certified since 2023. For specific use cases, these providers offer mature, secure, and compliant technical solutions.

 

A magazine by Evernine Media GmbH