Tuesday, July 14, 2026 · Week 29 DE · EN · FR · ES Dark
Logistics & Supply Chain

Sovereign Cloud: Who Can Access Supply Chain Data?

With supply chain data, what counts is not where it sits but who can legally compel access. Residency, the CLOUD Act and the EU Cloud Sovereignty Framework.

By Andreas Knols July 11, 2026 5 min read
Sovereign Cloud: Who Can Access Supply Chain Data?

When it comes to supply chain data, the decisive question isn’t where it’s stored-it’s who can legally demand it. This distinction between data residency and data sovereignty separates architectures that hold up from those that suddenly lay exposed under regulatory pressure.

Key Takeaways

  • Residency alone does not protect against the CLOUD Act. Many European companies store their data in EU data centers. With US corporations, however, legal access by US authorities remains possible.
  • US sovereignty offerings do not close the central gap. They improve data residency, operational staff, and parts of telemetry. The ownership structure remains unchanged, so the CLOUD Act continues to apply.
  • The EU Framework 2026 assesses genuine sovereignty. The European Commission evaluates providers against eight objectives, explicitly including the supply chain dimension. The CLOUD Act is named as a risk.

Related:CADA: When Cloud Sovereignty Becomes a Procurement Requirement  /  One Region Falls, Half the Supply Chain Stands

Why Supply Chain Data Is a Special Case

Supplier master data, purchasing terms, origin and customs information, as well as the new due diligence data, together paint a clear picture of a company’s competitive position. They reveal who a company works with, under what conditions, and where risks are concentrated across countries. Germany’s Supply Chain Act (Lieferkettengesetz) and the EU Corporate Sustainability Due Diligence Directive additionally require detailed assessments along the entire chain.

This information is highly sensitive. At the same time, it is generated and stored across multiple jurisdictions. A single cloud provider often manages data that falls under different national laws. Whoever controls this data gains detailed insight into a company’s structure and dependencies. That is precisely why questions around legal access are more acute here than with most other workloads.

Residency is solved, sovereignty is not

Many companies have achieved physical data residency in Europe. The data resides in EU data centers. Sovereignty nevertheless remains unresolved. Under the US CLOUD Act, US authorities can compel any US-based provider to hand over any data over which it has possession, custody, or control. The storage location plays no role anywhere in the world. As long as the ultimate parent company is a US corporation, legal access remains.

How theoretical this remains became clear in June 2025. The French Microsoft subsidiary confirmed under oath before the French Senate that it cannot guarantee data sovereignty toward US authorities. This applies even to data stored in France under an offering marketed as sovereign. The offerings of the US hyperscalers advertised as sovereign reduce risks related to residency, the location of operations staff, and parts of telemetry. They change nothing about the ownership structure. The CLOUD Act gap remains.

// Metric
180 Mio. Euro
That was the size of the sovereign cloud contract the EU Commission awarded in April 2026. It went to four European providers, not to the US hyperscalers.
// Source: EU Commission, April 2026

What’s Moving in 2026

On 1 June 2026, the European Commission published a formal assessment framework for cloud sovereignty. The framework evaluates providers across eight sovereignty objectives. A supply chain dimension is explicitly included. The CLOUD Act is specifically named in it as a legal risk. This caps US-owned providers from above, regardless of how many EU data centers they operate.

This is more than just paper. In April 2026, the European Commission awarded a contract worth 180 million euros for a sovereign cloud solution for EU institutions. The contract went to four European providers rather than the US hyperscalers. The European sovereignty initiative Gaia-X reached more than 400 certified service providers in 2025. The Commission is thus not only defining sovereignty-it is also backing it with funding and an ecosystem.

What Teams Should Do Now

The first step is unspectacular and is nevertheless often skipped: classifying supply chain data by sensitivity. Not every supplier data record is equally critical. The truly competition-sensitive data and the due diligence data deserve the highest attention; the rest can be handled more pragmatically.

Second, portability must be ensured. Contracts and architecture should allow a provider change without prohibitive costs and without data loss. Third, concrete sovereignty requirements belong in procurement: evidence regarding ownership structure, applicable legal jurisdiction, and existing access rights. The marketing label “sovereign” does not replace this review.

Honestly: It remains open how strictly the EU framework will be applied in practice and how quickly European providers can scale for all critical supply chain workloads. Companies with global chains must also clarify how they consistently meet different national sovereignty requirements. A uniform standard for this is still lacking today.

// achieved
  • The distinction between data residency and data sovereignty has arrived
  • The EU framework of June 1, 2026 provides a concrete framework with a supply chain dimension
  • The 180-million-euro contract awarded to European providers sends a clear market signal
// open
  • CLOUD Act risks for US corporations persist, even with “sovereign” offerings
  • Practical enforcement of the framework in procurement and audits is still pending
  • Global chains with data in many jurisdictions still require case-by-case review

Frequently Asked Questions

What is a sovereign cloud?

A sovereign cloud ensures that legal sovereignty over data remains with the using organization or the applicable European jurisdiction. It goes beyond simple data residency. The key requirement is that neither foreign authorities nor the provider itself can enforce access under foreign laws. Control is maintained even if political or legal conditions change.

Which supply chain data is particularly sensitive?

Supplier master data, purchasing terms, origin and customs data, as well as due diligence data required under Germany’s Supply Chain Due Diligence Act and the EU Corporate Sustainability Due Diligence Directive. These datasets reveal supplier relationships, commercial terms and risk assessments, and therefore central elements of competitive positioning.

Why are EU data centers alone not sufficient?

The CLOUD Act allows U.S. authorities to access data held by U.S. companies regardless of storage location. In 2025, Microsoft’s French subsidiary confirmed before the French Senate that even locally stored data offered under sovereign cloud marketing claims remains unprotected against such access.

What does the EU Cloud Sovereignty Framework change in practice?

It evaluates providers systematically against eight objectives. The supply-chain dimension and the CLOUD Act as a risk factor are explicitly included. U.S. providers therefore face a clear upper limit, irrespective of the number of European data centers they operate.

How do companies approach provider selection?

They classify data, ensure portability, and include specific requirements regarding ownership structure and applicable jurisdiction in procurement documents. The label “sovereign” does not replace this due diligence.

Image source: AI-generated (July 2026)

Also available in

FrançaisEspañolDeutsch
MBF Media Newsletter

The monthly briefing for decision-makers

Once a month, the MBF Media Newsletter gathers what matters from cloudmagazin, MyBusinessFuture, Digital Chiefs and SecurityToday, curated by the editorial team.

25,000 IT and business decision-makers read this newsletter. Read along.

Subscribe for free
MBF Media Newsletter, aktuelle Ausgabe auf dem iPhone
Ein Magazin der Evernine Media GmbH