What CISOs Need to Know About Europe’s Sovereign Cloud and Identity Security
- Simon Gooch, Field CIO at Saviynt
- 15.04.2026 01:15 pm #SovereignCloud #IdentitySecurity
When people search for “sovereign cloud,” they find content from Oracle, Google, AWS, and IBM. Those are infrastructure vendors, so the conversation is a platform conversation: sovereign cloud is, at its foundation, a platform debate. But that picture is incomplete, and it leaves European security leaders without the full context needed to make sound decisions.
Identity is not separate from data. Identity security is the mechanism through which people, systems, and, increasingly, AI agents gain access to data. Questions about who can access your data, under what jurisdiction, and with what guarantees, are identity questions. The two cannot be cleanly separated; any sovereign cloud strategy that treats them as separate concerns leaves a significant gap in its risk model.
The digital sovereignty debate is intensifying, and identity security is squarely at the centre of it, whether the industry has caught up to that fact or not.
What is driving the sovereign cloud conversation?
The sovereign cloud conversation in Europe is driven by several factors, among them the reach of US jurisdiction over data held by US-headquartered providers and the 2024 EU Cloud Act.
The EU Cloud Act produces security and commercial outcomes that matter to CISOs and technology leaders. Treating it as purely a compliance or procurement matter misses that dimension entirely.
The sovereign cloud identity question no one is asking yet
Knowing how you are going to govern access to the systems you put into a sovereign cloud is arguably a more important and more urgent question than which systems you put there. The access control layer touches everything. As AI agents, machine identities, and third-party integrations proliferate inside enterprise environments, that access governance question becomes even more complex.
The organisations that think about identity governance early in their sovereign cloud planning will be in a materially better position than those who treat it as a downstream implementation detail.
The sovereign cloud trade-off European leaders must navigate
I want to be direct about something. Sovereign cloud is not a free lunch. There are genuine trade-offs.
Sovereign cloud environments, particularly highly localised ones, are generally more expensive to operate and currently lag behind the major hyperscalers in the depth and breadth of services they offer. The pace of innovation, including the AI capabilities that are increasingly embedded in enterprise platforms, is directly tied to the scale of investment that comes with operating at hyperscaler size. A sovereign cloud that operates at a smaller scale will, all else being equal, innovate more slowly. For organisations in competitive markets, that gap is a material risk.
The question every European CISO and technology leader should be asking is not “How do I become sovereign?” but rather “What is the right balance, for my organisation and industry, between control over data and technology on the one hand and operational capability on the other? What regulations apply to me? What competitive environment do I operate within?”
The answers to those questions differ greatly for a French government agency, a mid-market financial services firm, and a pan-European technology company. Assuming otherwise is a disservice to all three.
Three questions worth asking before you choose a sovereign cloud provider
When I advise CISOs working through sovereign cloud decisions, I always suggest starting with the business, not the platform. I ask:
Are you clear on your technology enablement strategy for the next two to three years? If your business intends to leverage AI, you need to understand what cloud capabilities that AI dependency requires. Some of those capabilities may not be available in certain sovereign environments today. That is not a reason to abandon sovereign cloud thinking, but it is a reason to be clear-eyed about the dependency before you commit.
Which of your services are genuinely critical, and what providers can actually meet those requirements at the required standard? This is about matching your risk tolerance and regulatory obligations with a realistic assessment of what is available.
How will you govern access to the systems you deploy in that environment? This is the question that brings identity back into focus. The platform is only as sovereign as the access governance model sitting on top of it.
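The third question is easiest to make concrete in code. The following is an added example, not code from the article or from Saviynt: a small residency-aware entitlement review that joins identities (humans, service accounts and AI agents) to resources tagged with a data residency, and flags the cases the text warns about. The identities, resources, entitlements, the 90-day review window and the set of privileged roles are all constructed for illustration; the point is that a resource can sit inside an EU boundary and still be reachable by an identity issued from outside it, or by an agent nobody owns, and that the governance layer is where that shows up.

```python
"""Residency-aware entitlement review (added illustration, not product code)."""
from dataclasses import dataclass
from typing import Optional

REVIEW_WINDOW_DAYS = 90            # assumed policy: entitlements re-certified quarterly
PRIVILEGED_ROLES = {"admin", "owner"}


@dataclass(frozen=True)
class Identity:
    id: str
    kind: str                      # "human", "service" or "agent"
    idp_jurisdiction: str          # where the identity provider that issues its tokens is run
    owner: Optional[str] = None    # accountable human for service accounts and agents


@dataclass(frozen=True)
class Resource:
    id: str
    residency: str                 # where the data physically lives
    allowed_idp_jurisdictions: frozenset  # token issuers the resource is allowed to trust


@dataclass(frozen=True)
class Entitlement:
    identity_id: str
    resource_id: str
    role: str
    granted_by: str                # ticket or joiner/mover/leaver event that created it
    days_since_review: int


# Constructed sample data: an EU-resident customer database and a shared wiki.
IDENTITIES = [
    Identity("alice", "human", "EU"),
    Identity("bob-us-admin", "human", "US"),            # federated from a US corporate IdP
    Identity("svc-etl", "service", "EU", owner="alice"),
    Identity("agent-copilot", "agent", "EU"),           # AI agent with no accountable owner
]
RESOURCES = [
    Resource("eu-customer-db", "EU", frozenset({"EU"})),
    Resource("shared-wiki", "EU", frozenset({"EU", "US"})),
]
ENTITLEMENTS = [
    Entitlement("alice", "eu-customer-db", "reader", "jml-2024-02", 30),
    Entitlement("bob-us-admin", "eu-customer-db", "admin", "migration-ticket-17", 200),
    Entitlement("svc-etl", "eu-customer-db", "writer", "chg-0311", 45),
    Entitlement("agent-copilot", "eu-customer-db", "admin", "pilot-project", 10),
    Entitlement("bob-us-admin", "shared-wiki", "reader", "jml-2023-09", 10),
    Entitlement("ghost", "eu-customer-db", "reader", "jml-2021-05", 400),  # identity deleted
]


def review_entitlements(identities, resources, entitlements):
    """Return (entitlement, reasons) pairs for every grant that violates the model."""
    ids = {i.id: i for i in identities}
    res = {r.id: r for r in resources}
    findings = []
    for e in entitlements:
        ident, resource, reasons = ids.get(e.identity_id), res.get(e.resource_id), []
        if ident is None:
            reasons.append("orphaned: identity no longer exists")
        if resource is None:
            reasons.append("orphaned: resource no longer exists")
        if ident and resource:
            if ident.idp_jurisdiction not in resource.allowed_idp_jurisdictions:
                reasons.append(
                    f"token issuer in {ident.idp_jurisdiction}; resource trusts "
                    f"{sorted(resource.allowed_idp_jurisdictions)} only"
                )
            if ident.kind != "human" and ident.owner is None:
                reasons.append(f"{ident.kind} identity has no accountable owner")
            if ident.kind == "agent" and e.role in PRIVILEGED_ROLES:
                reasons.append("standing privileged role granted to an AI agent")
        if e.days_since_review > REVIEW_WINDOW_DAYS:
            reasons.append(f"not re-certified for {e.days_since_review} days")
        if reasons:
            findings.append((e, reasons))
    return findings


def who_has_access(resource_id, identities, entitlements):
    """Answer 'who has access to what, and how do we know' for one resource."""
    ids = {i.id: i for i in identities}
    return [
        {"identity": e.identity_id, "kind": ids[e.identity_id].kind, "role": e.role,
         "evidence": e.granted_by, "days_since_review": e.days_since_review}
        for e in entitlements
        if e.resource_id == resource_id and e.identity_id in ids
    ]


if __name__ == "__main__":
    for e, reasons in review_entitlements(IDENTITIES, RESOURCES, ENTITLEMENTS):
        print(f"{e.identity_id} -> {e.resource_id} ({e.role}): {'; '.join(reasons)}")
    print(who_has_access("eu-customer-db", IDENTITIES, ENTITLEMENTS))
```

Run as written, the review flags the US-federated administrator on the EU database (wrong token issuer and never re-certified), the ownerless agent holding a standing admin role, and the grant left behind by a deleted identity, while the EU-issued human and the owned service account pass. The database itself never moved; only the identity layer made it non-sovereign.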
The future of sovereign clouds
Five years from now, I believe the current tensions will have largely resolved into a workable framework. The hyperscalers will have EU-compliant sovereign offerings at scale. Organisations will have clearer guidance on what “sovereign” actually requires for their sector and jurisdiction. The extreme positions – total localisation at one end, complete disregard for data residency at the other – will be moderated by the practical realities of running competitive businesses in a global economy.
Between now and then, we will feel some friction. Organisations will make choices based on incomplete information. Some markets will push toward highly restrictive local requirements before the economic and operational consequences become apparent. There will be pushback, course corrections, and a gradual settling towards something more sensible.
What will not change is that identity will be central to all of it. Every sovereign cloud deployment, every access governance decision, every AI agent operating within a regulated European environment will be required to clearly answer: who has access to what, and how do we know?