As smart city ambitions accelerate across the continent, urban administrators are waking up to a hard truth: the digital backbone of European public life is largely owned and legally controlled by companies outside EU jurisdiction. A new wave of sovereign cloud thinking is beginning to reshape how cities, municipalities, and public utilities think about their digital infrastructure.
From Stockholm’s transit management systems to Brussels’ citizen data portals, European cities have spent the better part of the last decade racing to digitize. The results have been impressive — smarter traffic flows, more responsive e-government services, connected utilities, and data-driven urban planning. But beneath the surface of this digital transformation lies a structural vulnerability that is only now receiving the attention it deserves.
The vast majority of European public digital infrastructure runs on cloud platforms owned and operated by American technology companies — Amazon Web Services, Microsoft Azure, and Google Cloud. These platforms offer undeniable capabilities and scale. But they operate under U.S. law, including the CLOUD Act, which grants American authorities the power to demand access to data held by U.S.-controlled entities regardless of where that data is physically stored.
For a hospital storing patient records in Frankfurt, a city council managing citizen benefit data in Lyon, or a water utility running operational systems in Warsaw, this creates a legal exposure that is increasingly difficult to ignore.
The Scale of the Dependency
The numbers are striking. According to recent analysis, American tech companies control more than 70% of Europe’s total cloud infrastructure. In Sweden, over half of public digital services — including those run by city governments — operate on Microsoft mail servers. In Belgium and Finland, the dependency figures are even higher.
This is not merely an abstract geopolitical concern. It has direct, practical consequences for urban governance. When a European municipality’s core systems are hosted on infrastructure governed by foreign law, the city cannot fully guarantee the privacy of its residents’ data, the confidentiality of its operational records, or its ability to maintain continuity of service in the event of geopolitical disruption.
The collapse of the EU-U.S. Privacy Shield agreement — invalidated because American surveillance practices conflicted with European privacy protections — offered an early warning. More recently, cases involving U.S. legal requests for data stored on European servers have pushed the issue firmly onto the agenda of city CIOs and public procurement officers.
What “Sovereign Cloud” Actually Means for Cities
The concept of digital sovereignty is sometimes misunderstood as a call for isolation or a rejection of modern technology. It is neither. The goal is legal and operational control — ensuring that the infrastructure supporting public services is governed by European law, not subject to foreign jurisdiction, and cannot be compelled to expose citizen data to non-EU authorities.
Experts distinguish between three layers of control that cities need to evaluate when selecting a cloud provider. The first is data residency — where data is physically stored. The second is data sovereignty — which legal system governs how that data is processed, backed up, and accessed. The third, and most critical, is jurisdictional control — who has the legal power to compel access to that data.
A city can store its data in a German data center and still be exposed if that data center is owned or operated by a U.S.-controlled company. Residency alone is not sovereignty.
The Regulatory Pressure Is Building
European regulators have moved decisively to close this gap, and the new rules are beginning to bite. The NIS2 Directive requires essential entities — including utilities, public administrators, and health services — to demonstrate full visibility and control over their digital supply chain, including cloud providers. Contracts and assurances are no longer sufficient; demonstrable legal control is required.
The Digital Operational Resilience Act (DORA) imposes similar obligations on financial services, demanding that institutions show they can survive and recover from the failure of any single cloud provider — a direct challenge to the concentration of public sector infrastructure on a handful of hyperscalers.
The EU AI Act adds another dimension. As city governments begin experimenting with AI-driven services — predictive maintenance for utilities, automated permit processing, smart traffic management — those systems must, under the Act’s requirements, operate on infrastructure that remains under EU jurisdiction.
For city procurement officers, this regulatory environment is making the question of cloud provider choice not merely a technical decision but a legal and compliance obligation.
European Alternatives: Smaller, But Growing Fast
The good news is that the European sovereign cloud market has matured considerably. A growing roster of EU-native providers now offers serious alternatives to the American hyperscalers, with a strong emphasis on GDPR compliance, transparent pricing, and open-source compatibility.
OVHcloud, headquartered in France, operates a full-stack cloud platform with more than 30 data centers under European jurisdiction. It has become a reference point for public sector cloud procurement, holding certifications relevant to healthcare, government, and finance, and participating actively in the Gaia-X federated cloud initiative.
Germany’s Hetzner has built a strong reputation for high-performance, cost-efficient cloud and dedicated server infrastructure, with facilities in Germany and Finland. For city governments managing large volumes of operational data — from environmental sensors to traffic management systems — Hetzner offers a compelling blend of performance and affordability.
Scaleway, also French, is particularly well-suited to development-oriented urban tech teams, offering Kubernetes-based container infrastructure, managed databases, and GPU computing capacity for data-intensive applications. T-Systems, backed by Deutsche Telekom, provides enterprise-grade sovereign cloud infrastructure tailored specifically to government compliance requirements.
These are not niche players. They represent a mature, growing ecosystem capable of supporting the digital ambitions of European cities — without the legal exposure that comes with foreign-owned infrastructure.
The Gaia-X Vision: A Federated European Cloud
Underpinning these individual provider choices is a broader European infrastructure initiative that has significant implications for city digital strategy. Gaia-X, launched by the European Commission, aims to establish a federated cloud ecosystem connecting providers, users, and platforms under shared standards of trust, transparency, and interoperability.
The vision is not to create a single European cloud giant to rival AWS, but rather to establish an open framework under which sovereign cloud services can interoperate — allowing cities to move data and workloads between compliant providers without lock-in. For urban administrators managing multi-departmental digital environments, this portability is a significant practical benefit.
The initiative has faced criticism for its slow pace and for including major American tech companies in its governance structures. But its core standards work — on data portability, certification, and federated identity — is beginning to influence how European cities structure their procurement requirements.
Practical Steps for City Administrations
For city governments and public utilities beginning to grapple with sovereign cloud transition, the path does not require abandoning all existing infrastructure overnight. Analysts and practitioners recommend a phased approach.
The starting point is a thorough cloud audit: mapping where data currently lives, which jurisdictions legally govern it, and which workloads involve sensitive citizen data or critical operational systems. Many city administrations discover significant gaps between their assumed compliance position and the legal reality.
From there, a workload classification process determines which systems require full sovereign infrastructure — typically anything involving citizen personal data, financial records, health information, or operational control of critical services — and which can continue to run on hyperscaler platforms without significant legal risk.
Critical workloads are then migrated to EU-sovereign infrastructure, using orchestration tools like Kubernetes and Terraform to maintain the flexibility to move between providers and avoid new forms of vendor lock-in. Non-critical workloads can remain on existing platforms, creating a hybrid model that captures the cost and compliance benefits of sovereignty where they matter most.
This is the kind of structured transformation that firms like Gart Solutions have been helping European organizations navigate — designing sovereign-first cloud architectures that meet NIS2, DORA, and EU AI Act requirements while controlling the migration costs and operational disruption that large-scale cloud transitions inevitably involve.
The Hidden Costs of Inaction
City administrators sometimes resist sovereign cloud transition on grounds of cost. The pricing models of European providers, while generally more transparent than those of American hyperscalers, require upfront migration investment.
But the cost calculus looks different when the full exposure is counted. GDPR violations carry penalties of up to 4% of annual turnover. NIS2 non-compliance can result in significant fines and operational restrictions. And the reputational damage of a data breach involving citizen records — particularly one enabled by foreign jurisdictional access — is difficult to quantify but easy to imagine.
There is also a longer-term economic argument. European cloud providers are, on average, more open to hybrid and multi-cloud architectures and more willing to support open standards. Cities that invest in sovereign cloud infrastructure now are building the flexibility to avoid the proprietary lock-in that has made switching costs so prohibitive for organizations deeply embedded in hyperscaler ecosystems.
Looking Ahead
The trajectory is clear. European regulation is tightening, sovereign cloud infrastructure is maturing, and the geopolitical pressures that have made digital dependency a strategic liability are not going away. Cities that have been early movers — treating cloud provider selection as a governance decision rather than a purely technical one — are better positioned for the regulatory environment ahead.
For urban administrators, the conversation is shifting from “should we think about sovereign cloud?” to “how quickly do we need to move, and where do we start?” The answers will vary by city, by sector, and by the specific sensitivity of the data involved. But the direction of travel is no longer in doubt.
Europe’s cities built their physical infrastructure on European ground, under European law, accountable to European citizens. The digital infrastructure that increasingly runs those cities deserves the same standard.
For organizations seeking guidance on sovereign cloud transition and EU-compliant infrastructure architecture, Gart Solutions provides sovereign-first cloud design, regulatory compliance roadmaps, and migration support for public sector and enterprise environments.
