Digital Sovereignty by Design: Protecting the Agility That Makes Cloud Valuable

Tue Lystrup

27 Apr 2026

If you are a C-level executive making cloud decisions for your organization, digital sovereignty is now a board-level topic. Not because regulation says so, although it does. Because the agility, speed, and pay-as-you-go flexibility that made cloud valuable in the first place are at risk if you get sovereignty wrong. This article explains what digital sovereignty requires in practice, why protecting your access to the best technology is the real strategic objective, and what Nordic companies should do about it now.

Why cloud access and agility are the real stakes

The business case for cloud has always been about access. Access to world-class compute, storage, AI services, and developer tools without building and maintaining them yourself. Access to a pay-as-you-go model that lets you scale up on Tuesday and scale down on Friday. Access to a technology stack that evolves faster than any internal team could replicate.

That access is now under pressure from two directions. European regulation demands greater control over where data lives and who can reach it. Geopolitical tension between the US and the EU raises questions about the long-term reliability of services provided by US-headquartered companies. The risk is real, but the response matters more than the risk itself.

The wrong response is to abandon the hyperscaler technology stack entirely. That means losing access to the services, the pace of innovation, and the operational efficiency that gave cloud its value. The right response is to design sovereignty into your architecture, so you keep the access and the agility while meeting every regulatory and business requirement.

This is what sovereignty by design means: not retreating from the cloud but building the controls that let you use it on your terms.

The regulatory landscape that demands action

European regulation has moved from talk to enforcement. The EU Data Act became fully applicable on 12 September 2025, and member states are now designating enforcement authorities and defining penalties. Germany’s draft implementation act designates the Bundesnetzagentur with authority to impose fines of up to 4 percent of global turnover (European Commission, Data Act). A critical deadline for data access by design obligations arrives in September 2026. Cloud provider switching rights are now legally mandated, with full elimination of switching charges required by January 2027.

NIS2 applies to essential and important entities across the EU, covering sectors from healthcare and energy to digital infrastructure. DORA establishes ICT resilience requirements specifically for financial services. The EU AI Act arrives with its next major compliance deadline in August 2026.

In Denmark, numerous government agencies have shown interest in replacing Microsoft Office with something else. Two of Denmark’s largest municipalities, Copenhagen and Aarhus, are exploring similar moves. This is a government procurement decision driven by concerns about technology dependency, not legislation that restricts the use of hyperscaler cloud services.

The point is not that regulation will ban US cloud providers. The point is that regulation now requires you to demonstrate genuine control over your data, your infrastructure, and your ability to switch providers if needed. Organizations that cannot demonstrate this control face compliance risk, and compliance risk is business risk.

What digital sovereignty actually requires

Sovereignty sounds straightforward. Store data in Europe. Use European providers. Check the box.

In practice, sovereignty has four dimensions, and most organizations only address the first.

Data residency means your data is physically stored within a specific jurisdiction. Most organizations have this covered, but data residency alone creates a false sense of security. Storing data in a Frankfurt data center owned by a US corporation does not automatically protect it from a US CLOUD Act request.

Operational sovereignty means the people who operate your infrastructure are subject to the same legal jurisdiction as your data. The AWS European Sovereign Cloud, which launched in January 2026, addresses this directly: a physically and logically separate infrastructure operated entirely by EU-resident personnel, designed to continue operations independently even if communication with the rest of AWS were disrupted (AWS, January 2026).

Jurisdictional sovereignty means no foreign government can legally compel access to your data. The conflict between the US CLOUD Act and EU data protection law remains fundamentally unresolved. The EU-US Data Privacy Framework provides a temporary arrangement, but the underlying legal tension persists. A new EU e-evidence regulation will apply across EU member states from August 2026, adding another layer to the jurisdictional picture.

Technical sovereignty means you control the encryption keys, the access policies, and the exit strategy. This is where architecture decisions become decisive. If your cloud provider holds your encryption keys, they can technically comply with a data request regardless of what your contract says. Customer-managed encryption, where your organization holds the keys in your own European infrastructure, means a legal demand yields only encrypted data the provider cannot read.

The conclusion is clear: partial sovereignty creates a false sense of security. Organizations that address only data residency while ignoring operational, jurisdictional, and technical dimensions are exposed. Getting this right requires deliberate architecture, not a single vendor selection.

The Nordic approach: access through governance, not restriction

Inside the EU, member states take different positions. France favors strict European-only requirements for public sector cloud procurement. The European Commission’s Cloud Sovereignty Framework, published in October 2025, establishes a sovereignty ladder where providers are ranked by their degree of EU legal control.

The Nordic countries, the Baltics, and the Netherlands favor a risk-based approach. This does not mean sovereignty matters less in the Nordics. It means the objective is different: maintain access to the best available technology stack while ensuring genuine control through governance, contracts, and architecture.

At Cloud2, we see this pragmatic approach in practice across Finland and Denmark every day. Our customers in healthcare, energy, and critical infrastructure need to run regulated workloads under strict sovereignty requirements. They also need access to AI services, analytics platforms, and developer tools that only the major hyperscalers provide at the required scale and pace. Both needs are legitimate, and both can be met in the same architecture.

The question is not European provider versus US provider. The question is: what level of control do you have, and can you demonstrate it? A hyperscaler sovereign cloud offering with EU-resident operations, customer-managed encryption keys, and contractual protections verified by independent audit may provide stronger actual protection than a smaller European provider with weaker security practices and limited operational maturity. What matters is the verified level of control you can demonstrate to regulators, auditors, and your board, not the corporate headquarters address of your provider.

This is not an argument against European cloud providers. It is an argument for making decisions based on verified capability rather than assumption. Some workloads will be best served by European providers. Others will be best served by sovereign offerings from major hyperscalers. The right answer depends on the workload, the regulation, and the risk profile.

What your organization should do now

Sovereignty is not something you buy. It is something you design. And design starts with knowing what you need.

The most common mistake we see is treating sovereignty as binary. Everything runs on a sovereign cloud, or nothing does. Both extremes are expensive and unnecessary. In practice, when organizations map their workloads against actual regulatory requirements and business risk, they typically find that 15 to 25 percent of their environment needs strict sovereign controls across all four dimensions. The rest runs well on standard infrastructure with appropriate contractual and security measures.

A Cloud Review with Cloud2 gives you this clarity. Here is what it includes and what you walk away with.

We start by mapping your current cloud architecture: which services you use, where your data lives, who operates your infrastructure, and what contractual protections are in place. We then classify your workloads against the four sovereignty dimensions and your specific regulatory requirements, whether that is NIS2, DORA, the EU AI Act, or industry-specific rules.

The output is a concrete sovereignty architecture recommendation. This is not a theoretical exercise. It is a practical plan with specific steps, timelines, and cost implications. Our customers typically complete the review in two to four weeks and walk away with a document they can present to their board.

Evaluate your exit capability for your most critical workloads. The EU Data Act now requires cloud providers to support data portability, but having the legal right to leave is different from having the technical ability to leave quickly. Test your portability. Know what it would take to move your critical workloads to a different provider within a defined timeframe.

And involve your legal team early. Sovereignty is as much a legal question as a technical one. Your contracts need to reflect the protections your business requires.

What sovereignty means for the Nordics going forward

The Nordic countries have a real opportunity here. Strong digital infrastructure, high institutional trust, pragmatic regulatory culture, and growing expertise in sovereign cloud implementation. Denmark’s push to reduce technology dependency on US providers signals a direction. Finland’s advanced digital public services demonstrate what trusted infrastructure looks like. Together, the Nordics can define how sovereignty works in practice.

We work with AWS, Azure, and GCP. We design multi-cloud architectures that give organizations the sovereignty they need without sacrificing the technology access that makes cloud valuable. That combination of sovereignty and access is what the Nordic approach offers.

The organizations that get this right will not just be compliant. They will be more resilient, more trusted by their customers and partners, and better positioned for whatever geopolitical or regulatory changes come next.

That is what sovereignty by design means. Not a retreat from the global cloud. A deliberate commitment to using it on your own terms, with genuine control over your digital future.

Start with a Cloud Review. We map your architecture, classify your workloads, identify your gaps, and deliver a concrete plan. Two to four weeks from first conversation to concrete recommendations.

FAQs

Frequently asked questions about this topic

What is digital sovereignty and why does it matter for Nordic businesses?

Digital sovereignty means having genuine control over your digital infrastructure, data, and the legal frameworks that govern them. It matters because EU regulations like NIS2, DORA, and the EU Data Act now require organizations to demonstrate this control. For Nordic businesses, the stakes are practical: sovereignty protects your ability to use the cloud technology stack that drives your competitiveness, while ensuring you meet every compliance requirement.

Does digital sovereignty mean we should stop using AWS, Azure, or Google Cloud?

No. Digital sovereignty does not require abandoning hyperscaler cloud providers. It requires understanding which workloads need what level of sovereign control, and designing your architecture accordingly. Many organizations find that 15 to 25 percent of their workloads need strict sovereignty across all four dimensions, while the rest runs well on standard hyperscaler infrastructure with appropriate security and contractual measures.

How do the Nordic countries approach digital sovereignty differently from the rest of the EU?

Nordic countries favor a risk-based, pragmatic approach that maintains access to the best available technology while ensuring genuine control through governance and architecture. This differs from stricter European-only approaches favored by some EU member states. The Nordic focus is on verified capability and demonstrated control, not on provider origin.

What is a Cloud Review and what do I get from it?

A Cloud Review maps your current cloud architecture against sovereignty requirements across four dimensions: data residency, operational sovereignty, jurisdictional sovereignty, and technical sovereignty. You receive a classified workload map, gap analysis, encryption and key management recommendations, exit strategy assessment, and a phased implementation roadmap. The review typically takes two to four weeks.

What EU regulations affect cloud sovereignty in 2026?

The key regulations are the EU Data Act (applicable since September 2025, with switching charge elimination by January 2027), NIS2 (cybersecurity for critical sectors), DORA (financial sector ICT resilience), the EU AI Act (next deadline August 2026), and the EU e-evidence regulation (applicable from August 2026). The European Commission's Cloud Sovereignty Framework also sets procurement standards for public sector cloud use.
