A data center in Frankfurt does not mean that you have full control over your data. The crucial question is not where the server is located, but who manages the keys, who can view the metadata and who has which rights in a legal dispute.
2. Treating the Sovereign Cloud as a blanket strategy
The most expensive and most common mistake is to migrate all workloads to a sovereign cloud environment without first checking which workloads actually need it. For development environments, internal tools and non-regulated data, the Sovereign Cloud means one thing above all: a surcharge without added value.
3. Neglecting identity governance
A technically perfect sovereign cloud infrastructure is of little use if access control is inadequate. Who is allowed to access which systems determines the actual level of security – especially when it comes to AI agents and automated processes. An AI agent with write access to production systems running on sovereign cloud infrastructure but operating with inadequate identity governance is a vulnerability – no matter where the server is located. Identity governance is the critical gap in most cloud security architectures in 2026.
4. Not thinking about the exit strategy
Anyone migrating to a hyperscaler's sovereign cloud today needs to know that the exit is more complex and more expensive than with the standard offering. Three cost traps are regularly underestimated:
- Switching costs, which the EU Data Act has capped since September 2025 and will abolish completely from January 2027. However, this covers only the costs of the provider change itself, not the ongoing egress costs in multi-cloud architectures.
- Minimum contract terms and volume commitments, which sovereign offerings often require and which the Data Act expressly leaves unaffected.
- Dependence on proprietary services that cannot be "taken with you" but must be rebuilt at the new provider. The Data Act does not help at this point.
Exit costs are therefore part of the overall cost calculation from day one – and a documented exit strategy should be part of every cloud decision.
5. Confusing compliance with security
NIS2 compliance and ISO 27001 certification say nothing about whether a company is able to act in an emergency. Compliance certifies that processes are documented. Security comes from technical controls and clear responsibilities.
Find the right cloud model in 5 steps
Every project shows me that cloud sovereignty is a workload decision, not a question of faith. Those who migrate across the board pay for sovereignty where none is necessary and often overlook gaps where it counts. A reliable strategy comes primarily from asking which regulations apply, how sensitive the data is and who controls keys and identities. Everything else is marketing.
The following five steps can help you choose the right cloud model for your needs.
- Check regulatory obligations: Are your cloud workloads subject to DORA, NIS2, the EU AI Act or other regulations? If so, a standard hyperscaler solution is only justifiable with additional controls, documented risk assessment and a robust exit strategy.
- Classify data sensitivity: Personal data with Schrems II relevance or operational data of critical infrastructures is sensitive information. In general, the higher the sensitivity of the data, the stronger the case for a sovereign or private cloud.
- Check service dependencies: If you need cloud services that are only available from hyperscalers, such as AI/ML platforms or specialized databases, the hyperscalers' sovereign clouds are often the better compromise.
- Assess internal resources realistically: A private cloud sounds like control, but it is complex. You need the right people and expertise to run this model professionally.
- Calculate cost-benefit ratio: According to market experts, the Sovereign Cloud typically costs 15 to 30 percent more than a standard hyperscaler offering. Calculate which model makes the most economic sense for your workload mix.
The following table shows when each cloud model makes sense:
| Situation | Recommended model | Justification |
|---|---|---|
| KRITIS operators under NIS2 | Sovereign Cloud | Obligations to provide proof of risk management and supply chain, personal liability of management |
| Financial service providers under DORA | Sovereign Cloud (Hyperscaler) | Wide range of services and regulatory compliance |
| High-risk AI under EU AI Act | Sovereign Cloud | Duties from August 2026; data governance evidence easier to maintain |
| AI/ML development, anonymized data | Hyperscaler (Standard) | Full service offering, no regulatory pressure |
| Internal tools, Dev/Test | Hyperscaler (Standard) | No regulatory need, optimize costs |
| Highly sensitive data, public authorities | EU provider / private cloud | Maximum legal clarity, no residual risks |
| Constant workloads, in-house expertise | Private Cloud | More economical in the long term if demand is foreseeable |
(fm)
This article was published as part of Foundry's German-speaking expert network.
