With demand growing among enterprises for tighter control over their internal and customer data, both AWS and IBM have unveiled new data sovereignty offerings initially focused on the EU.
AWS Launches New Company for Independent European Sovereign Cloud
Amazon has announced the general availability of its AWS European Sovereign Cloud, a cloud environment that is separate from other AWS Regions and located completely within the European Union. The first region is live in Brandenburg, Germany, and Amazon plans to extend sovereign AWS Local Zones into Belgium, the Netherlands and Portugal.
The service is purpose-built so that enterprises can to deploy their own secured and compliant automated environments.
According to AWS, the European Sovereign Cloud is operated exclusively by EU residents and keeps all customer metadata within EU borders. There is “zero” operational control outside of the EU’s borders, the company said. It is designed to continue operating independently even in the event of a broader communications disruption.
Amazon has established a new parent company and three local subsidiaries incorporated in Germany, including an advisory board of three Amazon employees and two independent members providing “expertise and accountability on sovereignty-related matters”.
The service will initially offer more than 90 AWS services across compute, storage, networking, security, databases, and AI.
Amazon said that its global cloud and AI infrastructure have been sovereign by design “from day one”, and “most customers are able to meet their requirements using one of the six existing AWS Regions in the EU.” But the growing industry focus on data sovereignty has prompted the company to launch an explicit offering, according to the announcement.
“The AWS European Sovereign Cloud is designed to give customers additional choice to meet the EU’s stringent sovereignty requirements without compromising on the robust capabilities of AWS.”
AWS Local Zones enable customers to store their data in a specific geographic location to comply with requirements for data residency and latency-sensitive applications. The zones will extend the sovereignty controls from the AWS Region in Germany across the EU.
Customers that have more stringent requirements for the data they store will have the option to use AWS Dedicated Local Zones, AWS AI Factories or AWS Outposts in the locations they need, including their own on-prem data centers.
The AWS European Sovereign Cloud allows customers to keep all the metadata they create, such as roles, permissions, resource labels, and configurations entirely in the EU, including sovereign Identity and Access Management (IAM), billing, and usage metering systems.
Like other AWS Regions, the sovereign cloud is powered by the AWS Nitro System, which provides strong physical and logical security to enforce access restrictions. AWS also provides advanced encryption, key management services, and hardware security modules to protect content.
To support customer’s businesses continuity even in the event of extreme incidents, authorised AWS European Sovereign Cloud employees will have independent access to a replica of the source code needed to maintain the services.
Amazon has previously announced plans to invest more than €7.8BN in the German sovereign cloud over the long term. The expansion to Belgium, the Netherlands and Portugal will involve an additional planned investment.
Stéphane Israël, Managing Director of the AWS European Sovereign Cloud and Digital Sovereignty, said:
“Customers want the best of both worlds – they want to be able to use AWS’s full portfolio of cloud and AI services while ensuring they can meet their stringent sovereignty requirements.”
“By building a cloud that is European in its infrastructure, operations, and governance, we’re empowering organisations to innovate with confidence while maintaining complete control over their digital assets.”
Customers across regulated sectors such as healthcare, financial services, defense, energy, and telecoms, have already started using the service, including EWE AG, Medizinische Universität Lausitz – Carl Thiem (MUL-CT), and Sanoma Learning.
Germany’s Federal Office for Information Security (BSI) has a dual strategy to strengthen Europe’s tech innovation and require non-European products to be adapted and integrated to ensure they can be used securely and independently, said Claudia Plattner, BSI’s President.
“The future of hyperscalers in Europe therefore lies in offerings such as the AWS European Sovereign Cloud. As Germany’s cybersecurity authority, we are pleased to be able to contribute to its design.”
IBM Takes a Software-First Approach to Sovereignty
On the same day as Amazon doubled down on its EU data sovereignty provisions, IBM introduced IBM Sovereign Core, which it described as a purpose-built software platform for enterprises, governments and service providers to build, deploy and manage AI-ready sovereign environments under their own authority.
Built on Red Hat’s open source foundation, the software is intended to give organizations direct operational control over infrastructure, identity, encryption keys, compliance evidence, and AI inference within jurisdictions they choose.
Priya Srinivasan, General Manager, IBM Software Products, noted:
“Businesses are facing growing pressure to innovate while meeting tightening regulatory requirements and recognizing the importance of controlling how sensitive data and AI workloads are accessed and operated.”
“This shift is creating an urgent need for sovereign solutions that deliver AI-ready environments…combining openness, compliance, and operational autonomy to meet the demands of the AI era, without the need to sacrifice sovereignty requirements.”
IBM cited a Gartner prediction that more than 75 percent of enterprises will have a digital sovereignty strategy by 2030, often centered on sovereign cloud approaches.
IBM Sovereign Core is designed to bake sovereignty controls directly into the software, rather than adding them as a layer on top of existing cloud architectures. Customers can deploy the platform in the environment they choose, whether in on-premises data centers, supported in-region cloud infrastructure or through IT service providers.
IBM is working with IT service providers around the world, but given the importance of sovereignty in the EU, the vendor is starting with an initial rollout in Europe with Cegeka in Belgium and the Netherlands and Computacenter in Germany.
Customers run their own control plane, make deployment and configuration decisions locally, and keep identity, access management, and encryption keys entirely within their chosen jurisdiction.
That setup is meant to reduce reliance on out-of-region vendors while making it easier to demonstrate who controls systems and data at any given time. The platform continuously generates compliance evidence, such as system telemetry and audit trails, inside the sovereign environment, which helps with ongoing regulatory reporting.
AI workloads are handled under the same model, with model hosting, GPU infrastructure, and inference all governed locally so that data doesn’t need to be exported elsewhere.
“With IBM Sovereign Core, we can focus on configuring the software to each client’s specific use cases rather than spending months piecing together disparate components and validating sovereignty controls,” said Christian Schreiner, Unit Director Cloud, Computacenter. “It can significantly accelerate our time-to-value and let us help clients who previously couldn’t consider AI solutions at all.”
IBM plans to make Sovereign Core available in tech preview from February and plans full general availability for mid-year 2026.
Why Sovereignty is the Cloud’s Next Battleground
In addition to the strict customer data requirements established in GDPR, Europe’s regulatory landscape is evolving under the EU AI Act, the first comprehensive legal framework on artificial intelligence, which came into force in August 2024 and is being phased in over the coming years.
The Act introduces strict requirements for high-risk AI applications, including traceability and transparency obligations that intersect with data governance expectations, requiring organizations to ensure the provenance and management of data used for training and testing in high-risk AI systems.
This reinforces sovereign cloud strategies by incentivizing enterprises to maintain local control of their data and operational processes to make sure that AI workloads remain subject to EU legislative and jurisdictional safeguards.
As GenAI systems are deployed in regulated environments, questions about where models train and run, and who has access to them, have become crucial to enterprise risk management. Data sent to AI systems can be retained and reused for training or fine-tuning, or accessed by external operators, in ways that are difficult to audit and may foul of the organization’s controls.
And given the global reach of infrastructure providers like AWS and recent system outages, as well as growing geopolitical concerns, governments and critical industries increasingly view cloud infrastructure through the lens of strategic independence, rather than technical considerations. Public-sector and regulated enterprises are including sovereignty-related criteria directly into their sourcing requirements, making compliant cloud capabilities a commercial necessity.
This shift was reflected in NiCE’s deal this week with German health insurer AOK Bayern. The contract for CXone running on NiCE’s EU Sovereign Cloud highlights the importance of local data control and compliance as procurement factors in public-sector technology decisions.
As this week announcements indicate, there is a spectrum of sovereignty-related offerings emerging to address different organizational needs as data control becomes a central element of how cloud services are bought and operated in the AI era.
“The sovereign AI conversation has focused on data residency, but that’s only part of the equation,” said Sanjeev Mohan, Principal at advisory firm SanjMo. There is a harder question around “who controls the system and can you prove it to regulators?” Mohan added.
As Erik Fish, Director of Geotechnology at Eurasia Group, put it:
“AI is accelerating the pace at which sovereignty questions move from theory to daily operations.”
As enterprises try to address those questions while navigating increasingly complex compliance and regulatory requirements, there is “strong demand for digital platforms and software that allows sensitive data to remain within controlled, compliant boundaries,” said Gaetan Willems, VP Cloud & Digital Platforms, Cegeka.
For many enterprises and governments, that means moving toward self-managed environments where they can clearly show who operates systems, who can access data, and how decisions are made without relying on third parties.
The conversation is shifting from choosing between open platforms and sovereign control to finding ways to govern data, access, and infrastructure in a way that holds up to regulatory and geopolitical pressure.
“As Europe continues refining its approach to digital sovereignty, solutions embedding security-by-design and sovereign-by-design principles will become increasingly relevant,” said Lukáš Kintr, Director, National Cyber and Information Security Agency (NÚKIB), Czechia.
