We have explored who regulates artificial intelligence and who controls digital money. There is a more basic, almost physical question underneath both: where do the world’s data actually live? The answer matters more than it seems, because on it depends which laws protect that data, who can access it, and how real the sovereignty is that states claim to exercise over their citizens’ information. And the answer, today, is uncomfortable: most of that data lives on infrastructure that the countries using it do not control.
The starting point is a quiet but near-total transformation. Public administration, banking, e-commerce, health, education — almost all of it now runs on cloud services. By sector estimates, the overwhelming majority of organizations already operate in the cloud. The problem is not the cloud itself, but who owns it: a dominant share of the global market is concentrated in three American corporations — Amazon Web Services, Microsoft Azure, and Google Cloud. Europe, despite its strict privacy regime, owns only about 4% of global cloud capacity; the rest belongs to US hyperscalers. When a government or a company anywhere outside the United States moves its data to the cloud, in the vast majority of cases it is entrusting that data to foreign-controlled infrastructure.
The trap of physical location
Here is the legal-technical fact that reframes the whole conversation, and it is worth stating precisely because it is so often misunderstood. For years it was assumed the problem could be solved with “data residency”: if a country’s data were stored in a data center physically located within that country, it would fall under that country’s jurisdiction. The major providers did open regional data centers — in Frankfurt, in Dublin, in São Paulo — partly in answer to that logic.
The US CLOUD Act dismantled that premise. Enacted in 2018, the law compels US-headquartered technology companies to hand over data they hold to American authorities, by court order, regardless of which country it is physically stored in. The consequence is counterintuitive but precise: even if a European or Latin American organization hosts its information in a US provider’s data center located in its own country, that information could be legally available to foreign authorities without a local court order. What determines the applicable jurisdiction is not where the data lives, but the nationality of the company that controls it.
The law’s origins are illustrative. It grew out of a case — Microsoft v. United States — in which the company refused to hand over emails stored on servers in Ireland, arguing US law had no reach beyond its borders. The CLOUD Act settled the dispute in favor of extraterritorial reach. The point is not academic: in a 2025 French Senate hearing, Microsoft France was asked directly whether it could guarantee that European data would never be requested by US authorities. The answer was unambiguous: no, that guarantee cannot be given.
The “sovereign cloud” answer — and its limits
Faced with this, the industry has responded with what it calls “sovereign cloud.” In January 2026, AWS launched its European Sovereign Cloud, a region physically and logically isolated within the EU, with EU-based operations, EU-only operational staff, and a new EU legal entity. Microsoft and Google have comparable offerings, and the EU itself raised the bar with a Cloud Sovereignty Framework setting out specific requirements, from legal to operational to supply-chain sovereignty.
These are real engineering improvements that reduce many risks. But analysts are blunt about the core limit, and fairness requires stating it: as long as the parent company is US-domiciled, the US government retains reach. The new EU legal entity is still a subsidiary of a US corporation. No hyperscale provider can today offer absolute legal sovereignty, precisely because of extraterritorial jurisdiction. The honest framing, increasingly adopted, distinguishes three layers: data residency (where the data physically sits), data sovereignty (which legal system governs it), and jurisdictional control (who can compel access) — and it is the third that the sovereign-cloud rebranding does not fully close.
Two readings, with comparable weight
The matter admits two legitimate interpretations, worth presenting without tilting the scale, because both describe a real part of the problem.
The critical reading, held by digital-sovereignty analysts and some governments, is that dependence creates a structural vulnerability. If a country’s strategic data — its citizens’, its companies’, its institutions’ — sits under the control of foreign companies, the country cedes a portion of its autonomy: the laws protecting that data are not necessarily its own, and the information is exposed to external jurisdictions. Some go further and speak of “digital colonialism,” noting that many regions import more technology than they produce, that the economic value is captured elsewhere, and that little is taxed locally. The concrete fear is a scenario in which a company’s or a public body’s data is blocked or exposed by a foreign legal decision — a hypothesis that sharpening geopolitical tensions make less abstract.
The industry reading tempers the alarm and makes a valid point. Providers argue that sovereignty “does not mean data residency” and that effective control rests with the customer, who owns the data and has tools — encryption, key management, access controls — to protect it regardless of where it is hosted. And there is a point of intellectual honesty that analysts themselves acknowledge: documented cases of actual extraterritorial access to enterprise data in Europe are rare. Transparency reports suggest US authorities are seldom granted access to enterprise content stored in Europe under the CLOUD Act. The risk is, in large part, structural and potential rather than a proven record of abuse — but the mere existence of the statute is enough to turn sovereignty from an abstract concept into a concrete factor in risk assessment.
It is not for this outlet to decree which reading weighs more. What can be stated is that both are true at once: the technical control providers offer is real, and the legal exposure the CLOUD Act creates is also real. One does not cancel the other.
The alternatives taking shape
A growing response, especially in Europe, is the rise of genuinely local alternatives: providers such as OVHcloud, Scaleway, Hetzner, or Ionos that keep data and corporate control within European jurisdiction. The EU has moved further in this direction than most, financing local data centers and promoting open standards; sovereign-cloud spending in Europe is projected to grow sharply. In other regions, state-backed efforts — national telecoms and public infrastructure operators — represent attempts to move from being mere consumers of global services to holding national capacity, at least for sensitive workloads.
It is best not to idealize these alternatives. Building and maintaining competitive cloud infrastructure is enormously costly, demands scale and specialized talent, and most countries cannot replicate on their own what the global giants offer. Hence the realistic bet that many analysts describe: not abandoning commercial cloud, but a redefinition — which cloud for which data, hosting the most sensitive workloads on sovereign or reinforced infrastructure and leaving the rest in commercial cloud. Total sovereignty is unworkable; selective sovereignty, over what truly matters, is the realistic stance.
What this infrastructure reveals
The case of data sovereignty illuminates the deepest, least visible layer of the debates this coverage has traced. We discuss who regulates AI, who controls digital money; but beneath all of it lies the physical infrastructure — the data centers, the cables, the cloud — on which everything rests, and that infrastructure is mostly in the hands of a few corporations from a handful of countries. Whoever controls the infrastructure holds a lever over everything that runs on top of it.
It is the same logic seen in AI regulation and in digital money: most countries are takers of an infrastructure they neither designed nor control, and the question is not whether they can fully break free — they cannot — but how they manage that dependence so it does not become a vulnerability. Digital sovereignty, understood maturely, is not technological autarky; it is the capacity to decide, with information and with alternatives, what to cede and what to protect.
The verifiable fact is that the overwhelming majority of digital activity runs on foreign clouds, that a US law can reach that data regardless of where it is hosted, and that genuinely sovereign alternatives are only beginning to take shape. Whether this leads to a dependence that erodes autonomy or to a relationship managed intelligently will depend on decisions not yet made: on how much states invest in their own infrastructure for critical data, on what legal frameworks they build, and on whether they act in fragmented fashion or in concert. As in every story of this kind, what is decisive is not the fact that today causes concern — dependence — but what is decided to do with it before the infrastructure finishes defining who rules over information.