← Thought Leadership

Sovereignty

What sovereign compliance actually means

The term is appearing on every European vendor’s website. Most uses describe where data sits, not who controls it.

Martin Foerster
Co-founder
· 3 min read

“Sovereign” has become the most crowded adjective in European enterprise software. It now attaches to cloud, to AI, and increasingly to compliance, often to describe nothing more than a data centre with a German postcode. The word is doing real work for buyers who are genuinely worried about dependence on foreign providers, which makes it worth defining with some care, because the loose version of the idea is close to meaningless.

Residency is a location; sovereignty is a chain of control

Storing European data in Frankfurt is necessary, and it is not sufficient. What determines whether an arrangement is sovereign is not the location of the disk but the chain of control around it: which legal entity holds the data, whose courts can reach that entity, and where the systems that process the data actually run. The reach of those courts is not theoretical. In June 2025, Microsoft’s French legal counsel, asked under oath before the Senate whether he could guarantee that French data would never be handed to the US government, replied: “No, I cannot guarantee that.”

Definition
Data residency versus sovereignty
Data residency is a question of geography: where the data physically sits, and which jurisdiction can therefore compel access. Sovereignty is a question of control: whose law governs the provider, who can be ordered to hand data over or change how a system behaves, and under whose authority the processing occurs. A US-controlled platform with an EU region satisfies residency while failing sovereignty.

For compliance, the distinction is sharper than most

Compliance data is not ordinary business data. It is the record of how an institution reads the law, what it has decided, and the evidence behind those decisions, which is exactly the material a regulator, or an adversary, would most want to see. A platform that pulls that material into its own cloud has taken custody of a bank’s most sensitive reasoning. Under DORA, it can also fall within the scope of that bank’s regulated ICT third parties, so the platform’s exposure becomes the bank’s exposure.

Sovereign compliance answers this at the level of design rather than contract. Two commitments carry most of the weight: the customer’s source documents never leave the customer’s control, and the processing that does occur happens within the EU. Everything else follows from taking those two rules seriously from the first line of architecture rather than adding them as a clause later.

A test you can apply in one meeting

The quickest way to separate the real from the decorated is to ask four questions of any provider: which legal entity holds your data, which courts can compel that entity, where the models that process your data run, and what happens to your evidence if the relationship ends. Vendors offering genuine sovereignty answer plainly. Vendors offering residency with a sovereignty label tend to reach for the brochure.

Sovereignty is not a badge you earn by choosing a region in a console. It is a property of who holds the keys, and it is worth insisting on the difference.

Frequently asked questions

What is sovereign compliance?
Sovereign compliance is the practice of meeting regulatory requirements over infrastructure that stays under European jurisdiction and control. Unlike data residency, which only governs where data is stored, sovereignty governs who can compel access to the data, whose law binds the provider, and where the reasoning about the data is performed.
How is sovereign compliance different from data residency?
Data residency is about geography — where the data physically sits. Sovereignty is about control — whose courts can reach the provider and under whose authority the processing occurs. A US-controlled platform with an EU region satisfies residency while failing sovereignty.
How can I tell whether a provider is genuinely sovereign?
Ask four questions: which legal entity holds your data, whose law governs that entity, which court can compel it to hand data over, and where the models that process your data run. Genuine sovereignty produces plain answers; residency with a sovereignty label reaches for the brochure.
Why does sovereign compliance matter for European banks?
Compliance data is a bank's most sensitive reasoning. Under DORA, a platform that ingests it becomes a regulated ICT third party, so the platform's exposure becomes the bank's exposure.

Sources