Research I recently undertook showed that the cloud sector is large and unequal. Reliable estimates indicate that a few thousand cloud firms operate globally. At the same time, the top three suppliers (Amazon, Microsoft, and Google) together account for over 60 percent of the market. While the latter figure might be overestimated according to some accounts, the sector is marked by intense competition, with continuous innovation as the clarion call. That implies that those well ahead of the rest cannot fall asleep at the wheel for even one second. Reading the SEC reports of these companies, which repeatedly emphasize risks and competition, shows their deep concerns in this regard.
My research also uncovered many small cloud providers in advanced and developing economies. They primarily serve local and national markets. Some already offer digital sovereignty as a signature service. In this equation, firm nationality becomes the passport to enter the realm of digital sovereignty. That said, the key point is that this set of small firms is running ahead of the behemoths by responding quickly to government and citizens’ demands for sovereign cloud services. Of course, the big guys promptly took notice and acted decisively.
That is certainly the case for market leader AWS. The opening shot came in the form of its digital sovereignty pledge, which saw the light in November 2022. Here, the emphasis remained on data location, data access controls, and comprehensive encryption tools, including the option to store client keys outside AWS.
Eleven months later, the company announced in Berlin the forthcoming launch of the AWS European Sovereign Cloud (ESC). The press release provided further details, including the assurance that only EU citizens residing in the Union will have access to the data and be responsible for ESC’s daily operations. ESC will also have its own billing system and administrative tools. Moreover, all cloud administrative metadata, such as access control lists, configurations, and resources, will remain within the EU. Customers facing more stringent data residency requirements can deploy AWS infrastructure in the locations of their choice using AWS Outposts and AWS Dedicated Local Zones. That will ensure they have the same quality of access and resilience as all other ESC and overall AWS customers. The document states that ESC will be “sovereign-by-design.” Yet, it does not reveal what sovereignty means in this context.
Equally interesting is the list of governments and businesses already backing ESC. They include the CIO of Germany’s Federal Government, the state secretary of Germany’s Federal Ministry of Digital and Transport, the CIO of Finland’s Ministry of Finance, the deputy director of the National Cyber and Information Security Agency of Czechia, the director of Romania’s National Cyber Security Directorate, SAP, Dedalus, O2 Telefonica, Volksbank, Telia, and AlmavivA. That is how one builds consensus and gets the other side to dance the tango, impeccably, while drinking sovereign wine.
In May 2024, Amazon publicly stated it planned to initially invest 7.8 billion euros in ESC. It also shared that since 2010, the company had invested 150 billion euros in the EU, employing over 150,000 people. That is an average annual investment of 10 billion, which exceeds the new ESC commitment. Nevertheless, such data indicates the level of market lock-in AWS has in the region. Switching costs could be enormous, while the transitional economic impact could be profoundly negative in the short run.
In early June of last year, Amazon stated that ECB would be officially launched by the end of the year, backed by an intricate corporate governance and administrative structure created for this purpose. A new parent company, owned and funded by Amazon and based in Germany, will run ECB. While the parent company will have a high degree of legal and operational independence, it is still subject to Amazon’s corporate demands. The new company will be composed solely of EU citizens residing in the Union. It will have full operational autonomy with no links or dependence on infrastructure located outside the EU. The management team includes a German managing director and a government security and privacy official. In September, Amazon appointed a French national as a second management director.
A four-person “independent” advisory board will support the parent company, with one member not affiliated with Amazon. The board will provide adequate expertise and account for all sovereignty-related issues, including the ability to operate independently in case of disruptions. To further support the parent company’s core work, three subsidiaries are being launched, all based in Germany. Subsidiaries will each have a dedicated focus on infrastructure, R&D, and trust (root certificates and overall trust services), respectively.
Overall, ESC security will be provided by a new and dedicated instance, the European Security Operations Center (SOC), which will closely follow global security standards. SOC will also be headed by a European citizen residing in the region who will provide continuous advice and support to ESC’s managing director and interact with customers and regulators.
The graph below depicts ESC’s organizational structure.
In March 2025, AWS signed a cooperation agreement with Germany’s Federal Office for Information Security (BSI). BSI has already given AWS C5 attestation. The deal is centered on advancing sovereign controls that comply with BSI and other European standards. Piggybacking on this, AWS introduced the AWS European Sovereign Cloud: Sovereign Reference Framework (ESC-SRF), developed to meet sovereignty requirements from customers, regulatory bodies, and implementation partners. The framework includes technical, legal and contractual, and operational controls to meet such demands. It is designed for external verification, providing auditable evidence, supporting third-party independent audits, and furnishing public reporting. In essence, it is a framework that can demonstrate sovereignty in accordance with the parameters set by Amazon and AWS. Most likely, the company will use ESC-SRF to serve other key markets while trying to keep competitors at bay.
An AWS white paper completed in September 2025 provides additional technical details on all of the above. It should thus be consulted by researchers interested in delving deeper into the issue, especially regarding infrastructural arrangements and the inner workings of the purported ESC operational autonomy.
Raul
