Sovereign cloud used to be a policy-circle topic. It is now a priority for enterprises and governments across Europe. The premise is simple: critical data and infrastructure should answer to the laws of the jurisdiction where they originate, not the one where the provider happens to be headquartered. That changes how organisations choose infrastructure, and it is one of the larger shifts in the cloud market since the hyperscalers arrived.

Government initiatives driving the movement

European governments have been the most visible proponents of sovereign cloud. The Gaia-X initiative, launched in 2019 by France and Germany, aims to establish a federated, open data infrastructure ecosystem based on European values of transparency, portability, and interoperability. While Gaia-X has faced criticism for slow progress and the involvement of non-European hyperscalers, it has succeeded in establishing a framework for what sovereign cloud should look like: open standards, clear governance, and verifiable compliance with European data protection principles.

France's "Cloud de Confiance" strategy took a more prescriptive approach, introducing the SecNumCloud certification for cloud providers handling sensitive government data. This certification requires that infrastructure be operated by EU-headquartered entities, immune from extraterritorial legislation, and subject to French security audits. Germany's BSI C5 certification serves a similar function, establishing baseline security requirements for government cloud procurement. Belgium, where Anchras is headquartered, has aligned its digital strategy with these European frameworks while maintaining its own pragmatic approach to cloud adoption in the public sector.

Data localization as a global trend

Data localization is not exclusively a European phenomenon. A growing number of countries now require certain categories of data to be stored and processed within their borders. Russia's data localization law has been in effect since 2015. India's Digital Personal Data Protection Act introduced conditions on cross-border data transfer. Vietnam, Indonesia, and Nigeria have all implemented or proposed data residency requirements. Even within the United States, sector-specific regulations increasingly favour domestic data processing for sensitive categories like defence, healthcare, and financial services.

For multinational organisations, this patchwork of localization requirements creates operational complexity. Hosting workloads on a single hyperscale platform that spans dozens of jurisdictions does not automatically satisfy localization requirements, particularly when the provider's corporate structure subjects the data to foreign government access. Organisations are increasingly turning to regional sovereign cloud providers to simplify compliance while maintaining operational efficiency within each jurisdiction.

European digital sovereignty in practice

The concept of digital sovereignty extends beyond data storage. It encompasses control over the entire technology stack: hardware, operating systems, virtualisation layers, application platforms, and the software running on them. This is where open-source software plays a critical role. Organisations that rely on proprietary, single-vendor platforms are sovereign in location but not in capability. If the vendor changes pricing, discontinues a feature, or is subject to sanctions, the customer has limited recourse.

True sovereignty requires open standards and the practical ability to migrate between providers. This principle drives the Anchras self-hosted catalog, which curates open-source applications scored on the Anchras Sovereignty Score across five axes: license strength, open-source posture, active maintenance, data portability, and resistance to vendor lock-in. By selecting applications that score high across these axes, organisations build a software stack that remains under their control regardless of which infrastructure provider they use.

Where Anchras fits in

Sovereignty was a founding principle for Anchras, not something we bolted on once the market asked for it. Our infrastructure runs from our EU region under Belgian corporate governance, which keeps it inside EU legal jurisdiction and out of reach of extraterritorial data access laws. The platform is built on open standards, so there is no proprietary lock-in to escape later. And because we run the operations, you get the day-to-day benefits of cloud without handing over control of your data or your hardware.

Sovereign cloud is still early, but the direction is clear enough. Organisations that start aligning their infrastructure with it now will have an easier time with the regulations and procurement rules already taking shape. The ones that wait tend to pay for it later, when the gap between what they run and what they are expected to run has widened. The Anchras Platform is one place to see what sovereign infrastructure looks like in practice.