Europe spends approximately $115 billion annually on cloud services. Roughly 72% of that spending flows to three American companies: AWS, Microsoft Azure, and Google Cloud. This dependency is not merely commercial. It is strategic. When a continent outsources its digital infrastructure to foreign corporations subject to foreign law, the term “digital sovereignty” shifts from policy abstraction to operational vulnerability.

The European response is neither unified nor simple. It spans a federated standards framework (Gaia-X), national cloud programs (France’s Cloud de Confiance, Germany’s BSI C5 ecosystem), homegrown infrastructure providers (OVHcloud, Scaleway, Deutsche Telekom), and billions of euros in public funding. Understanding this landscape is essential for any organization operating in Europe — and instructive for anyone watching the global cloud market fragment along sovereign lines.

Gaia-X: Architecture of a Federated Dream

Gaia-X was announced in October 2019 by French Economy Minister Bruno Le Maire and German Economy Minister Peter Altmaier. The founding premise was straightforward: Europe needed a cloud infrastructure that operated under European rules, without building a single monolithic competitor to AWS.

The architectural decision was federation. Rather than constructing a European hyperscaler — which would require $50+ billion in capital expenditure and a decade of engineering — Gaia-X would create a framework enabling existing European cloud providers to interoperate under common sovereignty standards.

The Technical Framework

Gaia-X’s architecture rests on four technical pillars:

Gaia-X Federation Services (GXFS). The core software layer providing federated identity management, service catalog, compliance verification, and sovereign data exchange. GXFS is open-source, developed primarily by eco (the Association of the Internet Industry) and a consortium of European technology companies.

Gaia-X Trust Framework. A machine-readable specification that defines compliance levels for cloud services. Providers self-declare their compliance, which is then verified through automated checks and third-party audits. Three compliance levels exist: Basic (data protection and transparency), Substantial (EU operational control), and High (no non-EU dependencies in the supply chain).

Gaia-X Digital Clearing House (GXDCH). A decentralized system for verifying provider compliance claims. Rather than a single certification body, GXDCH distributes verification across multiple trusted entities — a design choice that prevents single points of failure and jurisdictional capture.

Data Spaces. Domain-specific data sharing environments built on Gaia-X infrastructure. Active data spaces include Catena-X (automotive supply chain), Agri-Gaia (agriculture), HEALTH-X (health data), and Mobility Data Space (transportation).

Progress and Problems

By early 2026, Gaia-X has achieved measurable milestones: 380+ member organizations, 12 operational data spaces, GXFS software in production, and the Trust Framework finalized at version 22.10. Catena-X, the automotive data space, has connected over 1,000 companies and processes supply chain data for BMW, Volkswagen, and Mercedes-Benz.

The problems are equally real. The membership dispute over US hyperscaler participation consumed two years of governance bandwidth. AWS, Microsoft, Google, and Palantir all hold Gaia-X memberships — a fact that critics argue undermines the entire sovereignty premise. The compromise position is that US companies can participate in Gaia-X ecosystems but cannot achieve the “High” compliance level, which requires EU-only supply chain dependencies.

Funding has been inconsistent. The European Commission allocated approximately $2.1 billion through the Digital Europe Programme and Recovery and Resilience Facility for cloud and data infrastructure between 2021 and 2027, but this funding is distributed across member states and programs, not concentrated on Gaia-X specifically.

The most substantive criticism is execution speed. AWS ships new services weekly. Gaia-X operates on standards-body timelines. The gap between architectural vision and production-ready infrastructure remains wide, and each month of delay strengthens the incumbency advantage of US hyperscalers.

The European Provider Landscape

Gaia-X provides the framework. The infrastructure is built by European cloud providers — a diverse ecosystem ranging from continental-scale platforms to specialized national champions.

OVHcloud

OVHcloud is the largest European-born cloud provider. Founded in 1999 in Roubaix, France, it operates 43 datacenters across Europe, North America, and Asia-Pacific. OVHcloud went public on Euronext Paris in October 2021 with a market capitalization of approximately $5.4 billion.

OVHcloud’s competitive position rests on three differentiators:

  1. Vertical integration. OVHcloud manufactures its own servers, manages its own water-cooling systems, and builds its own datacenters. This vertical integration reduces dependency on third-party supply chains and provides hardware-level control that most cloud providers lack.

  2. Predictable pricing. OVHcloud’s pricing model is simpler and more predictable than hyperscaler alternatives. No egress fees on most products. No complex reserved instance commitments. This pricing transparency has attracted organizations burned by unexpected hyperscaler bills.

  3. European jurisdiction. OVHcloud is a French company, subject to French and EU law, with no structural obligation to comply with US government data requests. For organizations requiring Level 2 data sovereignty, this is a decisive advantage over US hyperscalers operating European regions.

Revenue reached $1.1 billion in fiscal year 2025. The Public Cloud segment (IaaS/PaaS services competing directly with AWS EC2 and S3) grew 28% year-over-year. OVHcloud’s Bare Metal and Hosted Private Cloud segments — which provide dedicated hardware — grew at 12%, reflecting demand from privacy-conscious enterprise customers.

The limitations are real. OVHcloud’s managed service portfolio is a fraction of AWS’s. There is no equivalent to Lambda, DynamoDB, or SageMaker. Organizations migrating from hyperscale clouds must either accept a narrower service catalog or fill gaps with open-source alternatives (Kubernetes for orchestration, MinIO for object storage, PostgreSQL for databases).

The Strasbourg datacenter fire of March 2021 — which destroyed SBG2 and damaged SBG1, resulting in data loss for customers without off-site backups — remains a trust liability. OVHcloud’s subsequent investments in fire suppression, redundancy, and backup infrastructure have been substantial, but the incident is a permanent fixture in competitive evaluations.

Scaleway

Scaleway, the cloud division of Iliad Group (also the parent of Free, France’s fourth-largest telecom operator), operates from datacenters in Paris, Amsterdam, and Warsaw. Scaleway has positioned itself as the developer-friendly European alternative — a European DigitalOcean with sovereignty credentials.

Scaleway’s product portfolio includes bare metal servers, Kubernetes-as-a-Service, managed databases, serverless functions, and object storage. Annual revenue is estimated at $300-400 million (Iliad does not break out Scaleway revenue separately).

Scaleway’s strategic focus has narrowed to AI infrastructure. In 2024, Scaleway announced a $500 million investment in GPU clusters for AI training and inference, targeting European AI companies that need high-performance compute without sending training data to US-controlled infrastructure. This bet aligns with the growing concern about AI training data sovereignty — a topic that AI privacy practices are bringing to mainstream attention.

Deutsche Telekom / T-Systems

Open Telekom Cloud (OTC), operated by T-Systems (Deutsche Telekom’s enterprise IT division), is Germany’s largest domestic cloud platform. Built on OpenStack and Huawei hardware, OTC offers IaaS and PaaS services from datacenters in Germany and the Netherlands.

OTC achieved BSI C5 certification (Germany’s cloud security standard) and is approved for German government workloads. Revenue figures for OTC specifically are not disclosed, but T-Systems’ cloud and infrastructure services generated approximately $4.8 billion in 2024.

The Huawei dependency is the elephant in the room. T-Systems has publicly stated that it maintains full operational control and that Huawei’s role is limited to hardware supply, but the association with a company under US sanctions creates procurement complications for customers with US operations or US government contracts.

Ionos (formerly 1&1)

Ionos, owned by United Internet AG, operates cloud infrastructure from German datacenters. Positioned primarily at SMB and mid-market customers, Ionos offers compute, storage, Kubernetes, and managed services. Cloud revenue reached approximately $650 million in 2025. Ionos achieved BSI C5 certification and participates in the Gaia-X ecosystem.

Infomaniak

Infomaniak, a Swiss company founded in 1994, operates exclusively from Swiss datacenters. Its sovereign cloud offering is positioned at organizations requiring Swiss jurisdiction — benefiting from Switzerland’s strong data protection laws (revFADP) and its position outside the EU (and therefore outside EU surveillance frameworks like the proposed Chat Control regulation).

Infomaniak’s scale is modest — annual revenue of approximately $50 million — but its positioning at the intersection of Swiss privacy law and cloud infrastructure has attracted disproportionate attention. Switzerland’s role as a privacy jurisdiction extends naturally to cloud infrastructure.

EU Funding Architecture

The European Commission has constructed a multi-layered funding architecture for sovereign cloud development:

Digital Europe Programme (2021-2027). Total budget: $8.2 billion. Cloud and data infrastructure allocation: approximately $2.1 billion. Funds distributed through competitive calls for proposals to consortia of European organizations.

Important Projects of Common European Interest (IPCEI). The IPCEI on Cloud Infrastructure and Services, approved in December 2023, channels $1.4 billion in state aid from France, Germany, Italy, and Spain to develop next-generation cloud and edge computing capabilities. Twelve projects across the four countries received approval, including Gaia-X infrastructure development, edge computing platforms, and sovereign cloud management tools.

Recovery and Resilience Facility. Multiple member states allocated RRF funds to cloud sovereignty initiatives. France allocated $1.8 billion for cloud sovereignty through its France 2030 plan. Germany allocated $1.2 billion through its Konjunkturpaket. Italy allocated $1.9 billion through its Piano Nazionale di Ripresa e Resilienza, including significant cloud migration funding.

Horizon Europe. Research funding for advanced cloud technologies, including confidential computing, edge computing, and quantum-safe cryptography. Approximately $400 million allocated to cloud-related research between 2021 and 2027.

The total direct EU public funding for sovereign cloud and data infrastructure exceeds $8 billion through 2027. This figure does not include member state procurement budgets (governments buying sovereign cloud services) or private sector investment.

For context, AWS’s capital expenditure was $63 billion in 2024 alone. European sovereign cloud funding, while substantial, represents approximately 12% of a single hyperscaler’s annual investment. The scale gap explains why European sovereign cloud focuses on differentiation (sovereignty, privacy, compliance) rather than trying to match hyperscale breadth.

The Joint Venture Model

The most architecturally interesting — and most contested — approach to European cloud sovereignty is the joint venture model: US technology licensed to a European-controlled entity.

Bleu (Capgemini + Orange + Microsoft). Bleu operates Azure technology under French operational control. Announced in 2021, Bleu achieved operational status in late 2024 with Cloud de Confiance certification. The entity is structured so that Microsoft provides technology licenses and updates, while Capgemini and Orange operate the infrastructure, employ the staff, and control all customer data. Microsoft has no administrative access to Bleu’s production environment.

S3NS (Thales + Google). S3NS operates GCP technology under French control. Structured similarly to Bleu, with Thales providing sovereignty oversight and operational control. S3NS achieved operational readiness in 2025.

Critics argue these joint ventures are sovereignty theater — the underlying code is American, the hardware dependencies are American, and the ongoing update pipeline creates a persistent dependency on the US technology partner. If the US government imposed technology export restrictions (as it has with China), these joint ventures would be unable to maintain and update their platforms.

Proponents counter that the joint venture model is the only realistic path to providing European organizations with hyperscale-quality cloud services under European jurisdiction within a reasonable timeframe. Building equivalent technology from scratch would take a decade and tens of billions in investment.

The architectural truth lies between these positions. Joint ventures provide Level 2 and Level 3 sovereignty (jurisdictional control and operational control) but not Level 4 (technical independence). For most regulatory requirements, Levels 2 and 3 are sufficient. For strategic autonomy, they are not.

The Edge Computing Dimension

European sovereign cloud strategy increasingly emphasizes edge computing — processing data close to its source rather than centralizing it in distant datacenters. The EU’s IPCEI on Cloud explicitly funds edge computing alongside traditional cloud infrastructure.

Edge computing aligns naturally with sovereignty requirements. Data processed at the edge may never leave the jurisdiction where it was generated. A factory in Stuttgart running AI quality inspection on locally deployed edge infrastructure achieves data sovereignty by architecture, not by policy — the data simply never traverses a network boundary.

The European edge computing market was valued at $18.7 billion in 2025, growing at 26% CAGR. Key European edge providers include SUSE (Germany), Nokia (Finland), Ericsson (Sweden), and Siemens (Germany). The convergence of 5G, IoT, and sovereignty requirements is creating a market where European technology companies have genuine competitive advantages over US hyperscalers.

Ephemeral infrastructure principles — compute that exists only for the duration of a task and leaves no trace — are particularly applicable at the edge, where workloads are often short-lived and privacy-sensitive.

Strategic Assessment

European sovereign cloud is not a single initiative. It is an ecosystem of overlapping and sometimes contradictory efforts:

  • Gaia-X provides the interoperability framework but moves at standards-body speed
  • National champions (OVHcloud, Scaleway, Ionos) offer sovereign infrastructure but lack hyperscale breadth
  • Joint ventures (Bleu, S3NS) provide hyperscale quality under European control but with persistent US technology dependencies
  • EU funding provides billions in capital but fragments across too many programs and member states
  • Regulation (GDPR, Data Act, sector-specific mandates) creates demand but compliance complexity deters adoption

The strategic gap is clear: Europe has the regulatory will, the funding, and the architectural frameworks for sovereign cloud, but lacks a single entity with the scale, capital, and engineering depth to compete with a US hyperscaler on breadth of services. The response has been federation — connecting multiple smaller providers into a collective capability. Whether federation can deliver the reliability, performance, and developer experience of a unified platform remains the central open question of European digital sovereignty.

The Stealth Cloud Perspective

Europe’s sovereign cloud movement correctly diagnoses the jurisdictional vulnerability of US hyperscale dependence. But sovereignty is a jurisdictional solution, not a privacy solution. A European sovereign cloud still requires trusting the cloud operator with plaintext data access. The Stealth Cloud architecture complements sovereign infrastructure by adding the cryptographic layer that makes jurisdiction less relevant: when the operator architecturally cannot access plaintext, the flag on the datacenter matters less than the math protecting the data.