In an era of geopolitical instability, the discussion in Europe about IT infrastructures has seen a fundamental shift from a cloud-first mindset to that of the sovereignty-first mindset. For a very long time, European enterprises have been dependent on a few hyperscalers from outside of Europe, who seemed to offer economies of scale, efficiency, and robustness without considering the question of sovereignty. However, a number of high-profile outages toward the end of 20251, along with continued geopolitical conflict and increasing EU legislation, have made IT leaders to stop and re-examine their options.
Central to this shift is the Commission’s Cloud Sovereignty Framework. This is no longer just a theoretical policy; as of 2026, it has become the practical benchmark for multi-million euro tenders, designed to give European entities full control over their digital destiny.
In effect, data sovereignty is no longer just a compliance checkbox – it is now a matter of operational resilience and business continuity for organisations in Europe.
European Commission Regulations – tightening controls and insulation
The European Commission has taken action to codify digital independence, and organisations now need to be aware of the changing regulatory environment. While previous efforts focused on where data was stored, the Commission’s Cloud Sovereignty Framework evaluates sovereignty across several pillars such as legal jurisdiction, operational independence (ensuring services are managed by EU-resident personnel), and technological openness to prevent vendor lock-in.
Currently, these codified acts are:
1. The EU Data Act came into force in September 2025 and is one of the most important developments. Salient points are:
a. Reduces vendor lock-in by making switching between cloud providers easier with open standards and interoperability.
b. Improve customer control over data access and portability.
Boiling this down, it means sovereignty is not just about where data resides, it is also about how easily an organisation can move, recover and regain control of its data.
2. The EU AI Act – although it is already in force, applicability is being expanded in phases throughout 2026 and beyond. In short, high-risk AI systems face stricter governance expectations, including stronger controls over the quality, provenance, storage, and handling of data. In effect, for IT departments, this means storage strategy is now part of AI compliance.
3. European Cybersecurity Certification Scheme for Cloud Services (EUCS). Launched in 2022, it is evolving into a sovereignty-focused framework. In essence, its mandate is to drive the European cloud market to one where the most sensitive services are not only secure but also insulated from non-European legal and operational control.
Taken together, these measures show that the sovereignty conversation is no longer theoretical. It is becoming embedded in procurement, architecture, and risk management.
The EU Digital Omnibus 2026 – resolving Acts conflict and complexity (perhaps)
For organisations, managing compliance with items (1) and (2) has become a headache, primarily because the Acts often overlap or conflict in their finer details. To resolve these contradictions, the European Commission is proposing the EU Digital Omnibus 2026.
Designed as a “simplification” package, it serves as a legislative bridge to align the requirements of the GDPR, the Data Act, and the AI Act into a single, consistent “rulebook”.
· The Upside: To harmonize conflicting definitions (such as what constitutes “non-personal data”) and streamline how companies prove compliance across multiple laws.
· The Downside: This may actually introduce new auditing requirements as the EU attempts to “close the loop” on data leaving the continent under the guise of AI training.
Cloud Resilience and Data Sovereignty – inextricably intertwined?
The “outages outrage” of 2025 starkly showed organisations that the cloud is a dependency model. When glitches happen, the impact can be huge and affect far more than a single application or region. Identity services, storage APIs, backup links, and control planes can all become part of the outage blast zone. For example, the AWS DynamoDB/US-EAST-1 Incident2 on 20th October 2025 originated in a US region. The failure of core identity and database services had a far-reaching impact across the world. The European Commission was hit (which likely as the catalyst for fast-tracking the Commission’s Cloud Sovereignty Framework), along with Odido (Netherlands), L’Oreal and the European Financial Services Network amongst others. In UK, organisations such as HMRC, Lloyds Bank, Vodafone and BT were also affected.3
How does this connect into data sovereignty? Basically, technical dependency can quickly turn into legal and operational dependency. For example, if a critical workload sits on a platform controlled outside the EU, then an outage is not just a service problem. It becomes a question of who controls recovery, where data can be accessed, and whether the organisation can continue operating under such outages.
For many organisations, this became a critical convergence point when cloud resilience and data sovereignty stopped being separate conversations – they became the same conversation and drawing on-premises data management into that conversation.
In the red corner: Public Cloud. In the blue corner: On-Premises Environments
The “cloud versus on-prem” argument has always been a point of debate with the pendulum swinging between both extremes. In the context of European data sovereignty, the stakes are higher and more urgent.
Public cloud remains compelling for agility, scale, and speed of deployment. It can help IT teams become more efficient due to the ease of scaling up infrastructure effortlessly by the very nature of public cloud. However, by its very nature, it also amplifies jurisdictional and operational risk, especially when the cloud provider is based outside of Europe.
Even if data is hosted in Europe, the provider may still be subject to foreign legal obligations. That means residency alone is not enough to guarantee sovereignty. In fact, 2025 saw the first high profile example of a jurisdictional outage where US sanctions forced a major cloud provider to suspend services for specific international legal entities4. For Europeans, this highlighted the danger that a foreign government or entity could, in theory, unplug critical infrastructure for political or legal reasons5. This “kill switch” action may very well act as further impetus behind the European drive towards sovereign systems.
On-premises environments and sovereign private cloud offers a compelling and different value proposition. It enables organisations to have direct control over storage, access, encryption, and recovery without the underlying anxiety compared to public cloud storage (from a financial perspective, costs of on-premises solutions are predictable in comparison to variable
ingress/egress cloud costs). That control makes it easier to enforce legal boundaries, keep data within a defined jurisdiction, and maintain independence from external providers. Conversely, the trade-off is that the organisation must own the complexity of data management including security, updates, backup, and disaster recovery processes.
The Winning Punch: Storage as a Sovereign Fortress
At the data storage layer, sovereignty is now a physical reality, not just a policy ideal. In 2026, IT leaders are asking a different question: “Who truly holds the keys?”
True sovereignty relies on three essential pillars of storage design:
1. Physical Custody: This means that primary data and backups must stay on hardware that cannot be “switched off” by a foreign court order or a major CSP failure.
2. Access Autonomy: Organisations need to control who can access a snapshot or initiate a recovery without involving a non-European provider as a required middleman.
3. Exit Route: This allows organizations to move, restore, and scale data without incurring “data gravity” fees or waiting for help from a third party during a global outage.
Hybrid is the foundation of resilience. By placing regulated, sensitive or mission critical workloads into on-premises systems or independent private clouds, organisations are creating a “Sovereign Core.”
This strategy does not mean abandoning the cloud; it’s about smart placement. While the public cloud can still be helpful for extra capacity and non-critical services which would benefit from the elasticity, the data that gives you a competitive edge and meets legal requirements needs to be in an environment you directly control. To avoid even the possibility of a
jurisdictional “kill switch,” your most critical assets need to be within your physical reach. On-premises data storage is not an outdated choice; in 2026, it is the best way to ensure digital independence.
…Of course, a blog article is not complete without a plug for Tintri 😊
The Tintri Advantage: Reclaiming Autonomy Without Compromise
In this new era of digital borders, Tintri serves as the critical bridge for organisations seeking true independence. Its hypervisor-agnostic, workload-aware data management platform provides IT teams with surgical control at the virtual machine and application level, rather than tethering them to a rigid hardware layer. This ensures that your digital estate remains fluid, visible, and perfectly aligned with the high-performance demands of modern hybrid architectures.
For organisations pursuing sovereignty, Tintri’s unique value lies in its ability to deliver cloud-like simplicity within a secure, on-premises, or Europe-based environment. This allows teams to maintain absolute locality and direct operational oversight while still leveraging sophisticated automation, rapid recovery, and granular intelligence. In a landscape where the ability to prove data residency and immediate recoverability is a legal mandate, this combination is indispensable.
Perhaps most importantly, Tintri empowers organisations to sever their dependency on non-European providers without sacrificing operational agility. For teams navigating the interoperability requirements of the EU Data Act and the stringent governance standards of the EU AI Act, Tintri’s balance of visibility and performance provides the exact foundation a sovereignty-aware infrastructure requires. It isn’t just about where your data lives – it’s about ensuring you, and only you, retain the power to manage it.
1 “Critical cloud outage risk remains significant despite decline in occurrence: Parametrix”, 7 April 2026, Reinsurance News
2 “A single DNS race condition brought Amazon’s cloud empire to its knees”. 23 Oct 2025. The Register
3 “Amazon says AWS cloud service back to normal after outage disrupts businesses worldwide”, 21 Oct 2025. Reuters
4 “Microsoft throws spox under the bus after Parliament testimony on ICC email kerfuffle”, 18 Feb 2026. The Register
5 “A ‘Kill Switch’ Could Shutter Europe’s Access to US Tech. Here’s How.”, 28 Aug 2025. TechPolicy Press
