The sovereignty promises of cloud and AI providers have never been tested as publicly as they have been in the past eighteen months. It has been instructive to observe, and not always in the direction the providers would probably have chosen.
The pattern that has emerged is however consistent enough to be considered structural rather than coincidental. A provider makes a sovereignty commitment — typically in response to regulatory pressure, a high-profile contract loss, or a public statement from a government customer expressing concern.
The commitment appears real in intent but is conditional in its delivery: it will be faithfully honoured when it is operationally convenient to do so and quietly adjusted when it is not. The customers who relied on it discover that conditionality only when circumstances change.
The clearest recent example does not require naming a specific vendor, even though almost everyone knows who was involved. What actually matters is the mechanism of control and the actions taken.
When the International Criminal Court's chief prosecutor had his email and services suspended in direct response to a foreign government's direction, the result was not a failure of technology — but demonstration of where operational control actually resides.
The provider made a choice, under external pressure, that overrode the service commitment to the customer. Shortly afterwards, the ICC announced a transition away from the affected platform towards open-source alternatives developed under European government funding.
That transition is now part of a broader pattern visible across the continent. A December 2025 Gartner survey of 214 Western European CIOs found that 61% intend to shift more workloads to local or regional providers in response to geopolitical concerns; 53% plan to restrict use of global hyperscalers; and 44% had already started.
An April 2026 report by the Open Rights Group described the UK as being in a “crisis of digital dependency”; noting that the Big Three hyperscalers provide cloud services to more than 90% of UK public sector organisations. In January 2026, 45 MPs submitted an Early Day Motion calling for a binding UK digital sovereignty strategy, warning explicitly of exposure to “service withdrawal, sanctions, commercial failure, geopolitical disruption and unilateral changes in service terms”.
The structural problem data boundaries don’t solve
The providers’ response to this pressure has been consistent too. Data boundaries, sovereign landing zones, regional operating models, in-country processing commitments — the vocabulary of sovereignty has expanded considerably. Whether the substance has expanded at the same rate is a different question. The core issue that none of these constructs fully resolves is corporate jurisdiction. A provider incorporated under US law remains subject to US law regardless of where its data centres are located, where its European staff are employed, or what its contractual commitments say. The CLOUD Act, enacted in 2018, enables US authorities to compel access to data held by US-headquartered companies even when stored abroad and even in jurisdictions with conflicting data protection law. In a French Senate hearing in June 2025, Microsoft France’s president acknowledged that the company could not guarantee customer data would never be transferred to US authorities under that Act.
This is not a criticism unique to any single provider. It is a legal reality that applies to every US-headquartered cloud or AI company regardless of their European commitments, their investment in local infrastructure, or the sincerity of their sovereignty marketing. The EU’s European Cloud Sovereignty Framework, introduced in October 2025, uses a sovereignty score that explicitly weights exposure to non-EU legislation — which means every US provider faces a structural ceiling on that score regardless of their European footprint.
The term “sovereignty washing” — coined by critics of providers claiming sovereignty whilst remaining under US corporate jurisdiction — captures the problem precisely. As Cristina Caffarra, founder of the Eurostack Foundation, put it: “A company subject to the extraterritorial laws of the United States cannot be considered sovereign for Europe. That simply doesn’t work.”
What genuine sovereignty requires
The CoPilot inference delays announced earlier this year — with the UK slipping to end-2026, Japan to 2028, EU nations receiving regional rather than the promised (and required) national processing — illustrate a different dimension of the same problem.
Sovereignty is not only about who can access your data under legal compulsion; it is also about whether the provider can deliver what they committed to, on the timescale they committed to, when their own operational priorities change, or influence is exerted at a home government level.
A sovereign capability that exists only when it is convenient for the provider or permitted by decision of a foreign government is not a sovereign capability.
For organisations with genuine sovereignty requirements — whether driven by regulation, national security, or the straightforward desire not to have their AI infrastructure subject to another country’s political decisions — the architecture that resolves these issues is the one described in our earlier blog post on the three levels of sovereignty: air-gapped, nationally controlled, with no persistent dependency on any external provider’s operational decisions or legal exposure.
That architecture is not the most ubiquitous commodity mode of AI infrastructure operation; though it need not be more expensive than public cloud, and is the only one where the answer to ‘can this be switched off or accessed without our consent?’ is unambiguously no.
For the growing number of organisations for which that question now has operational rather than theoretical significance, convenience has started to look like a less important consideration than integrity of your cloud and AI services or the achievement of autonomy.
Axiom Edge designs and deploys the Autonomy Sovereign AI inference infrastructure at air-gapped national level. Learn more at axiom-edge.ai