Sovereign Clouds and Data Residency: Why Startups Are Quietly Leaving the Hyperscalers
Not for ideology. For a procurement question buried around item forty of every European security questionnaire — and for a bandwidth bill that stopped making sense a long time ago.
A Series A founder in Berlin gets the same email every quarter now. A prospective enterprise customer's security team sends over a vendor questionnaire, and somewhere around question forty, after the SOC 2 boilerplate and the usual encryption-at-rest checkboxes, sits the one that actually decides the deal: can any non-EU government compel access to our data?
If the honest answer is yes, it doesn't matter that the servers sit in Frankfurt. The deal stalls, or it dies quietly in procurement, and nobody on the founder's side ever quite understands why the "we're GDPR compliant" slide didn't land. It didn't land because the buyer wasn't asking about residency. They were asking about sovereignty, and those are not the same question — a distinction that's now costing early-stage companies real revenue, and one that most explainers on this topic still get wrong.
The Residency Illusion
For years, "sovereign cloud" was a phrase a hyperscaler's sales team used to close a nervous European buyer. Pick an EU availability zone, check the GDPR box, move on. Most companies — startups especially — believe that settles the matter. It doesn't, and the gap between what they think they've solved and what they've actually solved has a name: the residency illusion.
Data residency is a geography question. Where do the bytes physically sit? Choose an EU region on AWS, Azure, or GCP, and the answer is Frankfurt, or Dublin, or Amsterdam. That's easy to buy — it's a dropdown menu.
Data sovereignty is a control question. Which legal system governs the company running that infrastructure? Who can compel it to hand data over, and under what process? Who actually holds the encryption keys? Does the customer retain the operational ability to walk away if political or legal conditions change?
The two diverge sharply the moment a provider is incorporated in the United States. The US CLOUD Act lets American authorities compel a US-headquartered cloud company to produce data it controls, no matter which country the servers physically sit in. No EU regional deployment changes that exposure, because the law reaches the corporate entity, not the data center. Even Microsoft's own 2026 compliance guidance concedes it cannot give an absolute guarantee that EU customer data will never be the subject of a US access request. A Frankfurt zone run by a US company satisfies residency. It does not, on its own, satisfy sovereignty.
That distinction sat mostly in the footnotes of legal briefings until this year. In 2026, it moved into the boardroom — and into the term sheet.
What Actually Changed in 2026
Three things converged to turn an abstract legal nuance into a live commercial risk for anyone selling software into Europe.
1. Brussels put a number on it
On June 1, 2026, the European Commission published its Cloud Sovereignty Framework — the first formal, graded method for scoring how sovereign a cloud provider actually is, rather than how sovereign its marketing claims to be. Providers are scored across eight dimensions — legal jurisdiction, operational independence, supply chain, security, and more — and rolled up into a single rating on what's called the SEAL scale, short for Sovereignty Effectiveness Assurance Level. It runs from SEAL-0, meaning no meaningful sovereignty, up through SEAL-2 (genuine data sovereignty) to SEAL-4, full digital sovereignty. The CLOUD Act is written into the scoring methodology by name, as a structural risk factor that quietly caps any US-owned provider near the bottom of the ladder no matter how many EU regions it operates.
This isn't an academic framework sitting in a policy PDF. The Commission built it around a real procurement decision: a €180 million contract to supply sovereign cloud infrastructure to EU institutions, awarded that same April to four European providers instead of any US hyperscaler. When the largest buyer in Europe writes "US-owned need not apply" into a tender of that size, the signal travels straight down into every enterprise security questionnaire that follows — including the ones landing in early-stage startups' inboxes.
2. The regulatory stack finally has teeth
The SEAL framework didn't arrive in isolation. The EU Data Act became fully applicable in September 2025, tightening switching and interoperability obligations for cloud providers. DORA has been in force for financial services since early 2025, and NIS2 layers on data-location and resilience requirements for critical infrastructure sectors. The EU AI Act's obligations for high-risk systems are set to land in August 2026. None of these, on their own, mandate residency — but together they make sovereign deployment the path of least resistance for satisfying all of them at once, because the enterprise retains the full audit trail instead of trusting a foreign vendor's attestations. Cumulative GDPR fines had already reached roughly €7.1 billion by early 2026, with cross-border data transfer violations remaining one of the highest-risk enforcement categories — a number every general counsel in Europe has memorized.
3. Enterprise buyers stopped accepting the old answer
Seventy-two percent of European organizations now list data sovereignty as a key criterion in vendor selection, not a nice-to-have. For a startup selling into banks, healthcare systems, or the public sector, that's not a compliance detail — it's the gate the deal has to pass through before pricing is even discussed.
It's Not Only Compliance. It's the Math.
Most coverage of this shift stops at regulation, which makes it sound like a problem only enterprise-facing startups have. It isn't. The economics of the hyperscaler model have quietly stopped working for a much broader set of founders, and the mechanism is a line item most teams don't look at until it's too large to ignore: egress.
Cloud providers charge nothing to bring data in and a great deal to take it back out — a pricing asymmetry that funds their backbone but also functions as a retention mechanism. AWS charges roughly $0.09 per GB for standard internet egress, Azure around $0.087, Google Cloud up to $0.12. Those numbers look trivial on a pricing page. They stop looking trivial once a product has real usage.
That multiplier compounds with scale. A team storing 100 terabytes on S3 faces roughly $8,700 in egress fees just to move that data to another provider — a cost incurred before the migration even starts, which is precisely why it functions as lock-in rather than a byproduct of infrastructure. Industry analysis puts data transfer at 6 to 12 percent of a typical cloud bill, and considerably higher for any product with active egress — API responses, media delivery, cross-region replication, log shipping to observability tools. One estimate from an IDC survey found 45 percent of organizations had repatriated at least some workloads off the major hyperscalers in the prior twelve months, citing unpredictable data-movement costs as a primary driver, right alongside compliance.
European-headquartered and regional providers have built their pitch directly around this gap. Scaleway and OVHcloud offer developer-focused, EU-domiciled infrastructure with materially lower and simpler transfer pricing. Hetzner has built a reputation among cost-conscious founders on generous included bandwidth and low overage rates. None of them will match the breadth of a hyperscaler's managed-service catalog — but for a startup whose workload is stateless, bandwidth-heavy, or storage-bound, that trade increasingly pencils out on cost alone, before sovereignty even enters the conversation.
What "Moving Away" Actually Looks Like
Almost nobody is doing a wholesale migration off AWS in one motion, and the founders getting good outcomes aren't trying to. What's actually happening is more deliberate — a pattern of intentional hybridity rather than a clean break.
- Classify before you migrate. Not all data carries the same exposure. Customer PII, health records, and financial data belonging to EU users are the workloads under real regulatory and procurement pressure. Marketing analytics and internal tooling usually aren't.
- Move the regulated slice, not the whole stack. The common pattern is keeping compute-heavy, less-sensitive workloads on the hyperscaler where the managed-service ecosystem is genuinely faster to build on, while routing regulated customer data through an EU-domiciled provider with customer-held encryption keys and a local legal entity.
- Own the keys, not just the region. A provider that manages your encryption keys on your behalf can be compelled to hand them over along with the data. Customer-managed or bring-your-own-key setups are what actually changes the legal exposure — this is the single highest-leverage architectural decision in the whole conversation.
- Build a control plane that isn't locked to one cloud. Founders using Kubernetes, open-standard object storage APIs, and infrastructure-as-code from the start find the eventual multi-region or multi-provider move is a configuration change, not a rewrite. This is the "software sovereignty" layer — using open, portable stacks so a jurisdictional decision doesn't become an engineering emergency two years later.
A Founder's Decision Framework, Not a Vendor List
Most articles on this topic end with a table of providers. That's the wrong deliverable for a founder, because the right provider depends entirely on what you're actually protecting and who's asking. Work through these questions before you touch a migration plan.
Before you move anything, answer these
- Who is actually asking? If it's a European enterprise, public-sector, financial, or healthcare buyer, sovereignty is likely a hard procurement gate, not a preference. If your buyers are US mid-market SaaS teams, this may not be your fight yet.
- What's the SEAL level your prospects expect? A regulated enterprise deal may require SEAL-2 or above. A general commercial deal may only need documented residency. Don't over-engineer for a bar nobody's asking you to clear.
- Where does your egress spend actually concentrate? Pull ninety days of billing data before making an architectural decision on sovereignty grounds alone. Sometimes the honest driver is cost, not compliance, and the fix is different.
- Who holds the keys today? If your cloud provider manages encryption keys on your behalf, that's your biggest single exposure — and usually the cheapest one to fix.
- Can you actually leave if you need to? Price out what a full data exit would cost in egress fees right now, before you're forced into it under deal pressure. If the number is shocking, that's information.
The Honest Counterpoint: Don't Over-Rotate
It's worth saying plainly, because most content on this topic won't: full sovereignty everywhere is usually the wrong target for an early-stage company. The regional and sovereign-cloud providers filling this gap generally offer a narrower catalog of managed services — less mature AI tooling, thinner global edge networks, fewer one-click integrations. Rebuilding a stack around EU-only infrastructure before you have EU enterprise revenue to justify it is a real cost with no matching benefit yet.
The founders handling this well aren't choosing a side. They're classifying workloads by actual exposure, keeping the parts of the stack that benefit from a hyperscaler's depth where they are, and moving only the regulated, buyer-sensitive slice to infrastructure that can prove sovereignty rather than merely claim it. That's a smaller, cheaper, more defensible project than the framing "leaving AWS" suggests — and it's the version that actually survives a security questionnaire.
The Bottom Line
The sovereign cloud market is projected to reach somewhere around $195 billion globally in 2026, on its way toward figures several times that by the early 2030s, according to multiple industry forecasts. That growth isn't being driven primarily by government mandates anymore — it's being driven by procurement teams at ordinary enterprise buyers who've learned to ask a sharper question than "where's the data center." For a startup trying to close its first serious European enterprise logo, or trying to explain why its AWS bill doubled without a matching jump in users, the honest move in 2026 isn't picking a side in a hyperscaler-versus-sovereign-cloud debate. It's knowing precisely which of your workloads needs to answer to which law, and being able to prove it — with a straight answer to question forty, not a slide about GDPR.
