“Sovereign cloud” has become a loaded term. For some it means a data centre on Belgian soil; for others, a cloud no US law can touch. Both are incomplete. This guide cuts through the marketing: what sovereignty actually means, the real options for Belgian organisations, what each costs in money and agility, and — crucially — when you genuinely need it. It builds on the US Cloud Act vs GDPR, which explains why the question arises in the first place.
TL;DR
- Sovereignty has three layers: data residency, operational control, legal jurisdiction.
- Most workloads do not need full sovereignty — classify first.
- Options run from EU regions of hyperscalers to partner-operated sovereign clouds to European providers and on-prem.
- Higher sovereignty usually means higher cost and less service breadth.
- The right answer is a portfolio, matched to data sensitivity — not one cloud for everything.
First, classify your data
Sovereignty controls are expensive and constraining, so applying them to everything is wasteful. Start by sorting workloads into tiers — for example: public/marketing data; ordinary business data; regulated or sensitive personal data; and state/critical-sector data. Only the top tiers usually justify the strictest sovereign options. This single step often cuts the “sovereign” footprint to a small fraction of the estate and saves a great deal of money.
The options, from least to most sovereign
| Option | What it gives you | Trade-off |
|---|---|---|
| Hyperscaler EU region | Data residency in the EU; full service breadth and agility. | Operator may remain US-controlled → CLOUD Act exposure persists. |
| + Customer-managed keys | You hold encryption keys in EU-controlled KMS; provider cannot decrypt alone. | Operational complexity; metadata and some access paths still exist. |
| Sovereign / partner-operated cloud | A European entity operates the platform under EU law; access controlled locally. | Fewer services, slower feature parity, premium pricing. |
| European cloud provider | Provider outside US jurisdiction entirely. | Smaller ecosystem; you may re-architect and retrain teams. |
| On-premises / private cloud | Maximum control; nothing leaves your walls. | Capex, ops burden, you carry resilience and scaling yourself. |
The honest trade-offs
There is no free sovereignty. As you move down the table you typically gain jurisdictional control and lose three things: service breadth (the newest managed and AI services appear on hyperscalers first), agility (smaller catalogues mean more building yourself), and often cost-efficiency(sovereign and on-prem options carry premiums or capex). The goal is not to maximise sovereignty — it is to buy exactly as much as your risk profile and regulator require, and no more.
When you genuinely need it
Strong sovereignty earns its cost when you handle: special-category personal data at scale (health, biometrics); data under sector rules with localisation or access expectations (parts of finance, public sector, defence, critical infrastructure under NIS2); or data whose exposure to a foreign government would be strategically damaging. For a marketing site, an internal wiki or anonymised analytics, an EU region of a mainstream provider is usually proportionate.
A pragmatic decision path
- Classify workloads by sensitivity and any sector localisation rules.
- Map regulatory drivers — GDPR transfers, NIS2/DORA expectations, contractual clauses.
- Match each tier to the least-sovereign option that satisfies its risk; reserve sovereign/on-prem for the top tiers.
- Add technical controls — EU-held keys, access restrictions, EU-only support paths — before changing provider.
- Plan the exit — portability and reversibility, which DORA explicitly expects for critical functions.
Most Belgian organisations land on a hybrid portfolio: hyperscaler EU regions for the bulk, sovereign or European options for the sensitive minority. That is not a compromise — it is good architecture.
General information, not legal advice. ICTLAB designs cloud architectures that balance sovereignty, cost and agility for Belgian organisations — see our cloud architecture service or talk to our team.