A Dutch "sovereign" cloud almost became American overnight. Only a last-minute government veto stopped it.
Real digital sovereignty was never just about where your data lives. It is about whose government can force the company holding it to hand it over. Europe is about to spend billions and still miss it.
On June 3rd, the European Commission is finally due to present its plan for digital independence. It has been pushed back three times since March, with no official reason for the latest delay. And the goal is smaller than it sounds. In Brussels' own words, the aim is to make sure Europe "could" do without American technology if it ever had to. Not to actually do without it. Just to keep the option open, on paper.
Here is why that misses the point.
You can keep every file on a server in your own country, run by a company from your own country, and still not control it. If that company is owned by an American parent, a US court can order the data handed over, wherever it sits, and the company has to comply. No European judge has to agree. You might never even be told.
The Netherlands almost learned this the hard way. Several Dutch public bodies had deliberately chosen Solvinity, a Dutch cloud provider, to stay clear of American law. Solvinity also runs DigiD, the login that millions of Dutch citizens use to reach government services. Then, last November, the US firm Kyndryl announced it was buying the company. Nothing would have moved. The servers would have stayed put. But that "sovereign" Dutch cloud, national identity system and all, would suddenly have answered to a US owner, and through that owner, to US law.
Last week, the Dutch government pulled the emergency brake and blocked the sale. It took a minister stepping in at the last moment, and only because it touched something as visible as the national ID system. A sovereignty you rent can be bought out from under you while you sleep, and you cannot count on a minister to notice in time. Blocking one sale is not the same as removing the dependency. It is still sitting there.
The organisations that take this seriously are not waiting. They are not renting a sovereign label, they are changing what they run. Austria's armed forces moved 16,000 computers off Microsoft Office onto software they host themselves, and said openly it was about sovereignty, not cost. The city of Lyon is doing the same. France's national police have run their own version of Linux across more than 100,000 machines for years. None of that can be bought, relicensed, or switched off by someone on the other side of an ocean.
That is the real test of sovereignty. Not what a government promises this week, but whether you still control your systems when the politics turn against you.
So here is the real question. If the company holding your data answered to a foreign court tomorrow, would you even know? And what would you do about it?
