🇪🇺 Digital Sovereignty: Europe and Belgium at a Turning Point

May 29, 2026 ·

On 27 May 2026, the European Commission formally presented its Tech Sovereignty Package — restrictions on US cloud providers for sensitive government data across all 27 EU member states. It marks the moment digital sovereignty stopped being a policy debate and became procurement law. This post analyses what that means for Europe, for Belgium, and for your organisation.

🔍 What Is Digital Sovereignty?

Digital sovereignty is the ability of a state, organisation, or individual to exercise meaningful control over its own data, technology, and digital infrastructure — free from dependency on foreign jurisdictions or corporations.

It covers three interlocking dimensions:

Dimension	Meaning
Data sovereignty	Control over where data is stored, processed, and who can access it
Operational sovereignty	Continuity of operations without reliance on foreign services that could be withdrawn
Technology sovereignty	Ability to develop, adapt, or replace the technology stack you depend on

The concept was catapulted to political prominence after the 2013 Snowden revelations, the Schrems II CJEU ruling (2020), and the US CLOUD Act (2018) — which allows US law enforcement to compel any American-headquartered company to produce data it holds, regardless of where that data is physically stored in the world.

🗺️ The EU Policy Landscape

The Digital Decade 2030

The 2030 Digital Compass, adopted in 2021, sets Europe’s four cardinal targets:

🎓 Skills: 80% of adults with basic digital skills; 20 million ICT specialists
🌐 Infrastructure: Gigabit connectivity everywhere; 5G for all populated areas; 10,000 edge nodes
🏭 Business: 75% of enterprises using cloud, AI, or big data
🏛️ Public services: All key public services fully digitalised; universal eID

The EU Regulatory Stack

The EU has built a dense regulatory framework that collectively defines digital sovereignty. Key instruments include:

Regulation	Applies	Sovereignty Relevance
GDPR	2018	Foundation for data protection; basis for Schrems II
NIS2 Directive	Oct 2024	Cybersecurity obligations for 18 sectors; director liability
Digital Markets Act	2023	Prevents hyperscaler gatekeeping; mandates portability
EU AI Act	2024–2026	Risk-based AI governance; high-risk category restrictions
DORA	Jan 2025	ICT resilience for financial sector; third-party risk management
Data Act	Sep 2025	Data sharing rights; portability; limits on foreign government access
Cyber Resilience Act	2024–2027	Security requirements across the full product lifecycle
Tech Sovereignty Package	May 2026	Sovereign cloud procurement standards; Chips Act 2.0

These regulations don’t operate in isolation — the European Parliament has explicitly acknowledged the overlapping obligations between the AI Act, GDPR, Data Act, NIS2, DORA, and CRA, requiring organisations to adopt integrated governance frameworks.

🔒 The CLOUD Act Problem

At the heart of the sovereignty debate is a structural legal conflict. The US CLOUD Act empowers US authorities to compel any US-incorporated company to disclose data — regardless of where it’s stored.

A European organisation storing data in a Frankfurt data centre operated by AWS, Azure, or Google Cloud has no legal protection against a valid US government warrant.

The Schrems II ruling (2020) already established that contracts cannot override foreign government access laws. A French Senate hearing in 2025 extracted an explicit admission from a US provider: even with European data residency, they cannot guarantee EU data will never be requested by US authorities. The EU’s Tech Sovereignty Package makes this architectural reality binding in procurement law.

The Netherlands underscored this in May 2026 by blocking IBM/Kyndryl’s acquisition of Solvinity — the company hosting DigiD, the Dutch national identity system — specifically on CLOUD Act grounds. It was the first-ever BTI acquisition prohibition based on jurisdictional data access risk.

🌐 GAIA-X: Europe’s Cloud Answer

GAIA-X, launched in 2020 by Germany and France, defines policy rules, technical standards, and a trust framework for a federated European data infrastructure. It doesn’t compete with hyperscalers — it defines sovereignty requirements they must meet to participate.

Source: GAIA-X Association — gaia-x.eu

Real-world adoption is accelerating:

SAP is investing €2 billion in sovereign cloud infrastructure
Airbus is building a Gaia-X Aerospace Data Space connecting 10,000 suppliers by 2026
BMW Group adopted Catena-X (a Gaia-X-aligned automotive data space) with nearly 200 members

⚠️ Key Challenges

Challenge	What it means
Sovereignty vs. innovation	Sovereign cloud options lag hyperscalers in features and scale
No European hyperscaler	OVHcloud, T-Systems et al. hold a small fraction of the market
CLOUD Act can’t be contracted away	Architecture must enforce sovereignty — contracts can’t
Regulatory complexity	GDPR + NIS2 + DORA + AI Act + Data Act + CRA all overlap
Fragmented member-state approaches	27 different national interpretations slow EU-wide coherence

📋 Organisational Impact in the Coming Years

For any organisation operating in Europe, digital sovereignty is reshaping five critical areas:

1. Compliance & Regulatory Burden

DORA (Jan 2025), the AI Act (phased to 2026), the Data Act (Sep 2025), and NIS2 all require integrated governance. A 2026 Kiteworks survey found 32% of European organisations experienced a sovereignty incident in the past 12 months — even though 80% considered themselves well-informed about requirements. The gap is operational, not informational.

2. Cloud & Procurement Strategy

IDC research shows 84% of European cloud users are already using or planning sovereign cloud solutions. With the Tech Sovereignty Package, organisations must tier their workloads: which require full sovereign cloud, which can use compliant public cloud, and which suit a hybrid approach.

3. Data Governance & Architecture

Architecture must enforce sovereignty technically — not just contractually. Key tools: bring-your-own-key (BYOK) encryption, federated learning for AI on sensitive data, and data residency enforced at platform level with auditable evidence artifacts.

4. Supply Chain & Vendor Risk

The Solvinity precedent means M&A and IT procurement now require a CLOUD Act jurisdictional analysis alongside standard due diligence. Investment screening can block deals solely on data sovereignty grounds.

5. Talent & Skills

The EU needs 20 million ICT specialists by 2030. Belgium must address its gender gap and ICT pipeline shortfall. Organisations need professionals who combine technical depth with regulatory literacy — a scarce and increasingly valuable skill set.

🏢 Microsoft’s Sovereign Cloud Offering in Belgium

Microsoft Digital Sovereignty Summit Brussels 2026 Microsoft convened policymakers, CIOs, and regulators in Brussels for its April 2026 Digital Sovereignty Summit. Source: Microsoft Cloud Blog

Microsoft has repositioned its sovereignty offering not as a separate cloud, but as a continuum of controls built into the existing platform — allowing organisations to choose the right posture workload by workload. In Belgium and across the EU, this plays out across four layers:

1. EU Data Boundary

Microsoft’s EU Data Boundary commits to storing and processing customer data for core commercial services (Azure, Microsoft 365, Dynamics 365, Power Platform) within the EU and EFTA. Belgian public-sector and enterprise customers benefit from data residency in EU data centres — including Microsoft’s Belgium North (Ghent) region — without the need to move to a separate sovereign environment.

⚠️ Important caveat: the EU Data Boundary addresses where data is stored, but does not repeal CLOUD Act jurisdiction. As Microsoft itself acknowledged at the April 2026 Digital Sovereignty Summit in Brussels, sovereignty is “a continuous risk management discipline rather than a fixed destination” — contractual and residency guarantees are necessary but not sufficient.

2. Azure Local — Sovereign Private Cloud

Microsoft Sovereign Private Cloud — Azure Local, M365 Local, Foundry Local Sovereign Private Cloud: unifying Azure Local, Microsoft 365 Local and Foundry Local across connected, intermittently connected, and fully disconnected environments. Source: Microsoft Blog, Feb 2026

For workloads that require stricter control, Azure Local (formerly Azure Stack HCI) enables organisations to run Azure services on-premises or in a partner-operated environment, physically within Belgium. Key capabilities:

Disconnected operations — Azure Local can run critical infrastructure with full Azure governance and policy enforcement even with no cloud connectivity, supporting classified or isolated environments
Partner-operated sovereign cloud — in Belgium, certified partners operate sovereign Azure Local environments, providing physical isolation under Belgian jurisdiction while maintaining Azure management consistency
GPU acceleration and large AI models — Azure Local now supports large-scale deployments with GPU acceleration, enabling AI inferencing fully within the customer’s sovereign boundary

For regulated workloads (healthcare, justice, finance), Azure Local combined with Belgian-jurisdiction partner clouds meets the strictest local hosting requirements.

3. Microsoft 365 Local — Sovereign Productivity

Microsoft 365 Local brings core collaboration workloads — Exchange Server, SharePoint Server, Skype for Business Server — into the customer’s sovereign private cloud on Azure Local. Teams remain productive and data stays within the organisation’s controlled boundary, even when fully disconnected from the public cloud. Microsoft has committed support for these workloads through at least 2035.

4. Foundry Local — Sovereign AI

Foundry Local (part of Microsoft Azure AI Foundry) allows organisations to run large, multimodal AI models in fully disconnected sovereign environments. For Belgian organisations in sensitive sectors — defence, intelligence, regulated finance, or healthcare — this enables advanced AI capabilities without any data leaving the national or organisational boundary.

Microsoft’s Sovereignty Posture: Strengths and Limits

Panel discussion at the 2026 Microsoft Digital Sovereignty Summit, Brussels. Source: Microsoft Industry Blog

Capability	What it delivers	Limitation
EU Data Boundary	Data stored in EU; covers M365, Azure, Dynamics	Does not override CLOUD Act jurisdiction
Customer-Managed Keys (CMK/BYOK)	Encryption keys held by customer; operationally inaccessible to Microsoft	Keys may still be subject to compelled disclosure if held by Belgian subsidiary of US company
Azure Local (disconnected)	Full sovereignty, no cloud dependency, partner-operated in Belgium	Higher cost; requires trusted local partner
Microsoft 365 Local	Sovereign productivity, supported to 2035	On-premises management overhead
Foundry Local	Large AI models in disconnected sovereign boundary	Infrastructure investment required

Microsoft’s approach recognises that sovereignty and innovation are not a tradeoff. By offering a hybrid spectrum — from standard cloud with EU residency through to fully disconnected sovereign private cloud — Belgian organisations can apply the right level of control to each workload without fragmenting their architecture or sacrificing access to Microsoft’s global security intelligence and AI capabilities.

For most Belgian organisations, the practical answer is a hybrid strategy:

General business data → Microsoft 365 with EU Data Boundary and Customer Key encryption
Sensitive/regulated workloads → Azure Local via a certified Belgian sovereign cloud partner
Critical classified workloads → Fully disconnected Azure Local + M365 Local + Foundry Local

📌 Conclusion

The EU’s Tech Sovereignty Package is not the beginning of this story — it is the point where years of court rulings, geopolitical wake-up calls, and regulatory evolution converged into enforceable law. The CLOUD Act problem that Schrems II exposed in 2020 is now a procurement criterion. The architectural sovereignty that security teams have been quietly arguing for is now a public-sector standard. And the gravity of those standards is already pulling the private sector in the same direction.

The key insight running through this entire analysis is deceptively simple: contracts cannot fix a legal jurisdiction problem — only architecture can. Whether that means encrypting data with customer-managed keys in Azure, running workloads on Azure Local behind a certified Belgian sovereign cloud partner, or deploying Foundry Local AI models in a fully disconnected environment — the answer is always structural, never contractual.

Microsoft’s response is instructive precisely because it is pragmatic rather than ideological. Rather than building a separate “sovereign cloud” silo, Microsoft has embedded a continuum of sovereignty controls into its existing platform — allowing organisations to calibrate posture workload by workload. EU Data Boundary for general business data; Azure Local for regulated or sensitive workloads; fully disconnected Sovereign Private Cloud for classified or mission-critical environments. That spectrum mirrors what every Belgian and European organisation actually needs: not a binary choice between hyperscaler convenience and total isolation, but a risk-proportionate hybrid architecture with clear governance at every tier.

For organisations, three priorities follow directly from this analysis:

Classify before you procure. Know which workloads carry legal, regulatory, or strategic sovereignty requirements before making cloud decisions. The Tech Sovereignty Package has drawn the line for public-sector data in healthcare, finance, and justice — but every organisation has its own equivalent sensitivities.
Make sovereignty provable, not just assertable. Regulators, auditors, and procurement officers will increasingly demand evidence — audit logs, key management records, architecture diagrams showing data flows — not SLA clauses. Build the evidence layer into your design from day one.
Treat compliance as a floor, not a ceiling. The organisations that gain competitive advantage from digital sovereignty will be those that go beyond minimum compliance: using it to build customer trust, win regulated-sector contracts, and future-proof their architecture against a regulatory landscape that will only tighten through 2030 and beyond.

Digital sovereignty is no longer a future scenario. It is today’s procurement law, tomorrow’s board risk agenda, and the decade’s defining infrastructure challenge. The organisations that act now — with deliberate architecture, not reactive compliance — will be the ones still standing when the next wave of enforcement arrives.