The Trojan Horse of the 'Sovereign Cloud'
Fabian Peter, 6 min read


Why Europe’s new sovereignty is often just American-painted

The meme is brilliant in its simplicity:

A Trojan horse rolls up to the gates of Europe.

On it is written: “Sovereign Cloud”.

Inside sit: AWS, Microsoft, Google – smiling happily.

And at the gates of the city stand two European men pulling the rope, saying: “Let’s bring it in - it looks safe.”

This cartoon captures what is currently happening in Germany and Europe:

We talk about digital independence, yet we build our sovereignty on the same foundations that made us dependent.

We call it progress, but often it’s just a rebranding of old structures – politically desired, technically polished, strategically convenient.

Delos Cloud: A Microsoft Core in German Clothing

The most prominent example is Delos Cloud.

It is supposed to become the “sovereign cloud for public administration” – developed by Arvato Systems (Bertelsmann) in partnership with Microsoft.

The federal government, specifically the Federal Employment Agency, is already testing it.

And the promise sounds convincing:

All data remains in Germany, operations are subject to German law, personnel are security-checked, Microsoft has “no direct access”.

But a closer look reveals: The architecture remains the same.

The basis is Azure – the same platform, the same API structures, the same update mechanisms.

Delos is an intermediary layer – a German mediator that localizes, regulates, and secures Microsoft’s technology.

This is not deceit, but neither is it independence.

It is a pragmatic crutch to cover economically inevitable dependencies with politically viable vocabulary.

Or, to stay with the meme: We built the horse out of wood, but the soldiers inside are allowed to stay.

STACKIT + Google Workspace: Sovereignty Light

A second approach comes from the Schwarz Group, which has launched a “sovereign” productivity offering for Germany and Europe with its cloud brand STACKIT in collaboration with Google Workspace.

The principle:

The data is stored in STACKIT’s German data centers, the encryption keys remain with the customer, Google itself has no access to content.

Everything sounds like control, self-determination, and GDPR compliance.

But here too: The code remains American.

The software logic, the APIs, the integrations – all of this lies outside European capability.

What we call “sovereignty” is often just a smart compromise: We can decide where the data is stored, not how the platform functions.

One might say: We sit on the horse, but someone else holds the reins.

The Reflex: Outsource Trust, Along with Responsibility

Both projects show how strong the desire for control is – and how deep the fear is of actually exercising this control.

True digital sovereignty is uncomfortable.

It requires technical know-how, long-term investments, political consistency.

And it contradicts short-term efficiency logic.

That’s why we’ve become accustomed to a dangerous reflex in Europe:

We outsource trust.

We delegate responsibility to providers, certificates, audits, labels.

And call it governance.

“Sovereign Cloud” is often less a technical advance than a semantic trick:

We shift the boundary of control without truly possessing it.

The result is a perceived shield – and a real dependency in elegant packaging.

The common arguments always sound the same:

“Our data is stored in Germany.”

“The company is organized under German law.”

“There are no transatlantic access possibilities.”

All of this is correct – but also incomplete.

Because legal sovereignty is not the same as technological control.

If the code remains proprietary, the update pipelines are centralized, and the platform logic is externally managed, then the legal jurisdiction is of little use.

A contract does not replace understanding.

And a German data center does not make a European architecture.

Sovereignty, properly understood, means:

You can decide for yourself, check for yourself, change for yourself.

Everything else is supervised independence.

The Economic Magnetism of Convenience

Of course, there are good reasons for this path.

US hyperscalers offer massive economies of scale, a global pace of innovation, and service quality that few in Europe can replicate.

A sovereign solo effort would be expensive, risky, and politically hard to sell.

But therein lies the dilemma:

The convenience of integration is stronger than the will to control.

We use the same tools, just in different packaging – and call it a “strategic partnership”.

But in the end, the same developers in Redmond, Mountain View, and Seattle work on the codebase.

We operate sovereignty in the frontend – and dependency in the backend.

The Structural Misunderstanding: Sovereignty as a Product

Sovereignty cannot be bought.

And it cannot be licensed.

It arises from competence, control, and continuity – from the ability to understand, operate, and change things ourselves.

Yet the industry – and increasingly politics – treats sovereignty like a feature that can be “activated”.

A subscription model for independence.

Delos, STACKIT, Google, AWS – they all now deliver these narratives along with their offerings:

“We make you sovereign, you just have to sign.”

That’s convenient.

And dangerous.

Because it suggests that independence is a service – not a capability.

The Dangerous Intermediate State

Europe is currently in an in-between world:

too dependent to be sovereign – too regulated to remain innovative.

The “Sovereign Cloud” projects are an expression of this tension.

They are not wrong, on the contrary: They are important steps.

But they must be a transition, not the endpoint.

If we settle for this, we will find ourselves in the same situation as in the last technological cycle:

We standardize foreign innovation and later wonder why value creation and control lie elsewhere again.

What True Sovereignty Would Mean

True digital sovereignty would be uncomfortable, but achievable.

It would mean:

  • Promoting our own open-source stacks, which are reproducible, audited, and interoperable.
  • Building European build and deploy infrastructures – not as a showcase, but as a production base.
  • Securing long-term funding for maintenance – so that critical components are maintained, not just developed.
  • Creating competence centers that are not consultants, but operators.
  • And above all: Understanding technology policy not as a security issue, but as industrial policy.

Only in this way can a foundation be created that is more than a new label on an old dependency.

Between Irony and Seriousness

The Trojan horse meme is funny, but the truth behind it is bitter.

Europe has a rich history of wanting the right thing – and doing the convenient thing.

“Sovereign Cloud” could become the next chapter in this history:

A concept with noble aspirations, driven in practice by the same forces it seeks to escape.

But it is not too late yet.

Delos and STACKIT can – if they are developed openly, transparently, and with structural boldness – become the seeds of a true European cloud.

But for that, they would need the courage to dismantle the horse and send the soldiers out.

Conclusion: Sovereignty Begins Where Trust Ends

Sovereignty is not a label.

It is the ability to say “No” when necessary – technically, legally, and operationally.

As long as we cannot do this, we remain politely hosted guests in foreign systems.

Europe cannot afford symbolic independence.

Not in a time when technology is not just infrastructure, but identity.

The Trojan horse is already in the city. The question is: Who dares to push it back out?
