Sovereign Washing
Katrin Peter · 5 min read


How seemingly “sovereign” cloud offerings disguise dependencies – and what ZenDiS clarifies



Digital sovereignty has taken a firm place in political strategies, administrative modernization, and IT planning in recent years. In light of geopolitical tensions, growing cyber risks, and international legal conflicts, the question of control over digital infrastructures is no longer abstract. It determines the ability to act, security, and economic stability.

With its new whitepaper, the Center for Digital Sovereignty of Public Administration (ZenDiS) shows how large the gap between marketing promises and actual technical independence is for many cloud offerings. The term “Sovereign Washing” describes a problem increasingly visible in the market: services are advertised as sovereign but fulfill the necessary requirements only to a very limited extent.

This post puts the contents of the whitepaper in context, explains the technical background, and shows why true digital sovereignty is much more than a data center in Europe.


1. What Digital Sovereignty Means – and What It Doesn’t

Policymakers and public administration in Germany have used a clear definition for years: digital sovereignty describes the ability to shape, operate, and further develop digital infrastructures and services independently, securely, and autonomously.

This requires four interconnected dimensions:

1. Data Sovereignty: Control over data – including legally secure operation, GDPR compliance, and protection against uncontrolled access by third countries.

2. Technological Sovereignty: Inspectable, designable technical foundations: source code, interfaces, standards, update processes.

3. Operative Sovereignty: Ability to continue operating systems even in the event of a service provider failure or supply chain interruption.

4. Ability to Switch / Interoperability: No vendor lock-in, clear migration paths, open standards.

True digital sovereignty arises only when all of these criteria are met. This is exactly where the problem begins.


2. When Marketing and Reality Diverge: What “Sovereign Washing” Means

Many international cloud providers react to European sovereignty requirements with new labels: “Sovereign Cloud”, “Data Boundary”, “European Cloud”, or “National Cloud”.

These terms suggest independence. However, the whitepaper shows that such offerings often cover only some aspects – especially data sovereignty in the narrower sense, for example through local data centers or European operating models.

What is missing, however, are the central technical prerequisites:

  • no control over update mechanisms,
  • no insight into critical software components,
  • no independent operability,
  • no structural ability to switch,
  • dependency on US law such as the CLOUD Act or FISA 702.

This creates a situation in which customers receive a feeling of sovereignty but remain structurally highly dependent – just packaged differently.

This is exactly what ZenDiS refers to as Sovereign Washing.


3. Why Proprietary Cloud Infrastructures Remain Technically Unsovereign

The whitepaper explains in detail why this difference is not only politically but technically relevant. The most important factors:

3.1 Update Cycles: Security-Critical Dependency on US Providers

Modern cloud platforms consist of hundreds of components that receive security-relevant updates daily:

  • Hypervisors
  • Network stacks
  • IAM systems
  • Container orchestration
  • Monitoring and surveillance services
  • Encryption services
  • Management APIs and dashboards

These updates can only be provided by the platform vendor itself.

If this software supply chain fails – for example due to geopolitical conflicts, export restrictions, or political decisions – operators lose the ability to operate their platform securely within a few weeks.

The whitepaper cites examples in which even “isolated” operators would only be functional for a few months before security gaps become uncontrollable.

3.2 Architecture-Driven Vendor Lock-in

Although many hyperscalers support open standards, central services are deeply proprietary:

  • Identity and authorization systems
  • Orchestration mechanisms
  • Management portals
  • Cluster management
  • Security modules

Data and workloads can therefore only be migrated with considerable effort – both technically and organizationally.

The EU Data Act (from September 2025) obliges providers to offer interoperability and switching tools. However, practical implementation is still open, and the reality in many companies shows that lock-ins persist.

3.3 Extraterritorial Effect of US Law

As soon as a service provider is subject to the CLOUD Act or FISA 702, data must be disclosed – even if it is:

  • stored in Europe,
  • operated by a European company,
  • located in “sovereign” data centers.

Metadata, log files, and administrative access are also affected.

Several cases – including, recently, account blocks at the International Criminal Court – prove the effectiveness of this regulation.

This legal reality stands in direct contradiction to European data protection law and makes full data sovereignty impossible.


4. Political Developments: Sovereignty Becomes Tangibly Measurable

The whitepaper shows that policymakers and public administration are increasingly relying on clearly defined criteria:

  • The Data Protection Conference (2023) defines detailed requirements for sovereign cloud use.
  • The Digital Ministers Conference (2025) calls for uniform open standards and open source.
  • The EU Data Act strengthens interoperability and switching rights.
  • The Sovereign Cloud Stack (SCS) establishes open, fully inspectable cloud technologies.

In parallel, ZenDiS is developing a sovereignty check to make IT offerings evaluable along transparent criteria.

This makes sovereignty operationalizable – and providers can no longer retreat into vague terms.


5. What This Means for Organizations

Many companies and authorities today assume that “European data centers” or “local cloud operating models” guarantee sovereignty. The technical and legal facts show a different picture.

The central insight of the whitepaper: Sovereignty does not arise through location, but through control.

And control requires:

  • open interfaces,
  • inspectable platform components,
  • independent operability,
  • transparent supply chains,
  • interoperability.

Technically mature European alternatives have long existed – often simpler and more cost-effective than expected. Open technologies like the Sovereign Cloud Stack or European platform approaches offer verifiable independence instead of marketing-driven promises.


Conclusion

The ZenDiS whitepaper clearly shows that digital sovereignty goes far beyond isolating individual data points. It is a structural feature of digital resilience – and a central factor in the ability of the state and the economy to act.

Proprietary cloud offerings can partially ensure data sovereignty, but not technological or operative independence. They remain legally vulnerable, technically dependent, and strategically risky.

Those who want to achieve long-term stability and true control over their IT infrastructure need technologies that are transparent, designable, interoperable, and openly implemented.

Sovereign washing can only be countered with facts – and ZenDiS provides exactly this transparency.
