A Gartner survey of 241 Western European CIOs published November 2025 found that 61 percent plan to increase their reliance on local cloud providers — and they’re doing it for geopolitical reasons. A separate Accenture study found 62 percent of European organisations are actively seeking sovereign cloud solutions. And Airbus has issued a ~€50 million, decade-long tender to migrate mission-critical applications away from US hyperscalers to an EU-native provider.
These aren’t isolated data points. They’re converging signals of a genuine market realignment that is already changing procurement decisions at major European enterprises.
Here’s the context you need: AWS, Microsoft Azure, and Google Cloud still control around 70 percent of the European cloud market. There’s a very long road between stated intent and actual market share change.
But the direction is clear. This article explains what’s driving the shift, where the alternatives actually stand, and what it means if you’re an SMB tech company selling into European enterprises. For the foundational framework on this topic, see our guide to sovereign cloud explained.
What Does the 61 Percent CIO Statistic Actually Tell Us?
The 61 percent figure comes directly from Gartner’s survey of 241 Western European CIOs, published November 2025. The term Gartner uses for what these CIOs are planning is “geopatriation” — deliberately migrating workloads to local providers for geopolitical or jurisdictional reasons. That’s different from migration driven by cost or technical capability. It’s strategic.
The Accenture finding — 62 percent of European organisations seeking sovereign solutions — uses a different methodology and lands within one percentage point of Gartner’s number. Two independent research firms arriving at the same conclusion isn’t a statistical artefact. It’s a credible signal.
And it’s not just intent. Gartner also found that 44 percent of responding CIOs have already restricted their use of global providers. A substantial chunk of that stated intent has already converted into action.
Why Has European Cloud Dependency Become a Strategic Problem?
The core legal driver is the US CLOUD Act (2018). It lets US law enforcement compel American companies to hand over data stored anywhere in the world — including on servers physically inside the EU — regardless of what local data protection laws say. Jurisdiction follows the company’s nationality, not the location of the data.
This is a structural problem that data residency alone can’t solve. Storing data in Frankfurt on AWS satisfies data residency requirements. That same data is still potentially accessible under a US legal order directed at Amazon. Microsoft has publicly acknowledged it can’t guarantee data independence from US law enforcement. FISA Section 702 adds another layer: US intelligence agencies can access data held by US companies under separate surveillance authorities.
EU regulatory pressure makes things worse. DORA requires regulated sectors to demonstrate multi-vendor survivability, which directly penalises concentration on a single non-EU provider. NIS2 requires full visibility and control over infrastructure supply chains. The EU AI Act requires high-risk AI systems to operate entirely under EU jurisdiction. For financial services and healthcare in particular, these regulations directly intersect with sovereignty requirements.
The upshot: for any organisation with genuine sovereignty requirements, using a US-headquartered cloud provider cannot fully address legal exposure — regardless of which sovereign tier that provider makes available.
What Is GAIA-X and Can It Replace US Hyperscalers?
GAIA-X is a European Commission-backed initiative launched in 2019, designed to create a federated cloud ecosystem with shared sovereignty standards. Short answer on whether it can replace US hyperscalers: not yet.
GAIA-X is a standards and governance framework. Rules, interoperability standards, trust mechanisms. It is not a cloud provider. Its objective is to create the conditions for sovereignty-compliant cloud services to emerge — not to deliver them itself.
The near-term limitations are real and documented. US hyperscalers are members of GAIA-X working groups. CISPE, the EU cloud trade association representing EU-native providers, has accused the initiative of being structured to favour American hypercloud providers. The project has experienced significant internal friction and delays. Even GAIA-X chairwoman Catherine Jestin was candid about it: “The idea was more to foster the creation of it and to put in place the conditions for this to emerge. This has not been completely successful.”
GAIA-X still matters as a long-term foundation for EU-native alternatives to scale. But it is not a near-term answer to the operational sovereignty problem CIOs are dealing with today.
What Are EuroStack and CAIDA Adding Beyond GAIA-X?
Two newer initiatives are trying to fill that gap. EuroStack, commissioned by Bertelsmann Stiftung, takes a more stringent approach than GAIA-X — addressing all seven layers of Europe’s digital stack with EU-native governance. Where GAIA-X welcomed US hyperscalers into working groups, EuroStack focuses explicitly on European providers.
CAIDA (Cloud and AI Development Act) is proposed EU legislation that would mandate tripling EU data centre capacity within 5-7 years, aiming to meet EU business and public administration needs by 2035.
Neither is operational yet. But together they signal that the EU has learned from GAIA-X. The next generation combines stricter governance (EuroStack) with actual infrastructure investment (CAIDA). That’s a more complete strategy than the standards-only approach that limited GAIA-X.
What Does the Airbus Migration Tell Us About Where This Is Heading?
Airbus is the clearest signal that the sovereignty shift has moved from survey responses to actual procurement action.
A ~€50 million tender to migrate mission-critical applications from AWS, Azure, and Google Cloud to a sovereign European provider. Decade-long programme. The scope covers data at rest, data in transit, logging, identity and access management, and security monitoring — all of it.
Catherine Jestin, Airbus EVP Digital, put it simply: “We want to ensure this information remains under European control.” That is not compliance language. That is strategic sovereignty reasoning from one of Europe’s largest industrial organisations.
She was also candid about the supply-side challenge: “The question that I have is: is there any existing European infrastructure capable to deliver that service? That’s why we are launching this request for proposal.” That uncertainty tells you exactly where the market gap sits right now.
When a company of Airbus’s scale commits to EU-native cloud for sovereignty reasons, it normalises the decision for other European enterprises and sets a real-world reference point for what procurement sovereignty requirements look like in practice. For readers wanting to understand which providers are positioned to capture this demand, see our analysis of EU-native cloud providers driving this market shift.
What Does the European Cloud Sovereignty Shift Mean for SMB Tech Companies?
If you sell to regulated European enterprises, your cloud sovereignty posture is increasingly a factor in their procurement decisions. Here’s what that means in practice.
The procurement blocker: Regulated enterprises are including sovereignty requirements in RFPs and vendor criteria. Some are specifically requesting natively European cloud providers — not just EU data residency. If your infrastructure is entirely on a US hyperscaler with no sovereignty measures in place, you risk getting screened out before a sales conversation even begins.
The sales enabler: Having a clear sovereignty posture — EU-hosted infrastructure for customer data, documented data residency controls, a CLOUD Act exposure assessment — can differentiate you in competitive enterprise sales. Most SMB tech companies haven’t developed a sovereignty narrative yet. Being ahead of the curve is a differentiator now. In a few years it’ll be table stakes.
For FinTech companies specifically, DORA adds a compliance dimension beyond procurement preference. If your platform depends entirely on a single US hyperscaler and you can’t demonstrate a credible continuity plan, you may be creating a compliance problem for your banking customers.
And then there’s the cascade effect. When large enterprises like Airbus operationalise sovereignty policies, those requirements flow down through their supplier and vendor networks. That reaches further than you might expect.
The practical starting point is a cloud sovereignty assessment. Map where customer data is stored. Identify which workloads are on US-headquartered infrastructure. Evaluate your CLOUD Act exposure. Work out whether your provider’s sovereign tier actually addresses the jurisdictional exposure your customers face — for a detailed breakdown of what hyperscaler sovereign cloud offerings actually deliver, see our assessment of AWS ESC and Azure sovereign options. Then build the narrative to explain your position to procurement teams.
The question isn’t whether this shift is happening — the convergence of data makes that clear. The question is how quickly you get ahead of it.
For a full strategic framework, see our guide to understanding sovereign cloud.
Frequently Asked Questions
Why do 61 percent of European CIOs want to reduce reliance on US cloud providers?
Legal risk from the US CLOUD Act, regulatory pressure from DORA, NIS2, and the EU AI Act, and accelerating geopolitical tensions have combined to make US cloud dependency a strategic liability.
What is the US CLOUD Act and how does it affect European companies?
The CLOUD Act (2018) allows US law enforcement to compel American companies to produce data stored anywhere in the world. For European organisations using AWS, Azure, or Google Cloud, their data may be accessible to US authorities regardless of where it is physically stored. Jurisdiction follows the nationality of the company, not the location of the server.
What is GAIA-X and what are its current limitations?
GAIA-X is a European Commission-backed standards and governance framework for cloud sovereignty — not a cloud provider. Near-term impact is limited because US hyperscalers are members of working groups, which CISPE has criticised as undermining the sovereignty objectives.
What is the EuroStack initiative?
EuroStack is a newer EU initiative taking a more stringent approach than GAIA-X, addressing all seven layers of Europe’s digital stack with EU-native governance. It is currently in development.
What is CAIDA and how does it support European cloud sovereignty?
CAIDA (Cloud and AI Development Act) is proposed EU legislation that aims to triple EU data centre capacity within 5-7 years — the legislative and investment backing for building sovereign cloud infrastructure at scale.
How much of the European cloud market do US hyperscalers control?
AWS, Microsoft Azure, and Google Cloud together control approximately 70 percent of the European cloud market. That structural dominance means the gap between CIO intent and actual market share change will take years to close.
What is the Airbus sovereign cloud migration?
Airbus is preparing a ~€50 million, decade-long tender to migrate mission-critical applications from US hyperscalers to a sovereign European provider. Catherine Jestin, Airbus EVP Digital, stated the goal is to ensure Airbus’s information “remains under European control.”
Does data residency in the EU protect against US government data access?
No. The US CLOUD Act can compel a US-headquartered provider to produce data regardless of where it is stored. Full sovereignty requires addressing both physical location and legal jurisdiction. Microsoft has acknowledged it cannot guarantee data independence from US law enforcement.
What does cloud sovereignty mean for SMB SaaS companies selling to European enterprises?
Your cloud sovereignty posture can be a sales enabler — differentiating you in competitive processes — or a procurement blocker — failing you at screening stage. The dynamic is already operational in regulated sectors.
Is European cloud sovereignty just a compliance trend or a lasting market shift?
The convergence of legal risk, regulatory pressure, enterprise procurement action, and legislative investment indicates a structural market realignment, not a temporary compliance trend.
How can SMB tech companies assess their cloud sovereignty exposure?
Map where customer data is stored, identify workloads on US-headquartered infrastructure, evaluate CLOUD Act exposure for each, and determine whether your provider’s sovereign tier actually addresses the jurisdictional exposure. Then develop a sovereignty narrative for enterprise procurement teams.
What is geopatriation in the cloud context?
Geopatriation is Gartner’s term for deliberately migrating workloads to local or regional providers for geopolitical or jurisdictional reasons — the strategic behaviour that 61 percent of European CIOs are planning.
