Sovereignty used to be a constitutional argument in Brussels and Berlin. Now it sits inside every serious cloud and AI decision, as regulators, risk committees, and public buyers converge on a tougher, shared checklist for vendors. This piece traces how we got here – and what it means to design platforms for Europe’s highest bar, not its lowest.
In this blog:
European executives are used to navigating complexity. But even seasoned CIOs and CFOs are feeling the strain when a single transformation program has to satisfy a German public-sector tender, a French bank’s risk committee, and a UK regulator’s evolving guidance on AI and cloud.
On paper, these regimes look very different. They stem from distinct constitutional traditions, industrial strategies, and political debates.
Now, "Sovereignty" is no longer a fringe concern for a few ministries or critical infrastructures. It is becoming a mainstream political and technology priority.
This article unpacks how we got here, what is really meant by digital and data sovereignty in practice, and why serious vendors are being pushed to design for Europe’s highest bar, not its lowest common denominator.
The word "sovereignty" carries a lot of political weight. In the European Commission and in national capitals, it has been used to talk about autonomy from foreign powers, control over supply chains, and even cultural identity.
For technology leaders, those high-level arguments now translate into a much more practical set of questions:
● Where does our data live, and under whose jurisdiction?
● Who can operate, administer, and support our systems – and from which territories?
● How are hyperscalers, subcontractors, and AI providers governed and audited?
● What happens when European regulators tighten the rules again?
To navigate these questions, it helps to distinguish a few core concepts.
● Data residency is where data is stored geographically.
● Data sovereignty adds the legal and institutional layer: which laws and courts have authority over that data.
● Operational sovereignty focuses on who can access, administer, and support the environment – for example, whether access is limited to EU-resident personnel.
The path to this point has not been uniform.
In Germany, the shift has been explicitly reframed as an economic and competitiveness agenda. Under Chancellor Friedrich Merz, the federal government has positioned itself as an "anchor customer" for sovereign digital solutions, using public procurement to create scale for European providers and reduce structural dependence on foreign hyperscalers. Initiatives like the proposed European Competitiveness Fund and large-scale modernization investments are designed to back this shift.
In France, the language has historically tilted more toward strategic autonomy and "strategic assets." Yet the outcome is similar: strong expectations that sensitive workloads – especially in the state, defence, and critical infrastructure sectors – run on infrastructure subject to European control.
A joint French-German Digital Sovereignty Taskforce is working toward a shared definition of "European digital services" and a set of sovereignty indicators for cloud, AI, and cybersecurity, designed to influence procurement and state aid across all 27 EU member states. Projects like "Sovereign AI for Public Administration," involving European AI providers and enterprise vendors, are intended to show what that looks like in practice.
Survey data underscores that this is no longer a niche debate. In Germany, for example, 84% of companies report being completely or largely dependent on non‑EU office software, and 77% on non‑EU operating systems – even as legal uncertainty and security concerns top the list of digital hurdles. That combination of dependence and unease is a powerful driver of sovereignty expectations in procurement.
Large European buyers now expect credible answers to the same underlying sovereignty questions.
The routes differ – constitutional law in one country, industrial policy in another, EU‑level regulation in Brussels – but they are pushing toward a similar destination: large European buyers now expect credible answers to the same underlying sovereignty questions. (The country that has introduced legislation and technical standards to drive sovereign cloud is primarily France.)
It is tempting to respond to this complexity with another matrix: country by country, sector by sector, regulation by regulation.
That approach can be useful for legal and compliance teams, but it is not how most executives make platform decisions. What they experience in practice is something closer to a converging checklist of concerns that shows up in RFPs, security questionnaires, and board conversations.
Without turning this into a rigid scorecard, a pattern is clear. European buyers are increasingly asking vendors to demonstrate:
● Data residency: Where exactly is the data stored and processed, and which legal regimes apply?
● Operational control and access discipline: Who can access production systems and customer data, from which territories, under which controls?
● Governance of hyperscalers and subcontractors: How are relationships with subprocessors structured so that European requirements remain enforceable?
No single vendor can credibly promise that one architecture resolves every sovereignty question in every jurisdiction. And buyers, especially in the public sector and regulated industries, know this. What they increasingly require instead is a defensible operating model that gives them leverage: clear commitments on location and operations, transparency about dependencies, and an architecture that can evolve as law and policy do.
In this environment, offering "EU data residency" without addressing operational control, support models, or AI governance is starting to look incomplete.
For a long time, European organizations dealt with sovereignty concerns through local workarounds – additional contracts, isolated deployments, bespoke controls on top of global platforms.
Three shifts are pushing responsibility upstream to vendors.
That model is fraying. It is expensive to maintain, difficult to audit, and often incompatible with the pace of AI adoption.
Three shifts are pushing responsibility upstream to vendors:
1. Public-sector and critical infrastructure tenders are tightening. When a national ministry, health system, or grid operator mandates EU‑resident operations or specific control models, vendors either adapt or step away from the opportunity. Custom exceptions are becoming rarer.
2. Industrial alliances. Cross‑border initiatives are embedding sovereignty requirements into the technical and governance fabric of entire ecosystems, not just single projects.
3. Sovereignty is shifting from cost to competitiveness. In Germany and France, digital sovereignty is now framed as a precondition for long‑term competitiveness and resilience, not a drag on innovation. Public funding and anchor‑customer strategies are aligned with that view.
Workday comes to this conversation from the vantage point of a platform that already runs critical HR and finance processes for organizations across EMEA. In recent years, our customers have expressed interest in sovereign cloud solutions that enable more regionalised data processing, storage and control.
In our blog "Data Sovereignty: From Debate to Design Principle," we have argued that sovereignty should be designed into enterprise platforms – combining data location, access controls, and governance – rather than treated as an afterthought.
The Workday EU Sovereign Cloud is one concrete step in that direction, focused on customers with heightened sovereignty expectations.
Our Workday EU Sovereign Cloud can be described as follows:
● It is a dedicated Workday region hosted within AWS European Sovereign Cloud, located in Brandenburg, Germany, operated under strict data and operational sovereignty controls.
● It is separate from Workday’s existing AWS regions, with its own dedicated infrastructure and network partition, and core Workday environments for HCM, Financials, Planning, Extend, and machine learning workloads.
● Support is handled by dedicated EU‑resident support teams, reflecting customer expectations around operational sovereignty.
● The initial scope concentrates on a defined set of SKUs across core HCM, core Financials, Planning, Build, and selected AI capabilities, with additional services and partner applications scheduled for future phases. Some offerings that customers may use today in other regions will not be available in EU Sovereign Cloud at launch.
● The offer is targeted first at more regulated countries and sectors – including public sector, financial services, healthcare, defence, and energy – where sovereignty has already emerged as a major deal consideration.
These are not absolute claims of universal coverage. They are architectural and operational design choices intended to help customers align their own compliance and risk strategies with the direction European sovereignty policy is taking.
Customers will still need to conduct due diligence, consult legal and regulatory experts, and assess how any cloud deployment – including Workday’s – fits their specific obligations. But the direction of travel is clear: platforms that make it easier to answer sovereignty questions credibly will be better positioned to support European transformation agendas.
Europe will not become a single, harmonised sovereignty regime overnight. National politics will continue to shape how laws are written and enforced. Sector regulators will move at different speeds. Court decisions will add new wrinkles.
Yet from the vantage point of an executive choosing long‑term platforms, the picture is already much clearer than it was a few years ago.
Sovereignty is no longer a collection of edge cases. It is part of the baseline trust equation for cloud, data, and AI in Europe. Different routes are leading to a similar set of expectations about where data resides, who can touch it, how AI is governed, and how resilient critical operations really are.
For Workday, as for other global providers, the task is not to declare sovereignty "solved." It is to design platforms and operating models that align with Europe’s converging expectations, while being transparent about scope, trade‑offs, and limits.
The organizations that succeed will be those that treat sovereignty as a long‑term design principle and a foundation for trust – not a checkbox at the end of a compliance form.
More Reading
Workday shares its ongoing commitment to responsible AI.
Europe is moving data sovereignty from debate to law. Discover how emerging EU rules, procurement standards, and sovereign cloud models—like Workday’s EU Sovereign Cloud—are reshaping how organisations manage, store, and protect data.
Learn how MSEs can stay ahead of EU regulations with automated audits, built-in controls, and smarter, streamlined compliance.
