Tech’s ‘Sovereignty Washing’ in Europe Will Ripple in the Global South

Tech companies’ promises of digital sovereignty in Europe warrant skepticism—and could have pernicious impacts on the Global South.

Tech’s ‘Sovereignty Washing’ in Europe Will Ripple in the Global South
Global internet (Mohamed Hassan, https://pxhere.com/en/photo/1451419; CC0 1.0, https://creativecommons.org/publicdomain/zero/1.0/).

The siren song of digital sovereignty may have lured its most prized target yet. In response to rising pressure in Brussels and European capitals to decouple their markets from the services of U.S. hyperscalers, MicrosoftAmazon, and Google have all reintroduced “sovereignty cloud” offerings to mollify regulators and customers. These offerings are not only disingenuous—they also pose serious risks for digital infrastructure and the openness of the internet in countries in the Global South. Hyperscalers contribute to internet standards and shape national cybersecurity and data governance norms through their market reach, especially in developing economies where digital regulations are still evolving. Attempts by technology companies to tinker with network architecture—as well as advocating for state involvement in the governance of such products—are highly problematic: They foreclose the possibility of regulatory movement or reform toward open networks and cross-border data flows in emerging markets.

“Digital sovereignty” has long been a buzzword in EU circles. It is both an analytical frame used by scholars to explain increasing territorial controls exerted by states over digital infrastructure, as well as an aspirational policy ideal for many countries. As a policy ideal, digital sovereignty is pursued for different reasons. Authoritarian regimes such as Russia and China have pursued technical and policy measures to control transboundary data flows and regulate digital content accessible to their citizens. For these states, digital sovereignty connotes a total control over the information environment, which is presented as necessary for regime continuity or social stability.

But it is no longer just authoritarian states that aspire to digital sovereignty. As Rachel Hulvey and Beth Simmons note in a new paper, liberal democracies, including the U.S. and EU, have “long departed to some extent from a vision of open digital borders.” The United States is concerned about the ability of strategic adversaries, particularly China, to weaponize the open internet and use digital networks to launch cyberattacks on critical infrastructure, conduct cyber espionage operations, and engage in influence operations against the United States. Europe, meanwhile, has embraced digital sovereignty to strengthen its overall goal of “strategic autonomy” from supply chains and companies in the U.S. and China that they believe are unreliable in an age of rising geopolitical tensions.

In response primarily to EU policymakers’ quest for digital sovereignty, U.S. hyperscalers have introduced “sovereign cloud” offerings in recent years. The basis of sovereign cloud services are several technical and policy-driven changes to how European data is handled. Essentially, these services assure European clients that their data will not (in most cases) leave the continent’s shores and will be processed in line with the EU’s data protection and cybersecurity standards. Since 2020, every U.S.-based hyperscaler has offered a “sovereign cloud” service for Europe.

Such cloud services have been heavily criticized for engaging in “sovereignty washing”—that is, offering a service that cosmetically addresses data governance without any meaningful sovereign control for European regulators. The label of “sovereignty,” Rebecca Adler-Nissen and Kristin Eggeling note, has been invoked as a compliant standard by cloud companies—but it has turned out to be “empty in substance and impossible to implement.” Critics who level the charge of sovereignty washing note that the major hyperscalers are, after all, U.S. companies, and service-level agreements and commitments to keep data stored in Europe cannot stand in the way of their legal obligations under the CLOUD Act or the Foreign Intelligence Surveillance Act.

In recent months, U.S. hyperscalers have once again been thrust into the spotlight, as they unveiled a renewed set of cloud offerings for the European market. This time, the context is different. If in their first iteration, “sovereignty cloud” products were launched mainly to address privacy concerns around cross-border data flows, they have been repackaged this time to address geopolitical tensions. Indeed, much of the debate around U.S. Big Tech in Brussels today builds on European anxieties about a fraying transatlantic relationship. The unpredictability involved in dealing with the Trump administration on trade and technology issues is what is driving EU policy on defense and cross-border data flows. In other words, the EU’s concerns around digital sovereignty are now driven by the prospect of U.S. technology companies pulling the plug on their European clients, including those running critical infrastructure services.

For this reason, the sovereignty cloud services that Microsoft, Amazon, and Google have offered in recent months—specifically, after the second Trump administration took office—differ in significant ways from their previous iterations of the product. In some form or another, the sovereign cloud solutions that these companies have been marketing since 2020 have offered “data residency”—that is, storage of data at rest within the physical confines of a territory or region (such as the EU)—as well as greater control over what cloud service providers could access from their customers. Some cloud services went further to assure customers that their data would be processed by staff “based” in—but not necessarily “citizens of,” a crucial distinction—their respective regions. Many original features of these sovereignty cloud offerings were genuine proposals meant to ease General Data Protection Regulation (GDPR) compliance for businesses. More pressingly, they addressed restrictions on cross-border data flows following the Court of Justice of the European Union’s invalidation of the EU-U.S. Privacy Shield framework (the “Schrems II” judgment).

But these offerings have been criticized as sovereignty washing because several important aspects of their operation remained unclear. As analysts pointed out, data residencies are fine, but where would data be processed, for example? Many sovereign cloud products relied on innovations like “confidential computing,” which allow for processing data without decrypting it, thereby ensuring the integrity of sensitive data. The deployment of confidential environments or “secure enclaves” to process data only reinforces the view that some of it continued to occur in the United States. This time around, U.S. Big Tech has dialed the “sovereignty” level of its cloud offerings up a notch. There are two worrying aspects to this approach by the hyperscalers, which have profound consequences for developing countries of the Global South.

First, some of the updates proposed by Amazon, Google, and Microsoft to their sovereignty cloud offerings potentially interfere with the underlying routing, resolution, and security architecture of the internet. In May 2025, Google introduced its “cloud air-gapped” service, offering “completely isolated” tenancy services for those customers with “stringent sovereignty and regulatory requirements.” “The solution does not require connectivity to Google Cloud or the public internet to manage the infrastructure, services, APIs, or tooling, and is built to remain disconnected in perpetuity,” notes the company. Microsoft’s EU Data Boundary service will ensure clients’ metadata—which includes Domain Name System (DNS) information—is stored within the EU. Amazon has promised to create a dedicated version of Amazon Route 53, its global DNS resolution service, for Europe, whose ownership and operation will be based entirely on the continent.

Second, Amazon will also create an EU-based “root certificate authority.” Details about this body are not fully sketched out, but from Amazon’s announcement, it seems the certificate authority will be one of three European subsidiaries managed by a parent company. The parent company, Amazon notes, will be managed by a team that includes “a government security and privacy official.”

Both proposals challenge the open and interoperable character of the internet—ironic, considering major technology companies have long been votaries of U.S. efforts to promote the “free flow of information” globally. Even if companies’ attempts to carve out sovereign digital enclaves may be driven by short-term commercial factors, the long-term impact of these proposals cannot be ignored, especially on the Global South. As I detail below, they undermine a decades-long and difficult diplomatic effort to get major emerging markets such as India and Brazil to support a global, multistakeholder model of internet governance. Such diplomacy was backed up with policy commitments from global standards and internet governance bodies. The technical and policy measures now presented by U.S. hyperscalers before the EU make it apparent to developing countries that geopolitical pressure on private actors to isolate their national internet infrastructure does work. Sovereign cloud solutions invite government overreach in Global South countries with serious consequences for security and cross-border data flows. While sovereign cloud services will likely run on the same set of network and security standards as “regular” cloud offerings by Google, Amazon, and Microsoft for now, those standards have been put on a path toward fragmentation along national or regional lines in the future.

Background

At the heart of the European digital sovereignty debate is the cloud services ecosystem. Influential voices in EU policymaking circles argue that cloud services are the “operational core” of a digital economy and, like other strategic assets, should be protected against “structural dependencies and systemic bottlenecks.” Even as the EU has begun to incentivize the development of European players in this sector, U.S.-based hyperscalers have constantly tweaked their offerings to address EU’s sovereignty concerns. But it is one thing to meet regulatory concerns around privacy through sovereign clouds, and another to present them as a solution to an essentially geopolitical crisis. If anything, some actions by U.S. companies have only fueled fears that European digital infrastructure is vulnerable to political headwinds.

Two separate events throw into sharp relief the ongoing churn in EU-U.S. technology relations and demonstrate how Big Tech has been caught in its crosshairs. Microsoft’s decision to restrict access by the chief prosecutor of the International Criminal Court to his email accounts—Karim Khan, the chief prosecutor, was sanctioned by the U.S. in February over his investigation of Israel—has generated a huge controversy in the Netherlands, among the friendliest American allies. Bart Groothuis, a Dutch member of the European Parliament and among the more influential European voices on cybersecurity, tweeted following the news of Microsoft’s “digital blockade”: “[L]et’s keep all other dependencies on US IT alive. What could possibly go wrong?” Dutch regulators have reportedly begun thinking about a systematic migration of public-sector organizations out of American cloud services. Then, in June, the EU unveiled its International Digital Strategy that remarkably makes no reference to the United States as a partner. In her speech announcing the strategy, European Executive Vice-President on Tech Sovereignty, Security and Democracy Henna Verkunnen emphasized the need for deeper partnerships with Japan, Canada, Singapore, India, and South Korea but skipped Washington, D.C., altogether.

It is understandable why, in light of such events, U.S. companies want to be seen as backing Europe’s digital sovereignty aspirations. The EU is a critical market and, equally, an indispensable interlocutor in any transatlantic effort aimed at keeping data flows and digital economies open. To be sure, U.S. companies are not the only ones offering sovereignty-centric cloud solutions. Chinese cloud providers such as Alibaba and Tencent have similarly sought to convince Southeast Asian governments that their local operations meet regulatory requirements and sovereign interests—a strategy Binyi Yang and Mingjiang Li call “offshore embeddedness.” In Europe, however, the market is dominated by U.S. hyperscalers, and Google, Microsoft, and Amazon have been specifically called out and lambasted by policymakers, businessesacademics, and technical experts.

Impact on the Internet’s Openness

The focus on these companies’ motivations to offer sovereign cloud solutions and their adequacy to European aspirations of strategic autonomy obscures their broader impact on the global internet. In a world where Domain Name System resolution—the simple act by which any machine connected to the internet looks up and retrieves IP addresses to access online content—is increasingly centralized in the hands of a few powerful players, such “sovereign” solutions generate serious concern about the internet’s openness. As Farzaneh Badiei notes in a March 2025 report, the use of public or recursive DNS resolvers, that is, DNS resolvers that on paper can be used by anyone to look up any other machine on the internet, are on the decline. In their stead, “Big DNS”—DNS resolution by Big Tech cloud companies and content delivery networks (CDNs)—has taken over. Cloud services run their own authoritative name servers, addressing resolution only of the DNS records of their customers. Within the authoritative DNS market, Amazon dominates with a 35 percent global market share. A 2023 study by the Regional Internet Registry for Asia Pacific indicated signs of moderate to high concentration in the market for both authoritative and recursive resolvers.

The long-standing argument for using global DNS services—whether they are recursive or authoritative—over those offered by local or regional internet service providers (ISPs) has been that these are more secure, less susceptible to censorship, and, by dint of their scale, more resilient than local DNS resolvers. Now those players are attempting to localize their resolution services in a bid to appease sovereign concerns, which opens them up to the same concerns of insecurity and lack of resilience. DNS censorship and outages of major cloud and CDN services have become increasingly common. With their decision to localize DNS resolution through “dedicated” and “air-gapped” services, it seems cloud services are not only ceding their global appeal but also potentially subjecting their infrastructure to manipulation by autocratic governments.

Amazon’s proposal to create a European Root Certificate Authority is especially concerning in this regard. Compelling certificate authorities to meet regulatory standards or security and intelligence needs creates serious cybersecurity risks and undermines trust in a cryptographic mechanism that is core to the modern internet. Having government security officials involved in decisions on routing and cryptography is an invitation to state control over aspects of core internet infrastructure, which some of these companies have themselves opposed in the past.

Then there is the impact of these measures on internet routing. The internet is famously described as a “network of networks,” but a more appropriate characterization of it today is as a “small network of big networks.” Gone are the days when Tier 1 autonomous systems—big telecommunications-owned networks like those of AT&T and Verizon that could reach every other network on the internet—shaped internet routing. Cloud services and CDNs with their own DNS infrastructure and global network of data centers can retrieve and process information on the edge, completely flattening internet topography. One assessment suggests cloud services cater to 76 percent of the internet without relying on Tier 1 networks. Although flattening is considered beneficial for internet availability in various corners of the globe, it has also reshaped internet routing and security policies. Hyperscalers manipulate routing paths for practical reasons of efficiency and costs but also expose their vast user base to major outages and security risks from third-party vendors. This is not a hypothetical concern: Cloud outages caused specifically by routing leaks and BGP hijacks have occurred before.

These companies have also been singularly instrumental to the development of new DNS security standards, some of which have been rapidly deployed at scale without a clear assessment of potential risks. For example, the encryption of DNS queries via the DNS-over-HTTPS (DoH) protocol circumvents ISP filtering and inspection of DNS packets but limits the visibility of network and enterprise security administrators. Once again, the onus of routing and DNS security falls on hyperscalers—in the past this may have been an acceptable trade-off for those who believed global DNS services were more secure than ISPs and less susceptible than the latter to government pressures. A number of worldwide and regional disruptions, along with increasing instances of state-compelled DNS blocking by global resolvers, has challenged that assumption. Now, with cloud companies offering “sovereign” solutions that, inter alia, localize routing, root key certification, and other aspects of DNS security, it is worth asking how they are any different from much maligned ISPs.

Implications for the Global South

What do these sovereign cloud offerings portend for the Global South? For one, the weaponization of digital platforms and underlying internet protocols is no longer a hypothetical concern for developing countries. In July, the India-based oil refiner Nayara Energy, which is partly owned by Rosneft, announced that Microsoft had restricted access to its “own data, proprietary tools, and products.” In cutting off Nayara’s access to its services, Microsoft was reportedly complying with EU sanctions against Russia. India has also moved to tighten regulations on ownership and operation of subsea cables and satellite internet services, with a view to ensure geopolitical developments do not impede the availability of such essential internet infrastructure. The political pressure brought to bear on the guardians of core internet infrastructure—namely, ICANN, the London Internet Exchange, Amsterdam Internet Exchange, and RIPE-NCC, the Regional Internet Registry for Europe—to cut off Russia from the internet in the aftermath of its invasion of Ukraine has surely not gone unnoticed in the Global South.

Governments in major emerging markets will therefore be closely following announcements by Microsoft, Amazon, and Google to understand how they respond to political pressure from Europe. Some companies already offer a version of “data residency” services in emerging markets, either by themselves or through a local partner. None of them go as far as the sovereignty cloud solutions they have offered Europe. The EU is admittedly an important market for cloud services (about 15 percent of the global market share), but developing countries such as India, Brazil, and those of the Association of Southeast Asian Nations (ASEAN) region together account for more than a third of that market. These are all countries where digital sovereignty debates are raging, and data localization and cybersecurity regulations have not fully crystallized. Most important, they are geopolitically influential entities whose statements and policies are tracked by others in the Global South.

Unfortunately, these cloud service solutions actualize a vision of “cyber sovereignty” that resembles Chinese and Russian approaches to the internet. Democracies such as Brazil and India have long sought stronger regulations for digital platforms, whether it be on content, addressing criminal and terrorist activities, or antitrust measures. While there have been legitimate concerns around the use of unchecked executive powers on matters of surveillance and internet shutdowns, it is no exaggeration to say that banner moves on digital regulation have come mostly from legislative and judicial institutions in these countries. It is important to focus on both countries because they are lodestars for Global South economies, which also aspire to be robust democracies.

Although they have been painted with a broad brush alongside Russia and China—by dint of their membership in the BRICS grouping—Brazil and India have arguably been a moderating influence in this now 10-country bloc. One needs to look no further than the 2025 BRICS summit hosted by Brazil, and the ensuing Rio Declaration, to illustrate this point. The 2025 Rio Declaration calls for cooperation in the “field of digital infrastructure to ensure the integrity, stability of the functioning and security of national segments of Internet while avoiding Internet fragmentation” (emphasis added). The reference to “national segments” of the internet is borrowed from the 2024 BRICS summit declaration, which was hosted by Russia in Kazan. The emphasis on avoiding internet fragmentation was likely added by Brazil, which held the pen as the BRICS host this year. Brazil has long been a champion of the open and unfragmented internet and, in particular, its multistakeholder governance model. India, with its traditional emphasis on multilateral governance and UN-centric processes, took longer to be sold on that vision.

To their credit, technical internet bodies as well as the U.S. government undertook several concrete steps in the past decade—more root server instances in India, promoting greater participation of Indian stakeholders in the I* organizations, championing a seat for India in the 2016 UN Group of Government Experts, etc.—to induce New Delhi’s support for the global internet governance model. Even on security goals, there was for a brief period greater alignment between the U.S. and India on Chinese digital technologies. The first Trump administration got Jio, India’s largest 5G network provider, to sign up for the Clean Networks Initiative, a multistakeholder commitment to keep Chinese players out of their telecommunications infrastructure. Nudged by the U.S. and Japan, India warmed up to the concept of “trusted data flows” via diplomatic forums such as the Quad—subscribing to the notion of freer cross-border data while restricting its transfer and storage by Chinese entities.

These commitments from India not only align with U.S. geopolitical goals but also arguably advance its own interests. The Indian government has signaled that if legitimate concerns around information sharing on trans-border cybersecurity incidents and cybercrime can be addressed, it feels confident enough to commit to an open and freer internet. To take it a step further, New Delhi has even suggested that it is willing to support the exclusion of Chinese actors from key internet infrastructure, primarily for reasons of security, while also acknowledging its geopolitical consequences. Some of these trade-offs make economic sense—a fifth of India’s national income in five years is projected to come solely from the digital economy, and a lion’s share of that in turn will be generated by servicing markets abroad. And while framing the “openness” of the internet as a trickle-down benefit of commercial interests may seem politically incorrect, it is the cold reality in India and major markets of the Global South. Governments in developing countries, confronted with internet-enabled social instability and polarization, would readily assume greater sovereign powers over digital infrastructure and content but refrain from doing so because of its economic implications.

With hyperscalers willing to assure through their sovereign cloud services that cross-border data will be reduced to a minimum, what incentives do Global South countries have to champion a freer internet? If anything, their proposed offerings for Europe are tantamount to cloud companies reconfiguring—under geopolitical pressure—internet architecture through routing and certificate policies. Their actions sit awkwardly with some of these companies’ own calls to protect the “public core” of the internet that ensures its global availability and integrity. Then there is the matter of government involvement in sovereign cloud management. Many developing countries will handily accept a role for a “government and security official” in managing hyperscalers’ sovereign clouds. Their acceptance may have to do with managing cybersecurity or crime, but this is how mission creep is likely to occur.

No country or government has a golden approach to technology policy: This is true of advanced economies as it is for developing countries. Global South countries are gradually identifying their policy priorities and iteratively refining them. That said, heavy-handed regulation on any internet-related matter often attracts pushback from a rainbow coalition of global internet companies, human rights organizations, and local civil society. Each actor in this coalition understandably has its own motivations, but the turn to “sovereignty” of U.S. Big Tech seriously imperils their common goals. Their actions open a number of worrying questions relating to trust and integrity of the global internet: Will these companies bend the knee on encryption standards? Will internet standards, the development of many of which are today piloted by major U.S. companies, be subject to local approvals? While short-term proposals to address what is essentially a larger trust deficit between Europe and the U.S. may keep operations going for major cloud companies, they must seriously revisit their approach, or risk pernicious impacts on the Global South.

– Arun M. Sukumar is an assistant professor of international relations at Ashoka University, India. Published courtesy of Lawfare

No Comments Yet

Leave a Reply

Your email address will not be published.

©2025 Global Cyber Security Report. Use Our Intel. All Rights Reserved. Washington, D.C.