Why 2026 is a turning point: the regulatory drivers
The pressure on companies to design their cloud strategy in a sovereign way doesn’t come from abstract IT considerations. It comes from regulation—and it has increased significantly over the past 18 months.
NIS2 (in force since December 2025): The NIS2 implementation act obliges around 30,000 companies in Germany to demonstrably implement cybersecurity measures, including requirements for cryptography, data protection, and supply chain security. Anyone running critical workloads with a provider without European jurisdiction has a structural compliance problem. More on NIS2: NIS2 in practice: Personal liability, obligation to provide evidence, and what managing directors need to do now – Manage Now
EU Cloud Sovereignty Framework (since October 29, 2025)
The Cloud Sovereignty Framework serves as a standardized assessment framework for cloud sovereignty. The framework defines eight sovereignty objectives (SOV-1 to SOV-8) covering strategic, legal, operational, technological, data and AI sovereignty, as well as sustainability and supply chain resilience. For assessment, a five-level system called Sovereignty Effective Assurance Levels (SEAL 0-4) is used. Cloud providers must meet defined minimum levels to be considered in tenders
In addition, a Sovereignty Score is calculated that evaluates the provider’s quality and integration into the EU ecosystem, including ownership structure, governance, investments, and legal exposure to third countries such as the US CLOUD Act
EU Data Act (since September 12, 2025): The EU Data Act regulates who may access data under which conditions and strengthens the right to data portability. For companies storing data in proprietary cloud environments, new obligations to provide evidence and potential switching barriers arise.
DORA (since January 2025): For the financial sector, the Digital Operational Resilience Act also applies, setting explicit requirements for the resilience of IT service providers and cloud providers, including exit strategies and rights of control.
Geopolitical fragmentation: Beyond regulation, the geopolitical risk landscape has changed. IT decision-makers who have concentrated their entire critical infrastructure with a single hyperscaler from a third country face a risk that was still theoretical three years ago.