
US enterprises are not far behind. The SEC’s cybersecurity disclosure rules, CISA’s AI security guidance, proposed state-level AI regulations and growing board-level scrutiny of AI governance are creating comparable pressures on this side of the Atlantic. If your organization runs AI workloads on behalf of EU clients, operates EU subsidiaries or simply faces the question of where sensitive AI training data and model outputs should live, you are already in this conversation. The European experience is your preview.
What has not arrived is clarity on what you actually get — and what you do not. At the European Identity and Cloud Conference in Berlin this May, the mood among practitioners had shifted measurably from previous years. The cheering for the sovereign cloud concept was over. What was happening on stage and in the corridors was a careful, sometimes uncomfortable, dissection of the gap between marketing slides and operational reality. (EIC returns to Berlin in May 2027.)
The conference agenda made the shift visible. Where previous years centered on sovereign cloud architecture and vendor selection, the 2026 program’s trending themes — as mapped in the closing session — were AI security, identity fabric, workload identity management, and crypto agility. Sovereign cloud had become assumed infrastructure. The practitioner conversation had moved to what you build on top of it, and who controls that layer.
Martin Kuppinger, distinguished analyst and co-founder of KuppingerCole, observed the same shift: “Cloud sovereignty had a much larger role at this year’s EIC, with a differentiated discussion about whether and where it is needed. There is common sense that sovereignty is not a value in its own right — the required level depends on the use case and a proper risk assessment. There is no binary model for sovereignty.”
