Digital sovereignty, understood as protection from unauthorized access to data, systems, and digital processes, is (as of 2025) an official goal of the German government and many other public institutions. The idea is to ensure that organizations are not dependent on external jurisdictions or providers and can shape their digital future independently.
It is a noble goal, but a hard one to pin down. What exactly "digital sovereignty" means remains vague, leaving plenty of room for interpretation. US hyperscalers exploit precisely this ambiguity in their marketing: they present their products as sovereign and GDPR-compliant, even though the reality tells a different story. In the following, we explain what lies behind this so-called "Sovereignty-Washing" and how to recognize it.
What is Sovereignty-Washing?
At a Glance
"Sovereignty-Washing" is the digital equivalent of "greenwashing": a marketing promise that claims sovereignty but cannot fully deliver on it.
The term "Sovereignty-Washing" refers to a current practice in which companies or IT service providers give the impression of being particularly data-sovereign, independent, or compliant with EU regulations, without actually living up to this promise in full. It is essentially a variation of greenwashing in the field of digital sovereignty, where marketing claims are used to gloss over reality.
For organizations that value data protection, independence and long-term planning certainty, or are legally required to ensure them, sovereignty-washing is particularly dangerous. It creates a false sense of security that is worthless in exactly the situations that matter, such as legal disputes or geopolitical conflicts. A wrong choice of partner or platform can become costly and difficult to reverse.
How to recognize Sovereignty-Washing
Many providers advertise with terms like "Made in Germany", "100% GDPR-compliant", or "sovereign cloud". However, such claims don’t automatically guarantee true digital independence, especially when core parts of the service rely on infrastructure or software from non-European providers.
The following questions can help assess how truly sovereign a provider’s offering is:
Is the company's headquarters located outside the EU?
❓ Why is this relevant?
If a company's headquarters are located outside the EU, it cannot be considered sovereign in the sense discussed here, even if it operates subsidiaries within the EU: the parent company, and with it the group, remains bound by the law of its home country.
The location of the headquarters determines the applicable legal framework and regulatory oversight. Companies are bound by the laws of their home country, which directly affects the protection of European data.
⚠️ Why is this a risk?
An example: the US CLOUD Act obliges providers subject to US jurisdiction to hand over data in their possession, custody or control when served with a valid US warrant or court order, regardless of where the data is physically stored. Being hosted in an EU data center therefore offers no protection against such an order. Comparable legislation exists in other non-EU countries as well.
🔍 Where to find answers?
Information on a company’s headquarters can usually be found in the legal notice (Impressum), the Terms and Conditions or the Privacy Policy.
Does the company host its data with a non-EU provider?
❓ Why is this relevant?
Hosting can introduce additional sovereignty risks, the use of US hyperscalers being a well-known example. Even if a company is headquartered in the EU, data may still be processed by data center operators located outside the EU or subject to US jurisdiction.
⚠️ Why is this a risk?
In many cases, providers rely on one of the three major US hyperscalers:
- Microsoft Azure
- Google Cloud
- Amazon Web Services (AWS)
All three are subject to the US CLOUD Act, yet they continue to dominate the European market. Providers from other regions also offer their services within the EU and carry comparable risks. Examples include:
- Alibaba Cloud (China)
- Huawei Cloud (China)
- Tata Communications (India)
While these providers are far less common in Europe than their US counterparts, they are still bound by the national laws of their home countries, which may have implications for data sovereignty and legal protection.
🔍 Where to find answers?
Information about which hosting provider is used is often included in a company’s Privacy Policy or in the Data Processing Agreement (DPA).
Does the company rely on non-European subcontractors?
❓ Why is this relevant?
Even companies headquartered in the EU can lose digital sovereignty if they use non-European subcontractors. This affects not only the hosting providers already mentioned, but also external IT service providers such as firewall vendors or content delivery network (CDN) providers.
⚠️ Why is this a risk?
Subcontractors located in third countries are subject to their respective national laws. As a result, data can legally and practically fall under foreign jurisdictions, even if the contracting company is based in the EU.
🔍 Where to find answers?
Information about subcontractors is usually found in a company's Terms and Conditions, DPAs, or Privacy Policy. Under the GDPR, a processor may only engage sub-processors with the controller's authorization and must inform the controller of any intended changes (Article 28), and both controllers and processors must keep records of their processing activities that name the recipients involved (Article 30). A customer is therefore entitled to ask for the complete list of sub-processors that handle its personal data, and a provider that cannot produce one is a warning sign in itself.
Why is it problematic if an EU-based company uses non-European subcontractors?
❓ Why is this relevant?
The level of digital sovereignty is not determined by a single factor but by the entire supply chain. That’s why taking a holistic view is so important, especially for organizations that truly value digital sovereignty.
⚠️ Why is this a risk?
Even if an EU company appears to maintain sovereignty on the surface, using non-European subcontractors or hosting data with US hyperscalers can undermine GDPR protections from a legal perspective. A transfer mechanism such as Standard Contractual Clauses or the EU-US Data Privacy Framework may make the transfer formally lawful, but it does not remove the subcontractor's obligations under its own jurisdiction, and the adequacy decisions such mechanisms rest on have been overturned before.
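The checklist above relies on reading the provider's documentation. As an added, independent cross-check (example code written for this article, not Stackfield's own tooling and not part of the original text), the following Python script flags outward-pointing DNS records of a provider, CNAMEs to CDN or PaaS hosts, MX hosts and SPF include targets, against an assumed list of well-known hosting, CDN and mail domains and their operators' home jurisdictions. The zone data is constructed, and the indicator list is illustrative rather than authoritative. Absence of a hit proves nothing: a CNAME only shows the front door, while backend hosting, backups or support tooling stay invisible to DNS, which is exactly why the documentary review remains necessary.

```python
"""Flag DNS evidence of non-EU infrastructure dependencies.

Added illustration, not Stackfield's code. Every record below is constructed,
and INDICATORS is an assumed, illustrative mapping of well-known hosting, CDN
and mail domains to their operators, not an authoritative list.
"""
import re
from dataclasses import dataclass

# Assumption: DNS name suffix -> (operator, home jurisdiction, ISO 3166-1 alpha-2).
INDICATORS = {
    "amazonaws.com": ("Amazon Web Services", "US"),
    "cloudfront.net": ("Amazon CloudFront", "US"),
    "azurewebsites.net": ("Microsoft Azure", "US"),
    "outlook.com": ("Microsoft 365", "US"),
    "google.com": ("Google", "US"),
    "cloudflare.net": ("Cloudflare", "US"),
    "aliyuncs.com": ("Alibaba Cloud", "CN"),
    "ovh.net": ("OVHcloud", "FR"),
}

EU_MEMBER_STATES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
}

# SPF terms that delegate mail authorisation to another domain's policy.
SPF_DELEGATION = re.compile(r"(?:^|\s)[+~?-]?(?:include:|redirect=)([A-Za-z0-9._-]+)")


@dataclass(frozen=True)
class Dependency:
    record: str        # where the evidence came from: CNAME, MX or SPF
    name: str          # the provider's own DNS name that points outward
    target: str        # the external host it points to
    operator: str
    jurisdiction: str


def classify_host(host: str):
    """Return (operator, jurisdiction) for a host. Matches on label boundaries,
    so 'notgoogle.com' is not mistaken for Google; the longest suffix wins."""
    host = host.rstrip(".").lower()
    best = None
    for suffix, info in INDICATORS.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, info)
    return best[1] if best else None


def spf_includes(txt: str) -> list:
    """Extract include:/redirect= targets from an SPF record. Other TXT records
    (site verification tokens, DKIM keys) yield nothing."""
    if not txt.lower().startswith("v=spf1"):
        return []
    return SPF_DELEGATION.findall(txt)


def assess(zone: dict) -> list:
    """Walk zone data and collect every recognised external dependency."""
    found = []
    for name, target in zone.get("CNAME", {}).items():
        info = classify_host(target)
        if info:
            found.append(Dependency("CNAME", name, target, *info))
    for name, hosts in zone.get("MX", {}).items():
        for host in hosts:
            info = classify_host(host)
            if info:
                found.append(Dependency("MX", name, host, *info))
    for name, txts in zone.get("TXT", {}).items():
        for txt in txts:
            for delegate in spf_includes(txt):
                info = classify_host(delegate)
                if info:
                    found.append(Dependency("SPF", name, delegate, *info))
    return found


def non_eu_operators(deps) -> set:
    """Operators whose home jurisdiction is not an EU member state."""
    return {d.operator for d in deps if d.jurisdiction not in EU_MEMBER_STATES}


# Constructed sample: a fictitious provider advertising "Hosted in Germany".
SAMPLE_ZONE = {
    "CNAME": {
        "www.provider.example": "d111111abcdef8.cloudfront.net.",
        "app.provider.example": "provider-app.azurewebsites.net.",
        "status.provider.example": "cluster021.hosting.ovh.net.",
    },
    "MX": {"provider.example": ["provider-example.mail.protection.outlook.com."]},
    "TXT": {"provider.example": [
        "v=spf1 include:spf.protection.outlook.com include:_spf.google.com -all",
        "google-site-verification=constructed-token",   # not SPF, ignored
    ]},
}

if __name__ == "__main__":
    deps = assess(SAMPLE_ZONE)
    for d in deps:
        print(f"{d.record:5} {d.name} -> {d.target}  [{d.operator}, {d.jurisdiction}]")
    print("Non-EU operators:", sorted(non_eu_operators(deps)))
```

Run against the constructed zone, the script reports six dependencies, four of them on US operators (the website and app front ends, inbound mail and outbound mail authorisation), even though only the status page lands with an EU operator. In a real review you would feed it the output of `dig` for the provider's domains and then compare the hits with the sub-processor list from the DPA; any operator that appears in DNS but not in the DPA is a question to put to the provider.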
4 examples of Sovereignty-Washing
US Hyperscaler:
Whether Microsoft, Amazon, or Google: the major US hyperscalers are currently (as of October 2025) promoting offerings that seem tailor-made to address Europe’s growing demand for digital sovereignty. Microsoft’s "Sovereign Cloud", Amazon’s "AWS European Sovereign Cloud", and Google’s equivalent all promise that data will be processed exclusively in European data centers and be subject to European law.
However, these initiatives do not change the companies’ headquarters or their legal obligations under US law. All three companies have confirmed this in independent interviews; Microsoft additionally did so before the French Senate. As a result, the core issue remains unchanged: sovereignty is suggested, but not actually guaranteed.
Delos Cloud:
Delos Cloud, a subsidiary of SAP, promotes itself as offering a sovereign cloud for the public sector. In reality, the platform is technically based on Microsoft technologies and relies on regular updates from the US company, creating an ongoing dependency.
Expert bodies such as the "Digital Sovereignty Working Group" of the German Informatics Society (Gesellschaft für Informatik) have warned about this setup. According to Prof. Dr. Harald Wehnes, spokesperson of the society’s presidential working group, such promises may in fact reinforce Germany’s structural dependency on Microsoft.
Gaia-X:
The Gaia-X initiative was launched by Germany and France in 2019 to create a federated, European cloud infrastructure. However, US hyperscalers like Microsoft, Amazon, and Google were involved from the outset. Critics warned early on that their influence could undermine the project.
As of 2025, Gaia-X is under pressure: delays, conflicting interests, and the strong influence of major US players threaten the project's ability to deliver true digital sovereignty in Europe.
European Providers with Infrastructure Dependencies:
Several European software and cloud providers use terms like "Made in Germany" or "Hosted in Germany" in their marketing. Behind the scenes, however, they often rely on infrastructure from US hyperscalers. Such claims lose their substance when data ultimately ends up being processed on servers owned by American companies.
As mentioned earlier, it is therefore essential to carefully review a provider’s documentation. This helps identify technical or legal dependencies early on.
How Stackfield ensures genuine digital sovereignty
At a Glance
Stackfield is built on the principle of genuine digital sovereignty: the company is headquartered in Germany, hosts all data exclusively in German data centers, and operates entirely without US hyperscalers. Thanks to client-side encryption, users retain full control over their data at all times.
True digital sovereignty – free from dependencies and without the risk of external data access from outside the EU – is a core principle at Stackfield. To ensure this, comprehensive measures have been put in place to prevent data from ever leaving the European legal sphere.
These measures include:
- Exclusive processing of all data on servers located within the EU
- Exclusive use of European subcontractors, for example for hosting and email delivery
- Complete avoidance of external tracking or analytics tools
As a purely German company, Stackfield, along with all subcontractors, is subject solely to German and European law. This means that legislation from third countries, such as the US CLOUD Act, simply does not apply.
Stackfield’s strong commitment to security and data protection is further demonstrated by its recognized ISO 27001, 27017 and 27018 certifications, as well as an attestation in accordance with the C5 criteria catalog issued by the German Federal Office for Information Security (BSI).
Conclusion: Sovereign solutions exist, you just need to know how to spot them
Many providers use the vague concept of "digital sovereignty" to build trust, but without disclosing their dependencies or legal obligations. This creates significant risks for customers: relying blindly on such promises can lead to a loss of control over systems and puts sensitive personal data at risk.
Real alternatives do exist, but they require a critical examination of key factors such as the company’s headquarters, the hosting infrastructure in use, and the subcontractors involved. Only when the entire supply chain is transparent can organizations ensure that digital sovereignty is not just a marketing label, but a genuine, lived reality.