Sovereign Clouds and the VMware Earthquake: Dependency Isn’t Just a Hyperscaler Problem

Sovereign Clouds and the VMware Earthquake: Dependency Isn’t Just a Hyperscaler Problem

Jul 29, 2025 | Alibaba Cloud, AWS, Azure, Google Cloud, Oracle Cloud Infrastructure, Sovereign Cloud, VMware Cloud Foundation

The concept of “sovereign cloud” has been making waves across Europe and beyond. Politicians talk about it. Regulators push for it. Enterprises (re-)evaluate it. On the surface, it sounds like a logical evolution: regain control, keep data within national borders, reduce exposure to foreign jurisdictions, and while you are at it, maybe finally break free from the gravitational pull of the U.S. hyperscalers.

After all, hyperscaler dependency is seen as the big bad wolf. If your workloads live in AWS, Azure, Google Cloud or Oracle Cloud Infrastructure, you are automatically exposed to price increases, data sovereignty concerns, U.S. legal reach (hello, CLOUD Act), and a sense of vendor lock-in that seems harder to escape with every commit to infrastructure-as-code.

So, the solution appears simple: go local, go sovereign, go safe.

But if only it were that easy.

The truth is: sovereignty isn’t something you can just buy off the shelf. It’s not a matter of switching cloud logos or picking the provider that wraps their marketing in your national flag. Because even within your own datacenter, even with platforms that have long been considered “sovereign” and independent, the same risks apply.

The best example? VMware.

What happened in the VMware ecosystem over the past year should be a wake-up call for anyone who thinks sovereignty equals control. Because, as we have now seen, control can vanish. Fast. Very fast.

VMware’s Rapid Fall from Grace

Take VMware. For years, it was the go-to platform for building secure, sovereign private clouds. Whether in your own datacenter or hosted by a trusted service provider in your region, VMware felt like the safe, stable choice. No vendor lock-in (allegedly), no forced cloud-native rearchitecture, and full control over your workloads. Rainbows, unicorns, and that warm fuzzy feeling of sovereignty.

Then came the Broadcom acquisition, and with it, a cold splash of reality.

As Hock Tan , our President and CEO, shared in today's General Session at VMware Explore Barcelona, European customers want control over their data and processes. | Broadcom

Practically overnight, prices shot up. In some cases, more than doubled. Features were suddenly stripped out or repackaged into higher-priced bundles. Longstanding partner agreements were shaken, if not broken. Products disappeared or were drastically repositioned. Customers and partners were caught off guard. Not just by the changes, but by how quickly they hit.

And just like that, a platform once seen as a cornerstone of sovereign IT became a textbook example of how fragile that sovereignty really is.

Sovereignty Alone Doesn’t Save You

The VMware story exposes a hard truth: so-called “sovereign” infrastructure isn’t immune to disruption. Many assume risk only lives in the public cloud under the branding of AWS, Azure, or Oracle Cloud. But in reality, the triggers for a “cloud exit” or forced platform shift can be found anywhere. Also on-premises!

A sudden licensing change. An unexpected acquisition. A new product strategy that leaves your current setup stranded. None of these things care whether your workloads are in a public cloud region or a private rack in your basement. Dependency is dependency, and it doesn’t always come with a hyperscaler logo.

It’s Not About Picking the Right Vendor. It’s About Being Ready for the Wrong One.

That’s why sovereignty, in the real world, isn’t something you just buy. It’s something you design for.

Note: Some hyperscalers now offer “sovereign by design” solutions but even these require deeper architectural thinking.

Sure, a Greenfield build on a sovereign cloud stack sounds great. Fresh start, full control, compliance checkboxes all ticked. But the reality for most organizations is very different. They have already invested years into specific platforms, tools, and partnerships. There are skill gaps, legacy systems, ongoing projects, and plenty of inertia. Ripping it all out for the sake of “clean” sovereignty just isn’t feasible.

That’s what makes architecture, flexibility, and diversification so critical. A truly resilient IT strategy isn’t just about where your data lives or which vendor’s sticker is on the server. It’s about being ready (structurally, operationally, and contractually) for things to change.

Because they will change.

Open Source ≠ Sovereign by Default

Spoiler: Open source won’t save you either

Let’s address another popular idea in the sovereignty debate. The belief that open source is the magic solution. The holy grail. The thinking goes: “If it’s open, it’s sovereign”. You have the source code, you can run it anywhere, tweak it however you like, and you are free from vendor lock-in. Yeah, right.

Sounds great. But in practice? It’s not that simple.

Yes, open source can enable sovereignty, but it doesn’t guarantee it. Just because something is open doesn’t mean it’s free of risk. Most open-source projects rely on a global contributor base, and many are still controlled, governed, or heavily influenced by large commercial vendors – often headquartered in the same jurisdictions we are supposedly trying to avoid. Yes, that’s good and bad at the same time, isn’t it?

And let’s be honest: having the source code doesn’t mean you suddenly have a DevOps army to maintain it, secure it, patch it, integrate it, scale it, monitor it, and support it 24/7. In most cases, you will need commercial support, managed services, or skilled specialists. And with that, new dependencies emerge.

So what have you really achieved? Did you eliminate risk or just shift it?

Open source is a fantastic ingredient in a sovereign architecture – in any cloud architecture. But it’s not a silver bullet.

Behind the Curtain – Complexity, Not Simplicity

From the outside, especially for non-IT people, the sovereign cloud debate can look like a clear binary: US hyperscaler = risky, local provider = safe. But behind the curtain, it’s much more nuanced. You are dealing with a web of relationships, existing contracts, integrated platforms, and real-world limitations.

The Broadcom-VMware shake-up was a loud and very public reminder that disruption can come from any direction. Even the platforms we thought were untouchable can suddenly become liabilities.

So the question isn’t: “How do we go sovereign?”

It’s: “How do we stay in control, no matter what happens?”

That’s the real sovereignty.

Oracle’s EU Sovereign Cloud Is Real. AWS’s Is Still a Roadmap

Oracle’s EU Sovereign Cloud Is Real. AWS’s Is Still a Roadmap

Jul 28, 2025 | AWS, Oracle Cloud Infrastructure, Sovereign Cloud

The digital sovereignty debate in Europe is evolving fast. As data privacy regulations tighten and public sector requirements become more explicit, the race among hyperscalers to deliver truly sovereign infrastructure has entered a new chapter. AWS’s recent unveiling of its European Sovereign Cloud, set to arrive in late 2025, has generated considerable attention. But when it comes to choosing a sovereign cloud today that meets regulatory, operational, and architectural requirements, Oracle Cloud Infrastructure (OCI) is not only ahead, it’s already delivering for two years.

Note: The German version of this article can be found here.

Not Just a Data Center in Europe

Many cloud providers claim “sovereignty” by operating a data center in the EU. But true sovereignty extends beyond location. It encompasses who operates the infrastructure, who can access the data, how services are isolated, and how control is governed.

This is where Oracle has drawn a clear line in the sand.

Oracle’s EU Sovereign Cloud, launched in 2023, was designed specifically to meet the stringent legal, operational, and security requirements of European governments and regulated industries. It doesn’t simply retrofit an existing model but delivers a fully isolated cloud realm, physically and logically separated from Oracle’s global infrastructure, governed by EU laws, and operated exclusively by EU personnel.

A graphic depicting OCI realms with separation.

AWS, by contrast, has announced a sovereign model with similar goals but it’s still under development. The first region, located in Brandenburg, Germany, won’t be operational until late 2025, and much remains to be proven about how it will be implemented, governed, and audited.

Oracle is Shipping, AWS is Promising

Let’s be clear: AWS’s European Sovereign Cloud announcement is comprehensive and well-articulated. It lays out a future where services will be operated by EU-based subsidiaries, under EU laws, and with controls in place to maintain data independence from AWS’s global infrastructure. Their governance structure even includes an independent advisory board and EU-based trust services.

But for CIOs and CTOs making infrastructure decisions today, those promises offer little operational value.

Oracle’s two sovereign regions (Frankfurt and Madrid) are already live and serving customers. These regions are:

  • Controlled by separate legal entities based in the EU.

  • Operated by EU-resident staff with no external or global personnel access.

  • Physically and logically isolated from Oracle’s global commercial cloud, including separate networking, control planes, and identity services.

  • Offering identical services, SLAs, and pricing to Oracle’s standard OCI regions without sovereignty surcharges or trade-offs.

This level of readiness provides certainty. For public sector agencies, financial services institutions, healthcare providers, and others operating under GDPR or national sovereignty laws, Oracle’s offering is deployable today and auditable under real-world conditions.

Governance and Transparency – Built-In, Not Promised

AWS has made bold commitments around its future governance model. Its European cloud will be operated by German-incorporated subsidiaries, employ EU-resident personnel, and adhere to a Sovereign Requirements Framework (SRF) backed by independent audits. These measures are vital, and if delivered as described, they will represent a meaningful step forward in how cloud sovereignty is implemented.

However, the keyword is “if”. At this stage, AWS is still laying the foundation, and the structure – however promising – remains untested.

Oracle, on the other hand, has already passed this test. Its governance model is active today. Customers have full audit visibility, complete operational transparency, and confidence that their data never leaves the EU, either technically or legally. Oracle’s setup has passed certifications including SOC 1, 2, and 3, CSA, STAR, PCI, HIPAA, C5, HDS, ENS, and ISO 9001, 20000-1, 27001, 27017, 27018, and 27701. External key management (including customer-controlled keys outside of Oracle’s access) further strengthens the platform’s trust envelope.

Service Parity Without Sovereignty Tax

A common concern with sovereign clouds is the trade-off in features and performance. AWS says it plans to deliver full service parity with its global cloud, but again, that’s a roadmap, not a guarantee.

Oracle’s sovereign cloud offers over 150 OCI services – from autonomous databases to Kubernetes, from serverless functions to AI/ML tooling – without compromise. Pricing remains consistent with OCI’s commercial regions. There’s no premium, no second-tier treatment, and no degraded performance due to isolation. Sovereignty isn’t an upsell; it’s an expectation.

Isolation That’s Architectural, Not Just Geographic

Oracle’s architecture reflects a deep understanding that sovereignty is a technical state, not just a geographic one. Its sovereign cloud is:

  • Part of a distinct cloud realm, meaning no shared control plane, no global peering, and no cross-realm data leakage.

  • Accessible via FastConnect or VPN, with inter-region replication supported over a dedicated sovereign backbone.

  • Designed for infrastructure resilience, with separate fault domains and the ability to replicate workloads across regions while staying within the EU realm.

AWS has pledged to build similar isolation into its new cloud, but the full details, and whether it can match Oracle’s realm-level segmentation, remain unclear.

VMware in a Sovereign Cloud? Oracle Makes It Possible Today

One of the biggest challenges for organizations with deeply integrated VMware environments is finding a sovereign cloud that allows for seamless migration without rearchitecture. Oracle Cloud VMware Solution (OCVS) delivers precisely that. And it’s available within Oracle’s EU Sovereign Cloud, a capability unmatched by other hyperscalers at this time.

OCVS is a fully customer-managed VMware environment running on dedicated baremetal infrastructure inside Oracle Cloud. It includes VMware Cloud Foundation (VCF) and HCX – all running natively, with full control and administrative access maintained by the customer. 

In the context of data sovereignty, OCVS offers distinct advantages:

  • Runs inside Oracle’s isolated sovereign realm – ensuring that your VMware workloads remain within the EU, under EU jurisdiction, and operated only by EU-resident staff.

  • No dependency on shared control planes or global services, which means your VMware environment is as isolated and sovereign as the underlying cloud infrastructure.

  • No need to retrain teams or re-platform applications – existing tools, automation, and skill sets transfer directly.

For organizations planning sovereign migration strategies, OCVS provides a low-friction, high-control path to the cloud, while ensuring compliance and other sovereignty mandates. It’s particularly appealing for highly regulated sectors such as government, banking, insurance, and critical infrastructure where both operational continuity and auditability are essential.

Oracle Compute Cloud@Customer – Now with EU Sovereign Operations

Oracle has extended its EU Sovereign Cloud model to Compute Cloud@Customer (C3) bringing cloud infrastructure and EU governance directly into your data center. This is a game-changer for organizations with strict data residency and control requirements that cannot move workloads to the public cloud.

The updated C3 model is now:

  • Deployed on-premises

  • Managed only by EU-based personnel

  • Operated entirely under EU jurisdiction

No global cloud involvement. No shared control planes. Just full-stack OCI services, physically hosted on your site and governed like the sovereign cloud regions in Frankfurt and Madrid.

For public sector bodies, critical infrastructure, or industries like defense and healthcare, this means deploying modern cloud infrastructure without compromise.

Oracle Compute Cloud@Customer with EU Sovereign operations closes the gap between private cloud and true sovereignty. That’s something only Oracle can offer at the moment.

Note: Please note there’s also an air-gapped version of C3 available now.

Conclusion – The Time to Act is Now, and Oracle is Ready

AWS’s European Sovereign Cloud will be an important development when it arrives. But for European organizations operating under strict data localization and control mandates, the ability to deploy, scale, and audit sovereign infrastructure today is critical.

Oracle’s EU Sovereign Cloud is here, certified, compliant, and production-ready. It aligns with the reality of European data sovereignty.

For CIOs and CTOs, the choice is between planning for the future or executing in the present. In this case, the best strategic move is to choose a provider that isn’t just promising sovereignty but already delivering it.

Additional Resources:

Cloud Exit Triggers – What Happens When the Exit Button Isn’t Optional?

Cloud Exit Triggers – What Happens When the Exit Button Isn’t Optional?

Jul 20, 2025 | OCI Dedicated Region, Oracle Alloy, Oracle Compute Cloud@Customer, Sovereign Cloud

It is becoming clearer by the day: geopolitical realities are forcing CIOs and regulators to revisit their cloud strategy, not just for performance or innovation, but for continuity, legal control, and sovereignty. The past few years have been a story of cloud-first, then cloud-smart, and then about cloud repatriation. The next chapter is about cloud control. And with the growing influence of U.S. legislation like the CLOUD Act, many in Europe’s regulated sectors are starting to ask: what happens when we need to exit?

Now add another layer: what if your cloud provider is still technically and legally subject to a foreign jurisdiction, even when the cloud lives in your own country and your own data centers?

That’s the fundamental tension/question with models like Oracle Alloy (or OCI Dedicated Region), a promising construct that brings full public cloud capabilities into local hands, but with a control plane and infrastructure still operated by Oracle itself. So what if something changes (for example, politically) and you need to exit?

Let’s explore what that exit could look like in practice, and whether Oracle’s broader portfolio provides a path forward for such a scenario.

Local Control – How Far Does Oracle Alloy Really Go?

Oracle Alloy introduces a compelling model for delivering public cloud services with local control. For providers like cloud13 (that’s the fictitious company I am using for this article), this means the full OCI service catalogue can run under the cloud13 brand, with customer relationships, onboarding, and support all handled locally. Critically, the Alloy control plane itself is deployed on-premises in cloud13’s own data center, not remotely managed from an Oracle facility. This on-site architecture ensures that operational control, including provisioning, monitoring, and lifecycle management, remains firmly within Swiss borders.

But while the infrastructure and control plane are physically hosted and operated by cloud13, Oracle still provides and maintains the software stack. The source code, system updates, telemetry architecture, and core service frameworks are still Oracle-owned IP, and subject to Oracle’s global governance and legal obligations. 

Please note: Even in disconnected Alloy scenarios, update mechanisms or security patches may require periodic Oracle coordination. Understanding how these touchpoints are logged and audited will be crucial in high-compliance sectors.

Oracle Alloy

So, while cloud13 ensures data residency, operational proximity, and sovereign service branding, the legal perimeter around the software stack itself may still inherit external jurisdictional influence.

For some sectors, this hybrid control model strikes the right balance. But for others, particularly those anticipating geopolitical triggers (even highly unlikely!) or regulatory shifts, it raises a question: what if you need to exit Alloy entirely?

What a Cloud Exit Really Costs – From Oracle to Anywhere

Let’s be honest and realistic: moving cleanly from Oracle Cloud Infrastructure (OCI) to a hyperscaler like AWS or Azure is anything but simple. OCI’s services are deeply intertwined. If you are running Oracle-native PaaS or database services, you are looking at significant rework – sometimes a full rebuild – to get those workloads running smoothly in a different cloud ecosystem.

On top of that, data egress fees can quickly pile up, and when you add the cost and time of re-certification, adapting security policies, and retraining your teams on new tools, the exit suddenly becomes expensive and drawn out.

That brings us to the critical question: if you are already running workloads in Oracle Alloy, what are your realistic exit paths, especially on-premises?

Going the VMware, Nutanix, or Platform9 route doesn’t solve the problem much either. Sure, they offer a familiar infrastructure layer, but they don’t come close to the breadth of integrated platform services Oracle provides. Every native service dependency you have will need to be rebuilt or replaced.

Then There’s Azure Local and Google Distributed Cloud

Microsoft and Google both offer sovereign cloud variants that come in connected and disconnected flavours.

While Azure Local and Google Distributed Cloud are potential alternatives, they behave much like public cloud platforms. If your workloads already live in Azure or Google Cloud, these services might offer a regulatory bridge. But if you are not already in those ecosystems, and like in our case, are migrating from an Oracle-based platform, you are still facing a full cloud migration.

Yes, that’s rebuilding infrastructure, reconfiguring services, and potentially rearchitecting dozens or even hundreds of applications.

And it’s not just about code. Legacy apps often depend on specific runtimes, custom integrations, or licensed software that doesn’t map easily into a new stack. Even containerised workloads need careful redesign to match new orchestration, security, and networking models. Multiply that across your application estate, and you are no longer talking about a pivot.

You are talking about a multi-year transformation programme.

That’s before you even consider the physical reality. To run such workloads locally, you would need enough data center space (image repatriation or a dual-vendor strategy), power, cooling, network integration, and a team that can operate it all at scale. These alternatives aren’t just expensive to build. They also require a mature operational model and skills that most enterprises simply don’t have ready.

One cloud is already challenging enough. Now, imagine a multi-cloud setup and pressure to migrate.

From Alloy to Oracle Compute Cloud@Customer Isolated – An Exit Without Downtime

Oracle’s architecture allows customers to move their cloud workloads from Alloy into an Oracle Compute Cloud@Customer environment (known as C3I), with minimal disruption. Because these environments use the exact same software stack and APIs as the public OCI cloud, workloads don’t need to be rewritten or restructured. You maintain the same database services, the same networking constructs, and the same automation frameworks.

This makes the transition more of a relocation than a rebuild. Everything stays intact – your code, your security model, your SLAs. The only thing that changes is the control boundary. In the case of C3I, Oracle has no remote access. All infrastructure remains physically isolated, and operational authority rests entirely with the customer.

Oracle Compute Cloud@Customer Isolated

By contrast, shifting to another public or private cloud requires rebuilding and retesting. And while VMware or similar platforms might accommodate general-purpose workloads, they still lack the cloud experience.

Note: Oracle Compute Cloud@Customer offers OCI’s full IaaS and a subset of PaaS services.

While C3I doesn’t yet deliver the full OCI portfolio, it includes essential services like Oracle Linux, Autonomous Database, Vault, IAM, and Observability & Management, making it viable for most regulated use cases.

Alloy as a Strategic Starting Point

So, should cloud13 even start with Alloy?

That depends on the intended path. For some, Alloy is a fast way to enter the market, leveraging OCI’s full capabilities with local branding and customer intimacy. But it should never be a one-way road. The exit path, no matter what the destination is, must be designed, validated, and ready before geopolitical conditions force a decision.

This isn’t a question of paranoia. It’s good cloud design. You want to have an answer for the regulators. You want to be prepared and feel safe.

The customer experience must remain seamless. And when required, ideally, the workloads must move within the same cloud logic, same automation, and same/some platform services.

Could VMware Be Enough?

For some customers, VMware might remain a logical choice, particularly where traditional applications and operational familiarity dominate. It enables a high degree of portability, and for infrastructure-led workloads, it’s an acceptable solution. But VMware environments lack integrated PaaS. You don’t get Autonomous DB. You get limited monitoring, logging, or modern analytics services. You don’t get out-of-the-box identity federation or application delivery pipelines.

Ultimately, you are buying infrastructure, not a cloud.

The Sovereign Stack – C3I and Exadata Cloud@Customer

That’s why Oracle’s C3I, especially when paired with Exadata Cloud@Customer (ExaCC) or a future isolated variant of it, offers a more complete solution. It delivers the performance, manageability, and sovereignty that today’s regulated industries demand. It lets you operate a true cloud on your own terms – local, isolated, yet fully integrated with Oracle’s broader cloud ecosystem.

C3I may not yet fit every use case. Its scale and deployment model must match customer expectations. But for highly regulated workloads, and especially for organizations planning for long-term legal and geopolitical shifts, it represents the most strategic exit vector available.

Final Thought

Cloud exit should never be a last-minute decision. In an IT landscape where laws, alliances, and risks shift quickly, exit planning is not a sign of failure. It’s considered a mark of maturity!

Oracle’s unique ecosystem, from Alloy to C3I, is one of the few that lets you build with that maturity from day one.

Whether you are planning a sovereign cloud, or are already deep into a regulated workload strategy, now is the time to assess exit options before they are needed. Make exit architecture part of your initial cloud blueprint.

Why Switzerland Needs a Different Kind of Sovereign Cloud

Why Switzerland Needs a Different Kind of Sovereign Cloud

Jul 17, 2025 | OCI Dedicated Region, Oracle Alloy, Oracle Cloud Infrastructure, Sovereign Cloud

Switzerland doesn’t follow. It observes, evaluates, and decides on its own terms. In tech, in policy, and especially in how it protects its data. That’s why the typical EU sovereign cloud model won’t work here. It solves a different problem, for a different kind of political union.

But what if we could go further? What if the right partner, one that understands vertical integration, local control, and legal separation, could build something actually sovereign?

That partner might just be Oracle.

Everyone is talking about the EU’s digital sovereignty push and Oracle responded with a serious answer: the EU Sovereign Cloud, which celebrated its second anniversary a few weeks ago. It’s a legally ring-fenced, EU-operated, independently staffed infrastructure platform. Built for sovereignty, not just compliance.

That’s the right instinct. But Switzerland is not the EU. And sovereignty here means more than “EU-only.” It means operations bound by Swiss law, infrastructure operated on Swiss soil, and decisions made by Swiss entities.

Oracle Alloy and OCI Dedicated Region – Sovereignty by Design

Oracle’s OCI Dedicated Region and the newer Alloy model were designed with decentralization in mind. Unlike traditional hyperscaler zones, these models bring the entire control plane on-premises, not just the data.

That allows for policy enforcement, tenant isolation, and lifecycle management to happen within the customer’s boundaries, without default exposure to centralized cloud control towers. In short, the foundation for digital sovereignty is already there.

But Switzerland, especially the public sector, expects more.

What Still Needs to Be Solved for Switzerland

Switzerland doesn’t just care about where data sits. It cares about who holds the keys, who manages the lifecycle, and under which jurisdiction they operate.

While OCI Dedicated Region and Alloy keep the control plane local, certain essential services, such as telemetry, patch delivery, and upgrade mechanisms, still depend on Oracle’s global backbone. In the Swiss context, even a low-level dependency can raise concerns about jurisdictional risk, including exposure to laws like the U.S. CLOUD Act.

Support must remain within Swiss borders. Sovereign regions that rely on non-Swiss teams or legal entities to resolve incidents still carry legal and operational exposure – but this data can be anonymized. Sovereignty includes not only local infrastructure, but also patch transparency, cryptographic root trust, and full legal separation from foreign jurisdictions. 

Yes, operational teams must be Swiss-based, except at the tier 2 or tier 3 level.

Avaloq Is Already Leading the Way

This isn’t just theory. Switzerland already has a working example: Avaloq, the Swiss financial technology provider, is running core workloads on OCI Dedicated Region.

These are not edge apps or sandbox environments. Avaloq supports mission-critical platforms for regulated financial institutions. If they trust Oracle’s architecture with that responsibility, the model is clearly feasable. From a sovereignty, security, and compliance perspective.

Avaloq’s deployment shows that Swiss-regulated workloads can run securely, locally, and independently. And if one of Switzerland’s most finance-sensitive firms went down this path, others across government, healthcare, and infrastructure should be paying attention.

Sovereignty doesn’t mean reinventing everything. It means learning from those already building it.

The Bottom Line

Switzerland doesn’t need more cloud. It needs a cloud built for Swiss values: neutrality, autonomy, and legal independence.

Oracle is closer to that model than most. Its architecture is already designed for local control. Its EU Sovereign Cloud shows it understands the legal and operational dimensions of sovereignty. And with Avaloq already in production on OCI Dedicated Region, the proof is there.

The technology is ready. The reference customer is live.

What comes next is a question of commitment.

Why Sovereignty Needs Both Centralization and Decentralization

Why Sovereignty Needs Both Centralization and Decentralization

Jul 14, 2025 | OCI Dedicated Region, Oracle Alloy, Oracle Cloud Infrastructure, Oracle Compute Cloud@Customer, Sovereign Cloud

Europe’s cloud strategy is at a crossroads. There’s pressure to take control, to define sovereignty in infrastructure terms, and to reduce exposure to non-European hyperscalers. But somewhere along the way, the conversation fell into a binary trap: either centralize for control or decentralize for autonomy.

That’s not how modern systems work. And it’s not how sovereignty is going to work either.

Europe’s reliance on U.S. hyperscalers remains a security and sovereignty risk. While countries like France, Germany, and Italy invest in local providers, their efforts remain siloed. Without alignment, Europe is left with patchwork sovereignty.

I said it many times already, but let me repeat it. Sovereignty in the cloud isn’t a matter of choosing one path or the other. It’s about building an architecture that combines both centralized coordination with decentralized execution. Anything else either fragments too fast or becomes too rigid to function in a sovereign context.

Centralization Is About Structure, Not Control

Centralization plays a role. A central governance framework helps define what sovereignty means: where data can move, who operates the infrastructure, how compliance is enforced, how identity is managed. Without some level of central alignment, sovereignty collapses into 27 different interpretations with no common ground.

This is where Europe still struggles. They are good at setting principles – GDPR, data residency, trusted cloud labels – but they lack shared operational infrastructure. What they do have is fragmented: agencies, member states, and industry sectors each building their own versions of sovereignty with little interoperability between them.

Centralization brings order, but order alone isn’t resilience.

Sovereign Microzones: Fragmented by Design

The current trajectory in many parts of Europe is toward what could be called sovereign microzones, individually defined, locally controlled, often incompatible cloud environments built by national or sector-specific entities.

These microzones are born out of good intentions: protect critical data, maintain legal oversight, reduce dependency. But most of them don’t scale well. Each implementation introduces its own stack, its own compliance logic, and often its own interpretation of what “sovereign” really means.

In practice, this results in technical fragmentation and governance friction. Cross-border collaboration becomes harder. Data sharing between sectors stalls. Innovation slows as cloud-native capabilities are stripped back to meet narrow compliance targets.

Sovereignty was never meant to be a bunker. If these microzones can’t interoperate, they may become silos. Silos with flags on top.

Operational Autonomy vs. Strategic Realism

One idea gaining momentum is operational autonomy, ensuring that European workloads can continue to run even in the event of a political embargo or legal dispute with a non-EU provider. It’s a serious concept, grounded in real geopolitical concerns. The fear is that U.S. cloud vendors could, under extraordinary circumstances, be forced to restrict services in Europe. I get it.

But let’s be honest: the probability of a coordinated embargo cutting off hundreds of cloud regions across Europe is extremely low. Not zero. But close. The legal, economic, and political blowback would be enormous. The U.S. has more to lose than gain by treating Europe as an adversary in this space.

Still, operational autonomy has value. It’s about having options. The ability to reassign workloads, shift operational control, and decouple governance when needed. But building that autonomy doesn’t mean rejecting foreign technology outright. It means investing in layered sovereignty: trusted deployment models, contractual separation, technical isolation when necessary, and above all – control over the control plane.

Note: Operational autonomy is not the same as autarky.

What Oracle Cloud Enables

Oracle Cloud fits this model in ways that are often overlooked. Not because it’s European, it isn’t, but because it supports the technical and operational diversity that sovereignty requires.

With OCI Dedicated Region and the Cloud@Customer portfolio, institutions can run full-featured or a subset of Oracle Cloud environments inside their own data centers, with some/complete control over operations, updates, and access.

Oracle’s EU Sovereign Cloud further separates European workloads from global infrastructure, with EU-based personnel and compliance boundaries. And unlike some providers, Oracle doesn’t require full-stack standardization to make it work. It’s open, modular, and designed for interoperability.

A good example of this approach is the new partnership between Oracle and Nextcloud. It brings together a leading European open-source collaboration platform with Oracle’s sovereign cloud infrastructure. The result is a deployment model where public sector organizations can run Nextcloud in a scalable, cloud-native environment while maintaining full data control and legal jurisdiction within the EU. It’s an antidote to sovereign fragmentation: a solution that respects both European values and operational pragmatism.

This kind of flexibility matters. It respects the complexity of European sovereignty rather than trying to erase it.

Conclusion: Not Either/Or – Both

Europe shouldn’t have to choose between centralization and decentralization. In fact, it can’t. Real sovereignty (political, technical, operational) lives in the tension between the two.

The false choice only leads to false confidence. The reality is more difficult, but also more durable: structure without rigidity, autonomy without fragmentation.

Sovereignty isn’t built in isolation. It’s coordinated. Together.

Rethinking Digital Sovereignty – From Decentralized Control to a “Cloud NATO” for Europe

Rethinking Digital Sovereignty – From Decentralized Control to a “Cloud NATO” for Europe

Jul 12, 2025 | Oracle Cloud Infrastructure, Oracle Compute Cloud@Customer, Sovereign Cloud

Cloud infrastructure has quietly become one of the most strategic layers of modern sovereignty. The ability to store, process, and control data within national or regional boundaries isn’t just a regulatory preference anymore. It’s a matter of economic security, political leverage, and systemic resilience.

Across Europe, the pressure is mounting to find alternatives to centralized cloud dependencies, especially on non-European hyperscalers. But the response doesn’t have to be isolation or reinvention. A new kind of architecture is emerging, one that combines local control with collective strength.

This article explores two major ideas driving the conversation forward: decentralized digital sovereignty and the potential for a NATO-style model of cloud governance. It also looks at how Oracle Cloud aligns with this vision as a modular enabler of sovereignty, interoperability, and trust.

The Shift Toward Decentralized Sovereignty

When digital sovereignty first entered the mainstream conversation, it was often framed in binary terms: own the stack, or remain dependent. Control your cloud, or get locked in. But real-world infrastructure isn’t built on such clean lines. Across Europe, what’s emerging is a decentralized approach to sovereignty – one that accepts technical diversity, regulatory pluralism, and federated execution.

A decentralized model doesn’t reject sovereignty, it redefines it. Each country, or even each sector, can set and enforce its own policies around data protection, infrastructure, and compliance. But instead of operating in isolation, these systems connect through shared governance, open standards, and secure interoperability. It’s not about building a pan-European hyperscaler but about creating a European cloud ecosystem.

This is the principle behind initiatives like Gaia‑X, which doesn’t aim to replace existing infrastructure, but rather to standardize how participants exchange data, certify services, and establish trust. It’s sovereignty is maintained at the edge, but coordinated at the core.

This model is particularly well-suited to the European context, where data protection laws like the GDPR already offer a common legal framework, but where political and operational control must remain localized. Sovereignty, in this sense, becomes a set of enforceable guarantees, not a monolithic stack.

From Decentralization to Collective Defense – A “Cloud NATO”?

Decentralized control brings autonomy, but what about defense? In a digital world, resilience isn’t just about uptime. It’s about coordination. Europe needs to think beyond who hosts the data and start asking how we defend, recover, and coordinate our digital responses as a unified front.

The idea of a “Cloud NATO” is more than a metaphor. Like its military counterpart, it would be built on the principle of shared responsibility with local autonomy. Each country would operate its own cloud environment: certified, secured, and governed by its own rules. But all participants would align on common protocols for interoperability, auditing, security standards, and incident response.

Think of it as a federation of sovereign clouds: decentralized in ownership, but unified in execution when needed. Such a model would preserve the diversity of national approaches and offer a collective backbone for coordination and trust.

In moments of crisis, whether regulatory, technical, or geopolitical, a NATO-style alliance would allow sovereign clouds to mutually support each other, share threat intelligence, and even mirror critical workloads across trusted jurisdictions. In a time of rising cyber threats, digital fragmentation is not an option, but neither is centralization. A federated alliance may be the only workable path.

Where Oracle Cloud Fits In

To make these models viable, Europe needs cloud providers that don’t force one mode of operation. It needs platforms that support sovereignty by design, federation by architecture, and trust by default. Oracle Cloud brings several elements to this table.

Oracle offers one of the most modular and flexible cloud deployment models in the hyperscaler landscape. With Dedicated Region and Cloud@Customer, Oracle enables governments and critical industries to deploy full-featured Oracle Cloud environments within national borders or sovereign facilities. That means local control over infrastructure, compliance, and operations- without giving up cloud-native scalability or modern service architectures.

Crucially, Oracle’s architecture emphasizes openness. It supports Kubernetes, open APIs, and multi-cloud integrations, ensuring sovereign environments aren’t isolated silos but nodes in a larger ecosystem. Whether connecting ministries across borders or bridging data domains between sectors, this openness makes decentralized coordination feasible at scale.

Building Blocks for a “Cloud NATO”

For a federated governance model to work, interoperability isn’t enough. Providers must support auditable governance, strong identity management, transparent encryption controls, and legal separation of sovereign workloads. Oracle’s EU Sovereign Cloud does exactly that: operating independently from its global infrastructure, with EU-based support, operations, and compliance.

Oracle also demonstrates multi-cloud execution through its partnership with Microsoft Azure, Amazon Web Services and Google Cloud, where Oracle Database services run natively in Azure, AWS or GCP data centers. It’s a working example of what a trusted, cross-platform alliance can look like. Tech giants respect the sovereignty of each other’s platforms while delivering real interoperability.

These technical capabilities are supported by a broader strategy: Oracle doesn’t push for lock-in or exclusive dependencies. It supports coexistence and federation. The very principles that would make a “Cloud NATO” not just possible, but resilient.

Sovereignty Is Evolving. So Should the Cloud

The old model of sovereignty – one state, one data center, one stack – is no longer viable. Europe needs an approach to cloud that is both locally governed and globally coordinated.

Decentralized sovereignty gives each country the autonomy it needs. A “Cloud NATO” gives the continent the collective strength it lacks. Together, they offer a roadmap not just for compliance, but for cloud independence with integrity.

And for this to work, cloud providers must be more than platforms, they must be partners in sovereignty. Oracle’s architecture, deployment flexibility, and governance tooling place it in a unique position to support this shift. Not by dominating the stack, but by enabling distributed trust.

The future of Europe’s cloud may not belong to a single player. It may belong to an alliance.