Sovereignty, residency and location: three concepts not to confuse
These three terms are often used interchangeably, even though they describe very different guarantees — a common confusion that leads to provider choices poorly aligned with the actual need.
Data location
Location simply designates the geographic place where data is physically stored. It's the weakest of the three guarantees: it says nothing about which law applies to that data, or who can legally access it.
Data residency
Residency goes further by contractually or regulatorily guaranteeing that data stays within a defined geographic area (for example the European Union), usually including commitments on outbound data flows.
Digital sovereignty
Sovereignty is the most complete guarantee: it covers legal, administrative and technical control over data, generally ensured by an entity operating under a specific jurisdiction. A fully sovereign cloud is operated by an EU-incorporated entity, which eliminates exposure to extraterritorial legislation like the US CLOUD Act — even if the data is physically hosted in Europe.
Data stored in Europe at a local subsidiary of a US company remains potentially subject to the CLOUD Act, which allows US authorities to request access to data under certain conditions, regardless of its physical location. Location alone therefore doesn't guarantee sovereignty.
The Data Act regulation: a structural shift since 2025
The European Data Act, fully applicable since September 12, 2025, concretely transforms the conditions for switching between cloud providers — going beyond the principles already set by GDPR on personal data protection.
Concrete portability obligations
The regulation requires providers to facilitate quick and smooth switching, without loss of data or application functionality. PaaS and SaaS providers must offer open interfaces and export data in a commonly used, machine-readable format. IaaS providers must ensure materially comparable outcomes for features shared between both services.
The scheduled end of egress fees
Data egress fees charged when switching providers must disappear by January 2027 for most transfers concerned — a change that directly removes one of the most concrete barriers to portability, often cited as the main argument in favor of sticking with a single provider.
Obligations that vary by service model
The level of obligation directly depends on the service model involved: the more layers a provider manages (PaaS, SaaS), the more precise and binding the portability requirements set by the regulation, particularly around data export format. In IaaS, the requirement leans more toward overall functional equivalence than a single mandated export format.
The Data Act isn't just a statement of intent: it imposes precise technical obligations on cloud providers operating in the European Union, with a compliance timeline already underway. It's one of the most structuring regulatory changes for cloud portability since the emergence of public cloud.
European Commission, Data Act (Regulation (EU) 2023/2854)The European sovereign cloud landscape
Several initiatives currently structure the European sovereign cloud ecosystem, at different levels — technical certification, interoperability framework, or dedicated national infrastructure.
- Gaia-X, a European initiative aiming to define common interoperability and trust standards between cloud providers, rather than a provider itself.
- SecNumCloud, the security qualification issued by France's national information systems security agency, notably requiring protection against non-European extraterritorial legislation.
- Equivalent national initiatives in several European countries, such as dedicated administrative clouds for the German public sector.
- European cloud providers like OVHcloud or Scaleway, which operate under EU law and offer services ranging from IaaS to managed offerings closer to PaaS.
According to Gartner forecasts, global sovereign cloud IaaS spending is expected to grow strongly in 2026, with particularly marked growth in Europe — to the point that the European sovereign cloud market is projected to surpass North America's as soon as 2027.
Gartner, sovereign cloud forecasts 2026What portability means in practice
Beyond the regulatory obligation, technical portability rests on concrete standards that determine how easy switching providers actually is.
Open formats rather than proprietary ones
Favoring widely adopted, open data formats (rather than provider-specific proprietary formats) is the first condition for real portability — an architectural decision to make upfront, not when migration becomes necessary.
S3-compatible APIs, a de facto standard
The object storage API protocol popularized by Amazon S3 has become, de facto, a widely adopted interoperability standard beyond AWS itself — many providers, including European ones like OVHcloud, offer storage services compatible with this interface, which considerably eases portability for this type of data.
Beyond storage: databases and compute
Storage portability is the easiest to achieve thanks to existing open standards. Managed databases and proprietary compute services generally remain harder to port from one provider to another, particularly when they rely on non-standardized specific features — a point worth evaluating carefully before building a strong dependency on this type of service.
Reversibility clauses worth knowing
Reversibility is the contractual counterpart of technical portability: it guarantees, by contract, the conditions under which a customer can actually retrieve their data and end a relationship with a provider.
- The timeframe for retrieving data after a termination request, and the format in which it will be returned.
- The technical assistance (or lack thereof) provided by the provider to support migration to another vendor.
- The conditions for effective data deletion at the original provider after migration, with proof of deletion where applicable.
- Costs associated with the reversibility procedure, beyond the data transfer fees already covered by the Data Act.
A vague or missing reversibility clause in the initial contract becomes very hard to negotiate once dependency has already set in. These clauses should be negotiated upfront, at signing time, not when exiting becomes necessary.
The most common confusions on this topic
Three mistakes come up regularly in how this topic is approached.
Believing data location alone guarantees sovereignty
As mentioned above, data located in Europe can remain potentially exposed to extraterritorial legislation if the hosting entity is subject to non-European law — location is necessary, but not sufficient.
Treating sovereignty as a binary choice
Sovereignty isn't an all-or-nothing switch: an organization can choose different levels of guarantee depending on the sensitivity of each data category, for example combining sovereign providers for the most critical data with international providers for the rest.
Only thinking about portability once you want to switch
The actual cost of a migration largely depends on architectural decisions made years earlier — data formats, level of integration with proprietary services, contractual clauses. Anticipating this topic from the design stage considerably reduces the cost of a potential future exit.
A dedicated guide to explore this topic in depth
This topic is covered in a dedicated memia guide, which pairs these concepts with a flashcard deck to durably memorize the regulatory and technical issues of cloud sovereignty, complementing the guides on Azure, AWS and Google Cloud.
Further reading
Frequently asked questions
What's the difference between data location, residency and sovereignty?
Location simply indicates where data is physically stored. Residency contractually guarantees it stays within a defined area. Sovereignty goes further: it covers legal and administrative control over data, via an entity operating under a specific jurisdiction, independent of physical location alone.
Is a cloud hosted in Europe automatically sovereign?
Not necessarily. If the entity hosting the data is a subsidiary of a group subject to extraterritorial law (like the US CLOUD Act), the data can remain exposed to that law even if physically stored in Europe.
What does the Data Act regulation actually change?
The Data Act, fully applicable since September 2025, imposes concrete portability and interoperability obligations on cloud providers, and mandates the gradual removal of data egress fees tied to switching providers, by January 2027.
What is Gaia-X?
Gaia-X is a European initiative aiming to define common interoperability and trust standards between cloud providers, rather than a cloud provider itself. It serves as a reference framework for the European sovereign cloud ecosystem.
What's the difference between portability and reversibility?
Portability is the technical ability to extract and reuse your data in a usable format elsewhere. Reversibility is its contractual counterpart: the formal guarantees (timeframes, assistance, costs) that govern the actual end of a relationship with a provider.
Are S3-compatible APIs a real guarantee of interoperability?
They significantly ease object storage portability, since many providers, including European ones, support them. However, this is only one aspect of overall portability — other services (compute, managed databases) require specific attention.
Should you choose a 100% sovereign provider for all your data?
Not necessarily. Sovereignty isn't a binary choice: many organizations combine a sovereign provider for their most sensitive data with one or more international providers for the rest of their needs.
What is SecNumCloud?
SecNumCloud is a security qualification issued by France's national information systems security agency, which notably requires protection against the application of non-European extraterritorial legislation to hosted data.
Is the sovereign cloud market growing?
Yes, strongly. According to Gartner forecasts, global sovereign cloud IaaS spending is expected to grow markedly in 2026, with particularly strong growth in Europe, which is projected to surpass North America on this segment as soon as 2027.
Do you need to know these issues for a cloud certification?
Entry-level certifications generally cover compliance and data residency concepts at an introductory level, but the detailed issues of sovereignty, portability and reversibility go beyond the scope of these certifications — this topic is covered in depth in memia's dedicated cloud sovereignty guide.