In this column, Matthias Nijs, EMEA VP at Datadobi, warns of the fragility of real data control in Europe and the limits of current protections in the face of extraterritorial legislation.
Last July, Microsoft lifted the veil on a worrying reality: even in Europe, your data can be accessible to foreign authorities. During its hearing before the French Senate, the company admitted that it could not “guarantee” that its customers’ data would escape the American CLOUD Act. An electric shock for the continent: Paris or Frankfurt, it doesn’t matter, digital sovereignty is not limited to the location of the servers, but is measured by the real control of the data and the power of those who write the rules.
Article of the week
The illusion of control
How did we get there? For years, European data centers, conformity labels and contractual protections gave the illusion of guaranteed digital sovereignty and we believed these protections were sufficient to secure the old continent’s data. Until a public admission, that of Microsoft, came to shatter all that: these various measures can crumble as soon as a foreign law, like the CLOUD Act, comes into play. As a reminder, in force since 2018, this text allows the American authorities to access data hosted by a US company, wherever it is located.
For European legislators, this situation is unacceptable. This also places European organizations in a very delicate position: those that depend on American hyperscalers find themselves exposed to extraterritorial legal claims, a real ongoing legal and financial headache, but in the defense, public services and critical infrastructure sectors, we are talking about a real sovereignty risk.
The problem is further compounded by the very nature of the data produced today. Up to 90% of new data generated is unstructured: emails, documents, records, media. In hybrid and multi-cloud architectures, they fragment, duplicate, travel from one country and one service to another. Identifying, classifying or securing them becomes an almost impossible operation on a human scale. In such a context, an organization that does not know where its data is located, who is accessing it and under what legal regime, is moving forward blindly. At this point, sovereignty is no longer simply difficult to achieve: it becomes ineffective in practice, even when supplier choices appear to be moving in the right direction.
How then can we respond to these challenges? The good news is that sovereignty is not just about new laws or building more infrastructure. A large part of the solution lies in the ability of organizations to regain control of their own data thanks to more intelligent, transversal governance approaches that are truly independent of the technical environments where this data circulates.
Concretely, this involves putting in place mechanisms capable of:
• map data flows between services, clouds, countries and systems
• classify information according to its degree of sensitivity and legal exposure
• consistently apply the rules of residence, access and retention
• and finally detect and limit any unauthorized access or movement.
The objective remains the same for all organizations: to gain resilience, restore trust and operate within a framework that complies with European requirements. But as long as data is locked into a single ecosystem, dependent on a vendor or closed storage formats, control remains illusory. Add to this the constraints of old systems and the technical layers that pile up, and we quickly understand why so many players struggle to achieve the level of neutrality essential for true operational sovereignty.
Conversely, a modern approach must move, organize and persist data across any infrastructure — public cloud, private cloud or internal environment — while maintaining full control.
Europe’s digital future
In the short term, uncertainty remains high. If Microsoft’s testimony highlighted the issues, sovereign cloud initiatives (like AWS’s 7.8 billion euro investment) as well as the vigilance of regulators are intensifying. The European Parliament already warned in 2020: “Citizens, businesses and member states… are gradually losing control of their data. » Five years later, this observation has become a strategic imperative.
Europe’s digital future will not only depend on the physical location of data, but on who governs it, how it is protected and whether its control can be guaranteed over time. Public and private decision-makers must invest today in data governance and management strategies that make sovereignty tangible and operational. Europe can still regain control but it must act quickly.
