Author
Listed:
- van Hamond, Johannes Maria
Abstract
European public authorities and regulated sectors increasingly rely on cloud services offered by US-based hyperscalers operating within the European Union. These services are often presented as “sovereign” through claims related to data residency, regional service isolation, and compliance with European regulatory frameworks. This study examines whether such sovereignty claims hold under legal scrutiny when assessed against enforceable jurisdictional control rather than formal compliance statements. The research analyses the interaction between European legal obligations and extraterritorial US legislation, including the CLOUD Act and FISA 702. Using a qualitative audit-based approach, the paper evaluates legal enforceability, technical control mechanisms, and corporate governance structures underpinning sovereign cloud offerings. Specific attention is given to administrative access models, encryption and key custody arrangements, incident response authority, subcontractor involvement, and audit transparency. The findings show a recurring gap between declared sovereignty features and operational reality. Physical data localisation alone does not establish effective jurisdictional isolation when centralised management planes, remote administrative access, or parent-level governance structures remain subject to foreign legal compulsion. Certification schemes and contractual assurances provide limited protection where independent verification and technical enforcement are absent. The paper concludes with recommendations aimed at European policymakers, regulators, and public-sector procurers. These include enforceable requirements for exclusive EU-based administrative control, verifiable isolation of management layers, customer-held encryption keys, and audit regimes aligned with legal jurisdiction rather than geographic storage location. The study contributes to legal and policy debates on digital sovereignty by offering a structured framework for assessing sovereign cloud claims beyond marketing narratives and formal compliance assertions.
Suggested Citation
Download full text from publisher
Corrections
All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:osf:lawarc:953fb_v1. See general information about how to correct material in RePEc.
If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.
We have no bibliographic references for this item. You can help adding them by using this form .
If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.
For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: OSF (email available below). General contact details of provider: https://lawarchive.info/ .
Please note that corrections may take a couple of weeks to filter through
the various RePEc services.
Printed from https://ideas.repec.org/p/osf/lawarc/953fb_v1.html