Skip to content
Back to blog
Sovereignty Theater: The EU Cloud Act Won't Save You From AWS
Infrastructure

Sovereignty Theater: The EU Cloud Act Won't Save You From AWS

F
Fredrik BrunnbergCEO & Writer
July 15, 20268 min read

Brussels passed a law this month with "sovereignty" in the title and a hole in the middle big enough to drive an AWS availability zone through. The EU Cloud and AI Development Act was supposed to be Europe's answer to the fact that three American companies run most of the continent's digital infrastructure. Instead, as Computerworld reports, the sovereignty push "leaves room for US hyperscalers." Translation: the loopholes were priced in before the ink dried.

If you run a company in Sweden and you think this law changes your exposure to Amazon, Microsoft, or Google, I want you to stop and read the fine print. Then read it again. Because sovereignty isn't a compliance checkbox you tick on a procurement form. It's a function of who controls the silicon, who controls the model weights, and who controls the talent pipeline. Europe controls none of the three. Not one.

What "Sovereign Cloud" Actually Means, and Why the EU Version Doesn't Qualify

Here's the tell. Days after the Act moves forward, Microsoft announces expanded "sovereign cloud" features through its own pressroom. Read that sentence again. The company whose market power the law was theoretically meant to check is now the one designing what "sovereign" means in practice, packaging it, and selling it back to European governments as a product feature. The fox isn't just guarding the henhouse. The fox wrote the henhouse's security certification.

This is not new. It's the same pattern we saw with GDPR, where American cloud providers built "EU data residency" tiers that satisfy the letter of the law while the parent company remains subject to US jurisdiction, US subpoenas, and the CLOUD Act. Data staying in a Frankfurt data center doesn't matter much if a US court order can still compel access to it. Legal sovereignty and physical sovereignty are different things, and European regulators keep confusing the two, or pretending to for the press release.

Real sovereignty requires three things Europe doesn't have:

1. Silicon

Nvidia, AMD, and increasingly custom silicon from the hyperscalers themselves power essentially all serious AI compute. Europe has ASML, which makes the machines that make the chips, and that's genuinely important leverage. But ASML doesn't design AI accelerators. There is no European Nvidia. Until there is, every AI workload in Europe runs on hardware controlled by decisions made in Santa Clara, Austin, or wherever the next export control gets written.

2. Model weights

Mistral is the one bright spot Europe can point to, and I respect what they've built. But the frontier models that actually move markets, the ones enterprises are building critical workflows on top of, still come from OpenAI, Anthropic, Google DeepMind, and increasingly Chinese labs. Owning the weights means owning the roadmap. Renting API access to someone else's weights means you're a tenant, not an owner, no matter what data center your inference runs in.

3. Talent

This is the one nobody wants to say out loud. The best AI researchers in Sweden get recruited by London, Zurich, or the Bay Area within three years of finishing their PhD. Compensation, equity structures, and sheer scale of ambition pull talent west. You cannot legislate sovereignty into existence when your best people leave for better offers before you've finished writing the regulation meant to keep them home.

The Nordic Reality Check: Jönköping vs San Francisco

From where I sit in Jönköping, this whole debate looks different than it does from a Brussels conference room. Nobody here is debating abstract sovereignty theory. We're trying to ship product, keep customer data defensible, and not get locked into a vendor contract that becomes a hostage situation in three years.

What actually moves the needle isn't legislation, it's operators making real choices. Look at what's happening right now, not in a white paper, in the market:

The Netherlands government blocked a US acquisition of a Dutch cloud provider outright, according to Jones Day's analysis of the deal. That's not a compliance framework. That's a government using actual regulatory teeth to stop foreign control of critical infrastructure before it happens. Compare that to the EU Cloud Act's "leaves room for" language and you see the difference between a law with intent and a law with an exit ramp built in for lobbyists.

And then there's Lime, a Swedish company building a genuinely European CRM and AI stack from scratch, reported by TT. Nobody forced Lime to do this. No regulation mandated it. They built it because there's a real market for European companies that don't want their customer data and AI workflows sitting inside a US hyperscaler's terms of service. That's what sovereignty looks like when it's built by operators instead of legislated by Brussels: slower, harder, and actually real.

This is the gap I keep coming back to. Sweden has excellent engineers, a strong self-hosting culture, and a healthy skepticism of vendor lock-in baked into how we build things. What we don't have enough of is companies willing to bet on European infrastructure when the American alternative is cheaper, faster to deploy, and has better documentation. Sovereignty that only survives when it's the more expensive option isn't sovereignty. It's a lifestyle choice for companies with margin to burn.

Is Swedish and EU Policy Keeping Up? No.

I'll say this plainly because most tech journalism won't: European regulators are writing rules for a market structure that already lost. The EU Cloud and AI Development Act treats hyperscaler dominance as a compliance problem to be managed rather than a structural problem to be broken. You cannot regulate your way to owning silicon fabs, foundation models, or research talent pipelines. Those require capital, time horizons measured in a decade, and a tolerance for failure that European institutional investors have historically lacked compared to US venture capital.

Sweden's own AI strategy has been long on ambition and short on the kind of concentrated, patient capital that produces a national AI lab capable of competing with what OpenAI or Anthropic can deploy. We have brilliant researchers at KTH, Chalmers, and elsewhere. We don't have a Swedish sovereign compute cluster that gives them a reason to stay and build here instead of taking the London or SF offer.

The honest version of the sovereignty conversation Brussels should be having isn't "how do we regulate American clouds." It's "why don't we have a European hyperscaler, and what would it actually cost to build one, and are we willing to pay it." Nobody wants to ask that question because the answer is uncomfortable: probably hundreds of billions of euros and fifteen years, with no guarantee of catching up. So instead we get a press release with the word "sovereignty" in the headline and hyperscaler-shaped loopholes in the body text.

Where This Goes: AGI, Compute Concentration, and the Widening Gap

Here's the trajectory that matters for the next two to five years. As AI capability keeps compounding toward whatever we end up calling AGI, compute becomes the scarcest and most strategically important resource on earth, more valuable than oil was in the 20th century. The countries and companies that control frontier compute control the pace and direction of the most important technology shift in a generation.

Right now that control sits overwhelmingly with a handful of US companies and, increasingly, Chinese state-backed efforts. Europe is not in that conversation as a producer. We're a customer. A well-regulated, well-intentioned, GDPR-compliant customer, but a customer.

If that doesn't change, here's what I expect over the next few years: European companies keep building on American infrastructure while European politicians keep passing sovereignty legislation that makes for good headlines and changes nothing structural. The compliance industry around EU AI regulation grows into its own economy, employing thousands of people to write reports about sovereignty while the actual sovereignty gap widens. Meanwhile companies that quietly build real independence, like Lime, become more valuable precisely because they're rare, not because regulation rewarded them for it.

The regulatory gap that worries me most isn't about hyperscalers. It's about what happens when AI agents start operating with real autonomy in production systems, executing trades, managing infrastructure, negotiating contracts, and nobody has updated liability law, data sovereignty law, or AI governance frameworks to account for agents that act faster than any human review cycle. The EU is still writing rules for the cloud model of 2020. The agent economy of 2027 is going to run past those rules like they aren't there.

What to Actually Do About This

Enough theory. Here's what I'd tell any founder or CTO reading this in Sweden or anywhere else in Europe right now.

Stop treating "cloud strategy" as a single decision made once. Build for portability from day one. If your architecture assumes AWS forever, you've already made your sovereignty decision by accident, and you made it in favor of a vendor whose incentives don't align with yours long term. This is table stakes for anything we build in fullstack development and custom SaaS development at HEIMLANDR: multi-cloud capable by default, self-hostable where it matters, because the political and commercial ground under hyperscaler contracts is more unstable than most CTOs want to admit.

Look seriously at self-hosted alternatives for anything that isn't your competitive differentiator. The awesome-selfhosted list on GitHub, with over 300,000 stars, is not a niche hobbyist resource anymore. It's a serious inventory of production-grade alternatives to hyperscaler-locked SaaS. If you're paying Salesforce or a US CRM vendor and you haven't evaluated what Lime or a self-hosted equivalent could do instead, you're choosing convenience over control without admitting it's a choice.

What to Look At

A few specific tools I'd point any engineering team toward this quarter, all trending on GitHub right now for good reason:

  • n8n for workflow automation you can self-host completely. Nearly 200,000 stars, fair-code, and it means your automation logic isn't trapped inside a US SaaS platform's black box.
  • Kubernetes remains the foundation for genuine multi-cloud portability. If your workloads run on K8s properly, moving off a hyperscaler is an engineering project, not a five-year migration nightmare.
  • Daytona for running AI-generated code in infrastructure you actually control, which matters more every month as more of your codebase gets written by agents you need to sandbox properly.
  • Netdata for observability that doesn't require sending your infrastructure telemetry to a third party's SaaS dashboard.

And if you're building anything involving digital ownership, tokenized assets, or on-chain settlement as part of a real sovereignty strategy rather than a speculative bet, that's exactly where blockchain development and smart contract development earn their keep: infrastructure where the rules are enforced by code you can audit, not by a vendor's terms of service that can change in a quarterly update.

The Real Question

Ask yourself honestly: if AWS, Azure, or Google Cloud changed their terms tomorrow, doubled prices, or got cut off from your region by a geopolitical event nobody predicted, how long would it take your company to move? If the honest answer is "months, maybe never," you don't have a sovereignty problem you can solve by waiting for Brussels to fix it. You have an architecture problem you need to fix yourself, starting now.

The EU Cloud and AI Development Act gives politicians a headline. It doesn't give you leverage. Leverage comes from decisions made in engineering teams, not committee rooms. Software development in Sweden has always had a stubborn independent streak, from the open source contributions that came out of this country to companies like Spotify building infrastructure nobody thought a small Nordic country could pull off. That stubbornness is worth more right now than any Brussels regulation with a hyperscaler-shaped hole in the middle.

I'm not against the EU trying. I'm against pretending the trying is the same as winning.

Fredrik Brunnberg is the CEO of HEIMLANDR.IO, building AI and software solutions from Jönköping, Sweden. This is the daily HEIMLANDR briefing. If you found this valuable, share it with someone who builds things.

#EU regulation#cloud sovereignty#AI policy#software development Sweden#hyperscalers#blockchain development#self-hosted infrastructure#Nordic tech
F
Fredrik Brunnberg

CEO & Writer

CEO of HEIMLANDR.IO. Punk rock tech from Jönköping, Sweden. Building AI systems, blockchain infrastructure, and writing about where this industry is actually heading — no echo chamber, no hype.