
The Sovereignty Trap: EU Cloud Rules Will Make Things Worse
Brussels is building a wall around the wrong castle
The EU is rolling out new cloud rules right now that could sideline Amazon, Microsoft, and Google from strategic government tenders. The plan is framed as digital sovereignty. Swedish challenger cloud providers are celebrating. And I am sitting here in Jönköping thinking: we are about to create a capacity fiction that will hurt European companies for a decade.
Let me be direct. I want European digital independence. I have built my company on it. At HEIMLANDR.IO we do custom SaaS development and AI solutions from Sweden, not from some US tech campus. I have skin in this game. But what Brussels is doing right now is not sovereignty. It is theater. And theater has consequences.
What the rules actually say
The new EU framework creates a classification system for cloud services used in government and critical infrastructure. The highest classification, covering sensitive data and strategic workloads, will require providers to be headquartered in the EU, operated by EU entities, and subject exclusively to EU law. No CLOUD Act exposure. No foreign government access.
On paper, that makes sense. In practice, it means AWS, Azure, and GCP are locked out of the most important government contracts in Europe. The workloads that need the most performance, the most reliability, the most scale. Those get handed to providers who have a fraction of the capacity.
Swedish cloud company City Network (via EFN) is publicly celebrating. "A welcome step," they say. Sure. If you are a small provider about to get a wave of mandated government contracts, this is Christmas morning. But the question is not whether City Network benefits. The question is whether European governments and companies get worse infrastructure as a result.
The answer is yes.
The capacity gap is real and it is not closing
Let me put numbers on this. AWS operates in over 30 regions globally with hundreds of availability zones. Azure is comparable. GCP is close behind. The largest European-headquartered cloud providers operate in single-digit regions with a fraction of the compute capacity. They do not have the same redundancy. They do not have the same edge presence. They do not have the same tooling ecosystem.
This is not a quality judgment on European engineering. It is a math problem. The hyperscalers have spent hundreds of billions of dollars building this infrastructure over 15+ years. You cannot replicate that with regulation. You replicate it with capital and time, and Europe has been chronically short on both when it comes to cloud.
Meanwhile, the hyperscalers are not sitting still. Microsoft is expanding sovereign cloud features across Europe right now. AWS is deepening its SAP sovereignty partnership. They are building regulatory moats from the inside, creating EU-resident instances with EU-citizen operators and EU-only legal frameworks. They are making it so the technical reality of "sovereignty" exists on their platforms, while the political definition in Brussels excludes them anyway.
This is the worst possible outcome. The hyperscalers build sovereign-compliant infrastructure that Europe cannot use. European providers get mandated contracts they are not equipped to serve at scale. Everyone loses except the consultants writing compliance reports.
The real dependency goes completely unaddressed
Here is what frustrates me. The Atlantic Council published analysis warning that Europe must address the "digital sovereignty triad" of cloud, data, and AI together. Not in isolation. Brussels is ignoring that warning in real time.
The cloud layer is the least critical part of the dependency stack. Think about what actually creates strategic vulnerability:
Silicon. NVIDIA, AMD, and increasingly custom chips from Google and Amazon. All American. TSMC fabrication in Taiwan. Europe has zero presence in AI-grade silicon at scale. The EU Chips Act money is flowing, but we are years away from production capacity that matters.
Foundation models. GPT, Claude, Gemini, Llama. The models that power every AI workload are trained by US companies on US infrastructure. Mistral exists. It is good. It is not enough. Europe does not have a competitive foundation model ecosystem. One company in Paris does not equal sovereignty.
Training compute. Training a frontier model requires tens of thousands of GPUs running for months. Europe does not have this capacity in any meaningful, accessible way. The EuroHPC infrastructure is a start, but it is research-oriented, not commercially available at the scale builders need.
So the EU is telling governments: you cannot use AWS for your database workloads. While every AI agent, every automated workflow, every intelligent system those governments deploy will run on American models trained on American silicon. The cloud layer is the plumbing. The models and silicon are the water supply. Brussels is regulating the pipes while ignoring who controls the water.
Sweden and the Nordics: getting some things right, some things wrong
From Jönköping, I see a mixed picture. Sweden has genuine advantages. We have cheap, green energy. We have a strong engineering culture. We have data center density in the Nordics that punches above our weight. Stockholm is a legitimate tech hub. The talent is here.
But we also have a culture of compliance-first thinking that makes us uniquely vulnerable to regulation-as-strategy. When Brussels says "use European clouds," Swedish public sector will comply immediately and thoroughly. We are good at following rules. Sometimes too good.
The Swedish cloud providers celebrating right now are mostly small. City Network, Elastx, Safespring. They do solid work. I have respect for what they build. But none of them can match the tooling depth of AWS. None of them have the global edge network of Azure. If Försäkringskassan or Skatteverket need to run large-scale AI inference workloads in two years, where do they go? The answer matters.
What Sweden gets right: the open-source culture. Nordic developers contribute disproportionately to projects like Kubernetes and tools like Traefik. There is a real self-hosting instinct here that could form the basis of actual sovereignty. Not sovereignty by regulation. Sovereignty by capability.
What Sweden gets wrong: we keep treating cloud procurement as a policy problem instead of an engineering problem. Actual sovereignty means you can build and run the full stack yourself. Not that you signed a contract with a European-branded company that resells capacity from someone else.
Where this goes: 2027 to 2030
Let me sketch the trajectory I see.
Short term (2026-2027): European governments begin migrating sensitive workloads to compliant EU providers. Performance degrades. Costs increase. Shadow IT expands as agencies find workarounds to get things done. The hyperscalers continue building EU-sovereign instances and lobby for rule changes. Some will succeed.
Medium term (2027-2028): The AI dependency becomes impossible to ignore. As agentic AI systems become the default interface for government services, the question of which models power them becomes a sovereignty issue that dwarfs cloud hosting. Brussels will scramble to extend the framework to cover AI, but by then the dependency will be deeply embedded.
Long term (2029-2030): If the path toward AGI continues at current pace, the strategic importance of controlling the model layer and training infrastructure will make cloud hosting look like a rounding error. The countries and blocs that control AI development infrastructure will have a structural advantage that no procurement regulation can offset. Europe either builds this or it does not. There is no regulatory shortcut.
For those of us doing software development in Sweden, this trajectory matters. The infrastructure our clients deploy on, the models our AI agents use, the training capacity we can access. All of it shapes what we can build and how competitive it is.
What to actually do about this
If you are a CTO or founder reading this, here is my honest take on practical moves.
Build portable. Do not lock yourself into any single cloud provider, European or American. Use Kubernetes. Use Terraform. Use infrastructure-as-code that lets you migrate in days, not months. The regulatory environment is going to keep shifting. Portability is your only real insurance.
Invest in self-hosting capability. The awesome-selfhosted repo on GitHub has nearly 300,000 stars for a reason. There is a massive ecosystem of self-hostable services that give you genuine control without depending on any cloud provider's compliance posture. Tools like n8n for workflow automation and Netdata for observability can run on your own metal. That is real sovereignty.
Separate the model question from the hosting question. Where your data sits is one problem. Which AI models you depend on is a different, bigger problem. Start evaluating open-weight models you can run on your own infrastructure. Build your AI agents and systems with model portability in mind. At HEIMLANDR we build AI agent systems with exactly this principle. No single model lock-in.
Follow the silicon. Watch what happens with TSMC, with Intel's European fabs, with the EU Chips Act deployments. The real sovereignty story is in semiconductor production, not cloud contracts. If Europe gets chip fabrication right, everything else follows. If it does not, nothing else matters.
What to look at
- awesome-selfhosted: The definitive catalog of software you can run on your own infrastructure. If sovereignty matters to you, start here.
- n8n: Open-source workflow automation with AI capabilities. Self-hostable. A real alternative to being locked into someone else's automation platform.
- Traefik: Cloud-native reverse proxy that works across any infrastructure. Essential for portable deployments.
- Kubernetes: Still the foundation of infrastructure portability. If you are not running on k8s and the sovereignty rules hit your sector, you are going to have a bad time.
The sovereignty we actually need
I want European sovereignty in tech. I want it badly. I have built a company in Jönköping specifically because I believe world-class software can be built from Sweden, not just consumed from California. But sovereignty is not a procurement checkbox. It is a capability. You either can build the thing or you cannot.
Right now, Europe is writing rules about who can host the data while remaining completely dependent on foreign powers for the intelligence layer that makes the data useful. That is not sovereignty. That is paperwork.
Build the chips. Fund the models. Train the engineers. Create the compute capacity. Those are the hard things. Those are the things that take a decade and cost hundreds of billions. And those are the only things that will make Europe genuinely independent in tech.
Kicking AWS out of government tenders is the easy thing. It makes for good press releases. It makes small cloud providers happy. It might even create some short-term contracts for European companies doing smart contract development or blockchain development on EU-compliant infrastructure. But it does not solve the problem. And pretending it does is the real trap.
Build things that matter. Build them portable. Build them here.
Fredrik Brunnberg is the CEO of HEIMLANDR.IO, building AI and software solutions from Jönköping, Sweden. This is the daily HEIMLANDR briefing. If you found this valuable, share it with someone who builds things.
VD & Skribent
VD för HEIMLANDR.IO. Punk rock-teknik från Jönköping, Sverige. Bygger AI-system, blockchain-infrastruktur och skriver om vart branschen faktiskt är på väg — inget ekokammare, ingen hype.