How Sovereign Cloud Is Reshaping Europe’s Security Market

The past six months saw five major sovereign cloud moves. Microsoft launched its Sovereign Private Cloud in February. Bitdefender had embedded with OVHcloud back in October 2025, ahead of the wave. CrowdStrike partnered with STACKIT in March 2026. And Cylake secured $45M in seed backing from Nir Zuk, Wilson Xu, and Udi Shamir. The capital is moving fast.

Sovereign cloud has moved beyond the compliance story. Vendors have identified that data residency is turning into something they can charge for. First movers will take the lion’s share. Once a vendor is certified and embedded, they’re not getting displaced easily.

What’s Actually Changing

Three things converged in roughly the same 18-month window.

Regulatory enforcement. The Digital Operational Resilience Act (DORA) is now in force. The EU Cyber Resilience Act (CRA) is next. We will likely see procurement impact in a real way around Q3 2026. That matters because these aren’t “improve your posture” regulations. They are gating mechanisms. Vendors that miss the certification window will not be able to compete.

Reduced technical constraints. For a long time you couldn’t run serious AI workloads locally without tradeoffs. But that’s changing, and the sovereign clouds benefit from it. Inference is getting cheaper. Models are getting smaller. Architectures are getting more modular. You can now build something that is both sovereign and usable. That wasn’t true two years ago.

Certification fragmentation. This is where things get messy. There is no “EU certification.” There are several, and you need to stack them. SecNumCloud, BSI C5, ENS: they’re all different. Different controls, different audit models, different expectations.

That creates two effects:

  • Early multi-cert players get real moats
  • Everyone else starts feeling the cost pressure very quickly

This is also where quiet consolidation starts. Not because of strategy, but because some players simply won’t be able to afford the costs of getting certified.

The Market Map

Hyperscalers. Microsoft, Amazon Web Services, and Google Cloud are all moving here. They can fund multiple certifications in parallel. That’s a real advantage. But they also carry baggage: CLOUD Act exposure means that even a sovereign-branded offering runs on an architecture ultimately subject to U.S. jurisdiction. European regulated buyers know this. Legal and procurement teams are raising it. That gap between “sovereign-labeled” and “sovereign-trusted” is proving stickier than most expected. And it’s the opening that European-native providers are exploiting.

European cloud providers. OVHcloud, STACKIT, Hetzner, and T-Systems are in the right place at the right time. They already have (or are close to) the certifications that matter. Their issue has been security depth, until:

  • OVHcloud + Bitdefender
  • STACKIT + CrowdStrike

These are very purposeful partnerships that are filling a structural gap. But there’s a second-order effect too: European clouds depend on security platforms more than the reverse. That will show up later in pricing and control.

Security platforms. This is the shift that’s easy to miss. The sovereign cloud is becoming a distribution layer. If you’re embedded as the default security layer inside a certified cloud, you’re effectively upstream of procurement. You’re in before the RFP even starts.

New entrants. Cylake is the one to watch, but the reason isn’t just the team or the timing. Certification takes 12–24 months and is genuinely expensive. If they commit to it, they’re building infrastructure-level stickiness: painful to replace, upstream of procurement, compounding over time. If they don’t, they risk becoming a capable product sitting on top of someone else’s certified stack. The funding from Zuk and Shamir suggests they have the network to navigate either path.

Investment Implications

A few things stand out.

The platform moat is forming now. Certification takes time. 12–24 months in most cases. Once you’re in, you’re sticky. Not because of product quality, but because replacing you is painful. The first wave gets the advantage.

The middle is being squeezed. This is the dynamic most operators are underestimating. If you’re a mid-tier security vendor (not large enough to self-fund a multi-cert stack, not niche enough to survive without one), the path is narrowing fast. You’re not going to lose a deal on product. You’re going to lose it at the procurement gate, before the evaluation even starts. The options are limited: get acquired by a platform that needs your capability and your cert progress, partner into a certified cloud and accept the margin trade-off, or move downmarket into segments where certification isn’t yet required.

Data localization is becoming a revenue line. Sovereignty used to be a cost. Now it’s something customers will pay for. That shift matters for margins. European cloud providers, in particular, could see real pricing power if this holds.

What I’m Watching

  • Q3 2026, when CRA starts showing up in real procurement decisions
  • Cylake’s certification choices, which will reveal their actual strategy
  • OVHcloud, whether it stays independent if sovereign becomes premium infrastructure
  • CrowdStrike, whether they expand beyond Germany into other certified ecosystems

The sovereign cloud is already becoming the baseline for regulated enterprises in Europe. What’s still unclear is whether the cost of getting there is correctly understood. Certification is an ongoing operational load, across multiple layers, with significant cost and complexity.