Why EU digital sovereignty has moved from political rhetoric to procurement reality, and where 4impact capital sees the software investment opportunity.
Written by Daniel Uusitalo, Associate
Summary and takeaways
European regulatory frameworks including NIS2, DORA, and the Cyber Resilience Act have converted digital resilience from discretionary IT spend into legal obligation across 18 critical sectors. At its core, this is about protecting citizens: sovereign infrastructure keeps healthcare, energy, and public services under European jurisdictional control and out of reach of foreign legal regimes or geopolitical disruption.
The sovereign cloud market sits at roughly $118B today and is forecast to reach $649B by 2033, driven by demand that is structural rather than cyclical. Target customers in healthcare, finance, energy, and public administration are buying because sovereignty requirements and regulation oblige them to, and the highest-margin opportunity lies in the asset-light software layer above the infrastructure.
Defining the Terms
Two closely related but distinct concepts dominate this space, and confusing them leads to bad procurement and worse investment theses.
Digital resilience is the ability of critical digital services (cloud platforms, networks, data infrastructure, operational technology) to withstand, adapt to, and recover from cyber, technical, or geopolitical shocks. Think of it as the immune system of a digital economy.
Sovereign data infrastructure is the operating condition in which control over data, access, and operations remains under European jurisdiction and European legal frameworks (GDPR, EU law), rather than being subject to non-EU legal regimes.
Sovereignty asks who ultimately controls the data, not just how well the system runs.
The distinction matters. A system can be highly resilient and still be legally vulnerable: it recovers quickly from outages, but its data remains subject to extraterritorial legal reach from a non-EU government.
Data residency in the EU does not eliminate US legal reach if the cloud provider is a US entity.
This is the core tension. Under the CLOUD Act (2018), US authorities can compel American service providers to produce data stored anywhere in the world, as long as the provider falls under US jurisdiction. That means a hospital in Stockholm storing patient data on Azure may be subject to American legal reach (depending on the structure of the relationship and applicable legal interpretations), regardless of where the data physically sits. European data residency, without European jurisdictional control, is an incomplete solution.
Why the Regulatory Stack Changed Everything
This is not a new concern. The problem has been legible to European policymakers since at least the Snowden revelations of 2013 and the subsequent Schrems judgments dismantling EU-US data transfer frameworks. What has changed since 2022 is the move from aspiration to binding obligation: a stack of regulation that collectively redesigns the legal landscape for digital infrastructure procurement.

Figure 1: EU Sovereignty / Resilience Regulatory Toolkit
NIS2 (applicable from January 2023) expands mandatory cybersecurity risk-management obligations from 7 to 18 critical sectors, covering everything from energy and transport to healthcare, public administration, and digital infrastructure. Tens of thousands of firms now face mandatory incident reporting, supply chain risk management, and resilience requirements.
DORA (enforceable from January 2025) harmonises ICT risk management across an estimated 17,000 or more financial entities in Europe. Critically, it targets third-party ICT providers directly, including cloud vendors, and subjects them to regulatory oversight. Cloud is no longer just an IT choice; it is a regulated input.
The Cyber Resilience Act (applicable from December 2024) introduces security-by-design requirements for manufacturers of products with digital elements. Security can no longer be retrofitted; it must be architecturally embedded from the start.
The EU Data Act (applicable from September 2025 across the EU) introduces legally enforceable cloud switching rights and data portability obligations, directly targeting the vendor lock-in that has long been a structural feature, rather than a bug, of major hyperscaler commercial models.
The EU Cloud Sovereignty Framework (published October 2025) provides procurement guidance for public bodies and regulated sectors, defining sovereignty objectives including data control, jurisdictional safeguards, and supply-chain security. This is guidance rather than binding legislation, but its effect on public procurement decisions is already visible.
Together, these instruments shift digital resilience from discretionary IT spend to compliance necessity.
According to IDC research, regulation-driven demand is now the second most common driver behind sovereign cloud adoption across European enterprises, second only to concerns about extraterritorial data requests, which is exactly the CLOUD Act exposure described above.
Is the Demand Structural?
A legitimate question: is this a temporary wave of sovereignty sentiment, driven by geopolitical emotion rather than durable economics? The evidence says otherwise, and the reasons are structural.
Enterprise intent is hardening into procurement reality.
Research from Gartner projects that over 75% of enterprises outside the US will have an active digital sovereignty strategy by 2030, a projection initially made in 2022 that has only been reinforced by subsequent geopolitical developments. Sixty-one per cent of European CIOs and IT leaders surveyed indicate a preference for transitioning workloads to local service providers. These are not abstract preferences; they are showing up in procurement decisions.

Figure 2: Geopolitical Factors Are Impacting the Use of Global Providers and Cloud Solutions (Western Europe Responses) (Gartner, 2025)
The evidence from governments is more concrete still. In October 2025, the European Commission established the Digital Commons European Digital Infrastructure Consortium, backed by France, Germany, the Netherlands, and Italy, to jointly build open-source sovereign digital infrastructure for public administrations across the bloc. The same month, a Franco-German Digital Sovereignty Summit in Berlin drew over 900 policymakers and produced binding commitments to expand open-source tools across both governments’ administrations. The International Criminal Court, based in The Hague, announced in November 2025 that it was replacing Microsoft Office with OpenDesk, a German-built open-source collaboration suite, a decision directly triggered by the ICC prosecutor being locked out of his Microsoft account following US sanctions. Germany’s state of Schleswig-Holstein has already migrated 40,000 civil servants off Microsoft tools entirely. These are not procurement pilots or mere policy intentions. Institutions, including some of the most sensitive in Europe, are making operational decisions on sovereignty grounds with growing frequency.
The macro environment is not improving, either. The risks identified in the EU Economic Security Strategy (infrastructure security, technology leakage, weaponisation of economic dependencies, foreign coercion) have become structural features of the geopolitical landscape rather than temporary shocks. Draghi’s report on European competitiveness (September 2024) similarly warned of Europe’s reliance on foreign providers of essential technology. The current US administration has accelerated the political urgency considerably, but the underlying trajectory predates it by several years and is unlikely to reverse regardless of electoral outcomes.

Figure 3: Sovereign Cloud Market (2026-2033) (Grand View Research, 2026)
Underlying all of this, the demand drivers are compounding rather than substituting. Compliance requirements, data privacy concerns, and strategic autonomy imperatives are each independently growing, and they all point in the same direction. The sovereign cloud market, currently valued at approximately $118 billion (2025), is forecast to reach $649 billion by 2033, with data sovereignty as the largest sub-component. Even under conservative assumptions, this represents one of the larger structural market shifts in European technology over the coming decade.
What Failure Looks Like
The risk is not hypothetical. Three incidents illustrate how dependency translates into real-world disruption.
Data outflows and jurisdictional conflict. In May 2023, Meta received a €1.2 billion GDPR fine (the largest ever issued) for transferring EU user data to US systems without adequate safeguards. The Irish Data Protection Commission found that no contractual mechanism could adequately compensate for the fact that US surveillance law is structurally incompatible with EU privacy rights. The fine was not a one-off enforcement action. The regulator explicitly noted that the same logic applies to any US cloud provider subject to American surveillance law. That is most of them.
Service denial via sanctions. When the US, EU, and UK sanctioned Russia following the 2022 invasion of Ukraine, Microsoft, GitHub, and Adobe suspended services for entities in the region. EU companies with Russian operations or supply chain exposure found software dependencies suddenly disrupted, with service suspensions administered by foreign governments, not Brussels. The legal trigger was external; the business impact was European.
Single points of failure. US hyperscalers hold around 70% of Europe's cloud market, according to Synergy Research Group, with European providers accounting for just 15%. On October 20, 2025, AWS experienced a major outage originating in its US-EAST-1 data centre in Virginia, lasting approximately 15 hours and impacting over 17 million users worldwide. In Europe, UK banks including Lloyds and Bank of Scotland locked customers out of online banking. Payment processors failed. The disruption cascaded across sectors despite European physical infrastructure being present, because the software stack, operational dependencies, and incident response chains all ran through a foreign parent. The issue was not where the servers were; it was who controlled them.
The Software Opportunity
Hardware is not 4impact capital’s core domain. But the software layer of the sovereignty stack, where control, compliance, and coordination problems are solved, is squarely within our investment thesis.
To understand where the software opportunity sits, it helps to think about the computing infrastructure landscape as a spectrum: from fully managed hyperscaler services (AWS, Azure, Google Cloud), through enterprise on-premise AI platforms that give organisations control over their own environments, to EU sovereign cloud providers like OVHcloud, Safespring, and the newly launched Evroc. Software that enables or accelerates that shift is where we will be placing our focus.
The further you move from the hyperscaler end of that spectrum, the more sovereignty-compatible the architecture becomes.

Figure 4: European Sovereignty Tech Market Map
1. Confidential Computing and On-premise AI
High-security sectors (defence, intelligence, critical infrastructure, regulated healthcare) require AI capabilities that function entirely within their own controlled environments, independent of cloud connectivity. Solutions that provide containerised, air-gapped AI stacks for regulated organisations address a real and growing procurement need that existing hyperscaler offerings generally do not meet. Those hyperscaler offerings address confidentiality, but fail on the sovereignty and control requirements of sensitive sectors.
ConfidentialMind enables hospitals, government agencies, and energy operators to run large-scale models on their own infrastructure without any dependency on foreign cloud. Berget AI takes a similar approach for Nordic public sector institutions. Edgeless Systems and Enclaive focus on confidential computing at the cryptographic layer, enabling sensitive workloads to run even on shared infrastructure without exposing data to the host. CYSEC and MADANA address related problems in secure execution environments.
NobodyWho (Copenhagen, pre-seed 2025) represents an architecturally distinct but philosophically aligned approach: rather than bringing sovereignty to the enterprise data centre, their open-source engine pushes it all the way to the endpoint. Small Language Models run entirely on-device, on laptops and mobile phones, with no data leaving the device and no server infrastructure required. For many real-world enterprise use cases (internal assistants, document tools, domain-specific chatbots), SLMs are more than sufficient, and the elimination of both cloud dependency and server costs changes the unit economics entirely.
Examples: ConfidentialMind, Berget AI, Intrinsic, Eggsplain, Edgeless Systems, Enclaive, MADANA, SECURITEE, CYSEC, NobodyWho
2. Federated data platforms
Sectors including health, mobility, and finance are increasingly required to pool data across institutions while maintaining compliance with strict data residency rules. The European Health Data Space (EHDS), now legally established, creates explicit obligations and opportunities for cross-institutional data use, but requires infrastructure that allows analytics without data centralisation.
Federated architectures solve this by keeping data at source and bringing computation to the data rather than the reverse. LynxCare (Belgium, active across Benelux, France and Germany) deploys a federated clinical NLP platform directly in hospital environments, enabling multi-site real-world evidence generation without any data leaving the hospital environment. Apheris (Germany) addresses the same architecture for life sciences. Decentriq (Switzerland) builds confidential data clean rooms, sitting at the intersection of federation and confidential computing, enabling multi-party analytics under cryptographic guarantees. Owkin (France, more mature) has built this model at scale for biomedical research and represents the category’s reference point for commercial viability.
Vantage6 (Netherlands) is worth noting separately: it is open-source federated infrastructure that underlies several EU-funded data space pilots. It is not itself a commercial investment target, but it creates the infrastructure surface on which commercial applications can be built.
Examples: LynxCare, Apheris, Decentriq, Owkin, Triall
3. Cloud Abstraction and Portability
The EU Data Act creates a legal right to switch cloud providers. Legal rights and technical feasibility are not the same thing. The migration tooling, API abstraction layers, and workload portability software needed to make switching operationally viable represent a real and currently underbuilt category, particularly because most organisations have accumulated years of hyperscaler-specific integrations, proprietary APIs, and configuration that make switching costly in practice even when it is free in principle.
Kubermatic and Impossible Cloud (Germany) address this at the Kubernetes orchestration and cloud storage layers, helping enterprises manage workloads consistently across providers and on-premise environments. Cast AI (Lithuania) provides multi-cloud cost optimisation and workload automation that works uniformly across AWS, Azure, and GCP. Mia-Platform (Italy) builds internal developer platforms that abstract away from hyperscaler-specific tooling at the application layer, a slightly different angle on the same lock-in problem.
Yasu (Netherlands) is developing AI agents that run 24/7 across multi-cloud environments, catching cost inefficiencies and misconfigurations before they reach production. Organisations that have real-time visibility across providers, rather than siloed per-hyperscaler tooling, are structurally less locked in. Cloudgeni (Norway, pre-seed 2025, Antler-backed) takes this further: agentic Infrastructure-as-Code that generates production-grade Terraform, OpenTofu, and CloudFormation from natural language, codifies unmanaged ‘ClickOps’ resources, and remediates configuration drift. IaC-first infrastructure is inherently more portable, and cloud-agnostic by construction.
Examples: Kubermatic, Impossible Cloud, Cast AI, Mia-Platform, Yasu, Cloudgeni, Cycloid
4. Compliance, Security and Monitoring Infrastructure
NIS2, DORA, and the Cyber Resilience Act collectively mandate continuous monitoring, incident reporting, risk management, and third-party oversight at a scale that cannot be managed manually. The compliance obligations are not one-time certification exercises; they are ongoing operational requirements with significant financial penalties for failure. Under both NIS2 and DORA, fines can reach 2% of global turnover.
This creates the conditions for a new generation of B2B compliance software, analogous to the GDPR compliance wave that produced companies like OneTrust, Usercentrics, and Didomi in the late 2010s, but materially larger in scope, given that NIS2 alone covers 18 critical sectors and DORA applies to the entire EU financial system including its ICT supply chain.
Formalize (Copenhagen, Series B €30M, 2025) is one of the most commercially advanced European-native players in this category. Its AI-powered platform automates compliance workflows for GDPR, NIS2, DORA, and ISO 27001 across a single system, and now serves over 8,000 organisations and 850 consultancies and law firms. With backing from Acton Capital and BlackFin, and an active expansion into DACH and France, it is the closest European analogue to Vanta or Drata, but built from the ground up around EU regulatory architecture rather than retrofitted to it. Dastra (France) takes a similar approach with a strong enterprise positioning in the French market. Cyberday (Finland) focuses on ISO 27001 and NIS2 specifically for mid-market companies. 4C Strategies (Sweden) addresses resilience and business continuity requirements across sectors classified as critical infrastructure under NIS2. Eye Security (Netherlands, 2020) provides enterprise-grade cyber protection and incident response targeted at mid-market organisations facing full NIS2 exposure without large internal security teams. Aikido (Belgium, 2022) addresses the same compliance gap from the developer side, scanning code, containers, and cloud environments for vulnerabilities that map directly to supply chain risk management obligations under NIS2 and the Cyber Resilience Act. Sekoia.io (France, 2022, Series B €26M, €60M total raised) is the most commercially advanced threat detection play in this group: an AI-powered SOC platform built around NIS2 and DORA obligations, with clients including the French Ministry of Armed Forces, EDF, and SNCF.
Cloudgeni (Norway), already noted in the portability category, also has a meaningful compliance dimension: its IaC agents enforce SOC 2, ISO 27001, and NIS2 policies directly in the infrastructure codebase, delivered as auditable pull requests. Compliance-as-code, rather than compliance-as-documentation, is clearly the direction in which the category is moving.
Examples: Formalize, Dastra, Cyberday, 4C Strategies, Cloudgeni, Apiax, Eye Security, Aikido, Sekoia.io
5. Sovereign AI Deployment Platforms
European governments, universities, defence institutions, and regulated enterprises need AI infrastructure with full jurisdictional control. The hyperscalers have responded to this demand with ‘sovereign zone’ offerings: contractual and technical safeguards designed to approximate sovereignty while keeping the customer on American infrastructure. The market is increasingly distinguishing between these arrangements and genuinely European-owned, European-operated alternatives.
Aleph Alpha (Germany, Series B) is the reference company in this category: a European LLM with on-premise deployment options specifically designed for government and regulated enterprise clients. It has moved beyond model development toward a broader ‘sovereign AI’ platform, with active procurement relationships across German public institutions. Safespring (Sweden/Norway) and Cleura (Sweden) offer privacy-by-design cloud infrastructure built on open-source, operated under EU jurisdiction, and used by Nordic public sector and university systems. Axelera AI (Netherlands, 2021, Series B $68M) sits at the hardware boundary but merits a mention: it designs AI inference chips purpose-built for edge deployment and received a €61.6M grant from the EuroHPC Joint Undertaking specifically to build sovereign AI compute capacity within Europe.
Evroc (Sweden, Series A €50M, EQT Ventures and Norrsken) deserves specific mention as the most ambitious infrastructure play in this space, though it sits at the boundary of our investment scope. It is attempting to build the EU’s first genuine hyperscale sovereign cloud: full-stack compute, storage, networking, and GPU capacity for AI inference, with data centres in Stockholm, Paris, and Frankfurt and a major facility under construction near Arlanda Airport. It launched commercially in July 2025. We include it as the demand-side anchor that defines what public institutions are actually increasingly procuring, and therefore what the software layer above it needs to enable.
Examples: Aleph Alpha, Berget AI, Intrinsic, Safespring, Cleura, Evroc (infrastructure context), Axelera AI
6. Sovereign AI Applications
The categories above are predominantly infrastructure and tooling plays: they enable sovereignty rather than embody it. There is an emerging sixth category that deserves its own framing: commercially viable, AI-powered SaaS applications built sovereignty-first, where European jurisdiction, data residency, and regulatory compliance are architectural properties of the product from day one, not contractual overlays added at the request of regulated customers.
That distinction between enabling sovereignty and embodying it matters commercially. If European institutions increasingly procure on sovereignty grounds, the application layer ultimately captures more value than the infrastructure layer. The companies best positioned are those that built with European jurisdiction as a design constraint from the start, not a feature bolted on after a large-enterprise sales call.
Klang (Sweden) is a clean example of this archetype. It is an AI-powered transcription, note-taking, and conversation intelligence platform built explicitly around European values: data stored and processed in Europe, on-premise deployment available, ISO 27001 and ISO 42001 certified, AI Act compliant, zero training on customer data, and full audio traceability for every AI inference. It targets precisely the sectors (public institutions, law firms, research organisations) that are under the most regulatory pressure to avoid US-jurisdiction AI tools. Its customer list includes Swedish government bodies, Stockholm School of Economics, and major Nordic law firms. It is building commercial traction in the same institutional segments that are driving the procurement shift this article describes, and it is doing so by making sovereignty the product, not just a feature.
Examples: Klang, and an emerging cohort of vertical AI applications built on EU-sovereign infrastructure
Where Does 4impact capital Sit in This?
4impact capital invests at the intersection of People and Planet impact. The sovereignty thesis maps to both.
On the People side: critical digital infrastructure that operates under genuine European jurisdictional control reduces the probability and blast radius of disruptive failures in healthcare, energy, and public administration. These are services that real people depend on. When a hospital cannot access patient records because a foreign cloud provider experienced an outage or was subject to geopolitical intervention, the cost is not measured in SLAs. Continuity of essential digital services under European governance is a direct expression of citizens’ rights to access critical services.
On the Planet side: EU-based sovereign cloud infrastructure carries an embedded sustainability dimension that is increasingly material. Energy-efficient compute, waste-heat recovery, and renewables integration are structural features of newly built European data centre infrastructure in ways that legacy hyperscaler infrastructure often is not. NIS2 classifies data centres and cloud services as essential services, creating simultaneous cybersecurity and operational resilience requirements. Sustainability and sovereignty are becoming co-designed rather than competing priorities.
The commercial case is just as strong. The structural customer segments driving sovereign adoption (healthcare, energy, public administration, financial services) have non-cyclical demand. They are not buying sovereignty because it is fashionable; they are buying it because regulation requires it and supply chain risk has become visible. European dependence on US cloud infrastructure is estimated to cost the continent between €200 billion and €300 billion annually when accounting for data transfer costs, vendor premiums, and compliance overhead. Redirecting even a fraction of that toward EU-based, sovereign-capable solutions would represent a structural market shift with compounding economic effects.
What We Are Looking For
We are not looking to back European data centres. The capital requirements and infrastructure intensity are outside scope for a software-focused pre-seed to Series A fund. What we are looking for are asset-light, software-driven solutions that satisfy one or more of the following:
We are focused on companies in Benelux, DACH, and the Nordics, regions where the regulatory urgency is sharpest, the institutional procurement relationships are most accessible, and the founding teams best understand the specific texture of EU regulatory architecture and public-sector procurement dynamics.
The opportunity is not to build a European AWS.
The sovereign data infrastructure opportunity is not about building a European AWS. It is about building the software layer that makes European institutions genuinely independent in data, in operations, and in the legal control of both. That is a durable problem, a large market, and exactly the kind of mission-aligned commercial opportunity we look for.