Cloud sovereignty should include architecture

Jonathan Schemoul

Europe’s cloud sovereignty debate has accelerated since the Cloud and AI Development Act, and it is aimed at the right target. But for the workloads that actually matter, the assessment still skips a layer — the one that asks who can pull the plug on a system, who can read what is inside it, and whether anyone outside the provider can check either answer.

The European Commission’s June technology package puts cloud dependency back on the policy agenda, framed as part of a broader push for technological sovereignty. The Guardian read CADA as a central piece of the plan for cloud providers handling public-sector data, and Le Monde made the same dependency point about AI infrastructure after the latest American export-control shock around advanced models.

It is the right debate. It just needs a technical layer to sit alongside the legal one.

Sovereignty is a control question, too

Most sovereignty frameworks start in the same place: geography, ownership, who holds the admin keys, where the data physically sits. Those things matter — they tell a public buyer a great deal about legal exposure, procurement risk, and how dependent it is on a foreign government. What they don’t capture is control.

When compute, storage, coordination, billing, and day-to-day operations all run through a single operator, that operator is a pressure point. A European flag on the company doesn’t make the pressure point disappear, and for a critical workload it is exactly where things break.

So a serious assessment should map that control surface directly:

  • Who can stop the workload?
  • Who can inspect its data or secrets?
  • Who can change the conditions under which it runs?
  • How can an outside party verify those answers?

Answering these doesn’t replace the jurisdictional analysis. It grounds it in something you can actually point at.

Architecture changes the failure model

Decentralized infrastructure won’t make geopolitics disappear. What it changes is where the single points of failure are, and how many of them there are.

Run a workload across independent operators, open protocols, and portable infrastructure, and no single provider holds practical control over the whole system. That leaves fewer control points for procurement rules to wrestle with later, and the ones that remain are weaker.

Confidential computing attacks a different part of the problem. With trusted execution environments and remote attestation, you can design a workload so the operator runs it without ordinary access to its secrets. The question stops being “who has an admin badge” and becomes “can the execution environment itself be verified.”

Then there is the coordination layer. Depend on opaque control-plane software and buyers are stuck trusting the vendor’s description of it. Make that layer public and the assessment can rest on code, topology, and operational evidence instead.

What Europe should actually test

The CADA debate should treat architecture as part of the assessment, especially for sensitive public-sector and AI workloads. In practice that means funding and stress-testing the systems that make control points visible:

  • decentralized compute and storage across independent operators
  • confidential execution with documented attestation flows
  • open-source coordination layers
  • public status and network dashboards with freshness timestamps
  • portable workloads that aren’t tied to one cloud account or provider

Some of this is rougher than hyperscaler infrastructure today — we know that better than most. That is an argument for testing it honestly, publishing the gaps, and funding the parts that reduce real dependency, not for leaving it out of the conversation.

Where we fit, and where we don’t

Full disclosure: this is our field. Aleph Cloud has spent eight years building decentralized cloud infrastructure from France — compute, storage, hosting, indexing, and confidential execution across a distributed network.

We also know what we still owe: better onboarding, better documentation, stronger proof assets, more product polish. We are not arguing that every workload should move to decentralized infrastructure tomorrow, or that architecture on its own settles every sovereignty question.

The narrower claim is the one worth making. When Europe weighs cloud sovereignty, architecture belongs in the evidence — not as a footnote, but as something you measure.

Because for any workload that matters, the assessment has to land somewhere concrete: who can stop it, who can see inside it, and who outside the room can check the answers. Architecture is how you get those answers in writing.
