Europe’s long-running struggle to define digital sovereignty – and to turn it into something practical – is reaching an inflection point.
That was the message at this year’s Gaia-X Summit in Porto, where executives and governments argued that the continent finally has the technical foundations for sovereign data sharing.
All it needs now is the political will, economic models, and global partnerships to make it work at scale.
Gaia-X is a Brussels-based industry association bringing together European enterprises, technology vendors, cloud providers, standards bodies, and public sector institutions.
Its purpose is to build a common, verifiable framework: the Gaia-X Trust Framework. This framework is designed to define how organizations can share, store, and govern data in interoperable, sovereign, and audit-ready ways.
The initiative now underpins dozens of projects in manufacturing, energy, aerospace, mobility, finance and healthcare.
Unlike early misconceptions, Gaia-X is not a cloud provider. It sets rules around identity, compliance automation, service labelling, policy enforcement, and interoperability that cloud and data ecosystem providers must adhere to if they want to be considered sovereign-ready.
From pilots to real deployments
Gaia-X CEO Ulrich Ahle opened the Summit by admitting that while conceptual momentum is strong, adoption remains thin on the ground.
Europe has “more than 150 implementation projects in Europe at the moment in preparation,” but “we still have just a handful of operational databases really implementing benefits for their end users,” he said.
To help change that, Gaia-X will release its first multi-provider catalogue: 600 services from 15 providers aligned to four security and sovereignty levels. Ahle also reiterated Gaia-X’s near-term growth target: 1,000 services by the end of the year, scaling to 3,000 afterwards.
The top tier of the catalogue – Gaia-X Label Level 3 – is designed for maximum sensitivity use cases such as aerospace, energy, and national infrastructure workloads. Critically, Level 3 services can only be delivered by providers that have their headquarters in Europe, ensuring they are not subject to extraterritorial laws like the US Cloud Act.
EDF’s nuclear station program illustrates the demand: its data space is “requesting the highest level of security… the Gaia-X label level three. And this highest level security is reality,” said Ahle.
It’s worth noting that the conversation around digital sovereignty in Europe has shifted dramatically in the last two years, driven by one factor: AI systems that ingest sensitive, large-scale operational data.
“Trustful AI needs trustful data. And here, data sovereignty is of utmost importance,” said Ahle.
Hyperscalers: foundational but insufficient
CIOs and CTOs know the hyperscalers aren’t going anywhere. Gaia-X leaders know it too. But the limits of “sovereign cloud” offerings from US players were addressed without ambiguity.
Even when operated inside Europe by European employees, those services “are still under the American legislation, under the Cloud Act,” said Ahle. That constraint may be acceptable for 90% of enterprise workloads, but not for the 10% that carry regulatory, national infrastructure, or safety-critical risks.
Chairwoman of the Gaia-X Board and EVP digital at Airbus, Catherine Jestin, put it more bluntly: “The fact you have not done it in the past doesn’t guarantee that you will do it in the future.”
This is why Airbus does use hyperscaler services – but not for its most sensitive workloads: “I really love to work with AWS, with Google and Microsoft… but not for the most critical applications and services.”
For IT teams, this is the emerging pattern: hyperscalers for scale, elasticity and tooling; sovereign frameworks for critical data integrity, compliance automation, and legal insulation.
When asked whether trust in US providers had worsened under President Donald Trump’s second term in office, Jestin noted, “It hasn’t helped.”
This aligns with the wider shift across Europe. For years, EU member states could not agree on whether stringent sovereignty rules were needed. But now, Jestin said, “we see with the latest publication from the European Commission that’s now… on the top of the agenda.”
CIOs designing long-term cloud strategies could see certifications, service labels, and jurisdictional guarantees increasingly required by regulators and embedded into RFPs.
Operating a data space is not free
One of the most useful insights for IT leaders came from Jestin, who highlighted the hidden operational costs of building and maintaining data spaces – the very reason many sovereign cloud initiatives fail internally.
Running a compliant data space requires organizations to “maintain and support the connectors… to maintain [and] support Identity and Access Management (IAM)… to maintain the contracts.”
Without sustainable economics, she warned, “you just go in a negative spiral, and your data space will not be successful in the future.”
To address this, Gaia-X is working with economists at Paris Dauphine University to model participant roles, orchestrator responsibilities, and cost-recovery mechanisms to ensure sovereignty is engineered as a business model, not just a compliance posture.
The bottom line for CIOs, CTOs, and architects
Gaia-X said it’s not trying to reinvent the cloud. Rather it’s trying to standardize trust, compliance, and verifiability in a market dominated by providers whose legal obligations don’t always align with European sovereignty requirements.
The Porto Summit’s message was that sovereignty is becoming programmable through labels, identity rules, compliance automation, and clearing houses.
Yes, hyperscalers remain essential, but they are no longer sufficient for high-risk workloads. AI governance is elevating data integrity and traceability to strategic priorities.
Economic models for data spaces must be planned upfront, not retrofitted. And geopolitics has entered the IT architecture stack in a way organizations can no longer ignore.
“Technology is ready. It is about adoption… and sustainable operation,” Ahle said.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- So much for data sovereignty — AI infrastructure is dominated by just a handful of countries
- Can the UK achieve AI sovereignty?
- SAP wants to take data sovereignty to the next level with new 'on-site' infrastructure options
-
BenQ PV3200U monitor reviewReviews A £699 32-inch 4K monitor for video editing – but it needs a few cuts to appeal to its target audience
-
How channel-supported smart decisions can pay off now and in the futureIndustry Insights How can partners help retailers make smarter IT investments this Black Friday?
-
Google shakes off tariff concerns to push on with $75 billion AI spending plans – but analysts warn rising infrastructure costs will send cloud prices sky highNews Google CEO Sundar Pichai has confirmed the company will still spend $75 billion on building out data centers despite economic concerns in the wake of US tariffs.
-
UK gov introduces cyber bill designed to clamp down on unsecure devicesNews Law could prevent sale of smartphones, TVs, speakers, toys, and other digital devices that fail to meet minimum security requirements
-
What is shadow IT?In-depth Hardware and software that isn't authorised by IT departments can leave businesses vulnerable
-
New Ofcom proposals to bring full fibre to six million homes and offices by 2020News Draft measures would hit Openreach's bottom line by £120 million
-
White House launches official investigation into use of personal email accountsNews Senate Intelligence Committee rebukes Kushner for omitting private account
-
Broadband customers could get £185m for poor serviceNews New Ofcom rules would compensate customers for missed appointments and outages
-
TalkTalk: BT-EE merger will lead to 25% price hikesIn-depth Rivals fear for the future of telecoms after CMA approves £12.5bn BT-EE deal
-
Ofcom faces calls to break up BTNews Sky and TalkTalk demand Openreach is split from telco giant
