In February I was on the CIONET stage in Haarlem, alongside speakers from VandeBron and SURF. The theme: The Challenges of Realizing Sovereignty. The room: a broad cross-section of Dutch CIOs and CTOs.
What struck me: everyone knew the problem. Nobody had a simple solution.
The Hyperscaler Paradox
Dutch and European organisations are deeply dependent on three American cloud providers: AWS, Azure and Google Cloud. That is not inherently a problem; they are excellent platforms. It becomes a problem the moment you ask: what happens if the political wind shifts?
That is no longer a hypothetical question. In recent years we have seen how export controls, CLOUD Act requests and geopolitical shifts have had a concrete impact on the availability and confidentiality of cloud infrastructure.
For organisations in regulated sectors (healthcare, finance, government) this is not a theoretical risk. It is literally in the risk registers.
Pragmatically Sovereign
My framework, which I apply at HappyNurse and presented on the CIONET stage, is called "Pragmatically Sovereign." The core idea:
Full sovereignty is an illusion. Even if you run on-premise, you depend on hardware from Taiwan, software from the US, and updates from outside your own borders. The question is not whether you are dependent, but where you draw the line.
Three layers of sovereignty:
- Data sovereignty: where does your data reside, and who has legal access to it? This is the most achievable and the most urgent.
- Operational sovereignty: can you keep functioning if a provider is temporarily unavailable? Multi-cloud or hybrid-cloud architecture helps here.
- Strategic sovereignty: do you have the knowledge and talent to switch if necessary? This is the hardest, and the most neglected.
What This Means for Healthcare
In healthcare, sensitive data is processed daily, from patients to healthcare professionals: identity data, professional registrations, care hours, employment contracts. NEN7510 and GDPR are not optional extras. They are the legal preconditions within which we operate.
A choice for Azure, for example, must therefore be made consciously. Data centres within the EU, clear data processing agreements. But also think about a roadmap toward EU-sovereign cloud services through initiatives like GAIA-X. Not perfect, but pragmatic.
The Honest Conclusion
Cloud sovereignty makes every CIO's list. But it rarely makes the top three, because it is an investment without a direct business case. Until it becomes a crisis.
My advice: treat sovereignty as an architectural principle, not a compliance checkbox. Start with data sovereignty, as that is the most concrete and most achievable layer. And make sure that in three years you can still answer the question: who has access to our data, and on what legal basis?
Further reading: Why the AI Act Matters and the AI Readiness Scan, to assess where your organisation stands on governance and data sovereignty.