Dieser Artikel wurde ursprünglich auf Englisch veröffentlicht.
Sovereignty washing: 5 patterns to recognize before you sign
Sovereignty washing sells data residency, certifications, or an EU subsidiary as proof of data sovereignty. Here are five patterns to spot before you sign.


Sovereignty washing is the digital equivalent of greenwashing and involves the practice of misleadingly marketing an offering as sovereign when its data residency, jurisdictional realities or security certifications cannot deliver on this claim.
Researcher Paul van Vulpen coined the term to describe vendors who present their products as sovereign while actual control over data and infrastructure stays elsewhere. The issue moved from academic critique to EU policy discourse in March 2026, when several European cloud provider CEOs wrote to the EU Commission warning that Europe's forthcoming sovereign cloud legislation could let providers claim sovereignty "without delivering genuine protections."
Five patterns account for most of what gets sold under the label today, and each one fails a specific question which CIOs, CTOs and procurement officers should ask before signing the next contract or agreeing to another renewal.
Key takeaways
Sovereignty washing is the practice of substituting residency, certifications, or EU subsidiary structures for actual jurisdictional independence
None of these individually or combined guarantee that a foreign government cannot legally compel access to data. The gap between the marketing claim and the legal reality is real, usually deliberate, and has consequences for your compliance position regardless of how you've assessed probability.
Five identifiable patterns account for most sovereignty washing in practice
Residency washing, certification washing, subsidiary washing, AI washing, and supply chain washing each exploits a different assumption in how buyers should think about sovereignty. Knowing the patterns makes them detectable during the procurement process.
An EU subsidiary of a US company doesn't create legal separation from its parent.
Courts follow ownership, not incorporation. The CLOUD Act's "possession, custody, or control" test reaches the subsidiary through its parent.
AI inference has opened a new sovereignty washing vector that most governance frameworks don't yet address
A platform can store data in Europe and process it through AI inference running under US legal jurisdiction. The data doesn't move, but what the AI learns from it can.
How sovereignty washing shows up in enterprise offerings
Residency washing
A vendor certifies that data stays in EU data centers, then frames that as sovereignty. EU-hosted and EU-sovereign sound similar but answer completely different questions. Data residency explains where the data is stored, whereas sovereignty touches many and much deeper layers – including telling you which government can legally demand your data.
US law follows corporate structure, not geography. The CLOUD Act applies to any company incorporated in the United States, regardless of where it stores data. If the company handling your data is a US entity, US authorities can compel access to it. A server room located in Frankfurt doesn't change that.
Amazon's European Sovereign Cloud makes this concrete. Amazon has explicitly declined to separate it from its US parent company. US authorities can still compel Amazon to produce data stored in EU data centers, because the legal relationship is determined by where Amazon is incorporated, not where it keeps its servers.
Certification washing
ISO 27001 certification and GDPR compliance are routinely presented as sovereignty credentials. Both are meaningful: ISO 27001 attests to an organization’s security management practices; GDPR compliance means proper data handling under EU rules. However, neither of these certifications has anything to say about which government can legally demand access to data. A US-incorporated provider can hold both and remain fully subject to the CLOUD Act.
Subsidiary washing
The structural move that many hyperscalers have made is to incorporate a separate EU entity to operate European cloud services, and market that as the solution to the jurisdiction problem. The goal hereby is to create a legal barrier between the US parent and the EU-operating entity, so a US subpoena cannot reach the data of the European entity.
In June 2025, Microsoft France's director of public and legal affairs, testified under oath that he cannot guarantee French data won't be seized by U.S. authorities, even for data held under Microsoft's EU sovereign cloud offering.
The reason is structural: courts assess whether the US parent has possession, custody, or control, which it does through ownership, regardless of how the subsidiary is incorporated. The EU entity exists on paper, while legal exposure exists in practice.
AI washing
The newest pattern, and one that is least discussed or brought to the attention of enterprise procurement boards involves claiming compliance with the EU AI Act, specifically its transparency requirements and risk classifications, as evidence that AI-related data sovereignty is addressed. In reality, it isn’t. A vendor can be fully AI Act compliant while running inference on US-operated infrastructure, processing your most sensitive operational data under US legal jurisdiction the whole time.
Atlassian's Rovo is a concrete instance. It can't be fully disabled on the cloud tier, and its AI features run under Atlassian's US corporate structure.
Supply chain washing
The most overlooked pattern, and the one that often catches otherwise-careful buyers is supply chain washing. A European-branded SaaS provider, correctly incorporated in Europe and claiming sovereignty at the application layer, runs on AWS, Azure, or GCP infrastructure underneath. The provider's sovereignty claim is real at the layer they control, but the data still traverses and sits within US-incorporated infrastructure that is itself subject to the CLOUD Act. The sovereignty of the SaaS layer above doesn't inherit throughout.
The Wero payment service is an example of this illustrated at scale. Wero is operated by a consortium of major European banks (Deutsche Bank, ING, Sparkassen, Raiffeisenbanken) and marketed explicitly as "the strong and independent European solution for digital payments," positioned against US providers. In 2026, it was however cofirmed that Wero uses managed infrastructure and software services from AWS.
The point also arrived at institutional level in April 2026, when the European Commission selected four providers for a €180 million sovereign cloud procurement, one of which was S3NS, a joint venture between French company Thales and Google Cloud. CISPE's Secretary General, Francisco Mingorance, called it "an own goal that threatens to institutionalize sovereignty washing at the highest levels." S3NS runs on Google Cloud technology, and Google is a US-incorporated company whose infrastructure remains subject to the CLOUD Act regardless of the Thales partnership layer above it. This shows that even a procurement body whose job is to enforce sovereignty can get the answer wrong.
Why AI raises the stakes
Governance frameworks built for data storage typically stop at the storage layer. The inference layer, and what AI derives from your data, often isn't covered by the same controls.
A work management platform, for example, can store raw tickets and documentation in a European data center, fully inside the governance framework. When AI summarizes that data or generates insights from it, inference can run under separate jurisdictional terms entirely. The raw data stays in Europe, but what the AI learns from it may not.
The reasonable objection
The strongest version of the counterargument to this is worth engaging honestly: the CLOUD Act is a narrow criminal investigation tool, and sovereignty concerns are overstated, since only a very low number of enforcement request result in content disclosure.
The argument represents a fair point. Low enforcement frequency is real, and for most organizations, most of the time, the CLOUD Act probably isn't the biggest risk on their list. But regulated organizations don't get to price risk that way. A financial institution under DORA, or a public body under NIS2, isn't asking "how likely is this?". Its regulator is asking "can this happen, yes or no?". "We assessed this as low-probability" and "this exposure doesn't exist" are two different answers, and only the second one satisfies a regulator. Frameworks like BSI's C3A and the EU's proposed CADA legislation exist to close that gap, turning sovereignty from something you estimate into something you must resolve.
How to verify a sovereignty claim
Most sovereignty claims collapse into a single axis: where the data physically sits. That's one layer of control, and it's the easiest one for a vendor to satisfy while leaving the rest unaddressed. A claim only holds up if it covers four separate layers:
Data sovereignty: do you control where data resides, who can access it, and how it's exported or deleted?
Technical sovereignty: can you change, extend, or exit the system without rebuilding it from scratch?
Operational sovereignty: can you operate and recover the system without depending on the vendor?
Jurisdictional sovereignty: which legal regimes can compel access to your data, regardless of where it's hosted?
A vendor who can only speak to the first layer hasn't answered the question. Ask for evidence at all four before you sign.
Where sovara fits
A platform that passes those four questions has a specific architectural profile. Here is how rready’s work management platform, a sovereign alternative to Jira and Confluence called sovara, answers each one.
Corporate structure: rready AG is incorporated in Zurich, Switzerland, verifiable in the Swiss commercial register, with no US corporate parent anywhere in the ownership chain. Swiss incorporation places rready outside the jurisdiction of both the CLOUD Act and FISA Section 702, neither of which applies to companies without US corporate domicile.
Switzerland and EU data transfers: Switzerland is not an EU member state, but for organizations subject to GDPR, this creates no compliance gap for data transfers. The European Commission's adequacy decision under GDPR Article 45 means that data flows from EU member states to Switzerland carry the same legal standing as intra-EU transfers, with no Standard Contractual Clauses required. The jurisdictional questions that drive most European sovereignty evaluations, including CLOUD Act applicability and FISA 702 reach, follow corporate domicile. They do not follow the EU border.
Supply chain: sovara runs on EU and Swiss infrastructure under ISO/IEC 27001:2022 certified operations. The full infrastructure transparency detail, including the specific hosting providers and their own sovereignty credentials, is documented in rready's Sovereignty Trust Center
AI governance: Customers bring their own AI endpoint, use a hosted European LLM, or run entirely self-hosted. The choice is set in configuration, not negotiated per contract. Opting out of AI features entirely is available on all tiers. Inference does not route through a third-party model under rready's control unless the customer explicitly selects and provisions one. For regulated organizations, this means the jurisdiction question for inference is a customer decision, not a vendor default.
Encryption and operational control: ISO/IEC 27001:2022 certification covers annual independent audit of rready's information security management system. Product and security decisions are made in Zurich.
Exit capability: Every workspace can be exported in full, at any time, via REST API or CLI, in open formats — Markdown and JSON, not a proprietary format that creates vendor lock-in to sovara's own tooling. Source code is held in escrow with an independent third party, so access to it doesn't depend on rready remaining in business or choosing to cooperate. That's the actual answer to the exit question: not what it takes to move data in, but what it takes to get the data, and the code behind it, out.
Conclusion
Sovereignty washing works because it supplies plausible answers to questions that most procurement checklists aren't precise enough to ask well. The five patterns above; residency, certification, subsidiary, AI, and supply chain; each exploit a different gap in how organizations think about the problem. They are identifiable before you sign, and there are frameworks that have been adopted to give you the questions to identify them.
A credible sovereignty claim comes down to questions about corporate structure, supply chain, encryption, operational control, and exit. A provider that can answer them doesn't need the label. A provider that can't tells you something more useful than their marketing materials do.
FAQs
What is sovereignty washing?
Sovereignty washing is the practice of marketing data residency commitments, security certifications, or EU subsidiary structures as evidence of digital sovereignty, when none of these guarantee that a foreign government cannot legally compel access to your data. The term entered formal EU policy discourse in March 2026, when several European cloud CEOs named it specifically in a letter to the EU Commission regarding the Cloud and AI Development Act.
Is GDPR compliance the same as data sovereignty?
No. GDPR compliance means a provider meets EU data protection rules for how data is collected and stored. It does not address which government can compel access to that data. A US-incorporated company can be fully GDPR compliant and still be subject to the CLOUD Act, which allows US authorities to demand data from US companies regardless of where it is stored.
Can an EU subsidiary of a US company be truly sovereign?
Not under current legal interpretation. Anton Carniaux, Microsoft France's director of public and legal affairs, testified under oath in June 2025 that he "cannot guarantee French data won't be seized by U.S. authorities," even under Microsoft's EU sovereign cloud offering. The CLOUD Act's "possession, custody, or control" test follows the US parent's ownership of the subsidiary, not the subsidiary's EU incorporation.
Is Switzerland the same as the EU for data sovereignty purposes?
Not exactly, but for the questions that drive most European enterprise sovereignty evaluations, Swiss incorporation reaches the same answers. The European Commission has granted Switzerland an adequacy decision under GDPR Article 45, meaning data transfers from EU member states to Switzerland carry the same legal standing as intra-EU transfers, with no Standard Contractual Clauses required. For jurisdictional independence, the CLOUD Act and FISA Section 702 both follow US corporate domicile: Swiss-incorporated companies are outside their scope because neither statute applies without US corporate presence. For DORA-regulated financial institutions, third-party ICT provider rules focus on operational resilience and contractual terms, not EU versus Swiss incorporation.
Does AI sovereignty washing apply to work management tools?
Yes, and it's among the least-discussed vectors. A work management platform can store data in Europe while running AI inference through a US-operated model, processing sensitive operational data under US legal jurisdiction. GDPR compliance and the EU AI Act address different questions. The test is where inference runs and whether you can disable AI features or bring your own model. For tools that embed AI you can't control, the sovereignty claim stops at the storage layer.
Mehr erfahren

Digitale Souveränität 2026: Trends und Prognosen
Erfahren Sie mehr über die wichtigsten Trends der digitalen Souveränität für 2026 – Sovereign Cloud, AI-Governance, Shadow AI und Compliance-Risiken.

KI und digitale Souveränität: Was Sie 2026 wissen müssen
Erfahren Sie, wie KI die digitale Souveränität prägt; von Governance- und Compliance-Risiken bis hin zu Datenkontrolle und Best Practices für souveräne KI.

So wählen Sie die beste digital souveräne Lösung [Tools]
So gelingt digitale Souveränität: Kontrolle behalten über Ihre Daten, Systeme und Prozesse – und Abhängigkeiten von einzelnen Anbietern vermeiden..

