Data sovereignty, new geopolitics, and our future with enterprise software in Europe
✍️ By Patrick Ittah, Partner at UpCRM
A new cloud reality for Europe
Amid intensifying geopolitical tensions, even with long-standing allies—a critical question now sits high on the IT agenda for public and private organizations in Europe:
Can we continue trusting American cloud providers with our most sensitive data?
For decades, U.S.-based tech giants like Salesforce, Microsoft, Google, and Oracle have powered Europe’s digital transformation. Even when data is hosted locally within the EU, the legal control over it can still reach across the Atlantic.
As the co-founder of a Salesforce consulting firm, I see this dilemma firsthand—not only for our own operations but more importantly for our clients who depend on us to help them navigate an increasingly complex landscape.
Today, nearly 75% of enterprise applications in Europe still rely on American cloud services. But let’s rewind for a moment!
From Safe Harbor to Privacy Shield: a fragile framework
In 2000, the Safe Harbor agreement was established to allow U.S. companies to process European data while complying with EU privacy standards. But in 2015, the European Court of Justice (CJEU) ruled it invalid, citing inadequate protection from U.S. surveillance laws.
Its successor, the Privacy Shield, met the same fate in 2020 with the landmark Schrems II decision. At the core of both rulings: U.S. laws like the Patriot Act, FISA, and the CLOUD Act, which grant federal authorities far-reaching access to data—regardless of where it is physically stored.
This legal imbalance continues to challenge trust, particularly in sectors dealing with health, finance, or public services.
Encryption & BYOK: silver bullets or sophisticated illusions?
In response, cloud providers have deployed encryption tools and control features. Salesforce, for instance, offers solutions like Salesforce Shield, Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK)—empowering clients to manage encryption independently.
But encryption, while reassuring, is not a perfect shield. It can limit the use of powerful functionalities like AI, automation, and advanced analytics. And legal experts argue that, under U.S. jurisdiction, providers could still be compelled to hand over decrypted data. These tools improve confidence, yes—but rarely deliver full sovereignty.
Hyperforce: Salesforce’s regional answer
Salesforce began by offering regional hosting in Europe—starting with dedicated data centers in France and Germany. This was particularly significant for Luxembourg-based clients who need to comply with strict local data requirements.
Then came Hyperforce—Salesforce’s next-generation architecture launched in 2020. It enables clients to store data locally and scale globally, with greater flexibility and adherence to regional compliance. Hyperforce also supports hosting through infrastructure partners like Amazon Web Services (AWS) , and allows for multi-cloud strategies, giving clients more autonomy.
At UpCRM, we view Hyperforce as a game-changing option for companies that want to retain both control and innovation.
The rise of sovereign cloud initiatives
In parallel, European governments and tech companies are investing in sovereign cloud solutions, such as Clarence/Proximus Luxembourg and Deep/OVHcloud in Luxembourg. These aim to provide data autonomy and national oversight—but integration challenges remain. Most are not yet compatible with complex, multinational systems, and many software ecosystems are still tightly coupled with U.S. providers.
That’s why many companies are adopting hybrid approaches—maintaining global platforms while evaluating sovereign options for high-sensitivity systems.
CIOs & CDOs: The new diplomats of digital sovereignty
Cloud architecture is no longer just a technical issue—it’s a strategic, even diplomatic decision. Today’s IT leaders must weigh not only costs, performance, and user experience, but also legal risks, regulatory shifts, and political tensions.
The dilemma is clear:
How can European organizations benefit from global innovation without compromising sovereignty?
There’s no single answer. Each organization must define its own red lines, prioritize its values, and architect solutions accordingly.
Conclusion: Toward pragmatic sovereignty
When we talk about sovereignty, the conversation often focuses on infrastructure. But the real stakes lie in the application layer—what software manipulates your data, and who controls that software?
It’s time for a shift in mindset:
• From seeking peak performance to building robustness
• From resilience (recovering after disruption) to robust design (withstanding shocks before they hit)
• From relying on single-vendor solutions to embracing diversity, redundancy, and agility
Let’s be clear: this applies to all infrastructures—sovereign, hybrid, or private. No provider is immune to disruption, regulation, or strategic pivots.
We’ve already seen:
• VMware’s acquisition by Broadcom forcing enterprise reevaluation of virtualization tools.
• COVID-19 exposing vulnerabilities in global tech supply chains.
• The war in Ukraine prompting energy independence strategies across Europe.
The next shock will come. The time to prepare is now:
- At the enterprise level, organizations must embed sovereignty into their digital strategy, and design architectures that are robust by design.
- At the European level, institutions must actively reinforce the legal and technical frameworks governing cloud adoption—so that organizations can continue to benefit from world-class platforms without compromising control.
- And on the strategic horizon, we must create the conditions for new European tech leaders to emerge—like the USA did already decades ago.
As a trusted consulting partner embedded in the European ecosystem, we navigate this complexity every day. No platform is perfect. But we must also be honest: today, no other provider matches Salesforce when it comes to continuous innovation, platform reliability, and ecosystem maturity.
That’s why we believe the priority should not be to oppose global platforms—but to govern their use with confidence and clarity and focus our energy where it matters: on building systems that last.
Because true sovereignty is not about reacting to the world. It’s about designing systems and strategies that endure.
