
Sovereign Cloud – Definition

What is Sovereign Cloud?

Sovereign Cloud describes the state in which an organization possesses demonstrable, technically enforceable control over all relevant dimensions of its cloud infrastructure:

Sovereign Cloud = Control over:
  ├── Jurisdiction & Data Residency
  ├── Encryption Keys
  ├── Privileged Access
  ├── Outbound Data Flows
  ├── Dependencies & Subprocessors
  └── Exit Capability

Sovereignty is not synonymous with:

  • On-premises infrastructure (Sovereign Cloud is possible in the public cloud)

  • A product certification from a cloud provider

  • A one-time audit result without continuous verification

The Sovereign Spectrum

Sovereignty is not a binary state. It exists on a spectrum:

| Level | Description | Typical Scenario |
| --- | --- | --- |
| Operational Sovereignty | Control over operations, access, logging and processes within a cloud environment. | No special regulatory requirements; internally controlled operations. |
| Data Sovereignty | Control over storage location, encryption and transfer of data. | GDPR compliance, BSI C5, public administration. |
| Regulatory Sovereignty | Demonstrating fulfillment of specific legal and regulatory requirements. | EUCS, critical infrastructure (KRITIS), NIS2, financial sector. |
| Technological Sovereignty | Ability to switch providers or operate own developments. | Strategic independence, multi-cloud strategy. |

Delimitation: What Sovereign Cloud Does Not Solve

| What | Why not in scope |
| --- | --- |
| Physical security of the data center | Falls within the cloud provider’s shared responsibility area. |
| Legal assessment of jurisdictions | Requires legal expertise; WAF++ provides the technical framework, not legal advice. |
| Complete provider independence | Overlaps with the Reliability pillar (multi-cloud). Sovereign focuses on control, not redundancy. |
| Network security (general) | Fundamental network security is in the Security pillar. Sovereign addresses egress control as a data residency topic. |

Sovereign Cloud in the WAF++ Context

In WAF++, Sovereign Cloud is a standalone pillar that interacts with other pillars:

Security ──────────────── provides: protection mechanisms (IAM, Encryption, Monitoring)
Governance ─────────────── provides: policy framework, controls structure, audit
Reliability ────────────── provides: backup, recovery, fault tolerance
Operations ─────────────── provides: incident response, monitoring, change management
Sovereign Cloud ─────────── integrates: jurisdiction, keys, exit, subprocessors

Sovereign Cloud consumes capabilities from other pillars (e.g. logging from Operations, encryption from Security) and extends them with jurisdictional and regulatory requirements.

Target State

A sovereign-mature platform is characterized by:

  • All data demonstrably stored in defined, permitted regions

  • Encryption keys owned by the organization (CMK/BYOK/HYOK)

  • Privileged access is minimal, time-bound, fully logged and reviewed

  • No data exfiltration possible without explicit configuration and monitoring

  • All subprocessors inventoried and secured with a DPA

  • The organization can switch its cloud provider within 90 days

The target state depends on maturity level. Not every organization needs all five levels immediately. Start with the most critical: data residency and region pinning.
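
Several of the target-state criteria above (region pinning, key ownership, time-bound and logged privileged access, subprocessor DPAs) can be checked continuously against an inventory export. The following is an added example, not part of WAF++ itself; the inventory schema, the permitted regions, the 8-hour grant limit and all sample names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
# Assumed policy values for illustration (not WAF++ defaults).
PERMITTED_REGIONS = {"eu-central-1", "eu-west-1"}
CUSTOMER_KEY_MODELS = {"CMK", "BYOK", "HYOK"}
MAX_GRANT_DURATION = timedelta(hours=8)

def evaluate_target_state(inventory):
    """Return sorted (check, subject, reason) findings; an empty list means no gaps."""
    findings = []
    for res in inventory.get("resources", []):
        # A missing region or key model fails closed: unknown is not "demonstrable".
        if res.get("region") not in PERMITTED_REGIONS:
            findings.append(("data-residency", res["id"], f"region {res.get('region')!r} not permitted"))
        if res.get("key_model") not in CUSTOMER_KEY_MODELS:
            findings.append(("encryption-keys", res["id"], f"key model {res.get('key_model')!r} not customer-owned"))
    for grant in inventory.get("privileged_grants", []):
        who, expires = grant["principal"], grant.get("expires")
        if expires is None:
            findings.append(("privileged-access", who, "grant has no expiry"))
        elif expires - grant["granted"] > MAX_GRANT_DURATION:
            findings.append(("privileged-access", who, "grant exceeds maximum duration"))
        if not grant.get("logged", False):
            findings.append(("privileged-access", who, "grant is not logged"))
    for sub in inventory.get("subprocessors", []):
        if not sub.get("dpa_signed", False):
            findings.append(("subprocessors", sub["name"], "no DPA on record"))
    return sorted(findings)

# Constructed sample inventory; all names and timestamps are made up.
T0 = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    "resources": [
        {"id": "db-orders", "region": "eu-central-1", "key_model": "BYOK"},
        {"id": "bucket-logs", "region": "us-east-1", "key_model": "CMK"},
        {"id": "queue-events", "region": "eu-west-1", "key_model": "provider-managed"},
        {"id": "vol-scratch", "key_model": "HYOK"},  # region attribute missing
    ],
    "privileged_grants": [
        {"principal": "ops-alice", "granted": T0, "expires": T0 + timedelta(hours=4), "logged": True},
        {"principal": "ops-bob", "granted": T0, "expires": None, "logged": True},
        {"principal": "ops-carol", "granted": T0, "expires": T0 + timedelta(days=30), "logged": False},
    ],
    "subprocessors": [
        {"name": "analytics-example", "dpa_signed": False},
    ],
}
if __name__ == "__main__":
    for check, subject, reason in evaluate_target_state(SAMPLE_INVENTORY):
        print(f"[{check}] {subject}: {reason}")
```

Run on a schedule against a fresh export, a check like this turns a one-time audit result into continuous verification.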