Digital sovereignty in 2026: why cloud choice is a risk decision

The conversation about digital sovereignty changed tone in 2026. It's no longer an academic concern for lawyers - it's an operational decision every Portuguese CIO is making when they sign the next cloud contract.

Three forces converged this year:

The EU Data Act entered into force on 12 January 2026. It forces providers to allow friction-free exits and to avoid technical dependencies that make portability impossible. Anyone who designed architecture around a single hyperscaler's proprietary services now has an audit window.

NIS2 is in active enforcement. Sectors previously unregulated - manufacturing, distribution, waste management, postal services - now have cybersecurity duties equivalent to those of the financial sector. The Portuguese cybersecurity authority (CNCS) is notifying covered entities.

The US CLOUD Act still allows US agencies to require access to data held by US providers - even when that data is stored in Europe. AWS's and Microsoft's "sovereign cloud" offerings that launched in 2026 reduce operational exposure but do not eliminate legal exposure.

The practical consequence? The question has shifted from "AWS or Azure?" to "for this workload, what's the right mix between US hyperscaler and European sovereign cloud?".

What this changes in practice

For workloads with sensitive personal data of European citizens, health data, or strategic IP, the risk calculus has changed. Even if the hyperscaler's technical performance is superior, legal exposure has entered the equation.

For commodity workloads - websites, internal tools without sensitive data, test environments - US hyperscalers remain the pragmatic choice. There's no ideology here: there's per-workload analysis.

What we're doing with our clients

We're designing hybrid architectures where data sensitivity dictates placement. Workloads processing personal data or subject to NIS2 go to OVHcloud (SecNumCloud), IONOS (C5/IT-Grundschutz) or T-Systems. Workloads without that exposure stay where they are today.

More important than the choice of provider is portability. The Data Act gives us the right; architecture design is what makes that right exercisable in practice. Terraform-managed infrastructure, OCI containers, open observability (OpenTelemetry), databases without proprietary extensions. If you can migrate in four weeks, you're sovereign.