← Blog

Datenschutz & Souveränität

Data Sovereignty in the Company: More Than Just a Server Location

"Our data is located in the EU" sounds reassuring — but it is not enough. Why data residency and data sovereignty are two different things, and how to recognize a truly sovereign provider.

Felix Stürmer· 06 May 2026· 3 min read
Data Sovereignty in the Company: More Than Just a Server Location

Hardly any word is used more frequently in discussions about AI and the cloud than "sovereignty"—and hardly any is so often confused with "server location." The need is real: According toBitkom Cloud Report 2025hold78% of companiesGermany is too dependent on US cloud providers;Meanwhile, 97% take the country of origin into account.of a provider; for 67%, it is mandatory — in 2024, it was only 58%. The country of origin has evolved from a "nice-to-have" into a purchasing criterion.

Data Sovereignty: What Companies Want (Bitkom 2025)
Would prefer German providers100%
Consider country of origin97%
What EU hyperscalers want82%
Germany seen as too dependent on US cloud services78%
Prefer US providers6%

Residence is not sovereignty

The decisive difference in one sentence:Data residencydescribes,whereData is stored geographically.Data sovereigntydescribes,who...has legal and operational control over them. A US corporation can store your data in a Frankfurt data center—and still be subject to US law. That is exactly the core of the problem.

The structural conflict: CLOUD Act vs. GDPR

The USCLOUD Actobligates US companies to disclose data to US authorities upon request—regardless of where it is stored, and in some cases under a confidentiality requirement ("gag order"). However, Article 48 of the GDPR prohibits exactly this: the disclosure to a court in a third country without an international mutual legal assistance treaty. A US provider with an EU data center is thus caught between two incompatible legal systems. Violations of the GDPR transfer rules can be penalized with fines of up to €20 million or 4% of total global annual turnover.

This is exacerbated by the ECJ ruling.Schrems IIData transfers to the USA require a complex case-by-case assessment. With genuine EU hosting provided by a European provider, this effort is eliminated—there is simply no third-country transfer.

What the state recommends

The state is also pushing the topic. In 2026, the BSI has theCloud Computing Compliance Criteria (C3A)published as a guide for sovereign cloud services. BSI President Claudia Plattner:

"The C3A provide transparency, guidance, and the opportunity to select cloud services based on the criteria relevant to the respective application."

At the European level, [it] pursuesGaia-X the goal of an interoperable, GDPR-compliant data infrastructure where access remains revocable at any time. The Federal Ministry for Digital Affairs formulates the guiding idea soberly: "Digital autonomy is only possible together with European partners."

How to recognize true sovereignty

Five questions separate the sovereign provider from a mere EU data center:

  1. Where is the data center located — and where is the operating company based?

  2. Who is the parent company, and under which law is it subject?

  3. Who has operational access — can support personnel from third countries access data?

  4. Who holds the keys — does the encryption sovereignty lie with you or the provider?

  5. Is there a lock-in — or can you take your data and models with you at any time?

Kasimir runs in a German data center, operated by a German company — no US parent company, no third-country support access, no CLOUD Act risk. Sovereignty here is not a marketing label, but the architecture.

Conclusion

Data sovereignty is the question of whether you or a foreign state has the final say over your data in case of doubt. An EU server location is necessary for this, but not sufficient. Anyone introducing AI should consider sovereignty from the start — our Guide to GDPR-compliant AI for companies, the concrete selection criteria of the article GDPR-compliant AI: the 7 criteria.

Sources

GDPR-compliant AI from a real German data center

Kasimir runs on its own infrastructure in Germany — no detour via US providers, no CLOUD Act reach.