EconPapers    
Economics at your fingertips  

EconPapers Home
About EconPapers

Working Papers
Journal Articles
Books and Chapters
Software Components

Authors

JEL codes
New Economics Papers

Advanced Search


EconPapers FAQ
Archive maintainers FAQ
Cookies at EconPapers

Format for printing

The RePEc blog
The RePEc plagiarism page

 

Evaluating Sovereignty Claims of US Hyperscalers in Europe: A Comprehensive Audit of Legal, Technical, and Governance Controls for Digital Autonomy

Johannes Maria van Hamond

No 953fb_v1, LawArchive from Center for Open Science

Abstract: European public authorities and regulated sectors increasingly rely on cloud services offered by US-based hyperscalers operating within the European Union. These services are often presented as “sovereign” through claims related to data residency, regional service isolation, and compliance with European regulatory frameworks. This study examines whether such sovereignty claims hold under legal scrutiny when assessed against enforceable jurisdictional control rather than formal compliance statements. The research analyses the interaction between European legal obligations and extraterritorial US legislation, including the CLOUD Act and FISA 702. Using a qualitative audit-based approach, the paper evaluates legal enforceability, technical control mechanisms, and corporate governance structures underpinning sovereign cloud offerings. Specific attention is given to administrative access models, encryption and key custody arrangements, incident response authority, subcontractor involvement, and audit transparency. The findings show a recurring gap between declared sovereignty features and operational reality. Physical data localisation alone does not establish effective jurisdictional isolation when centralised management planes, remote administrative access, or parent-level governance structures remain subject to foreign legal compulsion. Certification schemes and contractual assurances provide limited protection where independent verification and technical enforcement are absent. The paper concludes with recommendations aimed at European policymakers, regulators, and public-sector procurers. These include enforceable requirements for exclusive EU-based administrative control, verifiable isolation of management layers, customer-held encryption keys, and audit regimes aligned with legal jurisdiction rather than geographic storage location. The study contributes to legal and policy debates on digital sovereignty by offering a structured framework for assessing sovereign cloud claims beyond marketing narratives and formal compliance assertions.

Date: 2025-07-27
References: Add references at CitEc
Citations:

Downloads: (external link)
https://osf.io/download/697dedd8b915a7f088e5e79e/

Related works:
This item may be available elsewhere in EconPapers: Search for items with the same title.

Export reference: BibTeX RIS (EndNote, ProCite, RefMan) HTML/Text

Persistent link: https://EconPapers.repec.org/RePEc:osf:lawarc:953fb_v1

DOI: 10.31219/osf.io/953fb_v1

Access Statistics for this paper

More papers in LawArchive from Center for Open Science
Bibliographic data for series maintained by OSF ().

 
Share

RePEc
This site is part of RePEc and all the data displayed here is part of the RePEc data set.

Is your work missing from RePEc? Here is how to contribute.

Questions or problems? Check the EconPapers FAQ or send mail to .

Örebro UniversityEconPapers is hosted by the School of Business at Örebro University.

Page updated 2026-02-15
Handle: RePEc:osf:lawarc:953fb_v1