🎧 Prefer to listen? Audio version below — approximately 8 minutes.
A Gartner VP analyst stood up in Sydney this morning and said what most procurement teams have been carefully avoiding for a decade. Sovereign cloud, he said, is only possible if you are American or Chinese. Everyone else is in a relationship with a foreign provider whether they admit it or not.
This is not a fringe position. This is Gartner -- the firm whose quadrants determine enterprise procurement decisions, whose analysts are quoted in board papers and ministerial briefings. When Gartner says sovereign cloud is structurally impossible for European organisations, that statement lands in rooms where decisions get made.
The response from Europe has been consistent. White papers. Gaia-X produced a governance framework and a logo. France produced Andromeda and Numergy. The EU produced the European Cloud Initiative. All of them went nowhere -- but they did produce some nice white papers.
Meanwhile, AWS Outposts sits in your data centre and phones home. Azure Local runs on your hardware under Microsoft’s legal jurisdiction. The geography is yours. The keys are not. On-premises infrastructure built on US-owned tooling is not sovereignty. It is sovereignty theatre with better latency.
The CLOUD Act requires US companies to disclose data held on foreign infrastructure to US authorities upon valid legal request, regardless of where the data physically resides. “Data remains in the UK” is a statement about geography. It has never been a statement about legal jurisdiction. Every procurement team that has signed a contract with a US cloud provider in the last decade has either understood this and accepted it, or failed to understand it and should not have been signing the contract.
The question is which one.
Because the tools to do this differently exist and are not exotic. Open source software. EEA-jurisdiction hosting providers outside US ownership. Self-hosted services. Documented change control. Restore-tested backups. A genuine exit plan rather than a two-year migration project that gets swept under the rug when the renewal comes around.
The Haunted Lighthouse runs exactly this stack. One company. One operator. Hetzner infrastructure in Helsinki -- EEA jurisdiction, no CLOUD Act exposure. Mastodon, Forgejo, Nextcloud -- self-hosted, open source, auditable. Backups verified, not assumed. GPG-signed commits. RFC 3161 timestamps on deliverables. Not because it is easy. Because the risk was understood and the appetite was there to address it on day one rather than defer it to whoever holds the post in five years.
That is the real question Gartner’s Sydney presentation puts on the table. Not whether sovereign infrastructure is possible -- it is, demonstrably, even at single-operator scale. Not whether the tools exist -- they do, and they are well documented. The question is whether the organisations that should care about this actually do.
The honest answer, looking at the pattern of procurement decisions, white paper launches, and quietly renewed hyperscaler contracts, is that they have made a calculation. The cost of genuine sovereignty is immediate -- it requires architectural decisions, vendor discipline, and the political will to say no to the path of least resistance. The consequences of not doing it are deferred. A future minister. A future board. A future regulator. A future incident report.
This is not ignorance. Or rather, it is no longer ignorance -- not after this morning. When Gartner says it plainly in Sydney to a room full of enterprise buyers, the “we didn’t know” defence evaporates. What remains is a choice. And the choice most organisations are making, quietly and repeatedly, is to let someone else deal with it.
The can keeps moving. The road, eventually, runs out.
Sources: The Register, 11 May 2026 (Douglas Toombs, Gartner VP analyst, IT Infrastructure, Operations & Cloud Strategies Conference, Sydney); Adrian Wong, Gartner Director Analyst, speaking at the same event.
The Sovereign Auditor covers digital sovereignty, cybersecurity governance, and data protection policy -- with a particular focus on Isle of Man jurisdiction and Crown Dependency issues.
Payments via PayPal. Credentials delivered by email. No Substack. No Stripe. No middlemen.
