More and more public tenders mention sovereignty. But the wording often lands on “data must be stored within the EU”, which a hyperscaler meets without addressing the actual risk. If the goal is real control, the requirements need to be sharper.
The problem with “EU region” as a requirement
A requirement to store data in the EU tells you where the bits sit, not who can demand them. A provider with a US parent can meet it to the letter and still fall under the CLOUD Act. The criterion looks satisfied, but the risk remains.
Four mandatory criteria that capture the difference
- Jurisdiction — the provider and the entire ownership chain must be subject solely to EU/EEA law.
- Ownership — the infrastructure must be owned and operated by the provider, not rented on a third party’s stack.
- Control plane — the governing software must be open source and auditable.
- Key custody — encryption keys must be held EU-resident and never accessible to a non-EU party.
A mandatory criterion is only as good as it is evaluable. Demand proof in the product, not claims in a PDF.
— from Kepler’s trust model
Evaluate with evidence
Ask the provider to show, not tell. A residency and access report per region or for the whole account is concrete evidence you can attach to the evaluation. If the provider can’t generate it on request, that’s an answer in itself.
Kepler is built for exactly that level of control — Swedish-owned, EU-incorporated, our own hardware, an open control plane and EU-resident key management. Get in touch and we’ll walk through how the requirements can be worded and verified.