Sovereign-by-Design: Key Management and Data Location in European Clouds

14. October 2025

In Europe, handling sensitive data is subject to strict legal regulations. Companies are required to implement technical measures that ensure ongoing compliance—especially when using cloud services. They must ensure that control, access, and processing remain traceable and legally compliant at all times—regardless of the provider.

Two technical pillars are central to this:

  • Key Management – managing cryptographic keys outside of the provider’s infrastructure, and
  • Data Location – specifying exactly where data is physically stored and processed.

Together, these elements form the foundation for an architectural approach that embeds digital sovereignty from the outset rather than retrofitting it: Sovereign-by-Design.

What Does Sovereign-by-Design Mean?

Sovereign-by-Design refers to a cloud model that gives companies full control from day one over two critical domains: encryption and data location.

Unlike traditional cloud architectures—where keys, identities, and data reside within the provider’s infrastructure—Sovereign-by-Design deliberately separates these responsibilities.

Companies manage their own keys—via hardware security modules (HSMs) or API-driven key management systems (KMS)—and define precisely in which countries or regions data may be stored and processed.

This architecture separates the provider’s control plane—used to manage infrastructure and operations—from the customer’s data plane, which handles actual data traffic. The result: clearly defined trust boundaries and full technical and legal control over access and processing—an essential requirement for meeting European sovereignty and data protection standards.

Technical Foundations: Control over Storage and Keys

Sovereign-by-Design requires two essential conditions:

  1. Data Location – Regional Data Processing

Companies specify which data center regions are permitted for data storage and processing. This prevents unwanted transfers to third countries and mitigates the risk of extraterritorial access. Key frameworks include the EU Cloud Code of Conduct, GAIA-X, and CISPE-certified providers.

  2. Key Management – Customer-Controlled Encryption

Cryptographic keys are managed entirely outside the provider’s cloud infrastructure. This ensures that neither internal services nor support teams can access data content—not even during maintenance or emergencies. Common models include Bring-Your-Own-Key (BYOK), External Key Management (EKM), or self-managed HSMs.

Together, these components establish an isolated control environment in which data remains legally defensible and technically auditable—even when using global cloud providers.
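The two conditions above can be enforced as an automated pre-deployment check. The following is an added example, not CONVOTIS code or any provider's API: the region names, key-origin labels and the `Resource` inventory schema are all assumptions made for illustration.

```python
"""Policy check for data location and key control (added illustration)."""
from dataclasses import dataclass

# Assumed policy values: region names and key-origin labels are hypothetical.
ALLOWED_REGIONS = {"eu-central", "eu-west"}
ALLOWED_KEY_ORIGINS = {"external-kms", "customer-hsm"}  # keys held outside the provider


@dataclass(frozen=True)
class Resource:
    name: str
    region: str                  # primary storage and processing location
    replica_regions: tuple = ()  # replication and backup targets count as data locations
    key_origin: str = "none"     # e.g. "provider-managed", "external-kms", "customer-hsm"


def violations(res: Resource) -> list[str]:
    """Return every violation for one resource; an empty list means compliant."""
    found = []
    for region in (res.region, *res.replica_regions):
        if region not in ALLOWED_REGIONS:
            found.append(f"{res.name}: data location '{region}' is not an allowed region")
    # Allow-list comparison: unknown or missing key origins fail closed.
    if res.key_origin not in ALLOWED_KEY_ORIGINS:
        found.append(f"{res.name}: key origin '{res.key_origin}' is not customer-controlled")
    return found


def evaluate(inventory: list[Resource]) -> dict[str, list[str]]:
    """Map each non-compliant resource name to its list of violations."""
    report = {}
    for res in inventory:
        problems = violations(res)
        if problems:
            report[res.name] = problems
    return report


# Constructed sample inventory, as it might be exported from a deployment plan.
SAMPLE = [
    Resource("patient-db", "eu-central", ("eu-west",), "customer-hsm"),
    Resource("audit-logs", "eu-west", ("us-east",), "external-kms"),
    Resource("design-docs", "eu-central", (), "provider-managed"),
    Resource("scratch-bucket", "ap-south", (), "none"),
]

if __name__ == "__main__":
    for name, problems in evaluate(SAMPLE).items():
        for problem in problems:
            print("DENY", problem)
```

Checking replica and backup regions alongside the primary region matters because a resource can sit in a permitted region while its copies do not.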

Relevance in the European Context

The strategic importance of Sovereign-by-Design continues to grow—driven by evolving regulatory requirements across Europe:

  • GDPR mandates that personal data be processed within clearly defined regions and remain fully controllable.
  • NIS2 obliges operators of critical infrastructure to manage cloud risks structurally—with a focus on technical safeguards and access controls.
  • DORA imposes EU-wide IT governance requirements on financial service providers.
  • Countries like Spain enforce additional rules for outsourcing sensitive public or healthcare data—Sovereign-by-Design is a prerequisite for lawful cloud use in these sectors.

Outside the EU, such as in Switzerland, specific data protection laws (e.g., the revised FADP) also address control over data processing explicitly. Companies must ensure clearly traceable storage locations and full encryption control—independent of their cloud provider. These requirements are not abstract—they directly influence industry-specific cloud strategies.

Industry Perspective: Use Cases and Compliance Requirements

The principles of Sovereign-by-Design have a direct impact on sector-specific cloud strategies:

  • Finance & Tax: Regulatory requirements include audit-proof encryption, GDPR-compliant data handling, and demonstrable third-party controls. Sovereign-by-Design provides the technical foundation.
  • Healthcare & Life Sciences: Patient data and research information are subject to strict privacy standards. Data localization and external key management make cloud usage legally compliant.
  • Public Sector & Government: Sovereign architectures allow public institutions to meet federal requirements while leveraging modern cloud functionality.
  • Manufacturing & Industry: Production data, control systems, and design documents contain critical intellectual property. Controlled access reduces the risk of industrial espionage and regulatory conflict.

How CONVOTIS Implements Sovereign-by-Design

CONVOTIS builds sovereign cloud architectures with full control over data and access—operated in certified EU data centers and aligned with European regulations. Key management always remains on the customer’s side, and all data flows and access activities are transparently documented.

The architecture includes tenant-isolated resources, federated identity management, encryption-based access control, and automated governance via Policy-as-Code. Hybrid integration scenarios and GAIA-X compatibility are built into the design.

Maximum Control Over Your Data.
Sovereign. Secure. Scalable.

Your sensitive data demands maximum control. With external key management, regional data localization, and modern encryption, we deliver sovereign cloud architectures—fully compliant with European regulations and independent of hyperscalers.
