European organisations want to be able to innovate with data & AI, but they also want to stay in control of their data environment. And this is particularly pertinent in data-sensitive environments like the public sector, defence and regulated industries like financial services. In client conversations, we are hearing this question more and more: “Can we build a data environment and retain sovereignty?”
We can. And in fact, we already do. But sovereignty is not a checkbox. It is a whole spectrum. Different data sets require different levels of sovereignty, and every organisation needs to decide what level of sovereignty is required for each workload – and the trade-offs it is willing to accept. A Power BI dashboard with public data is very different from a platform that processes classified case files or sensitive citizen data, for example.
Evaluating sovereignty
The European Commission’s Cloud Sovereignty Framework defines sovereignty objectives and Sovereignty Effectiveness Assurance Levels (SEALs) to make cloud sovereignty more measurable in procurement and risk assessment. Instead of relying on broad claims such as ‘European cloud’ or ‘sovereign cloud,’ organisations can assess concrete dimensions such as strategic alignment, legal and jurisdictional exposure, data and AI control, operational independence, supply-chain transparency, technology openness, security and compliance, and environmental dependency. This is especially relevant for public-sector organisations and regulated industries. Sovereignty requirements are becoming part of tenders and board-level risk discussions. The question is no longer only whether a platform is secure or scalable, but also whether the organisation can explain and defend its sovereignty decisions. This is a vital consideration for clients, shareholders, employees and regulators.
Realistic sovereignty
Full European digital sovereignty (SEAL 4) across all dimensions is difficult to achieve today. Not because the idea is wrong, but because modern technology and hardware are deeply interconnected in a global supply chain and depend on resources not found in the EU and chips not manufactured in the EU.
This does not mean that sovereignty is impossible, but it does mean that organisations need to be precise. Which risk are we trying to reduce, for which data, under which regulation, and at what cost? For most workloads, a major public cloud provider remains the best choice because it offers mature services, strong security capabilities, advanced AI features, and a fast developer experience. For other workloads, especially those involving classified, sensitive, or strategically important data, a more sovereign architecture may be required.
Three practical routes for data & AI platforms
At Valcon, we work from data and AI strategy to end-to-end implementation. We help clients assess sovereignty risks and translate them into practical architecture choices, after which we implement, together with the client, a data & AI platform in their environment of choice.
For data and AI platforms, we typically see three realistic routes:
- Public cloud for speed and innovation: platforms such as Databricks provide a strong developer experience, mature data and AI capabilities and continuous innovation. This can be the right choice when the data classification and risk profile allow it.
- A disconnected data platform for highly restricted data: some organisations work with classified or extremely sensitive data that cannot be stored or processed in a public cloud. In those cases, a disconnected data platform that can run air-gapped (with locked-down access to the internet or any other digital environment) within the perimeter of the client’s organisation can be the right solution. This increases infrastructure and operational complexity, but it also enables the organisation to process data safely within its own network boundaries.
- A sovereign data and AI platform for controlled flexibility: when a US public cloud is not acceptable, but a fully disconnected platform is too heavy, a sovereign data and AI platform can provide a middle ground. It is based on open-source technology, is designed to be portable, and can run in a private cloud, on European cloud providers such as STACKIT, Scaleway or OVHcloud, or on dedicated infrastructure.
A client may decide to keep general analytics workloads on a hyperscaler, for example. While moving sensitive AI inference workloads to a controlled European environment. That is often more realistic than trying to make the entire IT landscape sovereign overnight.
Sovereign data & AI platform architecture
A sovereign data and AI platform should avoid unnecessary lock-in while still offering a modern engineering experience. Valcon builds on proven open-source components by Databricks such as Apache Spark, Delta Lake, Unity Catalog and MLflow, and combines them with technologies such as vLLM and open-source AI inference models. The platform can run on Kubernetes, uses S3-compatible object storage and supports vector storage for AI workloads. This architecture supports both an exit strategy from public cloud, a hybrid scenario, and a standalone setup.
One size doesn’t fit all
Valcon already has considerable experience of creating data sovereignty within the financial, public and defence sectors. This is where Valcon can help: not by pushing one default platform, but by helping clients decide which workloads need which level of control and then building the platform to match. That can be in a client’s own environment, on a European cloud provider, or on a public cloud platform where that is the right fit.
Sovereignty is not about choosing one technology forever. It is about understanding your risks, making conscious trade-offs, and building a platform strategy that gives you the right level of control.
Come and speak to Valcon about data sovereignty
If you are having similar discussions, feel free to reach out to speak to us. As a European company, we feel the responsibility to help European clients with their sovereignty challenges and solve them. Please contact: [email protected] and [email protected]












