Four American hyperscalers - Amazon Web Services, Microsoft Azure, Google Cloud and Oracle Cloud - between them control somewhere north of 80 per cent of the global enterprise cloud market. That single fact, more than any political event or piece of legislation, frames every serious conversation about sovereign cloud taking place inside enterprises and government agencies today.

Speaking at the Gartner IT Infrastructure, Operations & Cloud Strategies Conference 2026, Gartner analyst Douglas Toombs laid out an unsparing assessment of just how difficult it will be for any organisation, or indeed any country, to extract itself from that concentration.

Toombs pointed to Boston Consulting Group’s long-standing ‘rule of three and four’, which holds that a stable competitive market never has more than three significant competitors, the largest of which has no more than four times the share of the smallest.

The 2024 enterprise cloud infrastructure and platform services numbers fit the pattern almost too neatly: AWS at roughly US$100 billion, Microsoft at $66 billion and Google at $29 billion, with Alibaba, Huawei, Tencent, Oracle and IBM scrapping over the remainder.

“With 80, 90-plus per cent of market share being just a handful of companies, I don’t care what political party you like or dislike or whatever you think, it’s just hard from a market dynamics perspective to move that type of thing,” said Toombs.

Gartner’s own published position, as captured in research note Critical Insights: Impact of US Federal Policy Changes on International Cloud-Centric Tech Services, is even blunter: “There are (currently) no suitable non-US alternatives to Amazon Web Services, Microsoft Azure, Google Cloud and Oracle Cloud.”

Despite that uncomfortable arithmetic, the rate at which Gartner clients are now asking about sovereign cloud has exploded. Toombs said inquiry-call volumes across his analyst peers tell a clear story.

“From the end of 2024 through the first quarter of 2025 and then through first quarter of this past year, the growth in interest in sovereign cloud globally was about five-fold. So a significant global increase. A lot of questions, a lot of conversations. Would we have had that same five-fold increase if the November 2024 US election went slightly differently? Who knows? But we are where we are.”

The interest is heaviest in Western Europe but is visible globally. The trigger that comes up in client conversations again and again, Toombs said, is the 2018 US CLOUD Act and the prospect of American law enforcement reaching into data held by American providers regardless of where in the world it sits.

The Act that never really was debated

Toombs offered a brief and slightly disquieting history lesson on the CLOUD Act (Clarifying Lawful Overseas Use of Data) itself. The legislation was originally drafted as a standalone bill, S.2383, sitting on a desk in February 2018. Its text was then lifted wholesale and pasted into the must-pass H.R. 1625, the Consolidated Appropriations Act of 2018, which was signed into law on 23 March 2018.

“The Cloud Act was never debated as one would expect in a legislative body,” Toombs told delegates. “Normally we send it to a committee, people argue, make amendments, but in this case a bunch of things written down, sat for a bit, copy and paste, law.”

The Act amended 18 US Code §2703, allowing a provider to file a motion to quash a US legal demand only where the subscriber is not a US person and where the disclosure would create a material risk of violating the laws of a ‘qualifying foreign government’, defined as a country with which the United States has signed an executive agreement under section 2523.

As of March 2026, the US Department of Justice lists only two such agreements: with the United Kingdom and with Australia. “So that’s actually good,” Toombs noted. “That’s less good when I’m on continental Europe giving this presentation.”

It is worth noting that Australia signed its CLOUD Act executive agreement in December 2021, while New Zealand has no equivalent. There is no public data on how frequently the Australian agreement has been invoked.

A long graveyard of sovereign ambitions

Sovereign cloud is hardly a new idea. Toombs walked through almost two decades of attempts, most of them now defunct or moribund.

France launched Project Andromède in 2009 with 285 million euros of state backing, producing the Cloudwatt offering.

“You can’t log in to Cloudwatt today and provision a virtual machine,” Toombs observed.

France tried again in 2016 with Numergy and SFR, again with hundreds of millions of euros behind it. That too has gone.

Microsoft built Microsoft Cloud Germany in 2016 under a data-trustee arrangement with Deutsche Telekom’s T-Systems. Two years later, buried in the closing lines of a corporate blog post, Microsoft quietly stopped taking new customers.

The Gaia-X initiative announced in 2020 has, by Toombs’ reckoning, produced rather more white papers than running infrastructure. The IPCEI Next Generation Cloud Infrastructure and Services project approved in December 2023, and the Dutch-led ECOFED federation that followed, remain works in progress.

And it is not only smaller players or European national champions that have come to grief. VMware vCloud Air was eventually offloaded to OVH. HP Helion was shut down less than two years after launch. Telstra’s much-promoted A$800 million cloud play, announced by then-chief executive David Thodey back in 2011, no longer occupies a prominent place in the carrier’s portfolio.

“It’s not just small companies or non-US companies or whatever. This is a hard market to break into, at least at the cloud infrastructure and platform layers,” said Toombs.

Sovereign washing

Toombs reserved some of his sharpest commentary for what he called ‘sovereign washing’, the practice of dressing up offerings that are still ultimately tethered to US corporate parents in patriotic local livery.

Telstra’s 2024 announcement of a sovereign secure cloud built in partnership with AWS is one example.

“There’s some in Europe that have been launching there too,” he said. “Sure, ultimately it’s compute, storage, networking, CPU cycles for the providers. And if that’s fine for your customers and your regions that have concerns, great. But it’s interesting having watched this for a long time, seeing how the pendulum swings back and forth.”

Microsoft’s June 2025 announcement of Microsoft 365 Local prompted a similar reaction. The offering, marketed as part of Microsoft’s comprehensive sovereign solutions for European organisations, allows customers to deploy productivity workloads like Exchange Server and SharePoint Server in their own data centres.

“I’m an Exchange administrator from the dot-com era,” Toombs said. “I was doing that 25 years ago. How is that anything new?”

The point is that the customers driving the sovereign cloud conversation moved to Microsoft 365 software-as-a-service, with Teams at the centre, during and after the pandemic. They do not want to go back to running Exchange and SharePoint on a Windows server in a cupboard.

The bigger problem: technology sovereignty

Even if an organisation accepts that data residency and operational autonomy can be achieved through a local partner offering, the deeper question of technology sovereignty remains. Toombs put up a slide breaking the technology stack into eight layers, from hyperscalers down through database, operating system, server virtualisation, servers, network and storage, other hardware and ‘other miscellaneous’ software vendors.

The US flag dominates almost every row.

“The challenge on the technology sovereignty side is that when you start to think about the entire landscape of vendors you would typically work with to power your applications, a lot of them fall under the US flag. So, if you want to get rid of all of those, that gives you a much smaller sourcing and management landscape to work with.”

Gartner’s position, drawn from its research note Digital Sovereignty Is Needed For Future Technological Resilience and Business Outcome, is unequivocal: “Outside of the US and China, true technological sovereignty cannot be achieved today.”

Toombs cited the now-notorious July 2025 exchange in the French Senate, when Microsoft’s French general manager and head of legal affairs Anton Carniaux was asked under oath whether the company could guarantee that data on French citizens would not be transmitted to the American government without the explicit agreement of the French government. His answer, as Toombs paraphrased it, was a single word: “No.”

Five strategies, and a warning about getting cornered

Having pulled apart the comforting fictions, Toombs set out five practical strategies organisations can choose from, each with its own profile of risk, complexity and cost.

Shelter-in-place is, as he frankly described it, “do nothing and wait for things to go back to normal”. It carries the highest residual risk but the lowest cost, and Toombs said it is in fact where most of his clients currently sit.

Distributed cloud uses hyperscaler-provided hardware (AWS Outposts, Azure Local, Oracle Dedicated Region, Google Distributed Cloud) in customer or local-provider locations. It addresses jurisdictional residency but most variants remain tethered to the mothership for operational and update purposes, and the service catalogues are typically a tiny subset of what is available in the public regions.

Sovereign cloud comes in three flavours: hyperscaler-operated sovereign offerings such as the AWS European Sovereign Cloud launched in January 2026 and the Oracle EU Sovereign Cloud in Frankfurt and Madrid, hyperscaler-supported partner offerings such as Bleu (Capgemini and Orange on top of Microsoft technology) and S3NS (Thales on Google Cloud), and pure local non-hyperscaler offerings.

Toombs cautioned that even the hyperscaler-operated sovereign clouds may remain legally owned by US parent companies, and that local non-hyperscaler offerings frequently lack feature parity.

“You bought the Corvette, you needed a golf cart, but you might have a local provider that’s trying to sell it as the skateboard,” he said.

Hide-in-plain-sight wraps existing public-cloud deployments in customer-managed encryption keys and confidential computing technologies. It addresses the data-disclosure risk by ensuring the provider cannot hand over usable data, but does not protect against kill-switch scenarios or service disconnection.

Private, hybrid and multi-cloud spreads workloads across locations to balance risk against innovation, at the cost of significant operational complexity and capital investment, and without solving the problem that some innovations simply do not exist outside the big public clouds.

Underpinning all five is what Toombs described as the single most important conversation any CIO needs to have with their leadership: nailing down the specific trigger events that would prompt an exit, and the timeframe required to execute on it.

“The faster you need to exit, the more you need to spend upfront. Do not let yourself get cornered into the position where leadership tells you the exit needs to happen immediately, but you have not been given the budget or the time to prepare for it,” said Toombs.

Geopatriation, not repatriation

Toombs and his colleagues have coined the term ‘geopatriation’ to distinguish jurisdictionally driven cloud exits from the broader repatriation narrative that has bubbled along for several years. Gartner, he said, sees little evidence of mass repatriation despite the headlines, and so far only modest signs of actual geopatriation: some forward projects being paused, but very few existing workloads being pulled back.

Part of the reason is the unavoidable competing priority of business continuity. Toombs cited recent incidents in which cloud provider regions in Gulf states were directly impacted by missile strikes. “We said, sovereignty-wise, it has to stay here, but this data centre is on fire. What do we do?” he said. “It becomes a pick-your-disaster-scenario exercise, and it is going to cost a gazillion dollars.”

Toombs closed with five points he urged delegates to take back to their organisations. Consolidation of more than 80 per cent of market share into three companies makes any market exceptionally hard for new entrants to break into. The sovereign cloud landscape is replete with lofty promises and dead offerings. Do not let anyone hand-wave what your exit triggers should be. Demand the appropriate structure, budgets and time, to do it right. And implement whichever of the five key strategies protects your organisation best, at the right investment level.

Or, as Toombs put it borrowing from Thomas Edison: vision without execution is hallucination.