Europe is trying to make its cloud sovereign, and the sticking point is a United States law that reaches data stored on European soil. The gap between where data sits and who can be compelled to produce it is now driving legislation, and it is a question of architecture as much as of policy.
What the EU proposed
On 3 June 2026 the European Commission presented its Tech Sovereignty Package, with the Cloud and AI Development Act at its centre. The stated goals are to at least triple the EU's data centre capacity within five to seven years, to cut the bloc's reliance on non-EU providers, and to set an EU-wide sovereignty framework for cloud services. The reliance it is reacting to is large: by the Commission's own framing, Europe depends on non-EU providers for more than 80 percent of its digital products, services and intellectual property.
The Act sorts providers into sovereignty assurance levels, ranging from data processed and stored in Union infrastructure, through demonstrated independence from third countries, up to full EU ownership and control with no third-country interference. For the most sensitive public-sector work, the framework would leave only European providers, or non-European firms that meet localisation and independence criteria, eligible to bid.
The law it is aimed at
The concern named throughout the debate is the US CLOUD Act of 2018. It compels US-headquartered providers to preserve and disclose data under their control in response to valid US legal process, wherever that data physically sits. As one analysis of the conflict puts it, a demand served on a US provider's US headquarters compels production of data from its Frankfurt, Amsterdam or Dublin servers. That is what makes "the data is in an EU region" an incomplete answer to a sovereignty question.
Why localisation alone does not settle it
Storing data in an EU data centre does not remove the provider's ability to read it, and it is that ability the CLOUD Act reaches. European law pushes the other way. The EU Data Act and the GDPR require providers to take measures preventing unlawful non-EU government access to data held in the EU, so a US-headquartered provider can be caught between two regimes: complying with a CLOUD Act order may breach the EU Data Act, while refusing may expose the provider to US penalties. Localisation changes where the bytes rest. It does not change who can be ordered to hand them over.
Data localisation says where your files sit. Key custody says who can be made to open them.
The part that actually resolves it
The consistent technical answer is to remove the provider's ability to read the data in the first place. If files are encrypted so that only the customer holds the keys, a disclosure order returns ciphertext the provider cannot decrypt, which satisfies both legal regimes at once. Encryption under the provider's own keys does not achieve this, because the provider can still be compelled to use them. Sovereignty, on this reading, is decided less by the map than by key custody.
Where this maps to what we build
i46 builds SpaceBox, a sovereign data vault, to that principle. Files are sealed on the owner's device before upload with AES-256-GCM, and the content key is wrapped to the recipient's public key using ML-KEM-768, the post-quantum key exchange standardised by NIST as FIPS 203. Private keys are generated on the device and never leave it, so the servers hold ciphertext and nothing else, and there is no key for i46 or anyone else to be compelled to produce. For organisations that want the vault inside their own walls, SpaceBox also ships as an on-premises appliance. Post-quantum key exchange is not unique to us, and it is not a complete security story on its own; the point here is narrower, that a provider which cannot read your data has nothing to disclose.
Europe's sovereignty debate is, underneath the procurement tiers and capacity targets, an argument about control. The systems that hold only ciphertext take the provider, and the provider's jurisdiction, out of that argument.
SpaceBox is i46's sovereign data platform, offered in on-premises, hosted and orbital tiers, with the free SpaceBox Lite app in beta. Read how the stack works on the SpaceBox page.