AWS Outlines Sovereignty Controls as EU Sets Cloud Procurement Tests
Public-sector buyers are turning cloud sovereignty into a set of testable controls rather than treating data location as sufficient assurance. In its digital sovereignty resource, Amazon Web Services says customers can control workload location, data access, encryption, and resilience. The European Commission has separately translated sovereignty into procurement criteria for cloud providers.
For Drupal agencies and site owners, the distinction matters because evidence for regulated hosting may need to cover the application stack, not only the selected cloud region. A Drupal estate can include files, backups, logs, CDN caches, search indexes, analytics exports, deployment artefacts, and support records. Each layer can affect whether a client can document data location, privileged access, key custody, recovery, and international transfers.
AWS says customers can choose where workloads run, use Dedicated Local Zones for specified locations, and apply AWS Control Tower controls for data residency requirements. It also cites the Nitro System for EC2 access boundaries, customer-managed encryption keys, AWS Key Management Service External Key Store, AWS Backup, and AWS Elastic Disaster Recovery. These services provide technical building blocks, but the AWS resource does not establish that a particular Drupal deployment meets a buyer’s legal or operational requirements.
AWS’s most sovereignty-specific offer in the material is the AWS European Sovereign Cloud. In a launch post dated 14 January 2026, AWS said its first Region in Brandenburg, Germany, was generally available, physically and logically separate from existing AWS Regions, and operated exclusively by EU residents located in the EU. The company also said the infrastructure had no critical dependencies on non-EU personnel or infrastructure, while noting a gradual transition to operation exclusively by EU citizens located in the EU.
Those claims can be compared with the Commission’s Cloud Sovereignty Framework, although the awarded-provider list does not include AWS. The framework combines Sovereignty Effectiveness Assurance Levels with an overall score based on 48 criteria grouped into eight categories: strategic, legal and jurisdictional, data and AI, operational, supply chain, technological, security and compliance, and environmental sustainability. In April 2026, the Commission awarded four contracts under which EU institutions and bodies can procure sovereign cloud services worth up to EUR 180 million in total over six years.
Data-protection guidance points to the same need for project-level evidence. The European Data Protection Board’s 2023 coordinated action says public bodies may struggle to obtain cloud services that comply with EU data-protection rules, while its international-transfer guidance states that transfers outside the European Economic Area must meet Chapter V conditions.
For Drupal projects, region selection should therefore be reviewed alongside subprocessors, administrative access, support workflows, logging, backups, analytics, incident response, portability, and exit planning. AWS’s controls may support that work, but they do not replace a documented assessment of the deployed architecture and the client’s requirements.
References
-
Opening the AWS European Sovereign Cloud (14 January 2026)
-
