Microsoft just confirmed what many feared: even if your data is hosted in an EU data center, U.S. agencies can still access it without notifying EU authorities.

This should be a wake-up call for all organisations. If your cloud provider can hand over your data without your knowledge, your cloud strategy is already a compliance failure.

The idea that hosting data in a specific geographic region ensures sovereignty is a dangerous illusion. Data location means nothing if you don’t control access to it.

The Shared Responsibility Model Is a Liability

Cloud vendors are great at marketing performance, cost savings, and uptime. Security? Not so much. That’s where the “shared responsibility model” comes in.

If you’re not familiar, here’s how it works:

• The cloud provider secures their infrastructure.
• You secure your data.

But while you’re accountable for the security of your data, you have no control over the underlying environment. How can you stop a vulnerability in their supply chain? How can you control how they respond to zero-day threats? The truth is, you can’t. 

Yet when there’s a breach, you own the consequences. Under GDPR, DORA, and other regulations, that could mean:

• Fines up to 4% of global revenue
• Mandatory breach notifications
• Potential executive liability for failing to safeguard sensitive data

Shared responsibility? More like shared liability, where the provider has the power, and you carry the risk.

The Cloud Is a Data Free-for-All

The cloud has become a high-speed transit system with no conductors and no ticket checks. Most are built for speed, not security.

Zero-day vulnerabilities move faster than patch cycles. Lateral movement between hybrid, multi-cloud, and on-prem networks is hard to contain. Backup tools assume the data they copy is trustworthy. But if it’s been compromised in transit, your backups are compromised too.

Worse, sovereign control is an afterthought in most cloud security strategies.
And even if your cloud provider hosts your data in-region, say, within the EU or UK, it doesn’t matter. If a third country can demand access and your provider holds the keys, your data is still exposed, and your regulatory obligations are still violated.

Certes Makes Cloud Sovereignty Real

Certes doesn’t secure environments. We secure the data itself.

With Certes Data Protection and Risk Mitigation (DPRM):

• Only you hold the keys. No cloud provider, third-party vendor, or government agency.
• Data is protected in transit, across hybrid and multi-cloud environments.
• Protection is quantum-safe, future-proofing your compliance and resilience.
• Backups remain immutable and untampered, even across virtual air-gapped environments.

Certes DPRM assumes breach, isolates workloads, prevents lateral movement, and renders data invisible, inaccessible, and worthless to attackers.

Cloud Provider Model:	Certes DPRM Model:
Shared key custody	Exclusive key ownership
Visibility to infrastructure	Zero data visibility
Reactive patching	Policy-enforced isolation

Assume Breach. Plan Resilience. Deliver Control.

The cloud is essential to modern operations. But if you’re relying on your cloud provider to keep your data safe, you’re outsourcing your compliance risk.

If you’re serious about compliance, sovereignty, and resilience, then the answer isn’t “more perimeter security.” It’s data-centric protection, and that’s what Certes delivers. Real sovereignty means making sure only the data owner holds the keys, regardless of where the request comes from.

Who holds the keys? 

Your cloud provider is not your security provider. If your data matters, so must your control of it. Certes gives you that control no matter where your data lives.

So the next time someone says “we’re covered because our cloud provider is based in the EU,” ask them one question: Who holds the keys?

If the answer isn’t you, then your data isn’t safe, and your sovereignty is an illusion.