A sovereign cloud is infrastructure where you keep legal, operational, and technical control over your data and systems, instead of renting that control from someone else. The data lives where you choose, the encryption keys are held by you, and no foreign jurisdiction can quietly reach into your systems. For organizations in Europe, and Germany in particular, this has moved from a nice-to-have to a board-level requirement driven by GDPR, NIS2, DORA, and the reach of the US CLOUD Act.
The good news: there is no single “correct” sovereign cloud product to buy. A sovereign private cloud can be built many ways, almost entirely on open source and open standards. This guide explains what the term actually means, then walks through the real landscape of ways to build one so you can match the approach to your workloads rather than to a vendor’s marketing.
What “sovereign” actually means
Data residency (where bytes physically sit) is only one piece. True digital sovereignty layers several things together:
- Jurisdictional control - your data stays outside the reach of foreign law, aligned with EU regimes like GDPR, NIS2, DORA, and the EU Data Act.
- Key control - you hold the encryption keys (BYOK, or fully HYOK), not the platform operator.
- Operational control - you decide who can access, change, and audit the environment.
- Portability - open, standard interfaces (Kubernetes API, OCI, S3) mean you can leave or move without a rewrite.
- Transparency - open-source components you can inspect, plus optional confidential computing (Intel TDX, AMD SEV-SNP) for runtime protection.
Frameworks worth knowing as you scope a project: Gaia-X and its Trust Framework labels, the upcoming EUCS certification scheme from ENISA, Germany’s BSI C5 catalogue, and the community-driven Sovereign Cloud Stack (SCS). These give you a shared vocabulary with auditors and procurement.
The big misconception
A common myth is that “private cloud means OpenStack” or “you need Proxmox.” Neither is true. Private cloud and IaaS are categories, not products. The right question is not which tool, but what control plane fits your scale, your team, and your compliance posture. There are at least three credible architectures, and a sovereign cloud can be built on any of them.
Way 1: A full IaaS control plane
This is the classic “build your own cloud” model: a control plane abstracts pooled compute, storage, and networking into self-service, multi-tenant infrastructure with APIs, quotas, and tenancy. It suits larger estates, service providers, and teams that genuinely need cloud-like elasticity on their own hardware.
Open-source options in this category include:
- OpenStack - the most complete IaaS control plane, now under the OpenInfra Foundation (which joined the Linux Foundation in 2025). The backbone of many European sovereign clouds.
- Apache CloudStack - a mature, simpler-to-operate IaaS from the Apache Software Foundation.
- OpenNebula - lightweight, good for edge and mid-size private clouds.
- Sovereign Cloud Stack (SCS) - open standards and reference implementation purpose-built for sovereignty, often layered on OpenStack and Kubernetes.
OpenStack is frequently the leading choice as a VMware alternative for organizations that want full IaaS without licensing lock-in.
Way 2: A hypervisor or HCI stack
If you mainly run virtual machines and want operational simplicity over hyperscale elasticity, a hypervisor or hyper-converged stack is often the better fit. These give you VM lifecycle, clustering, and storage without the operational weight of a full IaaS control plane.
- Proxmox VE - hugely popular open-source virtualization and HCI platform, KVM plus LXC, increasingly used as a VMware replacement.
- oVirt - the upstream of enterprise virtualization management, KVM-based.
- XCP-ng - the open Xen-based hypervisor (XAPI), a direct alternative for Citrix Hypervisor users.
- Harvester - HCI built on Kubernetes and KubeVirt, bridging into Way 3.
Under all of these sit the same Linux foundations: KVM with libvirt for the KVM-based stacks, the Xen Project for XCP-ng, and Ceph as the software-defined storage layer of choice.
Way 3: Kubernetes-native, where Kubernetes is the cloud
A growing pattern is to skip a traditional IaaS layer entirely and make Kubernetes itself the cloud. Containers are the primary unit, and VMs run inside Kubernetes when needed. This fits cloud-native organizations and platform-engineering teams.
- KubeVirt - runs VMs as first-class Kubernetes workloads alongside containers.
- OpenShift Virtualization (and its upstream OKD Virtualization) - enterprise distribution of the same idea.
- Cluster API (CAPI) - declarative cluster lifecycle, treating clusters themselves as managed resources.
- Harvester, Incus - HCI and system-container options that complement this model.
Here the “control plane” is the Kubernetes API itself, with the broader CNCF ecosystem (Cilium for networking, Rook/Ceph or Longhorn for storage, OpenBao or Vault for secrets) filling in the rest.
Choosing between them
There is no universal winner. A rough guide:
- Large multi-tenant estate or service-provider scale: lean toward OpenStack / CloudStack / SCS (Way 1).
- VM-centric workloads, smaller team, fast time-to-value: lean toward Proxmox VE / oVirt / XCP-ng (Way 2).
- Cloud-native, container-first, platform-engineering culture: lean toward a Kubernetes-native KubeVirt / Harvester approach (Way 3).
- Many real environments are hybrids, for example OpenStack for IaaS with Kubernetes running on top.
The layers around the control plane
Whichever way you build, sovereignty depends on the supporting layers, and these are open-source-first too:
- Storage: Ceph, Rook, Longhorn, MinIO (S3-compatible) - your data, on your hardware, via CSI and the S3 API.
- Networking and security: Cilium (eBPF), Calico, WireGuard, plus zero-trust identity with SPIFFE/SPIRE and mTLS.
- Secrets and keys: OpenBao or HashiCorp Vault for BYOK/HYOK.
- Infrastructure as Code: OpenTofu, Terraform, Pulumi, Crossplane, Ansible, and Nix so the whole platform is reproducible and auditable.
- GitOps and delivery: Argo CD or Flux, with Tekton, GitHub Actions, GitLab CI, or Jenkins for builds.
- Observability: OpenTelemetry, Prometheus, and the Grafana LGTM stack, all on open standards so telemetry stays portable.
These open standards (Kubernetes API, OCI, CSI/CNI, OpenTelemetry, S3) are what keep a sovereign cloud genuinely portable rather than a new flavour of lock-in.
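Key control (BYOK, or fully HYOK) is the one layer above that is easy to state and easy to get subtly wrong, so here is a worked example of what it means structurally. This is an added illustration, not code from the original article and not Rapid Solutions', OpenBao's or Vault's code: it shows envelope encryption in Go's standard library, where the platform side only ever stores data encrypted under a per-object data-encryption key (DEK) plus that DEK wrapped by a key-encryption key (KEK) that never leaves a customer-held key service. The `CustomerKMS` type, the key identifiers and the sample record are constructed stand-ins for a real HSM or OpenBao/Vault transit backend.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is everything the platform operator stores for one object.
// Nothing in it is decryptable without the customer-held KEK.
type Envelope struct {
	KeyID      string // which customer KEK wrapped the DEK (constructed label)
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK), AAD = KeyID
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce and prepends it to the output.
func seal(aead cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open splits off the nonce and authenticates before returning plaintext.
func open(aead cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// CustomerKMS stands in for the customer's own HSM or OpenBao/Vault instance
// (hypothetical). It exposes only Wrap/Unwrap/Revoke, never the KEK bytes.
type CustomerKMS struct {
	keks map[string][]byte
}

func NewCustomerKMS() *CustomerKMS { return &CustomerKMS{keks: map[string][]byte{}} }

func (k *CustomerKMS) CreateKEK(id string) error {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return err
	}
	k.keks[id] = kek
	return nil
}

// Wrap binds the wrapped DEK to the key id via AAD, so an envelope cannot be
// silently re-pointed at a different KEK.
func (k *CustomerKMS) Wrap(id string, dek []byte) ([]byte, error) {
	kek, ok := k.keks[id]
	if !ok {
		return nil, fmt.Errorf("unknown KEK %q", id)
	}
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	return seal(aead, dek, []byte(id))
}

func (k *CustomerKMS) Unwrap(id string, wrapped []byte) ([]byte, error) {
	kek, ok := k.keks[id]
	if !ok {
		return nil, fmt.Errorf("unknown KEK %q", id)
	}
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	return open(aead, wrapped, []byte(id))
}

// Revoke deletes the KEK: every envelope under it becomes unreadable even
// though the operator still holds the ciphertext (crypto-shredding).
func (k *CustomerKMS) Revoke(id string) { delete(k.keks, id) }

// Encrypt runs on the platform side: fresh DEK per object, encrypt, have the
// customer KMS wrap the DEK, and keep only the envelope.
func Encrypt(kms *CustomerKMS, keyID string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	ct, err := seal(aead, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := kms.Wrap(keyID, dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt can only succeed if the customer KMS agrees to unwrap the DEK.
func Decrypt(kms *CustomerKMS, env *Envelope) ([]byte, error) {
	dek, err := kms.Unwrap(env.KeyID, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap refused: %w", err)
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return open(aead, env.Ciphertext, nil)
}

func main() {
	kms := NewCustomerKMS()
	if err := kms.CreateKEK("tenant-a/2025"); err != nil {
		panic(err)
	}
	env, err := Encrypt(kms, "tenant-a/2025", []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kms, env)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	kms.Revoke("tenant-a/2025")
	_, err = Decrypt(kms, env)
	fmt.Println("after revocation:", err)
}
```

The design point is the separation of duties: the platform generates and uses DEKs, but the unwrap decision (and with it every audit log entry and revocation) stays on the customer side. Replacing `CustomerKMS` with a real OpenBao/Vault transit endpoint or an HSM changes the transport, not the trust boundary.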
FAQ
Is sovereign cloud the same as data residency?
No. Data residency means your data sits in a chosen region. Sovereignty adds key control, operational control, jurisdictional protection, and portability on top.
Do I have to run OpenStack to be sovereign?
No. OpenStack is one excellent option, but Apache CloudStack, OpenNebula, Proxmox VE, oVirt, XCP-ng, and Kubernetes-native stacks (KubeVirt, Harvester) can all underpin a sovereign cloud.
Is open source actually safe for this?
Yes, and it is usually the safer choice for sovereignty. Open source is inspectable, avoids vendor lock-in, and is backed by neutral governance (Linux Foundation, CNCF, OpenInfra, Apache).
Can I run private AI in a sovereign cloud?
Yes. Self-hosted inference (vLLM, Ollama, llama.cpp) with vector stores (pgvector, Qdrant) and PII redaction (Presidio) lets you run private LLMs and RAG where prompts and weights never leave your environment.
Where does confidential computing fit?
Intel TDX and AMD SEV-SNP protect data in use, so even the platform operator cannot read workload memory. Useful for the highest-assurance workloads.
Build it with the right partner
A sovereign cloud is an architecture decision, not a product purchase, and the hardest part is matching the approach to your workloads, scale, and compliance obligations. Rapid Solutions is an engineering consultancy and managed-services firm (not a cloud provider) with offices in Amsterdam and Dubai. We design and operate sovereign private clouds across the full open-source ecosystem, OpenStack and CloudStack, Proxmox VE and Harvester, or Kubernetes-native KubeVirt, with EU data residency available as a capability, and a simple principle throughout: your data, your keys, your control.
Whether you want to build from scratch or have us sovereign-manage what you already run, get in touch with Rapid Solutions to scope the right approach.