A month ago, Canadian Prime Minister Mark Carney briefly mentioned that his new Major Projects Office would be supporting the development of a “Canadian sovereign cloud” in an address outlining nation-building projects. This news reflects a much broader conversation around digital sovereignty for Canada, yet it offers little specificity on what a Canadian sovereign cloud would actually entail.

Meanwhile, American hyperscalers, including Google, Amazon Web Services (AWS), Microsoft and Oracle, that dominate cloud infrastructure across the globe have taken note of the recent turn toward sovereignty. They have been quick to try to capitalize on it. Just days after Carney’s address, Google issued a press release unveiling its new “Sovereign Cloud” offering for Canadian consumers. The product promises data localization through measures such as the so-called “Google Data Boundary,” which is tailored for “Government of Canada Sensitive Workloads” and allows customers to set up ​​data residency and access controls. But can a cloud built and run by a foreign provider, however tailored, truly be called sovereign?

This trend is hardly unique to Canada, and if anything, we are late to jump on the cloud sovereignty bandwagon. The hyperscalers have been marketing “sovereign” cloud solutions in Europe for nearly a decade, beginning with Microsoft’s Deutschland Cloud, which operated from 2015 to 2018. The initiative sought to increase data protection by placing control of customer data under a third-party German trustee. More recently, AWS announced plans for a 7.8 billion euro European Sovereign Cloud, slated to launch by the end of this year. Yet, as critics have correctly pointed out, this project is but a facade that conceals the fundamental inability of US companies to provide true data sovereignty in Europe, or anywhere else.

Cloud infrastructure from American companies, whether located in Europe or Canada, is incompatible with sovereignty. If Canada seeks genuine control over the physical and digital infrastructure that stores and transports information of its public, it cannot rely on US hyperscalers to provide it. These companies fall under US jurisdiction and, therefore, are subject to the 2018 CLOUD Act, which enables US authorities to access data they hold, even if that data is stored abroad. In other words, the US can access any data stored by American cloud providers in Canada without our authorization or even knowledge. This fact was confirmed by Microsoft, whose representative told the French Senate that the company could not guarantee that a French citizen’s data would not be transmitted to US authorities without the explicit authorization of French authorities.

Hyperscalers’ claims about sovereignty, which often emphasize data localization and robust security practices while glossing over the US government’s ability to access information, risk being deceptive. This behavior echoes the maple-washing we observed when US tariffs on Canada were first introduced; this time, however, such “sovereignty-washing” serves as a strategic ploy to deepen Canada’s dependence on US tech firms and deflect legitimate concerns. Unfortunately, because cloud sovereignty remains poorly defined, sovereignty-washing claims easily go uncontested.

The CLOUD Act provides the clearest and most immediate rationale for pursuing digital sovereignty on national security grounds: continued dependence on American tech companies allows US authorities access to hordes of sensitive information. This vulnerability, however, is not new, as the CLOUD Act merely formalized mechanisms that have existed since 2001 under the PATRIOT Act. But President Trump’s second term has only heightened the urgency of addressing Canadian dependencies on US tech companies. Given his record of disregarding regulatory and legal norms and the rules-based international order more broadly, it is reasonable to expect that the CLOUD Act could be abused and further exploited.

Options for a sovereign cloud

Cloud sovereignty clearly does not look anything like what the hyperscalers are currently offering, but there are several possible models for what it could look like instead.

First, a sovereign cloud could be approached as a matter of procurement: Canada could shift its contract from US tech companies that currently dominate the approved list to non-American alternatives. At present, eight cloud service providers (CSPs) are approved for use by the Canadian government, seven of which are American. Accordingly, there is a clear opportunity to diversify procurement, particularly towards European CSPs, as suggested by the government’s ongoing discussions with France’s OVH Cloud. Moving towards non-American providers would immediately mitigate the vulnerabilities posed by the CLOUD Act, though these alternatives are likely to come at a somewhat higher cost.

Second, a sovereign cloud could be defined as cloud infrastructure that is not only located in Canada and insulated from foreign legal access, but also owned by Canadian entities. Practically speaking, this would mean procuring services from domestic companies, a step the government has already taken with ThinkOn, the only non-American company CSP on the government’s approved list. ThinkOn also recently announced a partnership with three other Canadian digital infrastructure companies, Hypertec Group, Aptum, and eStruxture, to develop a new sovereign cloud offering for the federal government.

Domestic ownership enables greater control because these companies fall under Canadian jurisdiction. However, simply transferring all cloud contracts to ThinkON is not feasible. Canadian companies currently lack the capacity to meet the country’s own cloud computing demand. To make this option viable, the government would need to make strategic investments in Canadian CSPs to expand domestic capacity, investments that would likely entail significant amounts of capital.

Among peer countries, the EU has advanced the furthest towards digital sovereignty with the EuroStack initiative, which arose from concerns over geopolitical vulnerabilities tied to digital dependence. The Eurostack Report, published in February 2025, outlines what would be required for Europe to achieve digital sovereignty across all layers of its technology stack. Most recently, the initiative proposed a regulatory framework for a “Buy European” procurement policy, an approach closely aligned with this second option for a sovereign cloud.

Third, perhaps true cloud sovereignty might require more direct state intervention and a publicly built and maintained cloud. The Canadian government could develop in-house capacities for cloud computing and exercise the highest possible degree of control over government data. A dedicated Crown corporation could be established to serve the government’s cloud computing needs.

However, such a high level of control may only be necessary for particularly sensitive government data, such as health or tax data, while procurement-based models may suffice elsewhere. Only government information up to Protected B is allowed to be stored in the cloud, which presumably means there is existing in-house capacity for storing the most sensitive information. If so, then public sovereign cloud becomes a question of updating in-house capacity to take advantage of cloud infrastructure and expanding it to other classifications of information like Protected B, which can still "cause serious injury” if compromised.

Key considerations for a sovereign cloud

The trend towards digital sovereignty raises important questions about market governance and forces us to clarify our priorities. For example, we are watching our big telecommunication firms breaking into the data centre and AI markets—Bell and Telus announced AI data center projects this year—and these firms have significant advantages over smaller, new market entrants, like existing fiber networks. Should Canada seek to replicate the US Big Tech oligopoly with another one, simply closer to home? If the answer is no, we must take care to promote fair competition in building our Canadian cloud market.

No matter how we approach it, cloud sovereignty will be costly. Hyperscalers can offer more flexible and cheaper pricing models, and will likely be able to undercut emerging alternatives. To make digital sovereignty viable, the Canadian government will have no choice but to intervene, strategically investing in domestic cloud service providers and likely subsidizing these options. Energy is another crucial factor: cloud computing requires enormous amounts of power, and hyperscalers operate the largest and most energy-efficient facilities. The relative inefficiency of smaller Canadian providers will only drive up the cost of domestic options.

However, the costs of inaction are equally high. If Canada fails to invest in some form of sovereign cloud, we will continue to compromise our national security and lose the opportunity to capture value within the cloud computing market. Building sovereign cloud capacity would also position Canada to capture greater value in other digital markets, such as AI. Conversely, if the country further entrenches its dependence on US tech and fails to develop sufficient alternatives, those firms will be free to charge the government and the public whatever they want. Such profiteering will have long-term economic consequences that would likely outweigh the upfront costs of sovereign cloud development.

Fortunately, there are opportunities for Canada. Because our current digital dependence on the US poses a risk to national security, there is a strong case for recognizing digital infrastructure as dual-use, especially since it enhances control over our own cybersecurity. Digital sovereignty thus presents an ideal target for increased defense investment required to meet the government’s new defense spending goal.

Canada is finally waking up to the risks of relying on the US for digital infrastructure, and we mustn't lose this momentum. We have a rare opportunity to redefine our digital infrastructure in a way that reflects Canadian values, including promoting a safer, more responsible, and more trustworthy digital ecosystem, while also capturing greater economic benefit.