Data sovereignty tips for businesses selling into EU governments - Pt 1: Professional services projects
- Ian Makgill
- Digital, Technology, Business, Export, Software
- 21 Apr, 2026
Something has shifted in how European governments buy from their suppliers. In April 2026, the European Commission awarded its first sovereign cloud tender, worth €180 million, to four European providers. France is moving its civil servants off Microsoft Teams and Zoom. Denmark's Ministry of Digital Affairs has switched to LibreOffice. The German state of Schleswig-Holstein has replaced Microsoft Exchange with open-source alternatives. The pattern is consistent. Public buyers increasingly want assurance that the data they share with their suppliers cannot be reached by a foreign government, regardless of where the server physically sits.
For professional services firms (law firms, consultancies, architects, accountants, creative agencies), this has a very practical edge. When you win a project with an EU public body, the buyer will ask where their data lives and who can legally reach it. For years, "Microsoft 365, like everyone else" was an acceptable answer. It is quietly ceasing to be one.
Let's get started
The good news is that you do not need to rebuild your whole business to stay competitive. This post walks through how to stand up a ring-fenced, EU-safe delivery environment for a single project, running alongside your normal operations. Every tool we mention is available today. Most cost well under €100 a month. The whole setup can be live within a week and dismantled cleanly at the end of the engagement. If you win the project, you deliver it without exposing your client's data to risks they have told you they care about. If you don't, you have built a capability you can reuse next time.
The right mental model is a ring-fenced delivery environment. Not "change the company", but "stand up a clean room for this client".
Email and domain
Register the domain with an EU-based registrar. Gandi (France), INWX (Germany), and EuroDNS (Luxembourg) are the common choices. Avoid GoDaddy, Namecheap, and Cloudflare Registrar, which are all US companies. Pick an EU top-level domain (.eu, .fr, .de) if the buyer cares about optics, which they often do.
Host the DNS with the same provider or another EU one. This matters more than people think: DNS queries reveal traffic patterns and DNS providers hold data subject to their jurisdiction. Cloudflare DNS is a US service even when it's fast.
For email itself, the credible options are Infomaniak kSuite (Swiss, which has its own privacy story and adequacy), Proton for Business (Swiss), Mailfence (Belgian), Tuta or Mailbox.org (German), OVHcloud email, or IONOS. For a project-duration mailbox, Infomaniak kSuite and Mailbox.org are the practical picks because they include collaboration tooling too.
This gives you sovereign addresses like projectname@client-project.eu for every team member on the engagement. Team members keep their normal company email for internal work and use the project email for everything client-touching.
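One way to check the result of the domain and email steps above, as an added example that is not part of the original post: classify the project domain's NS and MX hosts by provider jurisdiction. The suffix table, the accepted-jurisdiction set and the sample records are assumptions constructed for illustration; feed it the host names your resolver actually returns.

```python
# Suffix -> (provider, jurisdiction). Assumed table built from the providers
# named in this post; confirm each suffix with the provider before relying on it.
PROVIDERS = {
    "gandi.net": ("Gandi", "FR"),
    "inwx.de": ("INWX", "DE"),
    "infomaniak.ch": ("Infomaniak", "CH"),
    "mailbox.org": ("Mailbox.org", "DE"),
    "ns.cloudflare.com": ("Cloudflare DNS", "US"),
    "domaincontrol.com": ("GoDaddy", "US"),
    "registrar-servers.com": ("Namecheap", "US"),
    "mail.protection.outlook.com": ("Microsoft 365", "US"),
    "google.com": ("Google Workspace", "US"),
}
ACCEPTED = {"FR", "DE", "CH"}  # jurisdictions this project accepts (assumption)


def classify(host):
    """Return (provider, jurisdiction) for a DNS host name, or None if unknown."""
    name = host.strip().rstrip(".").lower()
    # Match on a label boundary so "notgandi.net" never passes as "gandi.net".
    for suffix in sorted(PROVIDERS, key=len, reverse=True):
        if name == suffix or name.endswith("." + suffix):
            return PROVIDERS[suffix]
    return None


def audit(records):
    """records: {"NS": [...], "MX": [...]} -> list of (rtype, host, verdict)."""
    findings = []
    for rtype in ("NS", "MX"):
        hosts = records.get(rtype, [])
        if not hosts:
            findings.append((rtype, "", "MISSING"))
        for host in hosts:
            hit = classify(host)
            if hit is None:
                verdict = "UNKNOWN"  # unknown is not a pass: review by hand
            elif hit[1] in ACCEPTED:
                verdict = "OK " + hit[0]
            else:
                verdict = "REJECT " + hit[0] + " (" + hit[1] + ")"
            findings.append((rtype, host, verdict))
    return findings


# Constructed sample of resolver output for the project domain.
SAMPLE = {"NS": ["ns-12-a.gandi.net.", "elle.ns.cloudflare.com."],
          "MX": ["mta-gw.infomaniak.ch.", "mx1.notgandi.net."]}
```

The sample shows the two cases worth catching: a zone that still has one nameserver at a US provider, and a look-alike host that must not match a trusted suffix.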
Collaboration and documents
Replace Google Workspace and Microsoft 365 for this project. The practical substitutes:
- Nextcloud hosted by an EU provider (Hetzner, OVHcloud, Infomaniak, or one of the managed Nextcloud partners like Hetzner's Nextcloud Managed or IONOS). Gives you file storage, shared drives, calendars, contacts, and, via Nextcloud Office, real-time document editing. This is the single most useful move because it replaces four or five services at once.
- OnlyOffice or Collabora for document editing inside Nextcloud, both European.
- Element or Mattermost for chat. Both are self-hostable on EU infrastructure, and both are what European governments themselves use internally (Element powers Bundeswehr messaging and the French state's Tchap). Mattermost Cloud has EU hosting available.
- Jitsi (hosted by Infomaniak, Scaleway, or self-hosted) for video calls. This is the actual Visio replacement the French government deployed.
Storage and backup
If you need dedicated storage beyond Nextcloud, Scaleway Object Storage, OVHcloud Object Storage, Hetzner Storage Boxes, and IONOS S3 are all S3-compatible and EU-resident. Wasabi has an EU region but is US-owned, so avoid it for this scenario.
Send backups to a second EU provider for redundancy, explicitly not to the same one. A Scaleway primary with Hetzner backup (or vice versa) is a clean pattern.
Project management and tooling
- OpenProject (German, open source) or Taiga (Spanish, open source) for project management, self-hosted or hosted by an EU partner.
- GitLab self-hosted on Hetzner, Scaleway, or OVHcloud, or GitLab.com with an explicit EU region, for any code or document version control. GitHub is US and owned by Microsoft, so avoid it for this project.
- Password management via Bitwarden self-hosted on EU infra, or Passbolt (French, open source, EU-hosted by default).
- Time tracking via Kimai (German, open source) self-hosted.
Video conferencing specifically
This deserves its own mention because it's where most professional services firms leak. Every time your team dials into a Teams or Zoom call about the project, metadata and often content sits on US infrastructure. For project calls, use Jitsi or Whereby (Norwegian, with a genuine EU data story) or BigBlueButton (open source, US-origin but widely hosted in the EU). Document this in the project's data flow diagram.
Endpoints
Here's the awkward bit. The laptops running all this are probably MacBooks or Windows machines with iCloud, OneDrive, and a dozen sync services enabled. You can't realistically swap operating systems for one project. What you can do:
- Disable all cloud sync services for the project's working directories. No iCloud Drive, no OneDrive, no Dropbox touching project folders.
- Use full disk encryption, which is on by default on modern machines, and document it.
- Put all project work inside the Nextcloud client, which syncs only to your EU host.
- Use a separate browser profile (Firefox, Vivaldi, both European) for project work so that Chrome's sync doesn't shuttle tabs and history through Google.
For high-sensitivity engagements, some firms issue dedicated project laptops running Linux with disk encryption, configured only to reach the project environment. This is a day's work per device and genuinely changes the sovereignty story.
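A check for the "no cloud sync touching project folders" rule above, as an added example that is not part of the original post: it resolves symlinks and flags a project directory that sits inside a sync client's folder, or that contains one. The sync-folder locations are assumptions based on common client defaults, and the directory layout in `demo()` is constructed.

```python
import os
import tempfile

# Sync-root locations are assumptions based on common client defaults;
# extend the list for the clients actually installed on your fleet.
SYNC_ROOTS = ["Library/Mobile Documents",   # iCloud Drive (macOS)
              "Library/CloudStorage",       # OneDrive/Dropbox via File Provider (macOS)
              "iCloudDrive", "Dropbox"]
SYNC_PREFIXES = ["OneDrive"]                # "OneDrive", "OneDrive - Company"


def sync_roots(home):
    """Return real paths of the sync folders that exist under home."""
    roots = [os.path.join(home, r) for r in SYNC_ROOTS]
    roots += [os.path.join(home, d) for d in os.listdir(home)
              if any(d.startswith(p) for p in SYNC_PREFIXES)]
    return [os.path.realpath(r) for r in roots if os.path.isdir(r)]


def inside(child, parent):
    return os.path.commonpath([child, parent]) == parent


def check_project_dir(project, home):
    """Return the sync roots that would carry project files off the EU host."""
    real = os.path.realpath(project)     # follow symlinks before comparing
    hits = []
    for root in sync_roots(home):
        # Flag both directions: project inside a sync root, or a sync root inside it.
        if inside(real, root) or inside(root, real):
            hits.append(root)
    return sorted(hits)


def demo():
    """Constructed layout: a fake home with a clean folder and a symlinked one."""
    home = os.path.realpath(tempfile.mkdtemp())
    os.makedirs(os.path.join(home, "OneDrive - Example Ltd", "bids"))
    os.makedirs(os.path.join(home, "Nextcloud", "client-project"))
    link = os.path.join(home, "client-work")
    os.symlink(os.path.join(home, "OneDrive - Example Ltd", "bids"), link)
    clean = check_project_dir(os.path.join(home, "Nextcloud", "client-project"), home)
    leaky = check_project_dir(link, home)
    return home, clean, leaky
```

An empty result only clears the listed clients; operating-system options that sync Desktop and Documents folders need a separate check.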
Mobile
Mobile is the weak spot nobody talks about. iOS and Android both back up to Apple and Google. For a project where mobile access is needed, the answers are: a dedicated project device with no personal account and cloud backup disabled, a hardened Android (GrapheneOS on Pixel devices is what European security services often use), or just don't use mobile access for client data and say so in the contract.
Pulling it together
Documented as a package, a one-off EU-safe delivery environment looks like:
- Domain with Gandi or EuroDNS
- Email with Infomaniak or Mailbox.org
- Nextcloud on Hetzner for docs, files, calendar, contacts
- Element for chat
- Jitsi for calls
- GitLab self-hosted for version control
- Scaleway or OVHcloud for any additional storage
- Bitwarden self-hosted for credentials
- Firefox project profile on all endpoints
- No cloud sync into project folders
- Full DPIA and data flow diagram as deliverables to the client
Setup cost: roughly 500 to 1500 euros per month depending on team size, plus maybe two to five days of one technical person's time to get it running. Teardown at project end is clean because nothing is entangled with the company's main systems.
This is a sellable service in itself, incidentally. Several consultancies are beginning to offer "sovereign project delivery" as a premium line.
Frequently asked questions
Is AWS eu-west-1 enough for EU data sovereignty?
Not on its own. AWS eu-west-1 keeps your data physically in Ireland, which satisfies data residency rules. The harder question is jurisdictional reach. Amazon Web Services is a US company subject to the CLOUD Act, which means US authorities can compel the parent company to hand over data held anywhere in the world. Mitigations like customer-managed encryption keys improve the posture, and the forthcoming AWS European Sovereign Cloud is designed to address this properly. For most commercial work, AWS eu-west-1 is fine. For EU government contracts where sovereignty is being scored explicitly, it is increasingly not enough without additional controls.
What is the CLOUD Act and does it affect EU hosted data?
The CLOUD Act is a 2018 US law that allows US authorities to compel US-based companies to disclose data they control, regardless of where that data is physically stored. So yes, it reaches EU-hosted data whenever the cloud provider is a US company or a subsidiary of one. An AWS server in Ireland, a Microsoft server in Frankfurt, a Google server in the Netherlands, all of them are theoretically in scope. Requests are often legally sealed, which means providers may not be able to tell a customer it happened. This is the central legal concern behind the EU digital sovereignty push.
Which EU cloud providers are considered sovereign?
The main European cloud providers that hold up to sovereignty scrutiny today are OVHcloud (France), Scaleway (France), Hetzner (Germany), IONOS (Germany), STACKIT (Germany, owned by the Schwarz Group), Proximus (Belgium), Post Telecom (Luxembourg), and UpCloud (Finland). In April 2026, the European Commission's sovereign cloud tender was awarded to four provider groups: Post Telecom (with CleverCloud and OVHcloud), STACKIT, Scaleway, and Proximus (with S3NS, Clarence, and Mistral). These are the current benchmarks for what the Commission considers sovereign.
Do I need to leave Microsoft 365 to sell to EU governments?
Not usually, and not immediately. Many EU public buyers still accept Microsoft 365 when it is configured with Microsoft's EU Data Boundary and customer-managed keys. What is increasingly expected is that you can explain what you are using, what law governs it, and what mitigations you have in place. For a specific project where the buyer requires full sovereignty, the practical answer is almost always to stand up a separate EU-hosted delivery environment for that project, rather than to attempt a full company-wide migration away from Microsoft 365.
How much does a sovereign project environment cost?
For a project team of five to fifteen people, expect 500 to 1500 euros a month in hosting and subscription costs, plus two to five days of one technical person's time to set it up. Ongoing maintenance is minimal if you pick managed options for Nextcloud, email, and collaboration. At the end of the engagement, the whole environment can be torn down cleanly because nothing is entangled with your main company systems. For most firms, this is well inside the budget of any EU government project worth bidding for.