Sitting in Lisbon, we have this conversation constantly. A client wants the convenience of a US hyperscaler and the comfort of knowing their citizens' data cannot leave the EU or be reached by a foreign government. Those two wants are in tension, and pretending otherwise leads to architectures that look compliant and are not. Where data lives, and who can legally compel its disclosure, has to be designed in from the first diagram.
Residency is necessary but not sufficient
Keeping data in an EU region is the easy part. You select Frankfurt or Paris or a Spanish region and your data sits on European soil. The harder question is sovereignty: a US-headquartered provider can, under US law, be served a demand for data regardless of which region it physically sits in. Residency answers where the bytes are. Sovereignty answers who can reach them. Clients routinely conflate the two and assume picking an EU region solves both.
- Residency: the physical location of stored data, solved by choosing an EU region.
- Sovereignty: which legal jurisdiction can compel access, not solved by region choice alone.
- Data in transit and in backups can quietly leave the region if you do not pin every path.
- Metadata, logs, and support access are the leaks people forget to map.
Map every place data actually goes
The compliance failures we find are almost never the primary database. They are the edges. A logging pipeline that ships to a US region by default. A CDN caching personal data at global edge nodes. A backup replicating cross-region for resilience and crossing a border on the way. A managed service whose control plane lives elsewhere. A support engineer who can read the data from another continent. You have to trace every path data takes, not just where it sits at rest.
Data residency is rarely lost at the database; it leaks through logs, backups, caches, and support access.
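One way to do that tracing, as an added example that is not from any client engagement: model each store and each flow as a graph, then walk outward from the primary database and report where a path first leaves the EU. The node names, flows, and AWS-style region identifiers are constructed for illustration, and the EU region set is an assumption you would replace with your own.

```python
from collections import deque

# Assumption: regions treated as inside the EU boundary for this example.
EU_REGIONS = {"eu-central-1", "eu-west-3", "eu-south-2"}

# Constructed inventory: every place data can sit, with the region it runs in.
NODES = {
    "orders-db":       "eu-central-1",
    "app-logs":        "eu-central-1",
    "log-archive":     "us-east-1",    # logging pipeline left on its default
    "db-backup":       "eu-west-3",
    "backup-replica":  "us-west-2",    # cross-region resilience copy
    "cdn-edge":        "global",       # personal data cached at global edges
    "support-console": "us-east-1",    # support engineer read access
    "eu-replica":      "eu-south-2",
}

# Constructed flows: (source, destination, kind of path).
FLOWS = [
    ("orders-db", "app-logs", "logging"),
    ("app-logs", "log-archive", "log shipping"),
    ("orders-db", "db-backup", "backup"),
    ("db-backup", "backup-replica", "replication"),
    ("orders-db", "cdn-edge", "cache"),
    ("orders-db", "support-console", "support access"),
    ("orders-db", "eu-replica", "replication"),
]

def find_leaks(start, nodes=NODES, flows=FLOWS, allowed=EU_REGIONS):
    """Return the first-found path from `start` to each node outside `allowed`."""
    out = {}
    for src, dst, kind in flows:
        out.setdefault(src, []).append((dst, kind))
    leaks, queue, seen = [], deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        for dst, kind in out.get(path[-1], []):
            if dst in seen:
                continue
            seen.add(dst)
            if nodes[dst] not in allowed:
                leaks.append((path + [dst], kind, nodes[dst]))
            else:
                queue.append(path + [dst])  # keep following in-region hops
    return leaks

if __name__ == "__main__":
    for path, kind, region in find_leaks("orders-db"):
        print(f"{' -> '.join(path)}  [{kind}] leaves the EU at {region}")
```

The two indirect leaks, the log archive and the backup replica, only show up because the walk continues through in-region hops; a check of the database's own region would pass.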
Design choices that actually hold
For most clients, the pragmatic answer is to pin everything to EU regions, restrict the available regions with a service control policy so nothing can be deployed outside them by accident, and hold the encryption keys yourself so that even compelled access yields ciphertext. For the strictest requirements, the sovereign cloud offerings now run by European entities take the foreign-jurisdiction question off the table entirely, at the cost of a smaller service catalogue.
- Restrict deployable regions with an organization-wide policy so a slip cannot place data abroad.
- Hold your own keys in a managed HSM so the provider cannot decrypt without you.
- Pin logging, backups, and CDN caching to EU locations explicitly, never trusting defaults.
- For the highest assurance, evaluate the European sovereign cloud options and accept the narrower feature set.
Sovereignty is a spectrum, not a switch, and the right point on it depends on the client's actual legal exposure rather than their anxiety. Our job is to map every path the data takes, close the leaks they did not know about, and be honest about what an EU region does and does not buy. That clarity is worth more than any compliance badge.