Oracle Sovereign Cloud: Is it the answer to your privacy concerns?

Update (May 2026): The original version of this article was published in September 2024, just after we moved MonkeyJar to Oracle EU Sovereign Cloud in Frankfurt. Since then, a lot has changed — not on Oracle’s side, but around it. DORA has been in full enforcement for over a year, AWS launched its European Sovereign Cloud in January 2026, and the August 2026 EU AI Act deadline is now visible from where we’re standing. I’ve updated the regulatory section, added a comparison with the other hyperscalers’ sovereign offerings, and refreshed our own MonkeyJar experience based on what we’ve learned operating in EU SC for almost two years.

A polish bank we talked to last spring had a clean migration plan to a hyperscaler’s public EU region. The plan died on a single line in their DORA pre-audit: “ICT third-party provider operations and support personnel must be subject to EU jurisdiction, not parent-company jurisdiction.” Their candidate provider couldn’t credibly say yes. They started over.

Stories like this have been getting more common since DORA came into full enforcement in January 2025. Sovereign cloud — until recently a slightly niche concept — has quietly become a procurement requirement for entire sectors. This article is about one specific offering in that space: Oracle’s EU Sovereign Cloud. We use it ourselves for MonkeyJar, our sales-commission product, so what follows isn’t just a brochure read — it’s what we’ve learned running in it.

For many companies, this weirdly disconnected nature of the cloud meant potential issues. That’s when someone came up with the idea of digital sovereignty – and a while back, Oracle brought it fully into life with its new sovereign cloud services.

What is digital sovereignty?

Digital sovereignty refers to a nation’s or entity’s control over its digital assets, data, and technology – to create, access, and govern digital information and infrastructure without undue external influence. Local regulations might require data to remain in an area within a certain jurisdiction and be operated only by personnel from within this area. In some cases, digital sovereignty rules might be more specific and complex, requiring comprehensive data protection or the use of separated clouds, disconnected operations, etc.

Let’s imagine that you’re running a business in one of the European Union countries. You don’t want your data (including the personal data of your customers) to leave the EU, not only because of European regulations but also your company’s security policies. The ideal situation would be that the servers with your data are located in the EU, they are maintained by EU citizens employed in a company registered in the EU, and everything works according to the European regulations (both the present ones and those that will probably soon come into force). That’s exactly what the sovereign cloud promises.

Digital sovereignty in 2026 is usually discussed at three levels, and they don’t all mean the same thing:

• Data sovereignty — your data stays in a specific jurisdiction. This is the easiest one. Almost every hyperscaler can do it.
• Operational sovereignty — only personnel from that jurisdiction can access the systems and the data. This is where the differences between providers start showing up.
• Legal sovereignty — the entity operating the cloud is subject only to local law, not to any foreign jurisdiction (US CLOUD Act, FISA, and so on). This is the hardest one, and it’s the one that matters most for DORA-critical workloads.

Most “sovereign cloud” marketing covers the first level cleanly and the second one partially. The third is where you have to read the actual contracts.

How can the Oracle Sovereign Cloud help you?

The Oracle sovereign cloud is a service – or rather a group or services because there are several different options – that allows companies to access the power of the cloud while meeting regulatory, compliance and legal requirements specific to their region or field of work. It offers the following capabilities:

• Control over data infrastructure and localization (for example, the servers the data is stored on can be in the same country/area the company operates in)
• Control over data access and information flows
• Local operations and support (you can be sure data will only be accessed by local personnel and not outsourced outside the country)
• Servers configured appropriately to specific demands (network isolation, encryption, and so on)
• A dedicated team making sure that the servers are maintained according to local regulations

Some numbers that put this in context: as of early 2026, Oracle has scaled the EU Sovereign Cloud operations team to more than 1,500 EU residents across seven dedicated EU-incorporated legal entities. The Frankfurt and Madrid regions each have at least three fault domains, and the regions can replicate to each other over a low-latency network without leaving EU territory. For a service that’s relatively quiet in the public discourse, the operational footprint behind it is actually substantial.

Specifics depend on the service – Oracle provides several sovereign cloud options (as shown in the image below), each designed for slightly different purposes.

Image source: Oracle

Use cases in 2626: When Sovereign Cloud stops being optional

Two years ago this section was a list of “industries that benefit.” That framing isn’t quite right anymore. For some workloads, sovereign cloud has moved from “nice to have” to “required by law.” Here’s where we see that playing out most clearly:

• Banks, insurers, and investment firms under DORA. The Digital Operational Resilience Act has been in full force since January 17, 2025. Article 28 obliges financial entities to keep a register of all ICT third-party arrangements, with detailed information on critical providers — and the European Supervisory Authorities have been actively reviewing those registers since their March 2026 deadline. A sovereign cloud provider with EU-only operations and contracts that explicitly address Articles 29 and 30 (sub-outsourcing, exit strategies, audit rights) makes the evidence file substantially easier to defend during a supervisory review. As of early 2026, only around 50% of in-scope financial institutions report full DORA compliance, so this is very much a live issue.
• Healthcare providers and HealthTech under NIS2 and EHDS. NIS2 categorizes healthcare as an “essential service,” with strict ICT risk management requirements. The European Health Data Space regulation, fully in force from 2025, adds data residency and access controls on top.
• AI-driven SaaS approaching the EU AI Act deadline. The EU AI Act reaches full application on August 2, 2026. High-risk AI systems require complete data lineage documentation that’s substantially easier to produce when your infrastructure, training data, and inference layer all live under one consistent jurisdiction. We’ve started seeing this as a procurement question in RFPs from public-sector clients in the last six months.
• Public sector and defence-adjacent organisations. Sovereign cloud has been a procurement default in these areas for a while. The list of national certification schemes (Germany’s BSI C5, France’s SecNumCloud, Spain’s ENS) keeps getting tighter rather than looser.
• Global companies with EU subsidiaries. Same logic as before — local compliance gets more complex per country — but now with three or four new regulations stacked on top of GDPR.

What is our experience with the Oracle Sovereign Cloud?

But let’s get down to specifics, taking our case as an example. We needed the sovereign cloud for our MonkeyJar product, a sales commission platform based on Oracle APEX. The service that interested us was the EU Sovereign Cloud, which currently offers servers in Frankfurt (Germany) and Madrid (Spain). We’ve chosen the former.

The main idea here was that we want to provide services for companies from the EU financial sector – banks, insurance businesses, etc. – that must adhere to local laws and compliance regulations such as GDPR. This meant that the data MonkeyJar handles could not be transferred outside the EU – our cloud server had to be housed somewhere on the continent. Moreover, it also meant the cloud’s support couldn’t be outsourced to a country outside the EU (because support often also needs to access data to provide help).

The EU Sovereign Cloud guarantees we meet these security and privacy requirements –and, as a result, allows us to sell our service to customers from the European Union. Since the server is in Frankfurt, it’s also close enough to us to help us avoid performance problems, and the support operates in the same time zone. Moreover – and this is one of the coolest things about the EU Sovereign Cloud – it doesn’t cost us extra money.

The pricing is the same as for the regular Oracle public cloud.

It would’ve been easy to make the sovereign cloud a separate premium product with a higher price tag, but Oracle didn’t do this. Instead, getting the EU Sovereign Cloud is as easy as choosing a server location for your OCI account – because that’s precisely what it boils down to (though enabling it for older accounts requires jumping through some additional hoops on Oracle’s part – it’s easier for newer accounts, which is a potential consideration). Seems like a very smart, business-conscious way of approaching this subject, one that the customers are bound to appreciate.

When we wrote the first version of this article in September 2024, we’d just finished migrating MonkeyJar to Frankfurt. Almost two years on, I can fill in some things you can only know after running in production for a while. A few things that turned out to matter more than we expected:

• Onboarding new EU customers got noticeably easier. Procurement teams from banks now ask “where is the data hosted, and by whom?” as one of the first questions, not the last. Having a clear, short answer (“Frankfurt, Oracle EU-incorporated entity, EU-resident operations only”) shortens those conversations significantly.
• Service parity with the commercial OCI public cloud is real, but not 100%. Most things we use (Autonomous Database, APEX, OCI Vault, Object Storage) are there. A handful of newer services arrive a few months later than in the global commercial regions. Worth checking against your specific stack before you commit.
• The “same price” promise has held. We’ve been on EU SC for nearly two years and have not paid a premium relative to the commercial Frankfurt region.

How Oracle EU Sovereign Cloud compares to the other hyperscalers

When the original version of this article went out in late 2024, Oracle EU SC was effectively alone in offering a hyperscale sovereign cloud in the EU. That picture is very different in 2026.

AWS European Sovereign Cloud (ESC) went generally available on January 15, 2026, operating from a region in Brandenburg, Germany, with Local Zones planned in Belgium, the Netherlands, and Portugal. It runs under a new German legal entity with EU-resident leadership and is physically and logically separate from the global AWS partitions. Two things to be aware of: independent analyses (tecRacer and others) have measured a roughly 15% pricing premium over standard AWS EU regions, and at launch, AWS ESC ships with about 90 services — a subset of the global catalogue. Bedrock model availability, in particular, is currently limited to Amazon’s own Nova models.

Microsoft Cloud for Sovereignty / Bleu (France) uses a partnership model — Microsoft’s technology operated by an independent EU entity (in France’s case, Bleu, the Orange-Capgemini joint venture). This typically delivers a higher level of operational sovereignty than a self-operated US-owned cloud, at the cost of some technological dependence on the upstream provider. Pricing premiums are in the 15–20% range.

Google S3NS is a similar partnership model with Thales, targeting France’s SecNumCloud certification primarily.

Oracle EU Sovereign Cloud has been operational since June 2023, runs from Frankfurt and Madrid under EU-incorporated Oracle legal entities with EU-resident-only staff, and — uniquely among the four — charges no premium over the commercial OCI public cloud. Service parity is also higher in percentage terms than at the newer hyperscaler offerings, simply because Oracle has had longer to build it out.

None of this means Oracle EU SC is automatically the right answer. The right answer depends on your existing stack, your AI/ML needs (where AWS and Google still have an edge), and how much your sovereignty requirement leans toward “EU data residency” versus “no possible US legal exposure.” But if you’re already running Oracle workloads — Oracle DB, APEX, Fusion Apps — the math gets very simple.

Summary: Is the Oracle Sovereign Cloud good for you?

Oracle’s sovereign cloud services seem to be a simple answer to a complex problem. The EU Sovereign Cloud, in particular – because that’s what we can speak about from our experience – offers companies an easy and cost-effective way to address at least a few important issues:

• Your servers are located in a specific region
• Only employees from this region handle the servers
• The companies maintaining the servers are registered in this region
• No entity (either a company or a government) outside of this region can access your data
• Everything is done according to the local regulations (either the general ones or those regarding specific areas like healthcare or finance)
• And the cherry on the top is that it doesn’t cost you any additional money
• In 2026, with multiple hyperscalers in the EU sovereign cloud market, Oracle remains the only one charging no sovereignty premium over its standard public cloud pricing

Three years on from its launch, Oracle EU Sovereign Cloud is no longer the experiment it was in mid-2023. It’s a working product with hundreds of paying enterprise customers, a 1,500+ EU-based operations team, and a track record long enough to actually evaluate. For Oracle-shop organisations facing DORA, NIS2, EHDS, or the EU AI Act, it’s now a serious default rather than an “interesting option to watch.”

At Pretius, we’ve been developing custom software based on Oracle technologies for almost 20 years. Are you planning a new project, or want to modernize a legacy system, and would like to consult somebody? Let us know using the contact form below or by writing to hello@pretius.com – such initial consultations are always free.