Recent geopolitical developments have highlighted significant risks associated with dependence on the ‘Big 3' US hyperscale cloud providers. ‘Digital sovereignty’ is now the mantra, but is it feasible to build national or regional clouds that are secure from foreign government interference, while delivering an appropriate level of functionality and resilience? Meanwhile, there is an acute awareness, especially in Eastern Europe and the Nordic countries, that restricting critical data to in-country or even regional infrastructure may be a major vulnerability in the event of a remote attack or physical invasion. Contrary to the calls for data localisation, might it be better in terms of security and sovereignty to move, or at least replicate, essential processes and data outside a particular country or region? Can cloud providers and nation states establish data embassy arrangements that ensure legally robust sovereign cloud havens for critical national data? In the meantime, what should business customers be doing to manage their dependence on foreign providers of critical cloud services?