Sovereignty is a word that gets bandied about in cloud marketing decks until it means almost nothing. A region badge on a console is not sovereignty. A clause in a master services agreement is not sovereignty. Sovereignty is a property of the wires, the routers, the legal entity that signs the lease on the building, and the people who hold the keys. If any one of those four sits outside Irish or EU jurisdiction, you do not have a sovereign system. You have a hosted system with good intentions. With Ireland Quantum, committed for delivery in Q2 2027, we are designing for the harder definition from the cabling up.
What sovereignty actually has to mean
For a quantum compute facility serving Irish and European workloads, sovereignty has to satisfy four tests at the same time. The data must remain on Irish or EU soil for its entire lifecycle, including backups, telemetry, and crash dumps. The control plane must answer to a legal entity domiciled in the EU, with no parent company subject to extraterritorial discovery. The physical network must have no path that egresses outside the EU, even as a fail-over. And the operators with root credentials must be employed under EU labour law, vetted under Irish process, and physically present.
None of those four are software problems. They are procurement, property, employment, and cabling problems. Most of the engineering work in the next eighteen months is exactly that — unglamorous decisions about who owns which fibre strand and who signs which contract.
Air-gapped fibre paths and the no-egress rule
An air gap, in the strict sense, means there is no electrical or optical path between two networks. In a real facility, full air gaps are reserved for the most sensitive enclaves — key material, control systems for the dilution refrigerators, the classical co-processors that hold workload state during a hybrid job. Around those enclaves we design concentric rings of progressively less restricted networks, each one with a defined and audited reason to exist.
The outer ring — the public-facing API surface — is where most so-called sovereign clouds quietly fail. Their packets leave the building, traverse a backbone owned by a company headquartered in California or Beijing, and come back through a different door. The packets were technically in Ireland at both ends. They were not in Ireland in the middle.
The architecture for Ireland Quantum starts from the opposite assumption: no packet may leave the EU at any point in its journey, including transit. That means dark fibre under contract with Irish and European carriers, with route maps that we hold and audit, not vendor-supplied SLAs we trust. It means peering only with networks that can prove EU-only paths to the destinations we care about. And it means refusing the convenience of global anycast for anything other than the most public, least sensitive endpoints.
What no-egress actually rules out
No-egress is not a default-deny firewall rule. It is a procurement posture. It rules out:
- Telemetry pipelines that ship logs to a SaaS observability vendor outside the EU.
- Container registries, package mirrors, and base images pulled from non-EU origins at build or run time.
- Identity providers whose token validation requires a round trip to a non-EU endpoint.
- Backup targets in non-EU regions, even encrypted, even as a third copy.
- Support tooling that screen-shares an operator's terminal to a vendor's staff outside the EU.
Each of those is a small convenience that, if accepted, quietly punctures the sovereignty claim. The work is not in saying no once. It is in saying no consistently across thousands of small procurement decisions, and in writing the build pipelines so that a tired engineer at two in the morning cannot accidentally reach for a non-EU mirror.
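One way to make the pipeline refuse a non-EU mirror is a pre-build gate that fails on any image registry or download URL outside an allowlist. This is an added example, not code from Ireland Quantum; the mirror hostnames and sample files are hypothetical, and the check covers hostnames only, so where each allowlisted mirror is physically hosted remains a procurement question.

```python
import re
from urllib.parse import urlsplit

# Assumption: hypothetical in-EU mirror hostnames; substitute the real ones.
ALLOWED_HOSTS = {"registry.mirror.example.ie", "pypi.mirror.example.ie"}

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+")


def image_registry(ref):
    """Registry host of an image reference; bare names resolve to Docker Hub."""
    first, sep, _ = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.split(":")[0].lower()
    return "docker.io"


def find_egress(filename, text):
    """Return (filename, line_no, host) for each origin outside ALLOWED_HOSTS."""
    findings, stages = [], {"scratch"}
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comments are not fetched
        hosts = []
        m = FROM_RE.match(line)
        if m:
            ref, alias = m.group(1), m.group(2)
            if ref.lower() not in stages:  # an earlier build stage is not a pull
                hosts.append(image_registry(ref))
            if alias:
                stages.add(alias.lower())
        hosts += [(urlsplit(u).hostname or "").lower() for u in URL_RE.findall(line)]
        findings += [(filename, line_no, h) for h in hosts if h not in ALLOWED_HOSTS]
    return findings


# Constructed sample inputs, not taken from any real project.
DOCKERFILE = """\
FROM registry.mirror.example.ie/base/python:3.12 AS build
RUN pip install --index-url https://pypi.mirror.example.ie/simple -r requirements.txt
FROM python:3.12-slim
COPY --from=build /app /app
RUN curl -fsSL https://downloads.example.com/agent.sh | sh
"""
PIP_CONF = "[global]\nindex-url = https://pypi.org/simple\n"

if __name__ == "__main__":
    for finding in find_egress("Dockerfile", DOCKERFILE) + find_egress("pip.conf", PIP_CONF):
        print("non-allowlisted origin: %s:%d -> %s" % finding)
```

Run as a required CI step, a non-empty result should fail the build before any fetch happens.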
Data residency for quantum workloads
Data residency for classical workloads is hard enough. For quantum, it has shapes most teams have not had to think about. A quantum job is not a single payload. It is a circuit description, a set of calibration parameters specific to the machine on the day, the classical pre- and post-processing code, intermediate measurement results from many shots, and the final aggregated output. Each of those artefacts has a different sensitivity profile and a different lifecycle.
The circuit description and the classical wrapper code are usually the customer's intellectual property. The calibration data is the operator's. The shot-level measurements often reveal more about the customer's problem than the customer realises, because the structure of the noise leaks the structure of the circuit. All of it has to stay inside the EU residency boundary, including the ephemeral intermediate state, including any debug capture an engineer might take when a job fails.
The architectural answer is to treat the entire job lifecycle as a single residency-tagged transaction, with a hard rule that no artefact tagged for an Irish or EU customer can be written to storage that does not carry the same tag, and no process can read across the tag boundary. This is enforced in the storage layer, not in application code, because application code has bugs and storage policy can be audited.
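The tag rule above can be sketched as a storage front end that makes the allow or deny decision itself and records it for audit. This is an added example, not the facility's implementation; the tag values `EU-IE` and `GLOBAL`, the volume names and the job artefacts are constructed for illustration.

```python
from collections import namedtuple
from contextlib import suppress
from dataclasses import dataclass, field

Principal = namedtuple("Principal", "name residency")  # a process and the tag it runs under

class ResidencyViolation(Exception):
    """Raised by the storage layer when residency tags do not match."""

@dataclass
class Volume:
    name: str
    residency: str
    objects: dict = field(default_factory=dict)  # key -> (tag, data)

class TaggedStore:
    """Storage front end that checks residency tags on every write and read."""
    def __init__(self, volumes):
        self.volumes = {v.name: v for v in volumes}
        self.audit = []  # (op, principal, volume, key, decision)

    def _decide(self, op, who, vol, key, allowed):
        self.audit.append((op, who.name, vol.name, key, "allow" if allowed else "deny"))
        if not allowed:
            raise ResidencyViolation(f"{op} of {key} on {vol.name} denied for {who.name}")

    def write(self, who, volume, key, tag, data):
        vol = self.volumes[volume]
        # Artefact, writer and volume must all carry the same tag.
        self._decide("write", who, vol, key, tag == vol.residency == who.residency)
        vol.objects[key] = (tag, data)

    def read(self, who, volume, key):
        vol = self.volumes[volume]
        tag, data = vol.objects[key]
        self._decide("read", who, vol, key, tag == who.residency)
        return data

def demo():
    """Constructed job: normal artefacts land; a stray capture and an outside read do not."""
    store = TaggedStore([Volume("jobs-ie", "EU-IE"), Volume("scratch-global", "GLOBAL")])
    worker, outsider = Principal("job-runner", "EU-IE"), Principal("analytics", "GLOBAL")
    for key in ("circuit", "shots"):
        store.write(worker, "jobs-ie", f"job-42/{key}", "EU-IE", b"constructed")
    with suppress(ResidencyViolation):  # debug capture aimed at an untagged volume
        store.write(worker, "scratch-global", "job-42/debug", "EU-IE", b"dump")
    with suppress(ResidencyViolation):  # process outside the boundary reads shot data
        store.read(outsider, "jobs-ie", "job-42/shots")
    return store.audit
```

The denied debug capture never reaches the volume, and both refusals appear in the audit list alongside the permitted writes.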
The legal framework underneath the wires
The cleverest network design fails if the company operating it can be compelled by a foreign court to hand over keys. This is not a hypothetical. The CLOUD Act in the United States, and equivalent provisions elsewhere, can reach data held by EU subsidiaries of non-EU parents. A genuinely sovereign Irish facility therefore has to be operated by an Irish-domiciled legal entity with no parent or controlling shareholder subject to those regimes.
That sounds dry. It is the most important sentence in the whole project. It determines whether a Garda warrant or an Irish court order is the only lawful route to the data, or whether there is a back door through a Delaware holding company. We are designing Ireland Quantum so the answer is unambiguously the former.
The supporting framework underneath that includes:
- Operator vetting under Irish process. Anyone with root, key custodian, or physical access credentials is employed in Ireland, vetted in Ireland, and works under Irish employment law.
- Key custody on EU soil. Hardware security modules sit inside the facility. Master keys never leave. Vendor remote support, where it exists at all, is read-only and supervised.
- EU-only supply chain for the security boundary. Where EU vendors exist for HSMs, switches, and key management, we use them. Where they do not, we accept the dependency, document it, and design around it with cryptographic separation.
- Auditable contracts with carriers. Fibre routes are written into contracts with the underlying carriers, with the right to inspect — not just an SLA on availability.
Why this is harder than building another data centre
I spent over twenty years engineering at Tesco, Dunnes Stores, and Oracle before IMPT. Large-scale infrastructure is a familiar problem. The pattern in retail and enterprise was always the same — buy the cheapest reliable building block, abstract away the location, let the cloud vendor worry about the physical layer. Sovereign compute inverts that. The physical layer is the product. The location is the product. The legal entity is the product.
That changes how you cost the build. You cannot use the cheapest transit. You cannot use the most convenient observability stack. You cannot use the global identity provider everyone else uses. Each of those decisions adds engineering work, and each of them is the reason the facility can credibly call itself sovereign at the end. A sovereign-cloud claim for Ireland that does not bear the cost of those decisions is a marketing claim, not an architectural one.
The shape of the network we are actually building
Without giving away anything that should not be public yet, the topology has three concentric zones. An outer zone hosts the customer-facing API and the documentation, on EU-only paths but with conventional internet reachability. A middle zone holds the orchestration, the classical compute, the storage, and the identity systems, reachable only from the outer zone through inspected, logged, and rate-limited interfaces. An inner zone holds the quantum hardware control systems, the HSMs, and the key material, reachable only by physical presence and operator credentials, with no routable path from the middle zone except through narrowly defined job-submission queues.
Backups are EU-only and tagged by residency. Telemetry is processed inside the facility and only aggregate, non-sensitive metrics leave the boundary. Software supply chain is mirrored inside the EU, with provenance tracking from source to running binary. Operator access is hardware-token-bound and tied to named individuals, not shared roles.
None of this is exotic. It is the boring application of principles that have existed for decades in defence and finance, brought to a kind of compute that is about to matter in a much wider market.
What to do this week
If you run anything in Ireland or Europe that handles data you would not want a foreign court to subpoena, spend an afternoon this week tracing the actual path your packets take. Not the marketing diagram. The real path. Look at where your logs go, where your container images come from, who owns the parent company of your identity provider, and where your backups land. You will probably find at least one boundary you thought was inside the EU and is not. Fix the worst one. Document the rest. That is the same work we are doing now for Ireland Quantum, at a different scale, and we will share what we learn as the build progresses through 2026 toward the Q2 2027 commitment. Sovereignty is built in small, unglamorous decisions. Start making them.