The public cloud is a game changer – and the overwhelming majority of European companies have recognized this. This has been shown by – now widespread – digitalization and cloud-first strategies. As their potential for improving flexibility and responsiveness in an increasingly dynamic commercial environment are indisputably high. Nevertheless, those wanting to use cloud products often discover that planning, consultation, and preparation are also important. Moreover, some industries find it easier than others to use the public cloud.
One reason for this is that in Europe, protecting sensitive data is the top priority – and is therefore embedded into laws and regulations. Industries such as banking, insurance, and health-care – but also the public sector – are therefore presented with considerable organizational challenges, as the use of the cloud needs to be compliant with legal requirements.
German companies are quickly being presented with a dilemma in this regard, As they know that they need digital technologies like the cloud for the development of their business and to remain competitive internationally. At the same time, the use of these technologies can however result in an enormous workload, meaning the dynamism and simplicity of the cloud are lost. European clouds or the project GAIA-X should resolve this dilemma – including for companies in less regulated industries.
Firstly, sovereignty means full control. And it is reflected in several ways.
The owners of data must have certainty that their data will not be manipulated, deleted, copied, or viewed in the cloud by unauthorized parties (this includes the cloud operator). Data sovereignty also means the encryption of information outside of the cloud platform or that the key is managed in a key management system external to the cloud.
The customer needs to be able to rely on the operator/provider of public cloud services to further develop the technical foundation of the cloud, to avoid undermining the principle of sovereignty when adaptations are made to the platform. This means that the future sustainability and full performance of the platform need to be secured. At the same time, unauthorized access to original platform functions must be prevented.
The most important principle of the sovereign cloud: avoiding customer dependence. Consequently, it must be easy to migrate applications and services onto a different IT infrastructure at any time (this could include, for example, in-house infrastructure). This is one of the guidelines from the German Federal Financial Supervisory Authority for the exit strategy of a finance company.
A sovereign cloud provides cloud services that do not result in vendor lock-in. The services are either available as "open source" or there is a corresponding equivalent independent of the provider, meaning that any functionality can be used at any time, regardless of the provider. It complies with the requirements set out in the regulatory/legislative framework in force in that jurisdiction. The data and its usability always remain with the user – not even administrative access from outside is possible.
Various approaches are being taken on the way to digital sovereignty.
Alongside the classic approach of in-house operation or the private cloud, public clouds like Google Cloud, Azure, and AWS are currently being equipped with add-on services to ensure compliance. Among other aspects, contract design and the involvement of reliable and experienced managed service partners, who are aware of international legal principles like the European General Data Protection Regulation, as well as German and industry-specific compliance requirements, play an important role in such propositions.
GAIA-X, the European initiative for creating a sovereign data space, is working on a more basic solution for all EU companies. The GAIA-X project is setting European standards for the realization of sovereignty by first providing a basic definition of what constitutes a sovereign cloud solution. One of the main requirements: the cloud is controlled by Europe, for example, because it is built and operated there. An example of this is the Open Telekom Cloud.
The result of GAIA-X will not be a (new) cloud. GAIA-X aims to create federated and secure data infrastructures – and in doing so, to create digital sovereignty that fosters innovation. The goal of the initiative is to set up an ecosystem of many cloud service providers that facilitates trustworthy data exchange. Users have full control over their data in this ecosystem. This will be the basis for the European data economy of the future.
The joint initiative of T-Systems and Google Cloud takes a different approach. With the T-Systems Sovereign Cloud powered by Google Cloud, the partners implement sovereignty as part of an existing hyperscaler platform. German companies that want to use a sovereign cloud receive a comprehensive package that not only encompasses the digital ecosystem and a complete range of (sovereign) Google Cloud services, but also a cloud that complies with European data protection standards. T-Systems ensures that the platform complies with the agreed sovereignty conditions. Companies from regulated industries can therefore benefit from the full potential of public cloud computing – without exceptions. This is currently a unique approach in Germany.
It is becoming a success factor for digitalization in EU, as it overcomes regulatory hurdles for cloud use and gives European companies the security of a “to-go” cloud. The availability of sovereign clouds will accelerate the implementation of numerous digital initiatives significantly by removing existing compliance hurdles. It combines the technical expectations for the cloud with innovation capability and a clear conscience – “all-inclusive”.
It resolves the dilemma between innovation and compliance. This offers regulated industries in particular, as well as others, the opportunity to quickly take advantage of the public cloud and implement digitalization projects. Data sovereignty and the cloud no longer contradict each other, and satisfying compliance requirements do not require any additional effort. The sovereign cloud is therefore turning into an essential component of the multi-cloud landscapes of cloud users.