Google Cloud Summit in Paris: Google dives into the murky waters of European sovereignty

Google Cloud Summit in Paris: Google dives into the murky waters of European sovereignty – Microsoft, too. AWS, on its own, chooses to dig.

During Google Cloud Summit Paris (May 22nd, 2025), the Google Cloud team confirmed and detailed the launch of a complete portfolio offering trusted and sovereign solutions, as detailed during the IO Conference. Targets are local and national partners in all regions, focusing currently on Europe, where sovereignty questions have been raised for a few months in the context of geopolitical uncertainty.

The three solutions offer varying levels of trust and sovereignty capacity, ranging from straightforward isolated solutions to thoroughly segmented IT and data solutions that cater to governments, defence, and sensitive needs. To some extent, and with substantial precautions and contractual details to be elaborated, the aim is to offer extraterritorial security regulations (US / Cloud Act/ Patriot Act / FISA / 5 Eyes, Russia / Yarovaya, China / National Intelligence Law), waterproofed solutions for European B2B clients. These extraterritorial regulations tend to stress European businesses & governments that require secrecy, confidentiality, data isolation, and compliance with European rules, particularly the GDPR and NIS2. All those not available in the public Cloud.

To address these trustworthy needs, Google and Thales underwent the complex and lengthy qualification process of SecNumCloud 3.2 in France. This standard, developed by ANSSI Cybersecurity, mandates technical, human, and governance localisation in the local country of operations. It also requires hosting in the countries (or GDPR-compliant countries) where technical infrastructure and operations are based.

After three years, Google and Thales anticipate final SecNumCloud 3.2 qualification in July 2025, enabling them to be officially recognised as trusted cloud service providers for the public market and the higher end of the B2B market, where international companies seek data isolation and compliance with GDPR and, where applicable, further NIS 2. Microsoft serves the same ambition in France with an alliance with Orange and Capgemini in the Bleu alliance, with almost the same agenda on qualification.

Google Cloud aims to extend its reach beyond the French market for its sovereign offerings. This is where the mudding starts.

However, as a political entity, Europe failed to create a global technical standard for sovereignty. It aimed to publish EUCS High + Standards, but some political issues in Brussels hampered the project. The French tried to impose SecNumCloud as a de facto standard for Europe, but only Germany and the Netherlands approved this effort.

EUCS High + projects for a unified and aligned sovereign cybersecurity standards now lie dormant somewhere in Greece at the ENISA HQ, with limited expectations for revival. Hopefully, the European Commission will review its Cybersecurity Act (CSA). It may attempt to align positions and publish some technical recommendations applicable to the 27 member states without any confirmed political agenda.

In the meantime, Google’s regulatory situation looks like a muddy field.

In each country (27 for Europe + UK) where Google Cloud expects to establish local partnerships for its Trustworthy and Sovereign cloud offering, a single and non-replicable regulation applies: SecNumCloud 3.2 for France, BSI C5 for Germany…..

Therefore, leapfrogging with the same compliance investment in Europe will not work, and Google and Microsoft must undergo sovereign qualification in each country.

If someone wanted to slow down the adoption of local sovereign standards by non-European tech actors, it wouldn’t have created a more difficult situation. However, this situation, which may satisfy some political « sovereign » posture, also blocks the local initiatives by Local CSP (15) that passed the SecNumCloud 3.2 in France and the 19 that passed the BSI C5 in Germany, and cannot leapfrog into neighbouring countries without an additional certification.

Meanwhile, AWS is physically building its sovereign projects for Europe in Germany. While Google and Microsoft choose partnerships, AWS has selected the picks and shovels methodology. The cloud service provider is building its AWS capacity, infrastructure, operations, and governance in the Brandenburg region of Germany. Based on a 7.8 B€ investment, this brand new and fully isolated AWS Cloud Infrastructure (BSI C5 Certified) has announced its governance recently, making significant efforts to localise Technology and operations in Germany for the European markets.

The race for European Sovereign Cloud services is intensifying for US-based cloud champions. For the moment, though not for eternity, Google (and Microsoft) may find themselves embroiled in the European Regulatory Swamp. This situation is not new for them, nor unexpected or unfamiliar.