Sovereign Cloud in Europe: Approaches and Vendor Landscape
Organizations from all sectors want to use scalable and flexible cloud resources, but also innovative services in areas like data management, analytics, and AI. In view of the dominance of a small number of non-European cloud hyperscalers in today’s European cloud market, strategic considerations around digital sovereignty are gaining in importance, covering aspects like data privacy, security, trustworthiness, and resilience.
Initiatives and regulations at the EU, country, and industry levels designed to prevent dependencies and data breaches are as manifold as vendors’ approaches to meeting these requirements. Multiple, very diverse, so-called “sovereign cloud” approaches are aimed at making cloud features available to organizations faced with specific restrictions.
In two reports, PAC has classified Sovereign Cloud approaches and positioned the vendors in a structured manner:
- Part 1 – Common Approaches presents the major aspects of sovereign cloud solutions and the most common sovereign cloud approaches, discussing their targets and specifics.
- Part 2 – Sovereign Cloud Vendor Landscape presents the current vendor landscape in Europe, providing concrete examples of the various approaches presented in the first part.
Why “sovereign cloud”?
Today’s hyperscaler oligopoly clearly has multiple advantages, such as global reach, economies of scale, and the bundling of innovative power. However, it also involves risks from a client perspective, such as potential vendor lock-in, abuse of market power, and data violations due to the centralization of workloads.
Consequently, digital sovereignty considerations are increasingly relevant to European governments and organizations, and the omnipresent GenAI trend extends sovereign cloud considerations to sovereign AI solutions.
EU regulations & initiatives driving sovereign cloud approaches
Various initiatives are aimed at strengthening the position of individual countries or of the EU in cloud technologies and at addressing the specific sovereignty, privacy and resilience needs of EU organizations:
- The General Data Protection Regulation (GDPR), for instance, is the core EU regulation on information privacy.
- NIS2 aims to protect critical infrastructure.
- The most prominent flagship project of the otherwise slow-moving Gaia-X initiative is Catena-X, an open data ecosystem for the automotive industry.
- The Data Act is designed to enhance the EU’s data economy.
- The Artificial Intelligence Act follows a risk-based approach – the greater the potential harm to society, the stricter the rules.
- The IPCEI CIS is the first Important Project of Common European Interest on Next Generation Cloud Infrastructure and Services.
What is a sovereign cloud service?
Generally speaking, PAC considers a sovereign cloud service to be a public cloud computing environment that fully complies with national, regional, or industry-specific laws and regulations. Sovereign clouds are typically deployed, operated, secured, and maintained locally or regionally. They address clients with similar requirements, for example within a “community of values” such as the European Union or within a regulated industry.
The degree of sovereignty depends on various aspects, including technological sovereignty, software sovereignty, territorial sovereignty, and operational sovereignty.
Approaches to sovereignty
In addition to public cloud, there are many other strategies to achieve sovereignty, including in-house and private cloud models. A great variety of deployment, management, and contractual models can be found in the range between “self-managed in-house infrastructures” and the standard “public hyperscaler clouds”, which address different sovereignty needs:
- Providers with an IT outsourcing heritage, for instance, offer private hosting and managed services, partly including hyperscale technology. The degree of sovereignty, as well as scalability and innovative power, strongly depend on the details of the engagement and on the provider.
- European and local cloud vendors are positioning themselves as a potentially sovereign alternative to the hyperscalers, but they usually lack the latter’s global scale and innovative power and cannot invest in security and certifications to the same extent.
- The hyperscalers, i.e., cloud vendors from outside the EU, have launched sovereign options for their cloud solutions and/or are partnering with EU-headquartered managed service providers and system integrators. There is a wide variety of models, e.g.,
  - Hyperscaler-hosted and -managed, with increased customer control
  - Hyperscaler-hosted, partner-managed, with increased partner control
  - Hyperscaler technology, partner-hosted and -managed via dedicated local partnership models
  - On-premises options for hyperscaler technology, hyperscaler-managed
  - On-premises options for hyperscaler technology, partner-managed
Degree of sovereignty vs. feature-richness
A cloud infrastructure can be located at the user organization, at a cloud provider, or at a third-party services provider. It can be managed by the user organization, the cloud provider, or a third-party managed services provider.
All sovereignty approaches are based on some combination of these aspects; they all must strike a balance between
- the degree of sovereignty and
- feature-richness, i.e., the benefits that are typically associated with cloud computing, including scalability and agility, but above all innovation
It will be essential for cloud clients to strike a suitable balance between the degree of sovereignty, the wealth of functions, and the overall costs of a cloud solution – including aspects such as available skills.