Trust in cloud security and sovereignty

What a surprise for the EU 😱 😉 A recently published expert opinion commissioned by the German Federal Ministry of the Interior has sparked a pivotal discussion on data governance and sovereignty. According to the report, US authorities can exert far-reaching access rights to cloud data managed by US-based companies, even when that data is stored in European data centers and administered through local subsidiaries. This is because legal instruments such as the Stored Communications Act extended by the Cloud Act and Section 702 of FISA focus on the provider’s control, not the physical location of the servers. This finding is a firm reminder that simply hosting data on European soil does not guarantee protection from extraterritorial legal claims. It reveals structural risks in relying on dominant foreign cloud providers for sensitive data and critical digital infrastructure. For Europe to truly uphold its data protection principles and strategic autonomy, the conversation must go beyond compliance checklists and contractual assurances. We need stronger investment in #opensource digital infrastructure and indigenous technologies that reduce dependency on non-European platforms. Open source fosters transparency and auditability while enabling communities and businesses to build on systems that are not bound by foreign legal systems. If #digitalsovereignty is to mean more than a buzzword, we must accelerate our efforts towards resilient, interoperable, and locally governed alternatives. Only then Europe can ensure that its data is governed by the laws and values that its citizens and organisations expect. Source: https://lnkd.in/dtpXiwYN

What happens if the new US Government tears up the Cloud Act?   Experience shows that without any warning they aren’t shy about ripping up international agreements (trade or otherwise). There’s growing concern that we could wake up one morning to find that the Cloud Act and associated digital sovereignty frameworks are gone with one stroke of a pen.   This isn’t abstract fear-mongering. It’s a very real risk. Personally, I’d hate to be sitting in front of a Select Committee, or my CEO, explaining why we didn’t have a Plan B.   If these legal protections disappear, UK and EU organisations could become non-compliant overnight, just by continuing to store or process personal data in US-owned public cloud infrastructure. That includes M365, AWS, Azure, Google Workspace, Oracle, Salesforce, Dropbox, the list goes on.   All your data would be exposed to extraterritorial US surveillance or seizure, with no meaningful legal route to challenge it under UK or EU law. The EU–US Data Privacy Framework is already on shaky ground. If the US withdraws (again), UK firms relying solely on public cloud could be left stranded, with data protection regulators forced to respond.   So, what’s the low-risk path forward?   It’s hybrid cloud (on premise or hosted). But done properly and not a panicked knee jerk reaction, where the non-public cloud components are delivered and governed locally by you, or a UK-based provider under domestic law. Right workload, right place, right time... (and supporting UK businesses to grow and become future unicorns), growing our tax base and helping communities. This doesn’t just mindlessly tick compliance boxes. It also brings greater control, clearer governance, and a meaningful reduction in business risk.   In this climate, that’s not a nice-to-have… it’s beyond essential. Even if you disagree, its gotta be worth documenting why internally. Don't leave yourself exposed, it could be very career limiting.   Can I sell it to you? Nope, not my bag. But there are plenty of awesome local providers who deserve your attention that I can point you at.

Europe is finally asking the right question — but it’s still early in the game. The €180M sovereign cloud initiative is not the destination. It’s table stakes. Digital sovereignty is not a hosting problem. It’s a control problem. And control does not live in infrastructure — it lives in the layer above it. The real battleground is the trust and control layer: Who owns identity? -Who governs authentication and authorization? -Who controls cryptographic keys? -Who enforces policy across systems? -Who guarantees provenance, traceability, and continuity? That layer defines whether sovereignty is declared… or actually executed. This is where Europe has a unique strategic opportunity. Because European Business Wallets, Digital Product Passports, and Trusted AI are not just digital tools — they are control primitives for a new economic architecture. They enable: → Programmable trust → Verifiable ecosystems → Cross-border interoperability with embedded compliance In other words: they operationalize sovereignty at scale. But there is a non-negotiable constraint most strategies are still underestimating: If it’s not quantum-resilient, it’s not sovereign. Any identity or trust system built today on vulnerable cryptography has a built-in expiration date. So the mandate is clear: 👉 Move from sovereign infrastructure to sovereign control 👉 Design from day one for a post-quantum world 👉 Treat identity and trust as core strategic infrastructure, not as features Because the future won’t be defined by who owns the cloud. It will be defined by who controls the logic of trust across the entire digital stack.

🌍 The Shift in Europe: Moving Away from US Hyperscalers 🌩️ As geopolitical concerns, data sovereignty, and pricing instability grow, European companies are making bold moves in their cloud strategies—and the implications are massive. Over the past 15 years, reliance on public cloud giants like AWS, Microsoft, and Google has skyrocketed. But now, we’re seeing a strategic pivot unfolding across Europe, as organizations mitigate risks and embrace alternative solutions to protect their future. 🎯 Why the shift? ✅ Data Sovereignty: Stricter data protection laws like GDPR and fears over compliance with laws like the US CLOUD Act are driving demand for European-managed cloud solutions and sovereign cloud providers. Organizations are prioritizing control over their sensitive data and leaning into platforms that support their unique privacy needs. ✅ Security and Trust: Concerns over potential government interference, espionage, and vendor lock-in are making European businesses rethink their current reliance on US-based hyperscalers. The rising interest in diverse, multi-cloud strategies and locally governed services reflects the growing importance of trust in cloud decisions. ✅ Economic Predictability: Increasing costs from hyperscalers have raised concerns about long-term pricing stability. Enterprises are recognizing that forward-looking cloud strategies need to include providers that prioritize pricing transparency and tailored solutions. 🎯 What’s the result? A diverse and dynamic cloud ecosystem is emerging in Europe, leaning on open-source technologies, sovereign cloud providers, and tailored private cloud solutions. Platforms like OpenStack and others are paving the way for digital transformation without compromising on compliance or strategy. As businesses explore these new approaches, multi-cloud strategies, hybrid environments, and innovative pricing models are becoming essential for mitigating risks and staying competitive within an ever-evolving cloud landscape. 📢 This shift isn’t just about technology—it’s about geopolitics, trust, and long-term business resilience. Let’s embrace a future where diversity in cloud ecosystems fosters innovation, enhances security, and ensures sovereignty. What are your thoughts on this shift towards sovereign and multi-cloud solutions? 💭 Let’s discuss! #CloudComputing #DataSovereignty #SovereignCloud #MultiCloud #Geopolitics #Innovation

Everyone wants the "German Cloud" – but what does reality tell us? We often talk about digital sovereignty and the preference for German or European cloud providers. That’s an important goal – a clear statement about trust and data ownership. But let’s get real for a moment – and make a quick comparison: Everybody says they’d prefer to drive German. Quality, safety, reliability – it's deep in our mindset. But just look around in traffic: today’s streets are more international than ever. At the end of the day, price, features, or performance often win the race. That’s exactly the kind of contradiction that shows up in the Bitkom #Cloud Report 2025 – and it’s something every company in DACH needs to address in their cloud strategy. Here’s what the report tells us: 🇩🇪 The preference is clear: 97% of companies care about the origin of their cloud provider. 100% prefer German and 96% EU data cetners in direct comparisson. The desire for digital sovereignty is massive. 💸 The reality is pragmatic: Only 12% would accept longer waiting time for services, only 7% will accept 10–20% higher costs for that preference. And just 6% would tolerate compromises on usability or service. ⛓️ Dependency is real: 53% feel locked in by providers regarding pricing and terms. 78% say "Germany is too dependent on U.S. cloud companies". So what does this mean for your cloud strategy? The Bitkom report doesn’t just show growing adoption (90% usage, rising investment) – it highlights a strategic dilemma: How do we align the push for digital sovereignty with real-world needs like scalability, innovation, cost efficiency, and global competitiveness? The good news: We’re starting to see movement. More and more companies are adapting their strategies toward European alternatives. I expect that within the next 12–18 months, we’ll start to see real shifts – major rollouts, migrations, and new sourcing models becoming visible. The real question isn’t if we go to the cloud – but how. To make it work, we need: 🔍 FinOps discipline: 51% expect rising costs. Without structured cost control, we’re burning potential. 🔁 Robust multi-cloud strategies: To avoid lock-in and get the best from multiple ecosystems. 🇪🇺 Competitive European offerings: Not just sovereign – but also powerful, user-friendly, and cost-attractive. We don’t just need the idea of a “German & European Cloud”. We need realistic and executable strategies to guide through the complexity of digital transformation – with sovereignty and innovation in mind. Because let’s face it: our IT landscapes will stay hybrid and diverse for a long time. What matters is how well we orchestrate and govern that mix. What’s your take? How do you navigate between sovereignty and the pragmatic realities? report: https://lnkd.in/eCjftxRx #cloudcomputing #CloudTransformation #DigitaleSouveränität #Bitkom #CloudStrategie #FinOps

BREAKING: Microsoft just announced their grand plan to protect European data from "foreign interference." Sovereign datacenters in Germany and France. European personnel controlling access. Customer-controlled encryption. Sounds familiar? They tried this exact playbook in China. Microsoft partnered with local Chinese companies to run "sovereign" datacenters. Same promises. Same marketing. Same "your data stays local" narrative. Here's what actually happened: When the US government wanted access to one specific Chinese customer's data, Microsoft simply shut down the entire datacenter. The Chinese customer? Locked out of their own data. The "sovereign" protection? Worthless. Now they're selling Europeans the same story. "Data Guardian" will ensure only European personnel control access. "External Key Management" gives customers control. "National Partner Clouds" operated independently. All meaningless when push comes to shove. The fundamental problem remains: These datacenters are still connected to Microsoft's global infrastructure. There are no "internet walls" in the middle of the ocean blocking data access. If the US government decides they want access to European data, and Microsoft has to comply, all these "sovereign" protections become theater. Why this matters for your organization: This isn't about bashing Microsoft's technology. Their cloud services are excellent. But don't let marketing promises about "sovereignty" drive your infrastructure decisions. Make choices based on: Your actual compliance requirements Real data residency needs Operational control you can verify Contract terms that matter The lesson from China is clear: When geopolitics meets technology, sovereignty promises crumble fast.

𝗘𝘂𝗿𝗼𝗽𝗲’𝘀 𝗮𝗯𝗶𝗹𝗶𝘁𝘆 𝘁𝗼 𝗮𝗰𝘁 𝗶𝘀 𝗶𝗻𝗰𝗿𝗲𝗮𝘀𝗶𝗻𝗴𝗹𝘆 𝗱𝗲𝗰𝗶𝗱𝗲𝗱 𝗶𝗻 𝘁𝗵𝗲 𝗰𝗹𝗼𝘂𝗱. Today, together with Frederic Munch, Sopra Steria, I published a joint guest article in Table.Briefings on why digital sovereignty has become an operational question. Cyber threats, regulatory complexity and geopolitical tension are converging. Digital infrastructure is no longer just an efficiency layer. It determines whether governments, institutions and critical industries remain capable of acting under pressure. The real dilemma is not whether to move to the cloud. It is how to do so without losing control. Many organisations hesitate because jurisdiction, accountability and decision rights are not clearly anchored in cloud architectures. And that hesitation is understandable. At the same time, staying outside modern architectures limits scalability, resilience, and AI adoption. Inaction creates risk just as much as unmanaged dependency does. This is exactly where the sovereignty debate must mature - and where European technology providers such as SAP play a critical role in anchoring operational control within cloud architectures. Digital sovereignty is not about isolation. It is about: 🔹Operational control by design. 🔹Clear legal frameworks embedded in architecture. 🔹Defined decision rights across partners. 🔹Accountability that holds under stress. Europe has the technology and the industrial base. What matters now is execution. That is the shift we argue for in our article: moving from abstract sovereignty debates to concrete governance models that work in practice.

🧼 Is your "Sovereign Cloud" actually sovereign, or is it just "Sovereignty Washing"? Here is a hard truth for CISOs: If your cloud provider says "Your data stays in Germany" but their support team in Seattle has root access... you aren't sovereign. If your provider says "Bring Your Own Key" but their software has to decrypt your data in memory to process it... you aren't sovereign. If your provider is a "local partner" but the underlying stack is licensed closed-source code from a US giant subject to FISA 702... you aren't sovereign. We have created a massive industry of "Compliance Theater." We are checking boxes to satisfy NIS2, while ignoring the technical reality that US tech stacks are fundamentally under US jurisdiction. Stop buying the label. Audit the architecture. #CyberSecurity #CISO #CloudArchitecture #SovereignCloud #Compliance

“Hosted in EU” Is Not Sovereign. Sovereignty is not geography. It’s control. If your cloud is hosted in the EU but the control plane is governed by a non-EU parent company, you don’t have sovereignty. You have data residency. Real sovereignty requires: - Control plane ownership - Identity independence - Backup autonomy - Operational self-sufficiency - API-level portability This is where Kubernetes/OpenShift changes the equation. Because it is deployable: - On-prem - In EU-owned infrastructure - In fully controlled environments The difference between hyperscaler cloud and Kubernetes/OpenShift-based cloud is simple: One gives you services. The other gives you control. And control is what sovereignty actually means. If your vendor disappeared tomorrow, could you rebuild your entire platform from your own automation? If not you are renting stability. Not owning it. #stakater #cloud #sovereignty

Would you live in a home where someone else holds the keys?   That’s the essence of data sovereignty: ensuring that your most valuable information: such as customer records, IP, and financials, remains under your legal, operational, and strategic control.   It’s like making sure the keys to your digital home stay in your hands.   AI thrives on data. It feeds algorithms, shapes outcomes, and influences real-world actions. But when that data is stored in environments governed by external jurisdictions, you risk losing visibility, agility, and trust.   The goal isn’t to avoid the cloud, but to use it with sovereignty in mind.   In our daily work, we support CIOs and organizations in building infrastructure and data strategies that are local, trusted, and aligned with company’s values and regulations.   🔐 Data sovereignty means knowing who's at the door and who holds the key.   That’s how CIOs can secure the foundation and give leadership the clarity and control needed to make data - and AI-driven decisions, securely.   #DataSovereignty #AI #Leadership #iwork4dell