Guess who’s back, back again?
The European Union’s (EU) desire for cloud sovereignty has seemingly been reignited as geopolitical tensions push organizations to reevaluate the region’s reliance on the US for its digital infrastructure needs.
Last week, Amazon Web Services (AWS) announced it had launched a new European parent company and three subsidiaries incorporated in Germany for its European Sovereign Cloud offering. The parent company will be “locally controlled” and led by EU citizens. AWS European Sovereign Cloud is expected to roll out by the end of the year.
“There will be zero operational control outside of EU borders; the AWS European Sovereign Cloud will be operated entirely by residents of Europe,” the tech giant wrote in a blog post. “Only AWS employees, residing in the EU, will control day-to-day operations, including access to data centers, technical support, and customer service for the AWS European Sovereign Cloud.”
The move joins several efforts by hyperscalers to bolster sovereign cloud solutions for customers. In May, Google Cloud announced several enhancements to its sovereign cloud offerings, including a new solution that conducts “recurring security testing of customer applications to validate sovereignty postures.” The month prior, Microsoft pledged to increase its European data center capacity by 40% in the next two years.
Longtime concerns. Johan David Michels, a researcher at the Queen Mary University of London, told IT Brew via email that concerns among European customers revolve around the US’s ability to access data stored in the cloud and the country’s ability to halt access to cloud providers completely. Michels said these concerns span as far back as 2013 when Edward Snowden, a former National Security Agency (NSA) contractor, leaked confidential information on the government’s surveillance programs. Documents revealed by Snowden showed that the NSA had been spying on EU officials in Brussels, Belgium, and the US.
Michels said the concerns have continued to proliferate due to the Trump administration’s “forceful and at times unpredictable” foreign policy. He referenced reports alleging Microsoft revoked the email of International Criminal Court (ICC) Chief Prosecutor Karim Khan following Trump-imposed sanctions as an example of this. Microsoft has denied that it suspended services to the ICC.
“This has led many European customers to question whether their data are really safe in a US hyperscaler’s cloud,” Michels wrote.
Alexandre Ferreira Gomes, research fellow at independent think tank and diplomatic academy Clingendael, told IT Brew that the push for cloud sovereignty in the EU began relatively recently and is part of the greater push for economic sovereignty by the union, driven by several factors including Russia’s invasion of Ukraine and a desire to decrease dependency on the US and China for tech.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
“Over the past two to three years, we have been assessing dependencies and vulnerabilities on others, and then we come to realize that we are not sovereign in terms of being able to make choices, and that’s very clear when you look at the technology overall,” Ferreira Gomes said.
Changes. Michels wrote that European and US cloud providers have taken note of the concerns of customers and are working to address them.
“European cloud providers argue that they can offer similar functionality to US hyperscalers, without being subject to foreign jurisdiction,” Michels wrote. “US hyperscalers offer technical features (such as customer-side encryption and confidential computing) to protect data from foreign government access, while promising to challenge US orders that conflict with European law before US courts, if necessary.”
The push for sovereignty has led some companies, including unconventional ones, to take matters into their own hands. In 2022, Schwarz Group, owner of the Lidl supermarket chain, made its EU compliant German cloud business STACKIT available to the public.
“Our service offering means that we are paving the way in Germany for a European cloud solution that will strengthen the digital sovereignty and competitiveness of our economy,” Christian Müller, CIO of Schwarz IT, said in a statement.
Conscious decoupling. A draft penned by the EU detailing the region’s international digital strategy reviewed by Politico wrote it is “unrealistic” for it to decouple from dominant players like the US, adding that “cooperation” would remain important across the technology value chain. However, Ferreira Gomes argues that decoupling was never the end goal.
“The idea is not that we decouple from [the] US…but it’s just the idea of being aware of where we cannot be as dependent as we are today,” Ferreira Gomes said.
For cloud computing, Michels said customers will be more thoughtful with where they store their cloud environments down the line.
“In future, I expect that we will see European customers thinking more carefully about which data belong in which IT environment,” Michels wrote. “This includes multi-cloud deployments that combine US hyperscale cloud with European sovereign cloud services.”