Chapter 2

The need for a Sovereign Cloud

According to Gartner, 55% of IT will adopt data ecosystems by 2025. And by 2026, organizations adopting active metadata practices will increase to 30% across data and analytics to accelerate automation, insight discovery and recommendations. But topics like data privacy and cybersecurity are also a growing concern. By 2027, the likelihood of a breach will increase threefold for organizations that fail to continuously manage remote access architecture and processes. With such projections, the need for a sovereign cloud already becomes apparent. What other motivators are there for sovereign cloud adoption?

Geopolitical context

Sovereign cloud is not only about technology; it is a strategic choice influenced by various geopolitical factors. As more and more organizations try to exploit the commercial value of data across geopolitical boundaries, countries are struggling to find a balance between boosting their economies and safeguarding their citizens' privacy in a secure way. Moreover, regulatory frameworks vary widely across nations. This poses a major challenge for cloud providers.

This dynamic interplay between technology and geopolitics underscores the importance of a comprehensive understanding of the global data governance landscape in the era of the cloud. 

The sovereign cloud is more than just technology and security, it also considers geopolitical legislation.

Vincent Dock,
Senior strategy manager at Proximus NXT

EU Strategy

It is very important for enterprises to understand just how fragile data privacy is when data is managed by clouds beyond European jurisdiction. Key to this is knowing which regulations on a geopolitical scale influence your data, now and in the future.

For example, the US CLOUD Act of 2018 was a decisive regulatory change. It allows US intelligence services to access your data if you store it with US cloud providers.

To facilitate international data transfers between the EU and the US, the Privacy Shield was put in place. It was later invalidated by Schrems II, in which it was decided that the US had no adequate data protection measures.

The EU is much stricter. According to Schrems II, organizations that transfer personal data from the EU to the US or other countries must ensure that the data is adequately protected in accordance with the General Data Protection Regulation (GDPR).

In July 2023, the EU adopted its EU-US Data Privacy Framework. This shows that the privacy domain is still very active, and that we can expect new regulations in the years to come.

Since GDPR, a lot of new acts have been proposed or have become effective. Some notable examples are the Digital Markets Act, the Digital Services Act, and the AI Act.

As part of the Cybersecurity Act, a certification scheme was worked out for cloud services, called the EUCS. Cloud providers will be able to showcase the level of cybersecurity measures implemented in their cloud services through different assurance levels. This legislation pushes for clouds where data is stored and processed within EU borders.

Regulations

In 2024, NIS2 becomes applicable, which has a major impact on how companies treat cybersecurity. NIS2 is the updated version of NIS, the Network and Information Security Directive. The original version tried to achieve a high and homogeneous level of cybersecurity across the EU member states. Its implementation raised the average level of cybersecurity, but due to dramatically rising cyber threats, a higher cybersecurity level is becoming increasingly important. NIS2 offers a framework that effectively addresses this challenge by extending the scope of the original NIS and rigorously enhancing security requirements. NIS2 will impact the way companies implement cybersecurity and will push companies to implement new solutions with additional security.

How Sovereign Cloud fits this philosophy (how Sovereign Cloud might help you to get a competitive advantage)

This regulatory context was used as a basis for the concept of sovereign cloud, a cloud that answers your sovereignty needs. The cloud can help you immensely with getting value out of your data. But today, you are almost forced to rely on US cloud providers, due to the lack of EU alternatives that offer the same rich set of features.

Initiatives popping up in Europe, like Gaia-X, aim to create an EU-based data infrastructure. Sovereign cloud solutions provide the advantages of the public cloud while adhering to EU restrictions. Over time, adopting a sovereign cloud enables you to unlock the hidden value of your sensitive data or ensure a level of control over the services you offer, giving you a competitive edge.

How do you successfully migrate to the cloud?