Why Sovereign Cloud is Essential for Today’s Businesses

So, why suddenly does everyone care about “where the data lives?” Well, the truth is, we’ve always cared. 

Policymakers interested in leveraging data sovereignty requirements to advance economic and investment goals certainly continue to care. As a candidate for European Commission President in 2019, Ursula von der Leyen highlighted the economic importance of data sovereignty, and in his September 2024 report on European Competitiveness, former European Central Bank President Mario Draghi noted that a “minimum level of technological sovereignty” is needed “to increase the long-term ‘bankability’ of new investments in Europe.” 

In today’s cloud-driven world, data residency and compliance have become top priorities due to government regulations and increasing public concern over data privacy. What has changed are the critical design factors in the interconnected world of cloud computing: the physical location of the data, metadata, and the governance surrounding it.  Sovereign Cloud solutions address these needs by ensuring data security and jurisdictional control while giving cloud service providers the tools needed to be more innovative and competitive for their customers. 

The growing web of regulations worldwide, including Europe’s GDPR, the DGA, and the U.S. Cloud Act, highlight the need for organizations to manage data within specific jurisdictions to ensure compliance and security.  Public awareness around data privacy issues further fuels this trend, compelling enterprises to seek cloud solutions that ensure compliance and security. All of this occurs amid a backdrop of significant geopolitical factors, ranging from development and investment policies to national security concerns, which influence both government regulatory frameworks and enterprise cloud strategies, prompting public and private organizations to rethink their data residency approaches.

Sopra Steria (Nordics)

“The demand for sovereign cloud solutions that can help ensure national autonomy is on the rise in the Nordic countries. As a Pinnacle Tier VCSP partner, we are well-positioned to meet the data residency and security requirements for our customers. Our Sopra Steria SolidCloud platform is built on VMware Cloud Foundation, which enables us to deliver a flexible and scalable sovereign cloud infrastructure. VMware Cloud Foundation enables us to innovate and deliver sovereign cloud services quickly by providing built-in compliance management, operations, and security capabilities.”

Roger Samdal, Agency Director Hybrid Cloud, Sopra Steria

With global data creation projected to surpass 180 zettabytes by 2025** and as much as 92% of business data previously projected to be stored by U.S.-based hyperscale cloud providers***, non-U.S. countries are reevaluating data residency requirements to strengthen jurisdictional control and protect their citizens’ data privacy. While the U.S. Public Cloud vendors have worked hard to mitigate these risks for their customers by gaining regulatory certifications across the world, some of the key factors that drive data governance and security controls to protect the data from unauthorized third-party access are beyond their ability to natively protect*.

The U.S. government has a number of legal frameworks in place to address national security concerns that extend beyond its geographical borders. For instance, the U.S. Cloud Act of 2018 allows U.S. courts to instruct U.S. companies to collect data on systems they manage not just on U.S. soil but, in theory, anywhere in the world. As a result of this and other legislation enacted in multiple other countries, the landscape is changing. Much of the global population is now protected by data privacy regulations for both personal and business-related data, much of it in line with the EU’s GDPR framework. Furthermore, the definition of personal information is ever-changing, and people’s attitudes evolve, as we saw during the Covid-19 pandemic. One thing is sure: with our online presence ever increasing, this architecture will only get more complex over time.

Typically, VMware’s approach to Sovereign Cloud involves defining three types of solution architecture, which can align with the requirements of different organizations and different regulatory requirements.

These might be defined as:

• Provider Sovereign Cloud: VMware Cloud Provider who offers services that deliver on customers’ requirements for data and application sovereignty. VMware partners providing such a service would be part of the VMware Sovereign Cloud Program for CSP Partners, outlined below. 
• Enterprise Sovereign Cloud: A commercial business entity with regulatory requirements (in some cases, industry-specific) for data/digital sovereignty. These include heavily regulated industries such as aerospace, nuclear energy, and military/defense suppliers. This solution is hosted and managed by the enterprise or in conjunction with a partner, with strict oversight from regulators. 
• Government Sovereign Cloud: A government entity that requires, for legal or governance reasons, to hold data and application processes on sovereign soil. This solution is hosted and managed by the government entity itself or in conjunction with a partner, with strict oversight from regulators.

Broadcom: Sovereign Cloud Focused

Broadcom’s Sovereign Cloud solution is designed for VMware Cloud Service Partners to deliver sovereign cloud services that comply with a specific jurisdiction’s digital sovereignty requirements, which are defined in our 10-point self-attested Sovereign Cloud criteria (listed below).  Data residency relates to where the data is physically and geographically stored and processed. Due to the extreme scale of the large public cloud providers, this is something they are usually able to primarily provide, but often artifacts like metadata (data about the data) can leak out into other regions, typically the U.S. In some cases, data residency alone is not sufficient to ensure compliance with data privacy laws. Data sovereignty relates to law, specifically, data being subject to the governance structure and, more importantly, the jurisdiction of the nation where the data is processed and stored.

Despite this, the data still needs to be accessible by an authorized entity, and this is a really important aspect of sovereignty. A sovereign cloud solution needs to not only protect critical data but also unlock its value. Data can be extracted in a meaningful way for both private and public sector organizations while providing transparency around architecture and operations.

STC (Middle East)  

“STC offers Sovereign Cloud services built on VMware Cloud Foundation that meet the specific needs of businesses and government entities in Saudi Arabia. Our services aim to foster trust, security, and compliance in cloud computing while supporting the broader digital transformation goals of the region. Unlike native public clouds, our 100% local infrastructure helps ensure complete data sovereignty and compliance with local regulatory requirements.”

Mohammed Khamis Balobaid, Executive Head Cloud & Digital Solutions by STC

As we have seen, the need for organizations to deliver truly sovereign digital services is growing, and Broadcom has the partner network and solution expertise to help strategic partners deliver services that can meet various regulatory requirements worldwide. Broadcom’s primary aim is to put the customer in total control of their data assets. It does not replace any industry compliance framework but instead aims to deliver a complete answer to the questions around data and jurisdictional control. 

To do this, the VCF sovereign solution uses standardized architectures based on VMware Validated Solutions alongside a 10-point Criteria that outline guiding principles and best practices for delivering cloud services that adhere to the data sovereignty requirements of the specific jurisdiction in which that cloud operates, as mandated by the relevant government or commercial body. These criteria are intended to be flexible enough to accommodate different design considerations depending on the scope of the Sovereign Cloud. There are more than 50 Sovereign Cloud providers globally, which makes for the largest ecosystem of partners capable of building a sovereign solution.  All partners are self-attested to the 10-point criteria below:

1. Local Residency (Data/Metadata): All data resides within the relevant sovereign country, ensuring compliance with local data protection laws.
2. Full Jurisdictional Control: Local governmental authorities have sole jurisdiction over the data, preventing foreign access.
3. Encryption with External Keys (BYOK): Customers maintain control over data encryption and key management, enhancing security.
4. Local Entity: The service is operated by a legal entity incorporated in the relevant country, ensuring accountability.
5. Local Operations: Only authorized personnel with country-specific security clearances manage the Sovereign Cloud offerings.
6. Resiliency with 2 Data Center Locations: Managed from multiple Tier III data centers within the country, ensuring high availability and redundancy.
7. Full Reversibility (Portability Without Lock-In): Supports hybrid cloud deployments, allowing seamless workload migration without vendor lock-in.
8. Security Certification: The offering adheres to relevant industry certifications required for end-user workloads.
9. Zero Trust with Logical Network Segmentation: Implements a zero trust security posture, ensuring that access is tightly controlled.
10. Isolation for Parts of the Offering: Certain components of the infrastructure are kept in segregated environments for enhanced security.

The key aim of the 10-point principles outlined above is to define governance requirements for enhanced security controls and ongoing compliance, delivered through data residency and the digital sovereignty of applications processing data pools. Partnering with a value-added managed service provider offers numerous advantages for organizations adopting Sovereign Cloud solutions:

• Managed Service Expertise: Locally Built and Supported: Sovereign VMware Cloud Service Providers bring local knowledge and a deep understanding of compliance requirements, ensuring tailored solutions for specific industries.
• Improved Customer Experience: Customers benefit from faster response times and personalized service, simplifying the management of complex environments.
• Competitive Differentiation: By meeting stringent local requirements, Sovereign VMware Cloud Service Providers build trust with customers, offering transparency that sets them apart in the marketplace.

Jurisdictional control is critical! The idea that a country or jurisdiction has the authority to govern and control the data generated within its borders is a fundamental component of any Sovereign Cloud. Ensuring that no outside entity, whether government or commercial, can obtain the right to access data is an essential component of a Sovereign Cloud offering and is a key and differentiating component of any Sovereign VMware Cloud Service Provider service.

Plusserver (Germany)

“Data sovereignty requirements in Germany are some of the most stringent in the world, guided by both GDPR and other national regulations. plusserver is a leading authority in understanding these requirements and helps customers operate in a secure and compliant manner. We have been focusing on digital sovereignty for many years now, including through our involvement in Gaia-X. As a thought leader in this area, we offer sovereign cloud solutions from our certified German data centers. One of these solutions is based on VMware Cloud Foundation (VCF). By delivering sovereign VCF-based cloud services from our in-country data centers, we can ensure customer data remains within German borders.”

Katharina Cordes, Product Director pluscloud VMware plusserver GmbH

In the evolving landscape of Sovereign Cloud, a new concept is also gaining traction with governments and enterprises: Sovereign AI. The concepts surrounding Sovereign AI effectively bring together and are interwoven with those of Sovereign VMware Cloud Service Providers and AI. With its unparalleled market position, Broadcom stands out as the ideal partner to help its cloud providers navigate these AI sovereignty challenges with the same focus on innovation and competitiveness that is at the heart of Broadcom’s approach to Sovereign Cloud. It is able to do this by ensuring partners can deliver increased control over where their customers’ data is located, where the application executes against that data, and how they can manage emerging regulatory, compliance, and legal requirements.

This momentum we are seeing in Sovereign AI is largely due to the fact that artificial intelligence has become vital to nations, governments, and regulated industries. Therefore, these organizations are proactively increasing their oversight and control over data privacy and cloud computing. A Sovereign AI solution, fully contained within an entity, such as a regional cloud provider or country, empowers the organization to meet its objectives, ensuring that all data, execution, and outcomes remain contained, both from a security and privacy perspective.

As Broadcom moves forward with the new Sovereign VMware Cloud Service Provider solution, many of our strategic partners will start to offer a range of artificial intelligence services, including infrastructure, large language models, private AI solutions, toolsets, and a well-enabled support team. These Sovereign AI solutions will offer robust security and data privacy features, empowering their customers to achieve their goals with the confidence that legal, regulatory, compliance and ethical considerations are being addressed.  Sovereign VMware Cloud Service Provider partners will deliver comprehensive, value-added solutions that meet the privacy and compliance requirements of organizations utilizing AI.

Conclusion 

Sovereign Cloud has gone well beyond a trend – it’s a fundamental necessity for businesses that prioritize data compliance and jurisdictional security, and it’s an established approach sought by governments to advance various policy and economic development goals. Broadcom’s VMware-based Sovereign Cloud provides a comprehensive path forward, empowering organizations to confidently navigate diverse regulatory landscapes and secure their data’s future.

Simply put, sovereignty is part of Broadcom’s DNA. Through VMware Cloud Foundation and VMware Cloud Service Providers, Broadcom enables sovereign solutions that support the digital economy and ensure data security and regional compliance. By partnering with value-added managed service providers, organizations can achieve true data residency and regulatory compliance.

Resources / Calls to Action:

• Watch the Sovereign Cloud Overview Video.

• Find out more about VMware’s Sovereign Cloud and 10-pt criteria on the Sovereign Cloud web page.

• Find a value-added VCSP-approved Sovereign Cloud partner.

Sources: 

*Microsoft admits no guarantee of sovereignty for UK policing data, Computer Weekly, https://www.computerweekly.com/news/366589152/Microsoft-admits-no-guarantee-of-sovereignty-for-UK-policing-data, Sebastian Klovig Skelton, Data & ethics editor, Published: June 19, 2024

**Amount of data created, consumed, and stored 2010-2020, with forecasts to 2025, Statista, https://www.statista.com/statistics/871513/worldwide-data-created/, Petroc Taylor, Research expert covering global developments in the use of data, Published: November 16, 2023

***A National Capability that treats our data as a National Asset, https://www.linkedin.com/pulse/national-capability-treats-our-data-asset-simon-hansford/, Simon Hansford, formerly CEO of UKCloud. Published: December 6, 2019