The Evolution and Importance of Sovereign Cloud (play now)
Broadcom’s recent EU Sovereign Cloud Day with Arrow in Brussels kicked off with a powerful keynote by Jon Collins, VP of Engagement at Gigaom. Jon delved into the critical importance and evolution of Sovereign Cloud, emphasizing that while technological sovereignty is essential, it remains an elusive concept demanding robust governance.
“Technological sovereignty is both essential and elusive,” Jon stated.
“It’s difficult to pin down but crucial for action.”
He identified three primary drivers behind technological sovereignty: geopolitical factors such as GDPR, rising personal privacy laws, and the increasing complexity of modern multi-platform architectures. He also outlined strategic choices for organizations considering sovereign cloud solutions when data is moved and accessed. Jon prognosticated that sovereign is now with business models dictating sovereign needs with visibility, transparency and access becoming a key business asset.
These include leveraging sovereign hyperscale like AWS or Azure’s upcoming offerings, opting for localized providers offering more in-country control, or maintaining on-premises solutions to ensure maximum security despite higher costs. In the end, Sovereignty affects all organizations, regardless of size, and is rooted in jurisdiction, technological, and data sovereignty
Certification Frameworks: Navigating Complexities with ENISA (play now)
Andreas Mitrakas from European Union Agency for Cybersecurity (ENISA) Head of Certification Division provided valuable insights into cloud services certification. Andreas highlighted the challenges posed by rapidly evolving technology markets that lack historical references—making it difficult for both consumers and regulators to keep pace.
“…but we (private and public sector) have massive, massive really massive did I say massive use of data services and cloud services instigated by governments and this of course is happening in a continuous environment where threats are evolving”
“The concept of information asymmetry highlights how sellers typically know more than buyers about product quality—a scenario prevalent in rapidly evolving tech markets inundated with questionable goods,” Andreas explained.
He discussed how initial concerns about sovereignty were driven by leading member states like Germany, France and Spain but have recently been alleviated by removing such requirements from new proposals. Andreas explained that ENISA’s certification frameworks aim to create a digital single market through public authorities accrediting bodies based on conformity assessments produced by testing labs—ensuring technologies benefit not just large corporations but also SMEs and individual consumers alike.
Andreas highlighted 3 key areas to make Sovereignty easy…
- In-country – with data storage and processing only within EU/specific locations and within Cloud service operations based and working from the EU.
- Technical measures – Encryption, Key Management (BYOK and Runtime access controls), and Decision-making on data (in the EU with Keys and people liable in the EU)
- Company Control – Global and Local HQ in the EU, Control from the EU.
“Our framework aims at creating a digital single market composed of various elements such as public authorities accrediting bodies based on conformity assessments produced by testing labs,” he noted.
European Commission’s Vision for 2030 and EU Legislation (play now)
Manuel Mateo Goyet from DG Connect shared enlightening perspectives on Europe’s growing yet diminishing share held by European providers in the cloud technology landscape—a significant concern for Europe’s technological sovereignty.
“The European cloud market is growing exponentially; however, the share held by European providers is diminishing,” Manuel pointed out. “This trend poses a significant concern for Europe’s technological sovereignty.”
Manuel outlined ambitious targets for 2030: achieving 75% cloud adoption across all companies in Europe and deploying 10,000 edge nodes to support low-latency applications like autonomous driving. Legislative efforts such as the Data Act aim to facilitate easier switching between providers (fast switching), prevent unlawful data access (fluid data control), and promote interoperability through open specifications rather than traditional standards.
“These targets are crucial not just for leading tech companies but across various sectors,” he emphasized.
The Data Ecosystem with Gaia X – EU Market perspective (play now)
Pierre Gronlier offered an intriguing perspective focusing more on “autonomy” over “sovereignty” due fluid nature movement breaking down categories legal technical operational emphasizing collaborative environments known “data spaces” where participants share common rules managing specific verticals automotive industry etc., concluding no one-size-fits-all approach exists depends organizational needs preferences ultimately shaping future advancements within collaborative environments known as “data spaces.”
“Instead of using ‘sovereignty,’ I prefer ‘autonomy’ because it better describes control over data due its fluid nature,”
Pierre argued passionately before breaking down autonomy into legal technical operational categories. He stressed the importance of constantly asking key questions when dealing with shared infrastructure services, where they are located, and who handles data….placing an importance on a robust infrastructure. He stressed that there is no ‘one-size-fits-all’ approach and depends on organizational needs and preferences to shape future advancements and collaboration to effectively navigate complex landscapes together. If organizations ask critical questions about their collectivedata services and locations they can ensure a long-term shared vision, a unified secure & innovative ecosystem and organizational success to benefit everyone involved include customers, stakeholders, partners, and regulators alike!
Broadcom’s Industry Leadership and Takeaways on Regulatory Frameworks & Market Demand (play now)
Laurent Allard emphasized three main points during his session: there is real demand for sovereign cloud solutions; Europe is heavily investing in developing regulatory frameworks while pursuing aggressive digital transformation strategies; despite progress made so far confusion remains about what exactly constitutes a sovereign cloud solution. A clear framework for cloud definitions can help address confusion and provide a common language for stakeholders.
“Sovereignty matters,” but “There remains confusion about what exactly constitutes a sovereign cloud.”
To address these gaps Laurent proposed defining this landscape based upon three axes—security, privacy, interoperability/portability ensuring full sensitive-data-control while enabling flexibility evolving needs of clients’ environments private/public/hybrid clouds alike!
“We need clear definitions around security, privacy, interoperability/portability,” he suggested as key principles aiming to ensure full control over sensitive data while enabling flexibility across different environments.
VMware has the largest footprint for data sovereignty with over 50 approved and value-added partners that provide a structured approach for customers to realize sovereign solutions and meet sovereignty standards. VMware has an established 10-point Sovereign Cloud criteria to provide cloud security, privacy, and protection of sensitive data from unauthorized access. Featured are native sovereign cloud, jurisdictional control, locally built & locally operated, and compliant with EU’s regulatory framework.
Cloud Service Provider experience on strategic Sovereign Cloud with Arvato in highly protected and compliant markets (play now)
Hansjörg Metzger representing Arvato Systems, discussed their role as a full-service IT provider for the Bertelsmann Group. He focused on delivering sovereign cloud services tailored to highly regulated and compliant sectors like healthcare and defense. Hansjörg highlighted the importance of sovereignty in IT, noting that it enables companies to act self-determined in digital spaces, particularly for data protection and operational sovereignty. Sovereign Cloud services allow clients to maintain full control over their data, reducing risks associated with external providers. This is vital for industries like healthcare and defense. Arvato Systems adapts its offerings to meet the specific needs of regulated industries, ensuring compliance while providing flexibility in service usage.
He explained, “Sovereignty is the ability to act in a self-determined manner in the digital space,” emphasizing the flexibility for businesses to choose where to store and process their data.
Hansjörg also pointed out the cost challenges of using public cloud services for critical workloads: “If you use the public clouds as your data center extension, it’s going to be very expensive.”
Hansjörg shared a success story involving Kubus, a major healthcare IT provider in Germany, which relied on Arvato’s sovereign cloud to ensure secure and compliant data storage, saying,
“They focus on the application content…but rely on us to meet all the sovereign cloud criteria.”
By aligning with rigorous German data protection standards, Arvato Systems builds trust with clients who prioritize data security and sovereignty. Sovereign Cloud services allow clients to maintain full control over their data, reducing risks associated with external providers.
In conclusion, Hansjörg underlined the importance of offering both cloud services and managed services to create customized, secure solutions for sectors like healthcare and defense, where sovereignty is critical.
Sovereign Cloud and North Europe Healthcare (Vertical Market: Healthcare success) (play now)
Sverre Stokken from Orange Business Services discussed sovereignty in the healthcare sector, highlighting the need for robust healthcare systems, supported by secure and sovereign data practices.
Sverre emphasized that data sovereignty, particularly in healthcare, is essential for maintaining trust and ensuring data is controlled according to local laws and regulations. Transparency, availability, and integrity of healthcare data were identified as key pillars, as mistakes or data mismanagement in this field can have dire consequences, potentially costing lives. Data sovereignty ensures that healthcare data is controlled according to local laws, critical for patient safety and regulatory compliance. This is vital in maintaining trust in healthcare systems.
“We must ensure that the data is controlled according to local laws and regulations…to build patients’ trust.” Transparency and trust were emphasized as key pillars, particularly when dealing with sensitive healthcare data, where “getting it wrong…actually kills people.”
He also stressed the necessity of collaboration between public and private sectors to ensure seamless data sharing while respecting sovereignty and privacy concerns.
Moreover, the growing importance of healthcare data for improving services, and the balance between security and sovereignty, were discussed. Sverre underscored the potential risks of relying on international platforms, advocating for operational, data, and infrastructure sovereignty to ensure that regions retain full control over their data.
“making sure that the data can’t be accessed by someone outside of your region.” This was illustrated by a key point: “If the emergency services don’t have access to the correct data exactly when they need it, people might lose their lives.”
Sverre concluded with a call for more standardized regulations and cooperation to future-proof healthcare services, ensuring their sustainability and security in a changing landscape.
Engaging in Sovereign in 2024 with DEEP, POST Luxembourg in Telecom (play now)
Luc Halbardier, Strategic Engagement Manager at DEEP, launched by POST Luxembourg in 2024, consolidates telecom and ICT services by merging subsidiaries like EBRC, Elgon, Digora Luxembourg, and POST Telecom’s B2B unit. This integration enhances POST Luxembourg’s ability to offer comprehensive services in cloud computing, cybersecurity, AI, and data management. Luc shared insights on the evolution of data sovereignty, particularly from Poste Luxembourg’s perspective.
He highlighted how the organization has combined its ICT services into a single unit, while emphasizing that, as a state-owned entity, sovereignty has always been at the core of their operations.
“We’ve been sovereign for 15 years now because everything is in Luxembourg. We are the state.”
Luc discussed how data sovereignty is more than just a trend for Poste Luxembourg, stating, “Sovereignty is not just a buzzword; it’s embedded in our DNA.” He noted that Luxembourg’s highly regulated market, particularly in sectors like finance and telecom, has made security and data protection essential from the start. He also stressed the importance of understanding where data is stored, who operates it, and ensuring full control over it, saying,
“Customers must understand where their data is and who is in control.”
Additionally, Luc addressed the competitive landscape posed by hyperscalers, acknowledging their dominance but stressing the unique value of sovereign cloud services.
He pointed out, “We need to combine the best of both worlds to ensure we deliver the best service to our customers,”
Emphasizing that partnerships and leveraging the strengths of both public and private clouds will be critical to staying competitive.
Lastly, Luc called for collaboration among service providers and vendors, emphasizing the importance of working together to meet local market needs and regulatory requirements:
“It’s essential to join forces, not just with partners but with vendors, to ensure the best solutions are built and delivered.”
Advancing the Data Ecosystem with ITQ (play now)
Jeffrey Kusters, Chief Technology Officer at ITQ, emphasized the strategic value of sovereign cloud in modern IT environments. He noted that many IT directors are caught between private and public cloud solutions, but sovereign cloud offers a middle ground that balances scalability and compliance:
“Sovereign cloud is really the best of both worlds coming together… with the benefits of data security, privacy, compliance, and scalability.”
Jeffrey acknowledged the complexity of implementing a sovereign cloud but highlighted its potential to resolve critical challenges:
“It’s not simple… adding a third environment like a sovereign cloud can become very complex to manage yourself… but it’s worth it to ensure compliance and control over your data.”
He also touched on the evolving understanding of cloud usage, particularly with the decline of the “cloud first” mentality:
“Thankfully, this whole cloud-first sentiment is slowly going away… because not every workload belongs in the public cloud.”
This shift is driving more organizations to explore sovereign cloud solutions, especially in industries like healthcare, finance, and public sectors, where compliance and data security are paramount.
Delivering Sovereign Cloud at Scale with OVHCloud (play now)
During their presentation, Laurent Blin and Stefan Schaeffer of OVHcloud emphasized the critical role of sovereign cloud in ensuring data privacy and compliance across Europe. They highlighted the need to address sovereignty requirements at scale, describing it as a core value embedded in OVHcloud’s operations.
Laurent noted, “For OVHcloud, sovereignty is not just a feature; it’s a core value we’ve held since the beginning.”
Stefan outlined the three pillars of OVHcloud’s sovereignty strategy:
- Data Sovereignty: OVHcloud guarantees full control over data, avoiding any extraterritorial influence, such as the U.S. Cloud Act. Schaeffer emphasized,
“Only a company headquartered in the EU or outside of the U.S. can be truly cloud-free.”
- Technical Sovereignty: OVHcloud leverages open-source technologies and ensures interoperability, allowing customers to maintain independence and control over their data.
- Operational Sovereignty: OVHcloud builds and manages its own data centers and servers, providing customers with control over where their data is stored and how it is processed. Schaeffer explained:
“We own the entire supply chain, from manufacturing servers to operating data centers.”
A key feature of OVHcloud’s strategy is its multi-local approach, where they provide localized data centers, support, and compliance with local regulations. Laurent stated:
“Being multi-local means having local data centers, local support, and the knowledge to manage networks and regulations specific to each region.”
OVHcloud also emphasized its commitment to sustainability, highlighting innovative water-cooling systems that reduce energy consumption and costs. Stefan noted,
“Our clear water cooling system makes our data centers more sustainable and cost-effective.”
These, as well as many more attributes of OVHcloud’s commitment to sovereign cloud and sustainability, positions them as a leading European provider capable of delivering secure, scalable cloud services while ensuring compliance with local data protection laws.
Nvidia’s Vision for Sovereign AI Infrastructures (play now)
During the event, Carlo Ruiz, Vice President of Enterprise Solutions and Operations at Nvidia EMEA, discussed building sovereign AI infrastructures. Carlo emphasized that creating these infrastructures doesn’t have to be complex or costly.
“Building sovereign AI infrastructures doesn’t necessarily have to be complex or costly,”
Carlo provided insights into effective national AI strategies for countries, stressing the importance of understanding AI’s potential without being mystified by its complexity.
“As a government, you should not be mystified by what AI can do”
Carlo discussed how governments could leverage existing models and infrastructure to develop their own sovereign solutions efficiently and cost-effectively. But it doesn’t just apply to governments, AI opportunities exist in every vertical, a great example of this is the U.S. Federal Credit Union (finance) who discussed using VMware Private AI on VCF at Explore in Las Vegas 2024 (more info)
Carlo addressed energy efficiency concerns associated with large-scale AI deployments, explaining that accelerated computing is extremely efficient and sustainable compared to conventional methods.
“Accelerated computing is very efficient; it’s one of the most sustainable ways to do computing”.
By using advanced technologies like GPUs combined with the right software layers, organizations can achieve significant performance gains while minimizing energy usage.
Carlo concluded by highlighting successful implementations in countries like Sweden and France, where visionary leadership has driven significant advancements in sovereign AI platforms. These examples underscore how strategic investments in talent and infrastructure can position nations as leaders in the evolving landscape of artificial intelligence.
Sovereign Critical Systems and AI Innovation with Sopra Steria (Play now)
Roger Samdal, Director of Hybrid Cloud at Sopra Steria, highlighted the challenges and innovations involved in building secure, sovereign cloud platforms across Europe. With over 50,000 employees, Sopra Steria delivers consulting and digital services, focusing on balancing security and innovation in its cloud offerings. Roger emphasized the importance of sovereignty in their cloud solutions, particularly when addressing the stringent security demands of sectors like energy and healthcare.
“We have created a sovereign platform that we offer our customers throughout Europe, but that’s not enough. The customers demand more… we need to build innovative services on top of that platform, like AI and new innovation.”
He stressed that while sovereign platforms are crucial, customers now demand more value, including innovations like AI. Sopra Steria’s approach integrates secure, sovereign cloud solutions with innovative services, including AI, across public, private, and air-gapped data centers.
“They want cloud native, super innovative solution without any internet connection… air-gapped.”
Roger shared examples from Norway, including projects in the healthcare and energy sectors, highlighting the convergence of IT and operational technology (OT) for critical infrastructure. Norway has unique attributes for developing secure, innovative platforms. He emphasized that their sovereign cloud offerings are grounded in Norway’s local infrastructure, stating,
“We have implemented this super solid, secure foundation across several data centers in the Nordic region. On top of that, we have a sovereign platform run and owned by us, supported out of Norway, operated by Norwegian nationals, with security clearance.”
Roger also discussed the evolving landscape of sovereign cloud, expressing hope for a collaborative European approach, where different providers could build on a common platform to enhance services across the continent.
“If all of us here today can come together and collaborate on a platform… a common European sovereign cloud… that’s what I’m dreaming about.”
Defining Sovereign Cloud and Its Importance (play now)
Martin Hosken, Broadcom’s field CTO, emphasized that the concept of sovereign cloud is still a matter of opinion, as there is no universally accepted definition.
He opened by saying, “Sovereign cloud is an opinion because we don’t have a clear definition.”
Despite this ambiguity, Martin highlighted the critical need for clear jurisdictional control over data, arguing that without it, sovereign cloud lacks true meaning.
Martin gave several examples of industries and sectors that have significant stakes in data sovereignty, such as military defense, energy generation, and cybersecurity. He cited a particular case in the UK where an energy provider was instructed by the government to move workloads from public cloud to private cloud.
He explained, “One of the big energy providers in the UK have been told by the government workloads have to be moved out of public cloud.”
A key point of Martin’s presentation was the notion of jurisdictional control, which he believes to be the most critical factor when defining sovereign cloud.
He asked the question, “If my data lives in a particular country, but other countries can access it through legal means, is it truly sovereign?”
Without clear jurisdictional control, the sovereignty of data remains questionable.
Martin warned that the complexity surrounding data sovereignty will only increase as more legislation and compliance frameworks are introduced, making it harder for businesses to manage their data.
He said, “It’s not going to get any easier. We’re going to see more and more legislation, and the cost of business will be substantial.”
This increasing regulatory burden could stifle innovation if businesses are unable to balance compliance with growth.
Martin also touched on the growing importance of sovereign AI, stating that it is likely to be a key topic in future discussions. He projected that every data source will be connected to machine learning or deep learning in the coming years, and ensuring sovereign AI will be crucial for businesses handling sensitive data.
Martin examined hyperscale claims of offering a ‘sovereign cloud’, pointing out that some hyperscale have admitted they cannot guarantee full sovereignty due to its global operating model. He highlighted a case involving Police Scotland, where Microsoft had to acknowledge its inability to ensure sovereign cloud in the face of cross-border data transfer issues.
“Microsoft were forced to admit that they can’t actually guarantee sovereign cloud.” (read the article)
Martin concluded by sharing the results of a survey conducted during the event, where the majority of participants agreed that a clear definition of sovereign cloud from the EU would be beneficial. Additionally, the survey revealed that jurisdictional control, data security, and compliance were the most important aspects of data sovereignty for organizations.
The Sovereign Cloud Day event underscored not only complexities but crucially needed Sovereign Cloud solutions amid evolving regulations and technological landscapes – highlighting strategic pathways organizations can take towards achieving true technological sovereignty. What emerged from the day is the understanding that everyone; UE Regulators / Commission, analysts, customers, partners, ISV, even consumers are directly involved in ensuring that their cloud is secure, within jurisdiction and aligns to sovereign principles. Together as a community we can make a difference for an innovative and sovereign future.