The views and opinions expressed in this Blog are those of the authors and do not necessarily reflect the views or positions of any entities they represent.
Technological sovereignty is not just something Henna Virkkunen—the newly appointed Executive Vice-President for Tech Sovereignty, Security and Democracy—has underlined as a crucial aspect for the next decade to come, it is a term that entails many spillover effects, that ultimately affects all European citizens. From enhanced internal market competitiveness to cybersecurity, sovereign solutions have been deemed as one of the core pillars of Europe’s Digital Decade. But what about tech sovereignty when it comes to Sovereign Cloud solutions?
Cloud sovereignty refers to the ability of an organization, nation, or region—such as the European Union—to assert control, ownership, and jurisdiction over its data, applications, and infrastructure within a cloud computing environment. This need for sovereignty may arise from governmental regulations specific to certain industries, requirements to safeguard regulated data such as personally identifiable information, or business-specific and competitive concerns. As governments increasingly recognize the importance of protecting sensitive data, ensuring compliance with local laws, and asserting digital autonomy, Sovereign Cloud solutions have become a critical focus in the evolving digital landscape.
Unlike traditional public cloud services offered by Big Tech giants and hyperscalers, Sovereign Cloud solutions are hosted, managed and built entirely within the geographical boundaries of the country they serve, ensuring compliance with local regulations and enhancing data control. Sovereign Clouds can be categorized into three distinct tiers, each offering different levels of jurisdictional control and compliance.
Tier-1: Sovereign Hosted Clouds
Sovereign Hosted Clouds require that all computing resources processing regulated data, including networks, data flows, backups, and disaster recovery systems, remain within a specific geographic area. Such an environment ensures that an organization’s data (and associated metadata) is stored on servers located within specific national or regional boundaries. This guarantees compliance with local regulations and protects data from foreign access. Essentially, this kind of Sovereign Cloud is governed by the laws of the country in which it is hosted, ensuring data residency and regulatory alignment.
Tier-2: Sovereign Managed Clouds
In Sovereign Managed Clouds, access to regulated systems is restricted to individuals who are either citizens of the jurisdiction or possess the necessary security clearances. Additionally, the cloud provider must be controlled by physical or legal entities that belong to the same jurisdiction. This ensures not only compliance with local regulations but also reinforces data sovereignty by maintaining operational oversight within the designated geographic and legal boundaries.
Tier-3: Sovereign Built Clouds
Sovereign Built Clouds ensure that the entire software stack is developed, supported and controlled by entities within the jurisdiction. This approach guarantees full oversight of the cloud infrastructure, from hardware to software, and minimizes reliance on foreign technologies and technology vendors. By maintaining local control over the development and operation of the cloud platform, this tier provides the highest level of sovereignty and compliance with jurisdictional requirements.
Choosing the right Sovereign Cloud model
Once an organization realizes that they cannot rely on hyperscalers or Big Tech companies for their cloud solution, it is important to choose wisely which Sovereign Cloud model meets their specific needs. Current efforts by vendors such as Microsoft, Google, and VMware to offer “Sovereign Cloud” solutions to their EU customers, for instance, are often misleading and contribute to the general confusion around what this term really means.
The appropriate tier level to be used will always depend on the specific regulatory, security, and operational requirements of the organization or jurisdiction. Factors such as the sensitivity of the data, the need for local control, compliance with industry regulations, and the risk of foreign interference will determine whether a company requires a Sovereign Hosted Cloud (Tier-1), a Sovereign Managed Cloud (Tier-2), or a Sovereign Built Cloud (Tier-3).
Given the key role that European open source technologies like OpenNebula and others play in enabling the deployment of real Sovereign Cloud solutions, industrial actors in EU strategic sectors have now a unique opportunity to embrace an alternative approach that can help to finally liberate themselves from the technological dependencies that they might have developed with non-EU vendors.
Ignacio is the CEO of OpenNebula Systems, the European open source company behind the cloud & edge computing platform OpenNebula. He holds a Ph.D. in computer science and an executive master’s degree in business administration. He has 30 years of experience leading businesses, research projects and development teams working on large-scale distributed systems, cloud infrastructures, and edge computing. He has held several appointments as an independent expert for the European Commission and several companies and national governments; and visiting positions at Harvard University, Lawrence Berkeley National Lab, and NASA Langley Research Center. He is the Chair of the Cloud-Edge Working Group of the European Alliance for Industrial Data, Edge and Cloud and an elected member of the IPCEI-CIS Industry Facilitation Group.
0 Comments