Rediscovering data control: Should you reassess your cloud policies? (Part 2)

In the digital age, European organizations are grappling with the risk of working with Chinese cloud providers for sensitive data. This concern has led to a significant action aimed at reducing dependency on foreign technologies and securing supply chains: the European Processor Initiative.

The initiative, however, is not the only solution on the table. Companies are exploring various strategies to achieve data sovereignty, a concept that ensures data remains within the borders of a country and is subject to its laws.

One approach is the hybrid cloud model, which allows companies to choose what data they want to deploy to the off-premises cloud and what data they need to keep on-premises or at the edge. T-Systems, for instance, is working with Google in Germany to implement this strategy.

Data sovereignty can also be achieved on public cloud using additional control mechanisms like hardware security modules (HSM), key management systems (KMS), identity and access management (IAM), and security monitoring. This ensures that the data remains secure, even when it is being processed or stored outside of the country.

Another option is for a local provider to partner with a hyperscaler, operating a segregated hyperscaler environment on behalf of local clients. An example of this approach is S3NS, created by Thales in partnership with Google.

A private cloud can be located within the country and dedicated to a customer, providing the core building blocks for cloud sovereignty. This approach aligns with France's "cloud au centre" strategy, with Atos working with UGAP to provide public, private, and sovereign cloud services.

The analysis should examine not only the stored data but also transformed data outside of jurisdictions and metadata being gathered, including IP addresses, credentials, logins, reports, etc. European companies must balance data security with the need to leverage efficient and innovative technology.

However, achieving 100% sovereignty may not be necessary or achievable due to global bilateral data export government agreements and challenges in achieving full software and technology sovereignty. Companies should conduct app assessments and risk analyses to decide which data can remain on the public cloud and which data will move to on-premises.

Key companies and partners involved in the development and implementation of sovereign cloud solutions in Europe include Amazon Web Services (AWS) with its AWS European Sovereign Cloud launching in Germany by the end of 2025, investing 7.8 billion euros and creating an independent European governance structure. AWS plans to operate its sovereign cloud entirely separated from its US parent.

NTT DATA is another player in the field, collaborating closely with Microsoft’s AI Cloud Partner program and specializing in Sovereign Cloud as part of a global Microsoft Cloud unit. These initiatives aim to ensure compliance with European data sovereignty, privacy, and regulatory requirements for public sector and regulated industries.

Atos has partnered with Dassault Systèmes to offer Dassault's 3DEXPERIENCE platform at client premises, augmented by cybersecurity services compliant with ANSSI requirements for critical operators.

Making the right choices now brings us one step closer to Europe's cloud sovereignty. The largest cloud players in the market are American or Chinese, but with initiatives like the European Processor Initiative and the development of sovereign cloud solutions, Europe is taking strides towards securing its digital future.

Rediscovering data control: Should you reassess your cloud policies? (Part 2)