ISG Provider Lens™ Multi Public Cloud Services - Sovereign Cloud Infrastructure Services - Europe 2023
Localized data residency is a key priority for sovereign cloud services providers
The Gaia-X initiative is a comprehensive framework designed to govern the data sovereignty of information deemed confidential by EU member states. The initiative has grown from 22 European stakeholders since its
launch in 2019 to over 340 organizations as of 2023. While stringent security and encryption are integral to the framework, Gaia-X has also called for data residency inside the EU and recommended that an EU entity hold 50 percent of the total ownership stake in the sovereign cloud service. Gaia-X serves as a compass for our research on the sovereign cloud quadrant.
In April 2022, Gaia-X proposed categorizing the sovereign cloud service providers under three labels. While Labels 1 and 2 had standards of cybersecurity and interoperability far superior to those inherent in other public cloud service offerings, Label 3 stressed European ownership. Label 3 effectively excludes global hyperscalers from serving customers whose data processing needs require a substantially higher level of sensitivity.
The recommended framework suggests that having European control over the provider of sovereign cloud services would increase the privacy, security, and confidential of data considered sovereign by the EU. However, this has created obstacles for EU organizations, both governmental and commercial, in maintaining a continuous service flow from their chosen providers. These organizations still depend on the scalability and
comprehensive technology stack that the global hyperscalers – AWS, Microsoft, and Google – offer and continue to develop.
Consequently, the framework serves as a blockade to EU entities that want to access a more agile, automated, and scalable platform but cannot due to data privacy requirements. Cloud service providers, both within the EU and outside, continue to work extensively with key stakeholders to develop a seamless process that adopts a highly scalable cloud ecosystem. This process is aimed at cultivating a highly scalable cloud environment, built upon sophisticated technology and leveraging opensource platform, ensuring interoperability with a strong emphasis on European standards.
An emerging key trend is the formation of partnerships between European service providers and global hyperscalers. Through such partnerships, European service providers can provide hyperscale-grade sovereign cloud services and yet comply with EU and regional security and ownership norms. Google Cloud seems to be a frontrunner in such partnerships. As of 2023, the company partners with T-Systems and Thales (jointly created S3NS) to extend its hyperscale-grade sovereign services to European institutions. Additionally, in March 2023, Google announced its partnership with Proximus to provide sovereign services to customers in Belgium and Luxembourg.
Another reason behind such partnerships is to alleviate European companies’ concerns about the potential data hack by foreign government entities. The Clarifying Lawful Overseas Use of Data (CLOUD) Act is a notable example of such foreign interference in the data privacy of entities inside the European Union. Enacted in 2018 by the US government, the Act mandates that US-based technology companies provide data stored on their servers, including overseas data, to federal law enforcement agencies when presented with a warrant.
Given the stringent data residency regulations, the European Commission insists on creating a separate pool of sovereign cloud data centers with physical guard rails. This arrangement prevents sovereign data from residing in data centers consisting of components from manufacturers whose security is not robust or does not comply with those set forth by the European Commission.
The following factors are expected to strongly influence the sovereign cloud market in the EU.
1. Cybersecurity and encryption: Enhancing sovereign data security will be key. This will involve ensuring personnel who handle sovereign data are at least based in the EU, although EU citizens are preferred. Strong data encryption in every phase of the data lifecycle, including at rest, during computation, and in transit between EU and non-EU countries or within EU member states. External key management solutions are emerging as an important feature companies will leverage. Encrypted keys configured by the companies are
opaque to everyone else. This ensures that access rights to sovereign data are further curtained from the personnel of the cloud service provider.
2. Physical guardrails: This follows up on the enhanced security requirements for sovereign cloud. Gaia-X recommends that infrastructure in which sovereign data is stored be isolated from other public cloud
infrastructure. Identifying sovereign data from a data pool, storing it in isolated centers and reintegrating some of it substantially challenges service providers’ technological capabilities.
3. Partnerships and alliances: Although there are a large number of European cloud service providers, the scale of their data center ecosystem and its technological capabilities are not as attractive as that offered by global hyperscalers. Observers can expect further tie-ups between local and global players to meet end users’ expectations for hyperscale-grade sovereign services. Complexities will, however, arise while establishing such partnerships from a policy-making perspective and on a technical level. The former will include enforcing European ownership, localized administrators, and immunization of the sovereignty of EU data from foreign
legislation that may delegitimize it. Technical complexities will include not only enforcing physical guardrails to infrastructure of the global hyperscale in which sovereign data is stored but also segregating data based on its sovereignty and enforcing different governance policies. Due to the inherent complexities associated with implementing sovereign data services, it is likely that providers of cloud consulting and managed services will partner with European service providers of public cloud infrastructure.
4. Incorporation of open-source technologies: Providers of sovereign cloud services must negate the probability of vendor lock-ins for their sovereign cloud data services. There will be a growing need to incorporate container-based and opensourced technologies to create an agile application that can easily integrate with other (including hyperscale) environments to maximize interoperability. Membership in not-for-profit organizations such as the CNCF will enable cloud service providers to adopt cloud-native technologies that are more innovative and agile to their sovereign cloud requirements.
5. Industry-specific sovereign cloud services: Many companies in the EU have expressed interest in incorporating sovereign cloud capabilities into their infrastructure. A sizable number of these companies have begun the groundwork in identifying their sovereign cloud service requirements. The number of such companies is expected to swell in the near future. Sovereign cloud service providers should standardize the governance policies based on the industry vertical of the respective customer.
Access to the full report requires a subscription to ISG Research. Please contact us for subscription inquiries.