Yet that doesn’t mean only European providers can offer sovereign cloud solutions. American providers might also be able to protect customer data from United States government access through technical measures such as client-side encryption, encryption with third-party key management or confidential computing. If securely implemented, the American provider can then only disclose data in its encrypted form. In addition, United States law allows cloud providers to challenge production orders under certain circumstances, including on the basis of comity. Whether such measures can reduce the risk of foreign government access to an acceptable level depends on the nature of the data and the specific use case.

Hosken: At Broadcom, we’re seeing growing customer interest in building sovereign clouds across Europe. What’s driving this demand?

Michels: I see regulation as one of the main drivers for European customers seeking to protect their cloud data. This is particularly true of the GDPR, given the high level of potential fines. Admittedly, the EU and the United States have made progress on international data transfers and on increasing the level of protection for European personal data, including through the EU-US Data Privacy Framework. Nonetheless, there remains a level of legal uncertainty as to whether American providers can provide an appropriate level of security and offer sufficient guarantees of compliance when acting as processors of European personal data. An example of this uncertainty is the European Data Protection Supervisor’s enforcement action regarding the EU Commission’s use of Microsoft 365. In France, the CNIL [National Commission on Informatics and Liberty] has also repeatedly raised concerns about the use of American cloud providers.
This problem applies especially to so-called special category data, such as those relating to health and ethnicity, which are subject to strict rules under the GDPR.

Some member states also have domestic legal requirements for sovereign cloud, which apply at the national level. These typically apply to the public sector and to operators of critical infrastructure, as with the French SecNumCloud scheme. That said, regulation isn’t the only driver. Many customers also seek to protect commercially sensitive information and trade secrets from foreign government access.

Hosken: Will European organizations move all their data to sovereign clouds or is there a case for multi-cloud?

Michels: European customers will continue to use the traditional cloud services of American hyperscalers. But many organizations also need to think more strategically about which data belong in which IT environment. Different environments suit different workloads depending on technical and security requirements, cost and regulatory compliance. For example, some workloads benefit from the scalability and functionality that American hyperscalers offer, while other, more sensitive data require additional protection. So, for some customers, there is a strong case for cloud deployments that combine traditional hyperscale cloud with sovereign cloud solutions.
