Sovereign cloud: Should you consider it (and for what use cases)?

Amid the flurry of hyperscaler developments on digital sovereignty and sovereign cloud, it’s time to take a step back.

How should sovereign cloud feature within your (hybrid) cloud strategy? What triggers signal you should be considering it?

In this article, I answer questions like these.

Want to fast forward into how digital sovereignty impacts your cloud strategy? Explore our Digital Sovereignty services to see how it applies to your organisation.

What is sovereign cloud?

Let’s start with a common definition. In essence, sovereign cloud is:

Used to meet requirements on where data resides, provide robust security and make sure you comply with local and regional requirements.

It does this by limiting the geography where data is stored, processed and managed.

The need for sovereign cloud is generally driven by what regulations require. Note that almost every time sovereign cloud is needed, your organisation also needs a hybrid setup for its ICT infrastructure and operations.

Why sovereign cloud instead of "regular" cloud?

Hyperscaler cloud services are secured very well by default. They’re constantly updated to counter the latest vulnerabilities, risks and threats. Monitoring is 24/7. This is core to their business: if they don’t ensure customer data is secure, customers will move elsewhere. In many cases, a “regular” cloud offering meets security and compliance requirements, and there’s no real need for sovereign cloud.

Sovereign cloud comes into play if additional legal, regulatory and/or contractual obligations are imposed externally on your organisation. If you need cloud capabilities alongside the ability to fulfil additional security demands using a segregated platform, then it’s time to consider sovereign cloud.  

For instance, you should consider sovereign cloud if: 

• Data must always reside, move or be processed inside EU 
• Personnel responsible for your cloud platform are all EU citizens (or controlled by EU citizens)

What are typical sovereign cloud use cases?

There’s a degree of nuance involved in deciding when sovereign cloud is needed. Here are 3 common use cases: 

• Case 1: Your data and your environment’s usage data are required to stay inside EU. For example, you’re housing GDPR data along with other data, and the cumulative effect is that it's at a classified (or higher) security level.
• Case 2: Your business continuity strategy is hybrid and you need the ability to DR from data centre(s) to a cloud solution. Normal cloud services may not be enough.
• Case 3: Case 1 + operational restrictions. Cloud metadata and platform management must be under the control of EU citizens. For example, security clearance is required.

These use cases are just the beginning. Get the full roadmap to digital sovereignty in our free guide.

What triggers should you watch for?

For years, the popular phrase has been “cloud first”. Now it should be “regular cloud first”. This means you need to be able to justify why a “regular” cloud offering isn't enough.  

Here are 3 typical examples: 

• Trigger 1: Struggling to find a viable cloud solution – This could be when decision making is focused on data (in transit, at rest and in processing), operational control and geographical limitations. If you’re struggling to meet these requirements, bring sovereign cloud into solution design. 
• Trigger 2: Contracts have strict requirements on data location – Sovereign cloud can provide a way to meet those requirements. This is especially true when discussions are focusing on hyperscaler contracts, their parties and responsibilities. 
• Trigger 3: Questions around operational control – If people are asking questions along the following lines, it’s time to put sovereign cloud on the table: Who has access to the metadata from usage of your cloud environment? Who can engage in security activities, be asked to investigate fraud detection and/or monitor that everything is ok? Who has actual access to the environment?

Is sovereign cloud expensive? Do we need a lot of people?

There is some OpEx overhead to make it sovereign. It’s not a huge amount because it’s based on a standard cloud setup, but sovereign cloud still needs its own infrastructure and operations. Other operational costs related to security, compliance (legal, regulatory and contractual) and fault tolerance are reduced because they’re partly taken care of by the hyperscaler. 

When comparing costs, don’t look at sovereign cloud vs “regular” cloud. Rather, compare sovereign cloud to a colocation data centre with your own OpEx for everything except physical infra and physical security. The result will most likely be that sovereign cloud is less expensive. 

Running sovereign cloud doesn't come with increased personnel requirements. The shared responsibility model still applies. However, some role descriptions may change, meaning additional upskilling may be required.

How does sovereign cloud help with our hybrid operating model?

Hybrid can be on-premises data centre, cloud, sovereign cloud, colocation data centre or any combination of these. 

Most organisations work in a hybrid model already. However, for those that don't, sovereign cloud is the lowest-risk and easiest way to move to hybrid.  

You still need to decide and define strategies in the same way as hybrid, but there’s more decision leverage thanks to the increased compliance, control, restrictions, resilience and encryption.

What sovereign cloud solutions do hyperscalers offer?

Sovereign cloud is a fast-moving area, with hyperscalers providing updates on practically a weekly basis. Use these links to keep up to date: 

• Microsoft Sovereign Cloud – Follow updates here. Microsoft has provided the latest information about EU actions in this blog. (As a side note: Microsoft has also introduced Azure Local, which can help with sovereign cloud).
• AWS European Sovereign Cloud – AWS provides information here.
• Google Sovereign Cloud – Information here.

Nordcloud and IBM are launch partners for AWS European Sovereign Cloud and Microsoft Sovereign Cloud. We’re actively working with the hyperscalers as we help organisations incorporate sovereign cloud into their hybrid and AI strategies. Get in touch if you’d like to arrange a workshop to discuss sovereign cloud for your organisation’s compliance requirements.

Ready to get the digital sovereignty right?

Whether you're navigating compliance, data residency, or strategic autonomy, digital sovereignty is key. Download the Digital Sovereignty Roadmap to get actionable insights.

Download the complete sovereignty planning guide.

Get the practical frameworks you need for evaluating your risks, choosing the right approach and executing your strategy. Your toolkit to make informed sovereignty decisions confidently.

Get the guide