How to start with sovereign cloud: A practical playbook for real teams | Ladybug Unplugged | Episode 5.

Lysa Banks:
One thing I’m hearing from you really takes me back to advice I’ve given organisations on their cloud and modernisation journeys — even before sovereignty entered the conversation.

I often talk about fit‑for‑purpose infrastructure. You look at the application, look at the workload, and choose the platform that fits best. That might be on‑premises, on a mainframe, or in public cloud running in containers. The question is always: what does this workload actually need?

It sounds like sovereignty is another lens for making those decisions. Not all workloads are equal. Some are regulated, some handle sensitive customer data, and some don’t. That naturally leads into risk assessment.

So let’s get practical. Where should organisations actually start when approaching digital sovereignty or sovereign cloud?

Sander Nieuwenhuis:
That’s exactly the question we asked ourselves as well, especially when interest in sovereignty increased significantly.

There are two things that really matter at the beginning.

The first step is simple, but often overlooked: put all relevant stakeholders in one room and talk about it. There’s a lot of misinformation and misunderstanding around sovereignty, and organisations need a shared understanding of what it actually means for them.

They also need awareness of what’s happening in the market. Hyperscalers are launching new sovereign offerings, and European partners and providers are emerging. Organisations need to understand those developments before making decisions.

So step one is alignment — getting on the same page.

Lysa Banks:
And after that initial alignment?

Sander Nieuwenhuis:
The second step is creating an inventory. Organisations need to understand what data they have, what workloads they run, and where that data is being processed.

Many organisations believe they have this covered because their cloud workloads run in European regions. But they often overlook SaaS platforms, third‑party services, and now AI systems that move data in less visible ways.

Without a clear view of your current situation, you can’t assess risk properly.

Lysa Banks:
And that leads naturally to risk assessment.

Sander Nieuwenhuis:
Exactly. The third step is conducting a structured, risk‑based assessment.

Some organisations can do this internally. Others may need external support, depending on their size and complexity. The key is that the assessment is grounded in reality and aligned with business priorities.

So the first steps are: shared understanding, inventory, and then risk assessment.

Lysa Banks:
Let’s do a bit of a reality check. I often hear people say that hyperscaler sovereign cloud offerings are just another region with better marketing and a higher price tag. True or false?

Sander Nieuwenhuis:
The perception exists, but the reality is more nuanced. Hyperscalers have introduced additional services that do enhance sovereignty.

That said, organisations need to look beyond the marketing and understand what those services actually provide and whether they meet their specific needs.

In some sectors, like defence, sovereign cloud offerings can be an opportunity rather than a threat — allowing workloads to move to the cloud with appropriate guarantees. But only if those offerings are properly understood.

Lysa Banks:
Another challenge is trust. Even with contractual guarantees, it’s hard to prove a negative — that no unauthorised access will ever occur. What else can organisations do beyond relying on contracts?

Sander Nieuwenhuis:
Trust is part of it, but so is insurance.

Organisations can add technical layers on top of hyperscaler platforms. For example, abstracting workloads using platforms like container orchestration makes it easier to move workloads if needed.

Customer‑managed encryption keys are another option, although they add complexity and operational overhead. They can increase trust, but they must be weighed against effort and risk.

At some point, absolute independence becomes impractical. Much of the hardware we rely on isn’t built in Europe. A certain level of trust is unavoidable.

Lysa Banks:
That brings me to something I often call security theatre. What do you see organisations doing that creates a false sense of sovereignty?

Sander Nieuwenhuis:
I see a lot of discussion, but not enough action. Sovereignty becomes philosophical instead of operational.

Organisations should focus on running their business and ensuring continuity, using sovereignty as a trigger to reassess risks and dependencies — not as an abstract goal.

Lysa Banks:
Let’s finish with some quick hot takes. Overrated or underrated: customer‑managed keys?

Sander Nieuwenhuis:
Overrated. They add complexity and effort, and the benefit is often overstated.

Lysa Banks:
Air‑gapped deployments?

Sander Nieuwenhuis:
Also overrated. Truly air‑gapped systems are impractical for most organisations. They only make sense for very specific, high‑value intellectual property.

Lysa Banks:
What’s the most overused buzzword in sovereignty discussions?

Sander Nieuwenhuis:
The Cloud Act. It dominates discussions, but in practice it applies to a small subset of workloads. Organisations should protect what truly matters and not over‑index on it.

Lysa Banks:
And the biggest misconception about data residency versus control?

Sander Nieuwenhuis:
Where data is stored matters less than who has access to it. Sovereignty is about control and continuity, not just location.

Ultimately, sovereignty isn’t the problem. It’s a trigger to reassess business continuity. The real question is whether your organisation can keep operating when conditions change.

Lysa Banks:
That’s a great place to end. Sander, thank you so much for joining.

Sander Nieuwenhuis:
Thank you.

Lysa Banks:
Thanks to everyone for listening to Ladybug Unplugged. This is where we keep it real.