Sovereign Cloud: Europe needs a Sovereign Cloud Code of Conduct

According to a study, there is a great need for a sovereign cloud in Europe. However, there is no common understanding of exactly what that is.


What is a sovereign cloud, and where does the need for it come from? Lawyer Johan David Michels from Queen Mary University of London investigated these questions as part of the Cloud Legal Project on behalf of Broadcom.

According to Michels, a sovereign cloud can mean different things depending on whose perspective you take. From the user's perspective, it is about control over the cloud resources used and over data access. This is driven by the fear that foreign governments could access the data, for example under the US CLOUD Act, and by the requirements of national and EU regulations such as the GDPR. There are particular concerns in sensitive sectors such as healthcare, critical infrastructure and defense.

European politicians see the sovereign cloud as part of the debate on digital sovereignty and strategic autonomy to avoid excessive dependence on US services – a concern that is growing in light of US President Trump's “America First” agenda. Finally, for European cloud providers, sovereignty is an opportunity for differentiation. US hyperscalers, on the other hand, market their own “sovereign” services, which are met with skepticism by users.

Michels points out that there is no binding definition of a sovereign cloud, and that the requirements of the GDPR in relation to data processing in the cloud are not entirely clear either. This creates legal uncertainty and allows both European and US cloud providers to describe their services as sovereign. In addition, the Data Act will bring further obligations for cloud providers from September 2025.


The researcher therefore proposes that the cloud industry develop a joint Sovereign Cloud Code of Conduct in coordination with regulatory authorities that considers the requirements of the GDPR and Data Act. The Sovereign Cloud Code of Conduct should provide legal certainty for providers and users and ensure that the risks for people whose data is processed are minimized. To this end, it should provide for various models to reduce the risk of access by foreign governments – from hosting with European providers that are not subject to US jurisdiction to technical measures such as pseudonymization or encryption.

The Sovereign Cloud for Europe study discusses further aspects of the sovereign cloud and is available to download free of charge.

(odi)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.