Beyond Borders: The Role of the Sovereign Cloud in Digital Resilience

In today’s environment, the sovereign cloud relates closely to digital sovereignty. Digital sovereignty refers to how a country or government regulates and exercises control over technology and services that are in use within the nation. A sovereign cloud is a cloud platform that helps organizations or nations achieve their digital sovereignty requirements. A sovereign cloud ensures that all data, including metadata, are stored within national borders and prevents foreign access to the data under all circumstances.

Europe is leading the charge for sovereign cloud solutions. European governments, industry regulators, and enterprises are all working together to develop frameworks centering around supporting technology development within the European Union (EU) and greater restrictions on non-EU entities in the EU market. Consequently, cloud hyperscalers such as Amazon Web Services (AWS) will be launching a new independent sovereign cloud for Europe that provides public sector customers and customers in highly regulated industries more choices, and flexibility to address the evolving digital sovereignty requirements in the EU.

Microsoft Cloud for Sovereignty, which will be in general availability in December 2023, is designed to help governments unlock cloud innovation through several sovereign controls, including Sovereign Landing Zones that provide guardrails for sovereign cloud environments for customer workloads. Microsoft Cloud for Sovereignty also supports Italy's Agency for National Cybersecurity (CAN) requirements and the Netherlands’ BIO regulation, a basic information security framework.

VMware announced new data and security services for more than 50 VMware Sovereign Cloud providers worldwide, enabling VMware’s cloud service provider partners to deliver best practices and technical architecture requirements for national jurisdictions where the sovereign cloud operates, as mandated by the relevant government.

Three out of the top five largest cloud platforms are operated by U.S. cloud hyperscalers and laws like the Clarifying Lawful Overseas Use of Data (CLOUD) Act require organizations or governments to share their data with U.S. authorities as and when needed, even if the data are stored outside of the United States. This has accelerated the need for governmental agencies and industry regulators to adopt sovereign clouds that comply with local data and privacy laws. The CLOUD Act gave birth to Gaia-X, which is an initiative to develop a federated and secure data infrastructure for Europe, to ensure European digital sovereignty. It also aims to develop digital governance based on European values of transparency, openness, data protection, and security.

In addition to serving the demands of a government or the public sector, the sovereign cloud also meets the requirements of organizations in highly regulated industries like banking, insurance, and healthcare, as well as those that must abide by data protection regulations like the General Data Protection Regulation (GDPR). By using sovereign cloud safeguards that are tailored to local jurisdiction and compliance, these organizations—which would otherwise have to keep and handle consumer personal data on-premises—can migrate to the cloud.

Sovereign clouds are also being used by governments that are keen to leverage Artificial Intelligence (AI)/Machine Learning (ML) use cases to accelerate national interest and citizen well-being. An example of an AI-powered sovereign cloud is Singapore’s Centre for Strategic Infocomm Technologies (CSIT) working together with Google Cloud using AI to tackle defense and security needs, leveraging Google’s Distributed Cloud (GDC) Hosted. The GDC Hosted sovereign cloud is a fully isolated environment hosted in Singapore and is used to deploy vision AI systems to analyze battle equipment in the field, analyze sensitive data, and translate classified phone conversations in real time. CSIT retains operational control of the data and software, and Google cannot access any data that are hosted through GDC Hosted.

Data play a crucial role in driving economies, accelerating innovation, and improving public services. Control and governance of critical data is crucial, so governments and organizations are focusing on ensuring proper legal compliance of data storage to prevent unauthorized access. Although sovereign cloud activities are mainly centered in the European region, for now, ABI Research expects sovereign cloud activities to intensify in Asia-Pacific very soon. Asia, especially, is currently very restrictive in terms of data residency. Indonesian banks, for example, are required to have data centers and disaster recovery centers that are located within the country. Organizations in China cannot transfer customer and employee data outside of China.

The growing popularity of generative AI will continue to dominate technology headlines, along with the public cloud as the de facto platform to develop and deploy generative AI solutions. However, for organizations digging deeper into building use cases for generative AI as a competitive differentiator, it has become clear that data security, data privacy, and digital sovereignty compliance make it impossible for organizations in highly regulated industries to deploy generative AI in the public cloud. This is where if a strategically developed sovereign cloud is deployed, compliance to local data residency can be achieved as the sovereign cloud sits within the local jurisdiction of the country, eliminating conflicts from multiple regulations and law jurisdictions.

Ultimately, most, if not all governments and organizations will have a mix of cloud platforms, and that will not change. The sovereign cloud addresses digital sovereignty challenges, while the public cloud still reigns supreme in terms of scalability and flexibility for computing power requisition. On-premises data centers will continue to house mission-critical business applications, while the private cloud addresses efficient workload processing without compromising privacy.