What is a sovereign cloud and why is it important for your data protection strategy?

Companies increasingly take to the cloud to store data, and sovereign clouds can help comply with regulatory requirements. Learn how an EU Sovereign Cloud impacts data sovereignty and residency as required by EU laws like the General Data Protection Regulation (GDPR).
Published by Usercentrics
Mar 5, 2024

2023 marked a significant milestone in cloud computing, witnessing the launch of two major sovereign cloud infrastructures.

Google stepped up their portfolio of Sovereign Solutions with the launch of Digital Sovereignty Explorer, a tool aimed at aiding organizations in navigating the complexities of digital sovereignty, particularly focusing on the needs of European organizations. Similarly, Amazon Web Services (AWS) introduced the AWS European Sovereign Cloud, specifically designed for companies operating in highly regulated industries and public sector entities.

These strategic moves are in response to the growing demand within the European Union (EU) for enhanced data residency and sovereignty, reflecting the increasing importance of these concepts in data protection strategy.

We look into the significance of data sovereignty and residency, their critical role in the EU’s data protection landscape, and how the advent of sovereign clouds from Google, AWS, and other tech companies can bolster your data protection strategy.

What is data sovereignty?

Data sovereignty is the concept that digital data is governed by the laws of the country in which it is stored.

The concept has evolved as technology has advanced and data generation has increased. It is a critical issue for organizations that store sensitive data, such as financial information, health records, and personally identifiable information (PII).

A 2022 report from Thales found that 60% of all corporate data was stored in the cloud, with most businesses adopting a multi-cloud strategy.

“Ensuring data sovereignty is a key responsibility for companies that keep data in different countries, each with their own laws and regulations concerning privacy, censorship, and the cross-border data flow,” says Celestine Bahr, Director of Legal, Compliance & Data Privacy at Usercentrics. “Businesses must be aware of global data privacy laws and data sovereignty requirements to maintain compliance and protect their customers’ sensitive information.”

What is data residency?

Data residency is closely related to data sovereignty, but they are not identical concepts. Data residency focuses on the physical location of servers that hold the data.

Companies choose specific locations for data storage based on factors like performance, legal requirements, and customer preferences. Some countries have strict data residency laws requiring companies to store data on servers located within the country. This is to ensure that the data is subject to the country’s laws and regulations and that the country’s government can access it if necessary.

Understanding where data resides is key for companies to ensure they meet regulatory requirements and manage data efficiently.

The need for storing data in the EU

The EU enforces stringent data privacy regulations, notably the General Data Protection Regulation (GDPR) and ePrivacy Directive. Under the GDPR, there is a legal requirement for organizations to store and process data obtained from EU-based users within the EU or in jurisdictions that uphold comparable levels of data protection.

These robust data privacy laws, coupled with concerns about US law enforcement’s potential access to data managed by US-based companies, have led European companies to be cautious in their engagement with US cloud service providers.

A sovereign cloud located in Europe can enable organizations to better align with these data privacy laws.

What is a sovereign cloud?

A sovereign cloud refers to a cloud computing architecture tailored to comply with the specific data regulations and laws of a particular region or country. This type of cloud ensures that data is stored, processed, and managed within the geographical boundaries defined by these laws.

Amid increasing concerns about data privacy in Europe, companies that collect data from EU-based users appear to be embracing sovereign clouds to secure user data in accordance with regulatory requirements.

Sovereign cloud adoption across industries

A 2023 report from Accenture shows that 37% of European companies have invested in sovereign clouds, with 44% planning to do so by 2025.

Cloud sovereignty strategy by sector

Source: Accenture Sovereign Cloud Survey in Europe

According to the report, adopting the sovereign cloud is overwhelmingly either in progress or on the roadmap for the next year for multiple industries, with companies in energy and utilities, insurance, healthcare, and banking and non-insurance financial services leading the way.

Google, Oracle and Microsoft have already launched their EU sovereign clouds. Amazon’s AWS European Sovereign Cloud is the latest to offer data sovereignty in the EU.

Benefits of an EU Sovereign Cloud

EU Sovereign Clouds offer several key features designed to meet data residency and data sovereignty requirements.

Data residency and localization

This involves ensuring that data is stored and processed within an EU member country. EU Sovereign Clouds also allow customers to keep all metadata they create within the EU, ensuring data residency compliance.

Compliance with EU regulations and standards

EU Sovereign Clouds are designed to comply with key EU regulations, such as the GDPR. They adhere to standards and practices that align with EU legal frameworks to manage and protect data.

EU-based operational control

These clouds are operated and supported by EU-resident employees, ensuring compliance with local laws and regulations.

Enhanced security measures

These clouds implement advanced security protocols and technologies to protect data from unauthorized access, breaches, and other cyber threats. This includes measures like sophisticated encryption, secure access controls, and continuous monitoring for potential vulnerabilities.

These features collectively enable EU Sovereign Clouds to provide a secure and compliant environment for data storage and processing, in line with the specific legal and regulatory requirements of the European Union.

Why sovereign clouds matter for data protection

Sovereign clouds provide a cloud environment that aligns with the data sovereignty and data residency laws of a specific country or, in the case of European Sovereign Clouds, a specific region.

By keeping data within the jurisdiction, sovereign clouds minimize the risk of unauthorized access and data breaches that can occur when data is transferred across borders. This is particularly important for organizations such as government agencies, healthcare providers, and financial institutions that handle personal or sensitive information.

Further, sovereign clouds offer advanced security measures to protect data from cyber threats. They use encryption to protect data in transit and at rest, access controls to limit who can access the data, and monitoring systems to detect and respond to potential security incidents.

The key features of sovereign clouds provide organizations with enhanced protection for user data in accordance with regulatory requirements.

Data sovereignty: Impact and implications on regulatory compliance

The launch of the AWS European Sovereign Cloud, alongside the offerings from Google, Oracle, and Microsoft, signifies the growing importance of data sovereignty and regulatory compliance in the tech industry, particularly within Europe.

European companies that opt for an EU sovereign cloud are taking a significant step towards GDPR compliance in terms of safeguarding user data. This not only enhances data security but also builds trust with users, who are increasingly aware of and concerned about how their data is managed.

The move towards data sovereignty and enhanced privacy measures underscores a broader shift in how data is viewed and handled, marking a new era in responsible and compliant data management.

EU Sovereign Clouds, the Digital Services Act (DSA), and the Digital Markets Act (DMA)

Data protection and digital sovereignty have gained significant attention in recent years in the EU. The European Commission (EC) has proposed the Digital Services Act and the Digital Markets Act to regulate digital services and address concerns related to data protection, competition, and market concentration.

Digital Services Act (DSA)

The Digital Services Act aims to establish a harmonized regulatory framework for digital services, including cloud computing.

The DSA regulates online intermediaries and platforms, including hosting services encompassing cloud and web hosting services. Although the European Commission has not specified a list of hosting services that fall under the regulation’s ambit, sovereign clouds as hosting services must prepare to meet its requirements.

The regulation introduces new obligations for online platforms and cloud service providers, including transparency reporting, providing information to users, requirements for terms of service, and reporting of criminal offenses. The situation is still developing, and companies that use these cloud computing services may need to meet the Digital Services Act’s requirements as well.

By fulfilling these requirements, EU Sovereign Clouds will enable transparency to users, which is also a pillar of the Digital Markets Act.

Digital Markets Act (DMA)

The Digital Markets Act is a regulation that imposes obligations on large tech platforms that the EC has designated as gatekeeper companies.

Amazon, Alphabet (Google), and Microsoft are all gatekeepers under the DMA, although their cloud services — AWS, Google Cloud, and Azure respectively — are not designated core platform services. This may change in the future as the EC assesses platforms and products to determine if they fulfill the criteria laid down under the DMA for this designation.

Under the DMA, gatekeepers are required to take strict measures for user privacy and consent management. Google has taken steps to reinforce data protection and user privacy with changes to its products and services, namely Google Consent Mode V2 and the requirement to use a Google-certified consent management platform (CMP) that integrates with the Interactive Advertising Bureau’s (IAB) Transparency and Consent Framework (TCF) to serve ads in certain regions in Europe.

The introduction of EU Sovereign Clouds is a step by these companies towards DMA compliance. It enables data from the EU to receive the level of protection that EU laws (including the GDPR) require.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.