What is Cloud sovereignty really about?

In the conversations about Cloud sovereignty, one central issue always emerged: protecting data in the Cloud and data processed from the Cloud. We see that there are several components focused around data from sovereignty principles:

Jurisdiction: Cloud is everywhere and nowhere, so what about laws around exploitation? What law applies the moment something arises when using Cloud? Is it then the origin of the provider that determines which laws apply? Or is it the place where data is stored and processed that is leading?

Regulation: by now we are all familiar with the RGDP legislation, which was also imposed from Europe to protect its citizens. But in addition, there are other laws in Europe, such as the Data Act, as well as the AI Act that became active in the summer. This new law describes how to handle data applied in training AI models.

Architecture: the Cloud platform chosen and the way data is stored is central to this and is a principle when it comes to sovereignty. For example, making sure data is stored securely by providing it with encryption is the standard today, but will already be thought about going forward. With the advent of quantum computing, being able to crack the encryption mechanism will become easy and we will have to look at such matters as tokenization of data.

‍

ENISA: regulation and certification of Cloud services

In Brussels, several speakers reflected on the above mentioned sovereignty principles. For example, ENISA - the body for certifying markets and standards - explained how it looks at Cloud sovereignty. Conclusion: a certification around 'sovereign Cloud' will never happen, but a working group from Spain, Portugal and France is busy setting up a Cloud Scheme. This should form the foundation for an EU Cloud Act that has yet to be adopted. This Cloud Scheme is expected to be adopted in 2025, but depends on the approval of all member states. ENISA is also working on an EUCS: an EU Cybersecurity Certification Scheme to standardize and regulate cyber resilience. This was adopted early this year, marking a milestone in being able to certify the digital market within the EU.

‍

When looking at all the certifications within Europe and the target domains of Cloud, we see that a lot of regulation applies:

‍

Developments at Cloud Providers regarding sovereign Cloud

In addition to the initiatives from the EU commissions, the day also covered developments in the market. How do Cloud Service Providers and Cloud Consultants look at sovereignty in their services?

A number of providers spoke up. For example, OVHcloud has begun to position itself as the sovereign initiative alongside hyperscalers. They reason, similar to Fundaments, from a European principle of sovereignty: they have set up legislation with entities operating locally in each European country, combined with storage in the customer's country of origin. In addition, they use the highest standards for data storage. In their service catalog, they can offer 100+ services on a menu similar to the big hyperscalers.

Other concurring colleagues, such as Orange Sweden, invest the definition of sovereignty in the regional aspect: where data is stored, where EU sovereignty is guaranteed by operating within European zones. In this, you can see that they are looking from an EU lens and therefore not using a national definition.

ITQ presented its ITQ Cloud platform, which positions the managed sovereign Cloud as an option alongside the managed private or public Cloud and managed Software as a Service (SaaS) service. Sovereignty translates to regulation on data within the Cloud platform.

‍

Sovereignty in AI technology

Finally, during the event, NVIDIA demonstrated its ability to process specific data within a regulated environment, in this case the Indian government, with Retrieval Augmented Generation (RAG) AI on legal files. The result: a chatbot that can make legal files available to judges, lawyers and citizens, in the various languages India has. Incredibly interesting. You can read more about it here: https://blogs.nvidia.com/blog/what-is-sovereign-ai/

In conclusion, with all the technical developments, it is important to maintain the right balance between applications involving new technology versus protecting data with legislation, frameworks and certifications. This all comes together in the sovereignty of Cloud and data platforms. I am very curious to see how this balance will evolve again in the coming year. Regulating our data is certainly a good thing because the ease with which we as users share and generate data requires regulation in the platform offered, especially when it comes to mission-critical data.

And speaking of data, now that the initial hype for Artificial Intelligence is over and further consideration is being given to how AI can really be deployed for the organization, the discussion about where data resides in an organization and how it is protected arises. Because to properly deploy AI, having a grip on the data from all systems and (Cloud) platforms is crucial. So, gathering the data correctly in a datalake for deployment of statistics and as a next step artificial intellgence and machine learning, is crucial and usually the biggest challenge.

This is something I will elaborate on in my next blog article, 'The next station in the data journey of organizations: AI'.

‍