Sovereign cloud is not a new concept. It has just become very topical due to a changing geopolitical landscape and new regulations that affect control of data. To put it briefly, sovereign cloud provides a smart solution for an international battle of digital sovereignty, but let’s dig a little deeper.
Behind the move to make clouds sovereign is the need for digital sovereignty. In practice, this is all about data: where does it reside, where is it flowing, and who has control over it? These questions are critical for a modern data economy, where data means power. Inevitably, cloud services come under the spotlight. They are the engines of the data economy.
Solving the legal limbo around cloud services
European industries and public sector organisations are storing more and more data in cloud data centres. As everyone knows, this playground is dominated by American tech giants. Now, regulation has caused a legal limbo around cloud. Among the driving factors are the US Cloud Act and similar laws in other countries such as China. They are in conflict with new EU rules and decisions by the EU Court of Justice, in particular a ground-breaking case coined Schrems II.
The European Union wishes to mitigate dependence and the risk of foreign access to critical data, also considering that cloud is the powerhouse of AI, and other essential technology. EU regulations, such as GDPR, Data Act and Data Governance Act, are meant to control the flow of data across borders to prevent the risk of access to data by non-European authorities. In particular, the rules demand that sensitive or critical data stay on sovereign soil. This is emphasised in the Schrems II judgment. As a result, Chief Data Privacy Officers now need to understand and assess what data is stored in the cloud and whether any of that data is being transferred outside of the EU.
Also read our previous blog: What you should know about CLOUD Act, Schrems II, Gaia-X and data sovereignty regulations
The amount of metadata that cloud providers are collecting is much greater than people realise. The collection is often automatic and may include data such as IP addresses, credentials, as well as logging and diagnostic reports. The recommendation is to do a thorough data classification and application assessment to secure compliance. Organisations must deploy the right applications and the right data into the right cloud, whether it is private, hybrid or native public cloud.
It is necessary to differentiate what data can be classified as critical according to national and regional security standards. First, there are different classification tiers such as public, confidential or restricted data, which vary by country or region. Second, there are different types of industry data such as national, corporate, or personal. That is why the first thing to do is a full data and application assessment.
Sovereign cloud to ensure data sovereignty
Today, sovereign cloud lacks a definition that is commonly accepted or used in the industry. But fundamentally it is about data, its ownership, trust, control, national interests, and compliance with regulations. Why?
A sovereign cloud ensures all data including metadata stays on sovereign soil and prevents foreign access to data under all circumstances. It provides a trusted environment for storing and processing data that can never be transferred across borders and must remain under one jurisdiction. Sovereign cloud is really about protecting and unlocking the value of critical data. Sovereign clouds are mature and well-established solutions that are part of emerging multi-cloud landscape. They also provide all the other core benefits of cloud such as agility, security and automation.
In the end, sovereign cloud should be a part of a multi-cloud strategy. It just demands understanding that not all data is the same and that there are differences between clouds. The clouds have a different value proposition, and organisations must use each flavour side by side. It’s time to update your cloud strategy to match the current regulatory maze and take sovereign cloud as part of the palette.
5 recommendations for sovereign cloud
- Classify your data, and for critical and sensitive data, mitigate all risks including data sovereignty and foreign access risks.
- Create a Chief Data Privacy Officer or Data Guardian role in your organisation.
- Understand your data flows and conduct a data protection impact assessment (DPIA) before moving to the cloud.
- Shift from Cloud First to Cloud Smart, deploying the right data/workload into the right cloud.
- Engage a partner as a trusted multi-cloud advisor to guide you.
Above all, digital sovereignty is the right of the nations, organisations and citizens to have control over their digital autonomy and their data. The sovereign cloud infrastructure is the connected ‘highways’ needed to unlock all the potential of the data-driven economies and promote the innovation of the society through digital technologies. Digital ecosystems need to flourish through collaboration and open access to commonly architected data hubs. The values of openness, trust and transparency, as well as the inclusiveness that we are proud of in the Nordic countries deserve to be guaranteed through digital empowerment.
We are here to guide you through the maze, so don’t hesitate to contact us to continue the discussion.
Watch our on-demand event: Navigate the data sovereignty maze – from cloud first to cloud smart!
Learn more about our services here to ensure that your data is protected and kept sovereign with a trusted, cloud infrastructure and data platform provider.