noun_Email_707352 noun_917542_cc noun_Globe_1168332 Map point Play Untitled Retweet

Why sovereign cloud is a hot topic – 5 tips, and the background

What is sovereign cloud, and how can your organisation benefit from it? In this blog post, Wenche Karlstad guides you through the regulatory maze and explains how to deal with sensitive data in cloud.

Wenche Karlstad / November 09, 2021
Watch also related webinar!

Sovereign cloud is not a new concept. It has just become very topical due to a changing geopolitical landscape and new regulations that affect control of data. To put it briefly, sovereign cloud provides a smart solution for an international battle of digital sovereignty, but let’s dig a little deeper.

Behind the move to make clouds sovereign is the need for digital sovereignty. In practice, this is all about data: where does it reside, where is it flowing, and who has control over it? These questions are critical for a modern data economy, where data means power. Inevitably, cloud services come under the spotlight. They are the engines of the data economy.

Solving the legal limbo around cloud services

European industries and public sector organisations are storing more and more data in cloud data centres. As everyone knows, this playground is dominated by American tech giants. Now, regulation has caused a legal limbo around cloud. Among the driving factors are the US Cloud Act and similar laws in other countries such as China. They are in conflict with new EU rules and decisions by the EU Court of Justice, in particular a ground-breaking case coined Schrems II.

The European Union wishes to mitigate dependence and the risk of foreign access to critical data, also considering that cloud is the powerhouse of AI, and other essential technology. EU regulations, such as GDPR, Data Act and Data Governance Act, are meant to control the flow of data across borders to prevent the risk of access to data by non-European authorities. In particular, the rules demand that sensitive or critical data stay on sovereign soil. This is emphasised in the Schrems II judgment. As a result, Chief Data Privacy Officers now need to understand and assess what data is stored in the cloud and whether any of that data is being transferred outside of the EU.

Also read our previous blog: What you should know about CLOUD Act, Schrems II, Gaia-X and data sovereignty regulations

As an example, public cloud providers may guarantee that data stored on their EU servers is under the customer’s control. But in their privacy statements, they distinguish customer data from account information, or metadata, very clearly, and explicitly say that they reserve the right to keep or transfer metadata wherever they choose. The amount of metadata that public cloud providers are collecting is much greater than people realise. The collection is often automatic and may include data such as IP addresses, credentials, as well as logging and diagnostic reports.

However, the point here is not to say “stop using public cloud services”, but rather to say “do a thorough data classification and application assessment to secure compliance”. Organisations must deploy the right applications and the right data into the right cloud.

It is necessary to differentiate what data can be classified as critical according to national and regional security standards. First, there are different classification tiers such as public, confidential or restricted data, which vary by country or region. Second, there are different types of industry data such as national, corporate, or personal. That is why the first thing to do is a full data and application assessment.

Sovereign cloud to ensure data sovereignty

Today, sovereign cloud lacks a definition that is commonly accepted or used in the industry. But fundamentally it is about data, its ownership, trust, control, national interests, and compliance with regulations. Why?

A sovereign cloud ensures all data including metadata stays on sovereign soil and prevents foreign access to data under all circumstances. It provides a trusted environment for storing and processing data that can never be transferred across borders and must remain under one jurisdiction. Sovereign cloud is really about protecting and unlocking the value of critical data. Sovereign clouds are mature and well-established solutions that are part of emerging multi-cloud landscape. They also provide all the other core benefits of cloud such as agility, security and automation.

In the end, sovereign cloud should be a part of a multi-cloud strategy. It just demands understanding that not all data is the same and that there are differences between clouds. The clouds have a different value proposition, and organisations must use each flavour side by side. It’s time to update your cloud strategy to match the current regulatory maze and take sovereign cloud as part of the palette.

5 recommendations for sovereign cloud

  1. Classify your data, and for critical and sensitive data, mitigate all risks including data sovereignty and foreign access risks.
  2. Create a Chief Data Privacy Officer or Data Guardian role in your organisation.
  3. Understand your data flows and conduct a data protection impact assessment (DPIA) before moving to the cloud.
  4. Shift from Cloud First to Cloud Smart, deploying the right data/workload into the right cloud.
  5. Engage a partner as a trusted multi-cloud advisor to guide you.

Above all, digital sovereignty is the right of the nations, organisations and citizens to have control over their digital autonomy and their data. The sovereign cloud infrastructure is the connected ‘highways’ needed to unlock all the potential of the data-driven economies and promote the innovation of the society through digital technologies. Digital ecosystems need to flourish through collaboration and open access to commonly architected data hubs. The values of openness, trust and transparency, as well as the inclusiveness that we are proud of in the Nordic countries deserve to be guaranteed through digital empowerment.

We are here to guide you through the maze, so don’t hesitate to contact us to continue the discussion.

Watch our livecast: Navigate the data sovereignty maze – from cloud first to cloud smart!

About VMware’s Sovereign Cloud

VMware is part of the Gaia-X project and also has its own sovereign cloud initiative. VMware recognises partners like TietoEVRY that are building, operating and selling sovereign clouds in a specific jurisdiction, i.e., the Nordic countries. VMware has a set of requirements that allows cloud providers to attest that their cloud platform aligns with the strategic principles of data sovereignty and digital sovereignty. This way, VMware can connect its customer to approved partners very quickly. Find out more here.

Wenche Karlstad
Head of Customer Value and Service Offering Development

Wenche is passionate about creating value for our customers and enabling growth with attractive service offerings. She has near twenty years of experience in the IT business with different roles within management and advisory, bringing new services to the market.

In her current role as Head of Customer Value & Service Offering, she is leading a global team of experts and managers.


Wenche Karlstad

Head of Customer Value and Service Offering Development

Share on Facebook Tweet Share on LinkedIn