The geopolitical landscape of cloud computing in Europe is changing rapidly. Such an absurd scenario has already occurred, where the United States threatened an EU member state and imposed sanctions on a sitting, duly elected European Commissioner. France’s tough limitations on non-EU cloud providers will come into force in 2025. For this reason, most enterprises are migrating to more of a multi-cloud approach. This transition has caught people off guard all over the continent. It’s especially interesting because four U.S.-based hyperscalers dominate roughly 70% of the EU cloud services market.
These recently proposed measures illustrate the growing concern, particularly among countries that value data sovereignty. They expose the fundamental challenge of trying to thread the needle between European regulations and American tech dominance. The European Commission (EC) has released a two-part framework to assess cloud providers competing for public sector contracts. If adopted, this action could dramatically alter the future of cloud services in Europe.
U.S. Threats and EU Reactions
The U.S. just openly threatened military action against an as-yet unnamed EU member state, sending shockwaves through European political circles. The White House further imposed sanctions on a European Commissioner for promoting laws undermining U.S. interests. This climate of uncertainty has understandably increased fears over data security and sovereignty among European organizations.
Stéfane Fermigier, a leading member of the French tech community, was categorical in his opposition to these news and developments. He stated, “The geopolitical risk isn’t just the most extreme form of a doomsday ‘kill switch’ where Washington turns off Europe’s internet. It is the selective degradation of services and a total lack of retaliatory leverage.”
A growing number of enterprises are questioning their reliance on U.S. cloud platforms. They are increasingly pressured to protect some pretty sensitive data, raising these feelings to a boiling point.
France’s Restrictive Measures
France plans to enforce strict limits on non-EU cloud providers within its public administrations by 2025. The new legislation obligates all cloud suppliers to keep data within the EU frontiers. Additionally, they need to employ EU-based staff, as well as ensure that non-EU shareholders do not control the majority of the firm. These measures are designed to protect the European data sovereignty while fostering the development of local cloud solutions.
More organizations than ever are taking on multi-cloud architectures. Now most of them are looking for partnerships with sovereign or European providers of their sensitive workloads. The European endeavour continues to face formidable hurdles as smaller European companies face impenetrable barriers to compete with established U.S. behemoths.
Many experts believe that the EU is prepared to accept certain trade-offs to enhance its data sovereignty.
The European Commission’s Framework
In October 2020, the European Commission adopted a new framework. This new two-part system is designed to rate cloud providers competing for work with the public sector. This framework builds a “sovereignty ladder” to measure the extent to which bidders comply with EU laws. Lastly, it assesses their cumulative influence on data sovereignty.
The second piece of the framework lays out a more detailed scoring rubric to measure the level of “sovereignty” for each bidder. France serves as a model for how to implement this framework well. It helps to ensure that public sector contracts—like Medicaid, Medicare, and Children’s Health Insurance Program—benefit the compliant providers.
Yet there is still great doubt as to whether these steps will have real impact, especially with regard to loopholes in the Commission’s rulemaking process. Observers have pointed out that promises of cloud sovereignty may ring hollow if a provider’s parent company is subject to U.S. laws like the CLOUD Act.
The 2018 CLOUD Act allows U.S. law enforcement agencies to require U.S.-headquartered companies to produce data when it is stored outside of the United States. This poses serious questions about the security of sensitive data collected by American businesses on European soil.
Likewise, the EU cloud initiative EURO-3C intends to address the digital sovereignty agenda. Its potential is huge and it has garnered wide support from Telefónica, other European companies, and the European Commission’s support. As these types of initiatives get more momentum, they will continue to change the competitive landscape for cloud services in Europe.
Arnold Juffer highlighted the challenges posed by U.S. firms’ stronghold on technology when he remarked, “If you look at AWS, you look at Google, they’ve created some super technology. It’s very convenient, it’s easy to use. Once you’re in that platform, in that ecosystem, it’s very hard to get out.”