Jurisdiction Adaptation

European Union

Sovereign cloud framework adapted for EU institutions and member states, aligning with GDPR, NIS2 Directive, European Interoperability Framework, and Gaia-X.

---

€15-25B Annual government cloud spend

~80% To US providers (AWS, Azure, GCP, OCI)

27 Member states

450M Citizens affected

---

1. Governance Framework Mapping

EU-Level Standards

Framework	Owner	Relevance to Sovereign Cloud
European Interoperability Framework (EIF)	European Commission	Cross-border interoperability principles; sovereign cloud must enable
ISA² / Interoperable Europe	DIGIT	Reusable solutions catalogue; sovereign platform standards
GDPR	EU (EDPB)	Data protection baseline; Schrems II restricts US transfers
NIS2 Directive	ENISA	Critical infrastructure security; cloud providers in scope
Gaia-X	Gaia-X Association	European federated data infrastructure; alignment opportunity
EU Cybersecurity Act	ENISA	Certification framework for cloud services

Schrems II Implications

The European Court of Justice (Schrems II, 2020) invalidated the EU-US Privacy Shield, ruling that US surveillance laws (FISA 702, Executive Order 12333) are incompatible with EU fundamental rights.

This ruling provides strong legal foundation for sovereign cloud migration: EU law already recognises that US cloud services cannot guarantee adequate data protection.

---

2. Compliance Requirements

Data Protection

EU GDPR

• Article 44+ on international transfers
• No adequate US adequacy decision
• SCCs insufficient without supplementary measures
• Data localisation as technical measure
• €20M or 4% global turnover fines

NIS2 Directive

• Applies to cloud service providers
• Essential and important entities
• Security requirements and reporting
• Supply chain security mandates
• Board-level accountability

Security Classification Considerations

EU member states maintain national classification systems. Common principles:

• EU RESTRICTED: Basic level for EU institution documents
• EU CONFIDENTIAL: Serious damage if compromised
• EU SECRET: Critical EU interest damage
• National schemes: France (Confidentiel Défense), Germany (VS-Vertraulich), etc.

---

3. European Sovereign Supplier Ecosystem

Europe has a strong ecosystem of sovereign cloud providers:

Provider	Country	Capabilities	Scale
OVHcloud	France	Full IaaS/PaaS, dedicated cloud, bare metal	33 datacenters, 400k customers
Hetzner	Germany	IaaS, dedicated servers, cloud	Major EU provider, competitive pricing
Scaleway	France	IaaS, Kubernetes, object storage, AI	Paris, Amsterdam datacenters
IONOS	Germany	IaaS, enterprise cloud, managed services	Part of United Internet AG
T-Systems	Germany	Sovereign cloud, managed services	Deutsche Telekom subsidiary
Orange Business Services	France	Managed cloud, hybrid solutions	Major telco backing

Gaia-X Alignment

Gaia-X is the European initiative for federated data infrastructure. The sovereign cloud initiative should align with Gaia-X principles:

• Data sovereignty and portability
• Federation and interoperability
• Transparency and trust
• European values and regulations compliance

---

4. Member State Coordination

Major Member State Cloud Initiatives

Member State	Initiative	Status
France	Cloud de Confiance, SecNumCloud certification	Active; strict sovereignty requirements
Germany	Bundescloud, BSI C5 certification	Active; federal cloud strategy
Italy	Polo Strategico Nazionale	Implementing national strategic hub
Spain	ENS (National Security Scheme)	Security certification framework
Netherlands	Rijkscloud	Government cloud programme

Coordination Mechanisms

EU sovereign cloud migration requires multi-level coordination:

• EU Institutions: European Commission DGs, European Parliament, Council
• Agencies: ENISA (cybersecurity), DIGIT (digital services)
• Member States: National CIOs, cybersecurity authorities
• Cross-border: CEF Digital, Connecting Europe Facility

---

5. EU Migration Roadmap

Phase 0: Coordination & Planning (Months 1-12)

• EU-level coordination mechanism establishment
• Member state cloud dependency audit
• Common procurement criteria development
• Gaia-X alignment assessment

Phase 1: EU Institutions Pilot (Months 13-24)

• European Commission internal systems pilot
• Validate European provider capabilities
• Establish EU-level security baselines
• Document interoperability requirements

Phase 2: Member State Pilots (Months 25-36)

• Lead member states begin migration (FR, DE, IT, NL)
• Cross-border data sharing pilots
• Supplier capability scaling
• Best practice sharing

Phase 3-4: Broad Rollout (Months 37-72)

• All member states begin migration
• EU institution full migration
• Critical infrastructure prioritised
• Cohesion funding for smaller member states

Phase 5-6: Completion (Months 73-96)

• Full sovereign cloud operation
• US cloud exit completed
• European digital sovereignty achieved

---

6. EU Investment Case Summary

Investment Required

€25-50 billion over 8 years

• EU institutions: €3-5B
• Major member states: €15-30B
• Smaller member states (cohesion): €5-10B
• Cross-border infrastructure: €2-5B

Returns

€75-150B+ value over 10 years

• Risk mitigation: €50-100B
• Economic return: €15-30B
• Strategic autonomy: Priceless
• Schrems II compliance: Required

Funding mechanisms: Recovery and Resilience Facility, Digital Europe Programme, Cohesion Funds, InvestEU, and national budgets. Multi-annual Financial Framework (MFF) allocation for digital sovereignty.

---

Recommended Immediate Actions for EU

1. European Commission Communication on digital sovereignty and sovereign cloud strategy
2. ENISA assessment of US cloud dependencies across member states and institutions
3. Gaia-X acceleration with government use-case focus
4. EU procurement directive update with sovereign cloud criteria
5. Member state CIO coordination mechanism establishment
6. Cohesion funding allocation for smaller member state participation