There are different components to a successful cloud policy, including policies to spur adoption and cross-border cloud integration in the EU, and more investment in R&D. EU policymakers should adopt a dynamic perspective rather than fixating on static market shares, and pursue policies that prioritize innovation and technological advancement over merely seeking to catch up on current technologies. The cloud market and the broader Internet market are going through rapid changes, leading to new services and new competition. A future-oriented approach to cloud policy advocates for policies that foster competition, drive technological progress, and enable interoperability, all of which align with the dynamic nature of cloud services and global markets.
European policymakers are rightly concerned about Europe’s performance in cloud and the world of computing and services that run on the cloud. However, all too often these concerns manifest themselves in a knee-jerk defensiveness over the market shares held by foreign cloud suppliers or an attitude suggesting that EU cloud users rely too heavily on those from the US and China.[1] The competitiveness of especially large US cloud suppliers have made it difficult for suppliers with an EU birth certificate to build-up or maintain a strong market position, and cloud users (including the public sector) rarely find competitive offers from suppliers that are “purely European”. While some national security concerns and risks related to the on-off legal framework of the Transatlantic cross-border portability of personal data are acknowledged in many arguments for EU cloud policy, the distinguishing feature of the “sovereigntist” approach is that Europe – through a combination of restrictive and discriminatory policies – should aim to cut the wings of foreign, especially US, cloud suppliers.[2]
Some policymakers and industrialists in Europe go further and articulate a vision for Europe that involves building an independent ICT infrastructure and services offerings that resonate with European values. In 2020, EU member states signed a joint declaration which pledged public money to power the cloud sector and establish the “European Alliance on Industrial Data and Cloud.” The declaration addresses the broader concerns of the economic and security risks associated with outsourcing data and the long-term implications of dependency on external technology platforms.[3] This ongoing debate underlines a political ambition to assert technological sovereignty by maintaining more secure and potentially better performing European technological alternatives in cloud services – and, further, in AI and quantum computing.
1.1 European cloud policy requires a dynamic view rather than focusing on market shares
The sovereigntist view is misguided and economically harmful to Europe. Fortunately, it is not the only existing or possible approach to a European cloud policy and strategy. A workable and successful cloud policy should not be obsessed with the market share of current suppliers but needs to centrally feature policies for adoption and encourage dynamic technological and market changes that inevitably will change the hierarchy of suppliers. Taking measures that allow for faster diffusion of cloud services in Europe is beneficial for the EU economy but will also help to create more competition. A faster-growing market will create spaces for a larger variety of services and for new technology to accelerate. Such market development is far better for stimulating new competition.
Moreover, many other countries are also wrestling with finding the balance between market openness and maintaining agency to control security concerns – between realising technology efficiency gains and maintaining sovereignty over systems and data. The need to maintain control over sensitive and strategic data underpins many policy developments in key markets where cloud services are considered critical digital infrastructure assets. For instance, the US government’s “Clean Network” proposal is aimed at removing all Chinese influences from the country’s internet ecosystem (including specifically cloud services, represented as the “Clean Cloud”).[4] Such approaches aim to address explicit concerns and tailor policies to specific services or suppliers, including connections to foreign and potentially hostile governments. However, there exists a significant risk of divergence between a company’s aspiration to remain competitive and the regulatory structure overseeing cloud services. While the preference for a functioning cloud service should rely on markets and private sectors, there is an on-going trend to approach cloud by infusing its functioning with industrial policy and protectionist motivations.
Importantly, the approach of EU policymakers to create new EU-based competitors is to accelerate technological change and make sure that EU firms have the incentives to invest in such change. The cloud market is already undergoing technological transitions, and the changes will only accelerate with more cloud-specific developments and changes in ICT technology. A key development is the maturation and widespread adoption of next-generation data security and privacy-enhancing technologies like homomorphic encryption, secure enclaves, differential privacy, and self-sovereign identity solutions.[5] These innovations have the potential to enable secure computation on encrypted data without decryption, while also preventing unauthorized data access and empowering users with control over their personal data. As these capabilities become more engrained across cloud stacks, the perceived risks around data exposure and the need for strict sovereigntist or localization policies could diminish substantially. This could help establish a global framework for next-generation telecom and cloud services that fosters both development and security. Ensuring technology and commercial openness in the policies governing this framework would set the stage for healthy competition in the cloud sector and create opportunities for all stakeholders.
In parallel, the standardization and potential deployment of quantum-resistant cryptography algorithms will also become critical to safeguarding data transmitted across cloud environments from future quantum computing threats to encryption.[6] This could increase confidence in the security of data privacy of cross-border data flows and shared cloud models across jurisdictions. Additionally, emergence of governance frameworks for ethical, transparent and accountable AI/ML services hosted on cloud platforms could help alleviate concerns around surrendering advanced AI capabilities to foreign providers on verified grounds.
1.2 Cloud and related ICT developments are not taking a pause
The resurgence of new globalisation and decentralised supply chains will further interconnect markets and open digital ecosystems. This could catalyse the formation of regional or plurilateral “cloud blocs” with harmonized cloud policies enabling frictionless data and service mobility across trusted cloud ecosystems. Intensifying competitive pressures could further drive enterprises to demand barrier-free cloud capabilities that power innovation and responsiveness, without being hampered by data sovereignty bottlenecks. The market-driven approach – rather than a Brussels-centric or, for that matter, a Washington-centric approach – will likely re-emerge as a model for cloud governance and will be a key factor in determining how countries can maximise their economic returns from cloud and computing investments. Telecommunications and the Internet were never based on a government-led strategy; they were products of commercial and technological initiatives and market forces which generated new applications and innovation.[7] And this development is not taking a pause.
With the advent of 5G and 6G, which blends with AI and cloud computing, new services and products are now being enabled to meet the growing demand of creating data and knowledge fast to support a digital and interconnected economy in a secure way.[8] The future development of 6G/xG will further transform distributing data and computing to edge cloud. These networks will potentially be architected on the grounds of a decentralized, software-defined infrastructure closely integrated with Multi-Access Edge Computing (MEC) capabilities.[9] Being built on the principles of, for instance, network slicing allows the partitioning of physical network to serve different service requirements and multi-tenancy models,[10] which can potentially be utilised to lay the foundation for decentralised edge cloud deployment across the same telecom network infrastructure. Such a policy model will allow data to not remain centralized in any single provider’s cloud but be processed closest to its point of origin. It will facilitate data sharing and aggregation through the use of privacy-preserving technologies across virtualized multi-cloud environment.
The market-driven model for cloud policy is a good starting point for the EU. Cloud, ICT, and services markets will change with new technology and new models for data distribution and commerce. The developments will also bring a change in competition between companies. The EU could support these changes and hasten development and experimentation by setting interoperability standards and governing the ethical, secure operation of this decentralized cloud-edge-network stack. For instance, in the biomedical sector, a number of cloud platforms are supporting scientific research. This points to the increasing need for supporting cross-platform interoperability for managing and analysing data.[11] There have been attempts for interoperating cloud platforms for biomedical data by the GA4GH organization and European Open Science Cloud (EOSC) Interoperability Task Force of the FAIR Working Group. The underlying basis of these framework is to make data in the cloud platforms findable, accessible, interoperable and reusable (FAIR).[12] Following a diffusion of cloud computing innovation, there will be a potential shift towards a more decentralized framework. This will inevitably move the policy rhetoric away from localizing data and towards enabling cross-provider and cross-border harmonization of shared cloud services, which will be utilized across various sectors.
The future direction of EU cloud policies should necessitate striking a careful balance between advancing cloud innovation and capabilities versus the present imperative for sovereignty and digital autonomy. Overreliance on technology sovereignty will ultimately hamper EU competitiveness and future economic prospects and force a reallocation of EU resources to services delivered today rather than services delivered in the future. Insulating the EU cloud market from non-EU players will stifle innovation. It will deter foreign investment and also lead to a brain drain of top cloud computing talent.
1.3 The EU’s inward-looking approach to promoting domestic cloud champions is poised to fail
The insular approach risks technology isolation of the EU and prevents productive exchange of ideas and cross exchange of frontier R&D. Adopting overly stringent data localization mandates aimed at reducing dependencies on US providers risks hampering the on-going digital progress and dampening future cloud-driven growth opportunities. Current models in Europe based on industrial, resource-constrained approaches – centred on promoting domestic cloud champions through an exclusionary framework – have inherent limitations. There is already a lack of hyperscale players, semiconductor supply chain gaps, human capital shortages, and a highly fragmented digital (and non-digital) internal market which abates the EU ambition of achieving comprehensive cloud self-sufficiency in the short-to-medium term.
Yet, this paradigm refuses to die. An inward-looking policy singularly fixated on reducing foreign cloud reliance could increase economic harm by depriving EU businesses and citizen’s access to best-in-breed global cloud capabilities. This incumbency preference for nascent EU providers over established companies risks the EU to not scale up based on the modern enterprise needs. Recent survey findings indicate a growing trend towards cloud adoption across companies. Two out of three companies have already established a cloud foundation, while one out of every two companies is currently undertaking large-scale migration initiatives or building new applications and capabilities in the cloud. Notably, approximately 65 percent of surveyed companies have more than 20 percent of their workloads running on cloud platforms.[13] In total, 43 percent of EU enterprises have brought cloud computing services in 2023.[14] Restricting the operation of foreign cloud providers in EU will likely result in higher costs for consumers, while also deter the adoption and integration of cloud technologies across different sectors to enable digital transformation initiatives.
1.4 The sovereignty narrative will create more problems than it pretends to solve
The narrative around technological sovereignty in Europe is further enriched by discussions on the practical challenges and potential solutions for achieving this goal. Actors like OVHcloud and other policy documents call for a concerted European effort,[15] highlighting the need for collaboration among European nations and private companies to invest in and develop the continent’s digital infrastructure.[16] This includes addressing the complexities of integrating international companies within European projects like Gaia-X, and Catena-X while ensuring that European sovereignty is preserved.[17] The French government’s active role in the European Union Cybersecurity Certification Scheme (EUCS) negotiations reveals a political strategy that, while championing European technological sovereignty, also raises concerns over France’s attempt to skew the market in favour of its own cloud services.[18] Jean-Noël Barrot, the former French Minister for Digital Transition and Telecommunications, underscored this ambition by advocating for exclusionary requirements that surpass public authorities and Operators of Vital Importance (OVIs), aiming to model the EU’s entire digital security framework on France’s SecNumCloud certification.[19]
Thus, by pushing for the adoption of cybersecurity standards akin to France’s SecNumCloud or even Germany’s C5,[20] there seems to be an underlying ambition to artificially inflate demand for French/German cloud regulatory solutions across the EU. These approaches invite scrutiny over their potential to limit market diversity and access to the best cloud services solutions available on global markets. Such tactics, while enhancing the stature of France’s and Germany’s cloud industry, will likely inadvertently stifle competition and innovation within the European cloud services market, contradicting the broader EU principles of fair competition and technological neutrality.[21]
The advent of protecting sovereignty is appealing in Europe, and while EU policymakers may strive to make their cloud computing infrastructure competitive, the reality is that EU providers are not competitive enough to supplant American and Asian rivals. The draft Cybersecurity Certification Scheme for Cloud Services (EUCS) included several sovereignty requirements.[22] While data localization aims to enhance data sovereignty and security, it comes with economic implications for both the host nation and the cloud service provider. It imposes higher costs through local data centre investments, as well as constrained scalability and functional capabilities, thereby limiting broader cloud adoption. The evolving and complex sovereignty landscape across the EU, with its patchwork of data residency requirements, increases regulatory compliance burdens and scrutiny over operational autonomy for cloud customers across EU. Accommodating these localization requirements necessitates EU member states to establish and maintain robust local data centre infrastructure through substantial capital outlays and operational expenses to meet regulations.
For major US cloud providers like AWS, Google, and Microsoft,[23] offering controlled public cloud services that adhere to EU’s sovereignty principles involves massive investments in dedicated local capacity, regulatory compliance processes, and sovereign control capabilities. This resource-intensive overhaul is a critical factor governing their presence in the cloud sovereignty battle in Europe. Customers will likely face heightened governance and auditing obligations to verify data localization, residency, and authorized cross-border transfers – adding to the complex web of resource demands stemming from the EU’s pursuit of controlled cloud sovereignty while aiming to enable innovation and maintain cyber security requirements. This is an extremely resource demanding approach.
From the perspective of cloud service providers, adhering to data localization requirements can be cumbersome and expensive. These providers often leverage economies of scale by centralizing their operations and infrastructure, allowing them to offer cost-effective services globally. Data localization mandates, however, disrupt this by requiring the establishment of multiple data centres across various regions or countries. This fragmentation can also undermine global cybersecurity frameworks and likely affect 13 out of 14 controls in the international standards for the information and cybersecurity sector (ISO/IEC 27002),[24] while also potentially undermining the new Transatlantic Data Privacy Framework (TDPF).[25] It is important for technology firms to have market access and availability of data flows in instances where there will be a potential cyber-attack or threat.
In essence, a good point here is to also refer to the security practice between the US FedRAMP and the EU SecNumCloud (the French policy approach) and EUCS sovereignty requirements. FedRAMP primarily focuses on the technical aspects of cloud cybersecurity rather than considering the ownership structure of the firm providing the services. This has allowed many foreign firms to obtain the FedRAMP certification, reflecting the program’s emphasis on evaluating the security capabilities of cloud services. By not discriminating based on the ownership or nationality of the cloud service provider, FedRAMP creates a level playing field for both domestic and foreign companies to compete in the U.S. market. The technical cybersecurity standards employed by FedRAMP are established by the U.S. National Institute of Standards and Technology (NIST) through an open and transparent process. In contrast, the standards for the EUCS are developed by the European Union Agency for Cybersecurity (ENISA) through a politically influenced and closed approach.
Sovereignty requirements that fragment or disconnect a provider’s ICT infrastructure from their global cloud can severely hamper their ability to respond promptly and comprehensively to security incidents.[27] Moreover, joint incident analysis and coordinated response efforts between government agencies and technology firms become exceedingly difficult, if not impossible, when foreign companies are excluded from specific markets. Collaborative threat intelligence sharing and collective defence mechanisms are critical in today’s interconnected cyber landscape. Isolationist policies or data localization measures could potentially create security blind spots, leaving cloud infrastructure more vulnerable to attacks that could originate from anywhere in the world. EU policymakers must recognize that ensuring the resilience and security of cloud services necessitates a collaborative, globally integrated approach that empowers technology firms to respond swiftly and comprehensively to emerging threats, irrespective of geographic boundaries.
Table 2: Policy Approach followed by China, USA and EU (Excerpt)
The optimal policy approach for cloud technologies should facilitate cross-border data flows while striking a balance between sovereign control over resources and the economic benefits of openness and connectivity at scale. This particular model aims to create an environment that fosters investments and the diffusion of cloud technologies across borders. One could call it the “cloud free trade” approach that intends to promote free flow of data across borders as well as more foreign direct investments (FDI) in cloud capacity. Such a policy approach will focus on maintaining market access commitments for foreign clouds and harmonise cloud standards and certifications. The underlying economic value and driver of cloud development patterns is the ability to rapidly experiment with prototype and scale frontier technology applications without upfront fixed costs or regulatory constraints. An attempt underlying this approach was launched by HPE through its Cloud28+ aggregator program in 2015, which aimed to link customers with a global, open ecosystem of independent cloud service providers.[30] It was originally dedicated to the European market, but now operates globally. The initiative points to the increase in affinity of collaboration and knowledge sharing across a common ecosystem. For instance, the Helix Nebula project aimed to pave the development and exploitation of high performance computing through a global network and cloud computing infrastructure. A single IT company would not be able to deliver this architecture. But the consortium and community of partner providers through Cloud28+ were able to provide a tailored answer through a hybrid cloud strategy. [31]
Free movement of data and resources across borders can unlock the full potential of cloud technologies, enabling businesses to leverage global infrastructure and new services. This openness promotes scalability, cost-efficiency, and the ability to access cutting-edge cloud services from anywhere in the world. Further moving away from a data localised model will allow domestic and foreign companies to invest in business expansion and innovation. The success of non-EU companies in providing high-value cloud services through imports does not necessarily mean a failure for EU countries. It should not be viewed as a zero-sum game – the achievements of non-EU firms should not be seen as a loss for the EU. Instead, it can present opportunities for collaboration, innovation, and mutual growth, rather than being perceived as a win-lose situation. Europe’s level of competitiveness and growth is reliant on opportunities for investment attractiveness, cross-border exchange, and competition and technology diffusion. Access to high-quality cloud services make European firms more competitive, whilst international trade exposes domestic cloud services firms to competition, requiring constant innovation and productivity improvements to succeed in the market.[32] The promotion of multi-cloud strategies which combines EU and non-EU providers enables strong economic benefits and competitiveness. A protectionist EU cloud approach will undermine the transatlantic digital trade and also make the digital privacy framework irrelevant.[33]
The reality is that the EU will not achieve self-sufficiency across all cloud domains anytime soon, and a comprehensive policy to that end would be very resource demanding. But policies that pragmatically embrace foreign player participation, under the appropriate guardrails, and that spurs increasing adoption and faster technological change will deliver strong benefits to Europe and create new opportunities for European ICT companies to grow. There is no point trying to substitute existing US companies with their state of technology and services now: it is the future technology that can invite EU companies back to the frontier of ICT, especially as the boundary between hardware and software will further break down.
Below we demonstrate the inherent shortcomings of the EU “sovereigntist” approach to cloud resulting from a substantial lack of cumulated investments by European technology companies in ICT technology in the past and the ongoing growth and technological innovation in the industry globally. We will review the investment challenges that EU ICT companies face in their quest to catch up with their non-EU counterparts, specifically focusing on the sectors with advanced cloud services (including AI development). Our analysis will explore the broader ramifications of these challenges for European technological sovereignty and economic interdependence. In particular, we delve into the disparity in investments in infrastructure capacities and research and development (R&D) efforts. Our analysis considers the impact of regulatory frameworks, market access barriers, and the strategic manoeuvres of EU member states. By examining these factors, we aim to provide a comprehensive understanding of the challenges EU ICT companies face and the feasibility of overcoming these obstacles to achieve parity with global technology leaders. The overall results fit into the picture of the EU digital policy that has weakened the competitiveness of the EU industries.
Section 2 daws on the European Commission’s R&D Scoreboard and corporate data to outline investment trends and patterns in the global ICT hardware and software industry. In Section 3, we broadly quantify the EU’s technology investment gap in ICT and advanced cloud computing services and capacities, using firm-level data and looking at the market hierarchy of investment and R&D expenditures. Section 4 continues the policy discussion from the introduction and concludes with policy recommendations.
[1] “Today, we are launching collective risk assessments, together with our Member States, in four technology areas critical for our economic security. Technology is currently at the heart of geopolitical competition and the EU wants to be a player, and not a playground. And to be a player, we need a united EU position, based on a common assessment of the risks. With this approach we will remain an open and predictable global partner, but one who nurtures its technological edge and addresses its dependencies. Our single market will only get stronger as a result in all its parts.” – Vice President Věra Jourová, see: European Commission. (2023, October 3) Commission recommends carrying out risk assessments on four critical technology areas: advanced semiconductors, artificial intelligence, quantum, biotechnologies. Press Release. Available at: https://defence-industry-space.ec.europa.eu/commission-recommends-carrying-out-risk-assessments-four-critical-technology-areas-advanced-2023-10-03_en ; also see: Komaitis, K., and Sherman, J., (2021, May 11) US and EU tech strategy aren’t as aligned as you think. Brookings Institution. Available at: https://www.brookings.edu/articles/us-and-eu-tech-strategy-arent-as-aligned-as-you-think/
[2] Reale, R., (2023, May 26) Towards Sovereignty in AI: A 7-Tier Strategy for Europe’s Technological Independence in Generative Artificial Intelligence. European AI Alliance. Available at: https://futurium.ec.europa.eu/en/european-ai-alliance/blog/towards-sovereignty-ai-7-tier-strategy-europes-technological-independence-generative-artificial
[3] Madiega, T., (2020). Digital sovereignty for Europe. EPRS Ideas Paper Towards a more resilient EU. Available at: https://www.europarl.europa.eu/RegData/etudes/BRIE/2020/651992/EPRS_BRI(2020)651992_EN.pdf, also see: European Financial Services Round Table. (2020). EFR Paper on Cloud Outsourcing. Available at: https://www.efr.be/media/2xblnmf0/131-1-efr-paper-on-cloud-outsourcing.pdf
[4] Pompeo, R, M. (2020, August 5). Announcing the Expansion of the Clean Network to Safeguard America’s Assets. U.S. Department of State, https://www.state.gov/announcing-the-expansion-of-the-clean-network-to-safeguard-americas-assets/
[5] Amorim, I., Maia, E., Barbosa, P., & Praça, I. (2023). Data Privacy with Homomorphic Encryption in Neural Networks Training and Inference. In International Symposium on Distributed Computing and Artificial Intelligence (pp. 365-374). Cham: Springer Nature Switzerland; AWS (2024, April 10) How differential privacy helps unlock insights without revealing data at the individual-level. Available at: https://aws.amazon.com/blogs/industries/how-differential-privacy-helps-unlock-insights-without-revealing-data-at-the-individual-level/ ; AWS. Guidance for Trusted Secure Enclaves on AWS. Available at: https://d1.awsstatic.com/solutions/guidance/architecture-diagrams/trusted-secure-enclaves-on-aws.pdf ; IAPP (2022) White Paper – Self-sovereign identity as future privacy by design solution in digital identity? Available at: https://iapp.org/resources/article/white-paper-self-sovereign-identity/
[6] NIST (2023, August 24) NIST to Standardize Encryption Algorithms That Can Resist Attack by Quantum Computers. Available at: https://www.nist.gov/news-events/news/2023/08/nist-standardize-encryption-algorithms-can-resist-attack-quantum-computers , Mattsson, J. P., Smeets, B., & Thormarker, E. (2021). Quantum-resistant cryptography. arXiv preprint arXiv:2112.00399.
[7] CSIS (2021) Accelerating 5G in the United States. Available at: https://www.csis.org/analysis/accelerating-5g-united-states
[8] Ibid
[9] Microsoft Azure (2024, April 26) What is Azure private multi-access edge compute? Available at: https://learn.microsoft.com/en-us/azure/private-multi-access-edge-compute-mec/overview
[10] Ericsson. The art of 5G network slicing explained. Available at: https://www.ericsson.com/en/blog/2021/2/the-art-of-5g-network-slicing-explained
[13] McKinsey (2024) The state of cloud computing in Europe: Increasing adoption, low returns, huge potential. Available at: https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/the-state-of-cloud-computing-in-europe-increasing-adoption-low-returns-huge-potential
[14] Eurostat (2023) Cloud computing – statistics on the use by enterprises. Available at: https://ec.europa.eu/eurostat/statistics-explained/index.php?title=Cloud_computing_-_statistics_on_the_use_by_enterprises
[15] The head of Italian defence and electronics firm Leonardo said that Italy and other European countries need a government controlled cloud services to store sensitive data. Reuters (2023) Italy, Europe Need State-Controlled Cloud Services – Leonardo Chief. Available at: https://www.reuters.com/world/europe/italy-europe-need-state-controlled-cloud-services-leonardo-chief-2023-10-25/
[16] OVH Cloud. (2024, January 17) OVHcloud presents its strategic plan, Shaping the Future, and new financial targets for FY2026. Press Release. https://corporate.ovhcloud.com/sites/default/files/2024-01/2024-01-17-ovhcloud-shaping-the-future-veng-vdef.pdf
[17] McKay (2021, April 21) What is GAIA-X and Why Are AWS, Google, and Azure Involved? How To Geek Available at: https://www.howtogeek.com/devops/what-is-gaia-x-and-why-are-aws-google-and-azure-involved/. However, it is not the first time a European Cloud has been discussed. In 2009, on a €150 million state-funded budget, Cloudwatt was launched, an initiative of Project Andromède, France’s attempts at localising the computer industry. see: INPLP (2020) GAIA-X: European Sovereign Cloud Guidelines Unveiled. Available at: https://inplp.com/latest-news/article/gaia-x-european-sovereign-cloud-guidelines-unveiled/;
Similar to GAIA-X, the Fraunhofer Society launched the International Data Spaces (IDS) project, formerly known as the Industrial Data Space, in October 2015. This initiative, funded by the German Federal Ministry of Education and Research, focuses on standardizing data exchange and sharing while ensuring participants retain sovereignty over their data. Supported by IDSA, the project includes 117 members worldwide from various industries, collectively defining the IDS standard for data sovereignty, akin to GAIA-X., see: IDSA (2021) GAIA-X and IDS. Position Paper. https://internationaldataspaces.org/wp-content/uploads/dlm_uploads/IDSA-Position-Paper-GAIA-X-and-IDS.pdf , also see: Catena-X aims to create a standard for data exchange along the entire automotive value chain. see: Wilkes, W. (2020). BMW and SAP Join Forces to Build German Auto Data Alliance – Siemens, Deutsche Telekom also join the cloud data group. Bloomberg. Available at: https://www.bloomberg.com/news/articles/2020-12-01/bmw-and-sap-join-forces-to-build-german-auto-data-alliance?embedded-checkout=true
[18] Guillaume Poupard, the Director General of ANSSI, voiced strong support for these new requirements, emphasizing their role in advancing digital sovereignty. He said, “Europe needs a rule that only European law is applicable on cloud products certified in Europe,”…. “This is about…having the courage to say that we don’t want non-European law to apply to these services,”…… “If we’re not capable to say this, the notion of European sovereignty doesn’t make sense.” Cerulus, L., (2021, September 13) France wants cyber rule to curb US access to EU data. Politico. Available at: https://www.politico.eu/article/france-wants-cyber-rules-to-stop-us-data-access-in-europe/ ; Anne Le Hénanff, a member of the French Parliament from centre-right Horizons, who is the rappporter for the bill, “We aim to regulate while supporting French cloud providers, enabling them to grow in Europe, and fostering the creation of French cloud champions,” see: Hartmann, T. (2023, October 3) France set to regulate cloud market more than EU. Euractiv. Available at: https://www.euractiv.com/section/competition/news/france-set-to-regulate-cloud-market-more-than-eu/?utm_source=Euractiv&utm_campaign=e1e24c4590-; also see: Cory, N. (2022, May 10) France’s “Sovereignty Requirements” for Cybersecurity Services Violate WTO Trade Law and Undermine Transatlantic Digital Trade and Cybersecurity Cooperation. ITIF. Available at: https://itif.org/publications/2022/05/10/france-sovereignty-requirements-cybersecurity-services-violate-wto-trade/
[19] Government of France (2021) Communique De Presse: Le Gouvernement annonce sa stratégie nationale pour le Cloud. Available at: https://minefi.hosting.augure.com/Augure_Minefi/r/ContenuEnLigne/Download?id=B32CFA9B-74D2-411D-A501-82041939FC67&filename=1002%20-%20Le%20Gouvernement%20annonce%20sa%20strat%C3%A9gie%20nationale%20pour%20le%20Cloud.pdf;
Economy Minister Bruno Le Maire, “There is no political sovereignty without technological sovereignty. You cannot claim sovereignty if your 5G networks are Chinese, if your satellites are American, if your launchers are Russian and if all the products are imported from outside,” ….following this, Jean-Paul Smets, founder of Nexedi and member of the Euclidia organisation, “We are being asked to participate in something special through intermediaries who are promoters of American technology,” Pollet, M. (2021, December 14) France to prioritise digital regulation, tech sovereignty during EU Council presidency. Euractiv. Available at: https://www.euractiv.com/section/digital/news/france-to-prioritise-digital-regulation-tech-sovereignty-during-eu-council-presidency/
[20] Federal Office for Information Security. C5. Available at: https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Cloud-Computing/Kriterienkatalog-C5/C5_Einfuehrung/C5_Einfuehrung_node.html
[21] Bauer, M. (2023) Building Resilience? The Cybersecurity, Economic & Trade Impacts of Cloud Immunity Requirements. ECIPE. https://ecipe.org/wp-content/uploads/2023/02/ECI_23_PolicyBrief_01-2023_LY07.pdf ; Bauer, M., and Lamprecht, P., (2023) The Economic Impacts of the Proposed EUCS Exclusionary Requirements Estimates for EU Member States. https://ecipe.org/wp-content/uploads/2023/10/ECI_23_OccasionalPaper_04-2023_LY06.pdf
[22] ENISA. EUCS Cloud Service Scheme. Available at: https://www.enisa.europa.eu/publications/eucs-cloud-service-scheme
[23] AWS. Digital Sovereignty. Available at: https://aws.amazon.com/compliance/digital-sovereignty/ , Microsoft. Cloud for Sovereignty. Available at: https://blogs.microsoft.com/blog/2022/07/19/microsoft-cloud-for-sovereignty-the-most-flexible-and-comprehensive-solution-for-digital-sovereignty/ , Google. Cloud on Europe’s Terms. Available at: https://cloud.google.com/blog/products/identity-security/advancing-digital-sovereignty-on-europes-terms/
[24] Swire, P., & Kennedy-Mayo, D. (2023). The Effects of Data Localization on Cybersecurity-Organizational Effects. Georgia Tech Scheller College of Business Research Paper, (4030905).
[25] Transatlantic Data Privacy Framework. Available at: https://ec.europa.eu/commission/presscorner/api/files/attachment/872132/Trans-Atlantic%20Data%20Privacy%20Framework.pdf.pdf
[26] Cory, N., (2023) Europe’s Cloud Security Regime Should Focus on Technology, Not Nationality. Available at: https://itif.org/publications/2023/03/27/europes-cloud-security-regime-should-focus-on-technology-not-nationality/
[27] Ibid
[28] The term “incumbency faire” refers to the recent cloud policy focus on giving preferential treatment or advantages to the existing, established EU cloud computing firms. The rationale behind this approach is to prevent these incumbent EU companies from losing ground and to also reduce the EU dependencies on US cloud companies as part of its objective of fulfilling strategic autonomy goals.
[29] The EU now exhibits a preference for relying on domestic cloud providers, aiming to maintain control and ensure stringent data protection measures within its sovereign boundaries
[30] Cloud 28+ connects the reseller, the service provider, the systems integrator and the software vendors. see: HPE. (2016, November 29). HPE Expands Cloud28 Community. Available at: https://www.hpe.com/us/en/newsroom/blog-post/2017/03/hpe-expands-cloud28-community.html ; also see: CERN (2013, January 24) Helix Nebula project passes proof-of-concept. Available at: https://science.cern/news/news/computing/helix-nebula-project-passes-proof-concept
[31] The Global Vice President Service Providers, Colocation Providers Xavier Poisson Gouyou Beauchamps said, “Cloud28+ operates essentially as a large service center, a platform for organizations to leverage cloud services. But it also functions as a promotion center for the vendors and service providers that are members, providing opportunities for participants to promote their offerings to customers,”
[32] Bauer, M. and Lamprecht, P. (2023) The Economic Impacts of the Proposed EUCS Exclusionary Requirements Estimates for EU Member States. Available at: https://ecipe.org/wp-content/uploads/2023/10/ECI_23_OccasionalPaper_04-2023_LY06.pdf
