The battle between hyperscalers and European cloud providers to conquer the European public cloud market is getting more contentious over the issue of data sovereignty. It now involves new actors, new concerns, and new weapons. Here a few of the main facts that will most probably influence the European cloud scenario moving forward.
Growing Complexity In Legislation And Cloud Providers’ Landscape
- French cloud providers are sharpening the knives against US hyperscalers. The French government is making no secret that it is willing to support the French cloud providers. The goal is to make France a nation at the forefront of cloud transformation. Most recently, French Minister of Telecommunications Jean-Noël Barrot sent a message to a privately hosted OVH event, strengthening the support of the government for French-based cloud providers. Furthermore, OVH has recently filed a claim against Microsoft for a supposed abuse of its dominant position in Europe, with the European Commission DG Competition Antitrust and General Registry currently verifying the allegations.
- EU country- and industry-level regulations are getting tougher. Regulation in the European cloud world is layering up. Starting with EU-level directives and prescriptions, each country is now developing its own cloud initiatives and internal regulations. On top of that, vertical regulators such as central banks are adding further regulations for their industries. This poses new challenges to cloud providers operating in Europe, as well as for small and medium enterprises that are more in need of advice from cloud providers and cloud service providers. Non-European cloud providers are trying to overcome these headwinds by opening in region after region and conquering pieces of territory across Europe.
- The US’s CLOUD Act and the Chinese Cybersecurity Law continue to cause concerns for European governments and some customers. European authorities and some enterprise clients have long been concerned about the provisions in the European cloud act. Some countries (notably, France) are starting to restrict the ability to use hyperscaler-based offerings in certain industries via rulings of the CNIL (e.g., healthcare and schools). Rulings like this are causing major headaches for solution vendors such as Workday. As well as creating infrastructure management headaches, this also has the potential to make the use of applications like AI/ML capabilities of hyperscalers more difficult in the future, if the current trends continue.
Data Sovereignty Is Defined By Five Key Requirements
We all know what data sovereignty means, but there is not a single universally accepted definition. The five main requirements to qualify a cloud provider as sovereign are:
- Cloud platforms and DCs must be owned by a sovereign entity. In order to qualify as sovereign, the cloud provider should be either a natively European company or a separate legal entity of a foreign organization. This characteristic, though, is just the first one and by no means ensures that even an EU cloud provider headquartered in the EU would qualify as sovereign.
- No external jurisdictional controls on data are permitted. In order to meet this requirement, cloud providers belonging to organizations from outside the EU will have to ensure that non-EU governments cannot access the data of EU citizens and companies hosted in their DCs. This could be increasingly difficult to prove for hyperscalers to balance legal requirements in the EU and in the countries where their headquarters are listed.
- All data must reside in a sovereign nation. In order to meet the sovereignty criterion, cloud providers will have to make sure that all data resides in the sovereign nations. This is somehow not completely in line with the freedom of movement that the EU grants to people, goods, and capital; data might be the first “thing” that has movement restricted in the EU, opening the way to more concerns regarding the other three.
- Data shall be operated by sovereign citizens within the sovereign nations. Only citizens of the sovereign nations where the cloud provider is operating shall access the data, in order to meet the sovereignty requirements. This poses a major restriction to the business of US hyperscalers but also to companies such as SAP that have campuses outside the EU. These vendors might not be able to leverage the lower costs from off-shore locations for certain applications and use cases.
- There must be compliance with local laws and security standards. Cloud providers will face increasing pressure to show that they are compliant with local laws and own all the necessary security certifications to be able to do business in the EU.
Hyperscalers Are Irreplaceable, At Least For Now
Hyperscalers are investing more than €40 billion in cloud capabilities globally. EU organizations benefit from these investments and use the platforms, practices, and partners of the hyperscalers to make their businesses more creative, adaptive, and resilient. Preventing EU organizations from leveraging the capabilities of the hyperscalers could harm EU organizations. It is unclear whether this will be to the advantage of EU cloud providers, whose scale and investments are far behind. My research in 2023 is going to investigate the topic of data sovereignty to help end user organizations and tech vendors make the best possible decision for their cloud migration engagements given the complex and evolving legislative scenario in the EU. The Forrester Wave™: Public Cloud Development And Infrastructure Platforms In Europe, Q1 2023, is going to be published as the end of February 2023 and will look at this issue in our assessment of the main providers.