Achieving cloud sovereignty - but how?

Insight, 18/07/2025

In a world in which data protection and regulatory requirements such as GDPR, BAIT or DORA meet technological megatrends such as the use of AI or the rapid progress of quantum computing, as well as a reinterpretation (or repurposing) of economic and political alliances, it is no longer enough to simply “tick off” compliance with regulatory requirements. True sovereignty means making technological, operational and, above all, business decisions in a self-determined manner - and thus securing trust, innovative strength and competitiveness. Cloud sovereignty is therefore not a purely technical issue, but a management matter that combines geopolitical risks, organizational culture and long-term strategy.


Why cloud sovereignty is more than just a compliance label

In the financial world, sovereignty is often viewed in technical or legal terms: GDPR, BAIT, EBA guidelines, DORA. But if you want real capacity to act, you have to think further. Cloud sovereignty doesn't just mean complying with the legal framework - it means retaining control over strategic, technological and operational decisions. It is not a tick on the checklist, but a design principle for the digital future.

In practice, this means that the decision for or against a hyperscaler, for certain operating models or for regulatory-compliant architectures must not be driven by IT alone. It affects business models, the ability to innovate and customer trust - and is therefore clearly a matter for top management.


Geopolitical reality: sovereignty needs more than technology

Cloud sovereignty does not exist in a vacuum. Dependence on non-European providers is not just a question of technology, but increasingly a strategic risk. Geopolitical tensions, extraterritorial legal claims (e.g. CLOUD Act) and regulatory divergences make this clear: Those who base their digital infrastructure on globally active hyperscalers have recently also had to deal with the political and legal framework conditions of this dependency.

Therefore: 
  • Strategic resilience requires a conscious examination of the origin, ownership structure and control options of cloud providers.

  • The “European Cloud” is more than just a label - it represents an attempt to secure digital sovereignty geopolitically.
     
  • Companies need to ask themselves: What risk am I prepared to take? What alternatives am I prepared to develop?

Sovereignty begins with awareness - also of the political implications of technical decisions. If you want to take responsibility, you have to think about global developments.


Organization & culture: Why governance alone is not enough

Moving to the cloud requires more than just a migration project. You need a deep understanding of how organization, culture and technology interact. Because the cloud is not an add-on - it changes working methods, responsibilities and mindsets.

In our discussions, it became clear that there is a lot of uncontrolled growth in many companies. Different departments commission cloud services independently, governance structures are missing or are established too late. The result: a lack of transparency, technological shadow IT and increasing risks.

What helps:
  • Mindset work instead of tool introduction: Cloud introduction must be understood as a cultural transformation. This requires a clear vision, communication on equal terms and visible leadership.

  • Change management as a success factor: employees need to understand why their work is changing - and how they themselves can be part of the transformation.

  • Making responsibility visible: Who decides what? Who bears what risk? Governance is not just about rules, but also about practiced responsibilities.

Cloud transformation starts in the mind - and it doesn't end with the go-live. Only when specialist departments, IT and management assume joint responsibility is there real capacity to act.


Strategic recommendations from the field

Based on the panel discussion and our own experience in cloud projects, we can identify specific areas of action that will determine success:

  1. Operationalizing cloud governance
  • Establishment of a central cloud board with decision-making authority

  • Definition and control of cloud policies (e.g. provider selection, data classification, cost management)

  • Integration with information security and data protection management 

  2. Thinking about exit scenarios - right from the start
  • Clear regulations in the contracts (e.g. on data portability, support in offboarding)

  • Check technical interoperability (containerization, APIs, open standards)

  • Strategic evaluation: When is multi-cloud worthwhile? When is it not?

  3. Contract design as a management tool
  • Consciously choose contract terms - with flexibility instead of lock-in

  • Establish clear SLAs, security standards and auditing rights

  • Intensify cooperation with procurement and legal

These points not only determine compliance, but also real sovereignty - i.e. the ability to choose, change or develop with confidence.


Cloud is not a project - it's an attitude issue

Many companies treat their cloud strategy like a transformation project with a beginning and an end. But that falls short. Sovereignty does not come from a one-off setup, but from continuous development. It is not a state, but an attitude: to technology, to responsibility, to strategic self-determination.

Which means:
  • Sovereignty requires long-term thinking - and people who shape it.

  • It is not created through demarcation, but through conscious selection, control and cooperation.

  • It requires the courage to ask uncomfortable questions: What happens if the hyperscaler changes its conditions? What is our plan B?

It's the attitude that counts. Those who see their cloud strategy as a learning system can act with confidence - even in dynamic markets and under regulatory pressure.


Conclusion: Consistency beats complexity

Cloud sovereignty is feasible - if you take it seriously. It requires clarity in strategy, consistency in implementation and the courage to embrace cultural change. Those who achieve it not only gain technological flexibility, but also regulatory security and entrepreneurial independence. 

Our recommendation:
  • Make the topic a top priority. It's not just about IT, but about future viability.

  • Build governance holistically - including mindset and change.

  • Think about exit and contracts right from the start. This creates leeway.

  • Anchor sovereignty as an attitude. Not as the end of a project.

  • Use the principle of cloud sovereignty specifically as a differentiating feature - your cloud offers a safe haven for customer data.

We accompany many of our customers on exactly this path - pragmatically, in partnership and with a clear focus on regulatory compliance.

Because cloud sovereignty is not a trend - it's a strategic promise for the future.

