AWS has become the latest Infrastructure-as-a-Service (IaaS) provider to announce that it’s setting up a dedicated European Sovereign Cloud that will allow customers to keep all metadata they create in the EU - and help the US company to push even further into the European public sector market.
According to the firm, only EU-resident AWS employees who are located in the EU will have control of the operations and support for the AWS European Sovereign Cloud. The official announcement states:
Located and operated within Europe, the AWS European Sovereign Cloud will be physically and logically separate from existing AWS Regions, with the same security, availability, and performance of existing AWS Regions, giving customers additional choice to meet their data residency, operational autonomy, and resiliency needs. The AWS European Sovereign Cloud will launch with its first AWS Region in Germany and will be available to all European customers.
AWS currently has 102 Availability Zones across 32 geographic regions, and has plans to launch 15 more Availability Zones and five more AWS Regions in Canada, Germany, Malaysia, New Zealand, and Thailand. AWS infrastructure in Europe consists of eight AWS Regions in Frankfurt, Ireland, London, Milan, Paris, Stockholm, Spain, and Zurich.
But there’s a need for the Sovereign offering, argued Max Peterson, VP of Sovereign Cloud at AWS in a blog posting:
When we speak to public sector and regulated industry customers in Europe, they share how they are facing incredible complexity and changing dynamics with an evolving sovereignty landscape. Customers tell us they want to adopt the cloud, but are facing increasing regulatory scrutiny over data location, European operational autonomy, and resilience. We’ve learned that these customers are concerned that they will have to choose between the full power of AWS or feature-limited sovereign cloud solutions.
We’re taking learnings from our deep engagements with European regulators and national cybersecurity authorities and applying them as we build the AWS European Sovereign Cloud, so that customers using the AWS European Sovereign Cloud can meet their data residency, operational autonomy, and resilience requirements. For example, we are looking forward to continuing to partner with Germany’s Federal Office for Information Security (BSI).
The German citation is interesting. A recent article on the Politico website revealed that Germany’s Federal Commissioner for Data Protection and Freedom of Information was questioning whether AWS cloud hosting was suitable for use in storing police data.
Still, AWS is clearly doing something right with the Sovereign Cloud announcement as it managed to get Claudia Plattner, President of the German Federal Office for Information Security (BSI) to chip in an obliging comment for the launch press release:
The development of a European AWS cloud will make it much easier for many public sector organizations and companies with high data security and data protection requirements to use AWS services. We are aware of the innovative power of modern cloud services, and we want to help make them securely available for Germany and Europe. The C5 (Cloud Computing Compliance Criteria Catalogue), which was developed by the BSI, has significantly shaped cybersecurity cloud standards, and AWS was, in fact, the first cloud service provider to receive the BSI’s C5 testate. In this respect, we are very pleased to constructively accompany the local development of an AWS cloud, which will also contribute to European sovereignty, in terms of security.”
And Plattner is backed up by no less a personage thank Dr. Markus Richter, CIO of the German federal government, Federal Ministry of the Interior, who declared:
This will give businesses and public sector organizations more choice in meeting digital sovereignty requirements. Cloud services are essential for the digitization of the public administration. With the “German Administration Cloud Strategy” and the “EVB-IT Cloud” contract standard, the foundations for cloud use in the public administration have been established. I am very pleased to work together with AWS to practically and collaboratively implement sovereignty in line with our cloud strategy.
Others in the EU may need more convincing. The Defence Committee of the Italian lower House of Parliament has recently been discussing the need for a national government cloud tied into the idea of that becoming a European government cloud.
AWS isn’t the first IaaS provider to announce a Sovereign Cloud rollout. Oracle, for example, beat its rival to it with its own iteration in 2022, with the first two regions being located in Germany and Spain, with operations and support restricted to EU residents and specific EU legal entities.
Then there is the question of the UK. No longer part of the EU, but - for the time being - adhering to EU data protection standards, can organizations in Brexit Britain tap into an EU-dedicated Sovereign Cloud. AWS makes no reference to this in its blurb to date. It may again follow Oracle’s lead here, where UK customers can indeed access the EU Sovereign Cloud.
And, of course, the announcement by AWS comes against the backdrop of the UK's Competition and Markets Authority (CMA) launching a formal investigation into alleged anti-competitive dominance of the country's £7.5 billion cloud services market, with AWS and Microsoft firmly in its sights. Given that one reason for the Sovereign Cloud is to make it easier for the public sector to adopt AWS as a provider, it's tempting to wonder how far this will be seen as a benefit by the CMA...