Oracle announces sovereign cloud regions for the EU

In a bid to support customers that are facing increasingly complex data protection regulations, as well as limitations and hurdles when it comes to international data transfers, Oracle has announced new sovereign cloud regions for its customers across the European Union. 

The dedicated Oracle Cloud Infrastructure (OCI) regions will be available for customers across the EU in 2023 and will be available to both private companies and public sector organizations. Customers that have data and applications that are sensitive, regulatory or are of strategic regional importance will now, with Oracle’s EU sovereign cloud, be able to have operations and customer support restricted to EU territories. 

Oracle said that these sovereign cloud regions are designed to enable customers to “demonstrate alignment with relevant EU regulations and guidance”. 

The cloud vendor has also said that it plans to migrate customers using Oracle Fusion apps within the existing EU Restricted Access cloud service to the new OCI sovereign cloud regions. 

In a blog post, Scott Twaddle, VP of Oracle Cloud Infrastructure Product and Industries, said: 

Our customers tell us they want the benefits of cloud but have requirements for where data is located, the regulations they must meet, and the personnel operating the underlying infrastructure. OCI is an established leader in building cloud regions for customers who require the highest levels of security and have regulated workloads. 

We operate government regions in the UK and North America and have deployed our industry’s first OCI Dedicated Region, serving customers that include highly-regulated companies and governments around the globe. To better serve our European customers, Oracle has built on this experience and plans to launch new sovereign cloud regions for the European Union in 2023.

These new sovereign cloud regions will operate under a comprehensive set of policies and governance that further enhance OCI’s existing capabilities for data residency, security, privacy, and compliance. These additional policies will establish a framework for data and operational sovereignty, including how customer data is stored and accessed, and how government requests for data are handled.

The first two sovereign cloud regions for the EU will be located in Germany and Spain. The sovereign cloud regions will be logically and physically separate from the existing public OCI regions in the EU (of which there are six: in Amsterdam, Frankfurt, Paris, Marseille, Milan and Stockholm). 

An increasingly complex environment

Oracle’s move to offer a sovereign cloud to EU customers comes within the context of more stringent data protection regulations (GDPR and beyond), as well as restrictions on data protection transfers following the CJEU Schrems II ruling. 

Whilst the ill-advised Privacy Shield framework had allowed for transatlantic data transfers to take place, since the CJEU Schrems II ruling shot it down, organizations have had to rely on alternative mechanisms until a long-term replacement is sought. 

Clearly, it’s becoming increasingly important for organizations to have more control and transparency over where their data is stored and processed. Regis Louis, Vice President of Oracle Cloud Infrastructure for EMEA, told diginomica: 

As cloud usage continues to grow at double-digit rates, there is an increasing interest in protection of sensitive data in public clouds that span national borders and jurisdictions. Countries and jurisdictions are requiring more control over data within their borders, and organizations are asking their global cloud providers for more transparency and control over how and where their data is stored, handled, and secured. This is especially true in the EU where we are seeing EU regulation being formalized across the 27 EU countries.

Oracle EU Sovereign Cloud is designed for compliance with the laws and general practices of the EU (and not individual countries) to help customers comply with EU regulation across all 27 EU countries.

EU Oracle Sovereign Cloud will help EU customers to align with key relevant regulations such as GDPR, including data transfer restrictions following the CJEU Schrems II ruling, and related guidance from EU privacy authorities.

It will be available to any company (public or private sector) who requires compliance with such regulations, wherever they are located.

Oracle has said that the new sovereign cloud regions for the EU will offer all of the 100+ OCI services available in Oracle’s existing public cloud regions, as well as the European Union Restricted Access application services. Pricing for OCI services will also remain the same, with the same levels of support and SLAs. 

Offering support for the announcement, Jarkko Levasma, Government CIO and Director General of Ministry of Finance of Finland, said: 

Having cloud services with data centers that are located in the EU, and operated, updated and supported by EU residents, while maintaining isolation from non-EU cloud regions is an important part of our Cloud adoption. This will open up possibilities to adopt Infrastructure, Platform and Software as a service in Finland for the government.

My take

The rhetoric from cloud vendors early on in the advent of cloud infrastructure was essentially either ‘trust us’, or the onus was placed on customers to know where their data is at all times, without providing transparent mechanisms in order to make that possible. However, as governments around the world put in place stricter data protection regulations, and as it becomes harder to predict how international data flows will go, buyers will likely be looking for solutions that make it easier to understand where their data is. These points are no longer trivial and data location is likely to be a key influencing factor when making a decision between different cloud providers.