The Path to a Fully Managed Public Cloud
More and more companies are considering moving services to the cloud. In most cases, this refers to a public cloud.
A public cloud is a cloud computing environment operated by an external provider and accessible via the public internet. In contrast, a private cloud is an environment operated exclusively for a single organization—either in its own data center or at a dedicated provider’s facility. When a combination of private and public clouds is used, it is referred to as a hybrid cloud.
For companies in the German financial sector, selecting a cloud provider presents unique challenges. These stem primarily from strict regulatory requirements, high security standards, and the complexity of existing IT infrastructures. Here are the key points:
- Data Protection & Law (Germany/EU): Data Processing Agreement, GDPR, BDSG, EU Code of Conduct, international data transfers
- U.S. Law & CLOUD Act: U.S. access to EU data, conflicts with the GDPR and DORA
- DORA (Digital Operational Resilience Act): The governing regulatory framework for cloud usage in the financial sector. Outsourcing does not transfer responsibility; the financial institution remains fully accountable for the outsourced service.
In addition to regulatory and technical requirements, there are other aspects to consider when migrating to the public cloud.
The effort involved in migration is often underestimated. A full migration can take years and incur very high financial costs, as the migration phase typically involves duplicate costs for both the existing and future operating environments.
Public cloud migration also requires significant knowledge development, which entails correspondingly high investments.
Employees should be offered career prospects as part of the migration, since roles may change or disappear entirely in a new operating model. This strengthens employee motivation to actively contribute to a successful migration.
When considering the public cloud as a target model, certain technological characteristics and limitations must still be taken into account. Here are a few examples:
A public cloud does not guarantee 100% availability, as demonstrated by the AWS outage on October 20, 2025.
The scope of services offered by providers is often similar but not identical. At a high level, for example, Azure Blob Storage and Amazon S3 appear equivalent, but on closer inspection significant differences emerge in APIs, consistency guarantees, access control models, and pricing.
From a technological perspective, it is also important to note that in your own data center, you can use any version of products and components available on the market. In the public cloud, however, you are limited to the offerings of the provider.
Finally, a detailed analysis is required to determine which providers to rely on and to what extent. For example, in the spring of 2025, Microsoft-hosted email accounts of International Criminal Court staff were suspended as a consequence of U.S. sanctions.
Recommended approach for financial institutions:
- Develop a risk-based cloud strategy
- Define internal policies and processes in accordance with regulatory requirements
- Carefully evaluate cloud providers (e.g., legal framework, certifications, location, exit options)
- Include audit rights and security guarantees in contracts
- Establish continuous monitoring and audits
- Ensure DORA compliance
Sovereign Cloud
The term “sovereign cloud” refers to a cloud infrastructure specifically designed to meet the legal, security, and operational requirements of a particular country or economic area. The goal is to preserve digital sovereignty—that is, to maintain control over data, systems, and processes, particularly with respect to foreign jurisdictions.
Characteristics of a sovereign cloud in the EU:
- European ownership and jurisdiction
- Data residency exclusively within the EU
- Data is subject to the laws of the country in which it is collected or stored
- No access by foreign authorities or providers (e.g., under the U.S. CLOUD Act)
- Compliance with local regulations such as GDPR, IT-SiG 2.0, NIS2, DORA, etc.
- Avoidance of vendor lock-in and control over the technologies used
- Options for self-managed keys
These cloud models are particularly relevant for:
- Public sector
- Critical infrastructure (healthcare, energy, finance)
- Companies with stringent data protection requirements.
The European Commission’s Cloud Sovereignty Framework describes the Sovereignty Effectiveness Assurance Level (SEAL) assessment system, which the EU uses to measure how sovereign a cloud service truly is.
The model has five levels that reflect the degree of sovereignty:
- SEAL-0: No sovereignty. Services, technology, and operations are fully controlled by non-EU providers that are legally based outside the EU.
- SEAL-1: Legal sovereignty. EU law applies, but external oversight is possible.
- SEAL-2: Data sovereignty. Applicable and enforceable EU law, although significant dependencies on non-EU actors remain.
- SEAL-3: Digital resilience. Applicable and enforceable EU law, with EU actors having significant but not complete influence.
- SEAL-4: Full digital sovereignty. Technology and operations under full EU control, subject exclusively to EU law, with no critical dependencies on non-EU actors.
Currently, there is no SEAL-4 cloud. Not even a company's own data center meets SEAL-4, because a significant portion of its hardware and software almost certainly comes from U.S. companies, and even much of the open-source software it runs is maintained and patched by U.S. companies.
A U.S. hyperscaler with an EU region can in practice reach no higher than SEAL-1 or SEAL-2, because the operator remains subject to U.S. law such as the CLOUD Act regardless of where the data center stands.
“Perfect sovereignty” therefore does not currently exist.
The following key questions can help address this situation:
- What data should have what level of control?
- What budget and personnel can be allocated?
- Which services should be operated in-house in the cloud, and where can we rely on off-the-shelf services from the service provider? What consequences might this have?
- Is it beneficial to use multiple public cloud providers?
Non-European providers offering sovereign cloud services for Germany
Major U.S. hyperscalers have responded to the requirements in Europe and are offering specific sovereign cloud solutions.
Microsoft – Sovereign Azure
- Sovereign Private Cloud: Data processing is entirely under the customer’s control; physical separation from the internet and other external networks is also possible.
- Microsoft 365 Local: On-premises deployment of Office services such as Exchange and SharePoint.
- Collaboration with local partners in Germany.
- Goal: No access to customer data by Microsoft itself.
Amazon Web Services (AWS)
- AWS offers data centers in Germany and is working on sovereign cloud models.
- These are not yet fully “sovereign” as defined by the EU, but are increasingly being adapted to meet European requirements.
- The focus is on GDPR compliance and data residency.
Google Cloud
- Google also offers services with data residency in Germany.
- Partnerships with local companies to enhance data sovereignty.
- Sovereign controls and encryption technologies to minimize access by Google itself.
These providers are responding to criticism of the U.S. CLOUD Act, which allows U.S. authorities to compel U.S. companies to hand over data they hold, regardless of where in the world it is stored. Technical and legal measures to safeguard sovereignty are therefore crucial and must be carefully evaluated: a control that exists only on paper, or whose keys the provider can still reach, does not remove the provider from the trust boundary.
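The one technical control this article names, self-managed keys, is worth making concrete. The following Go program is an added illustration, not code from the original article or from any of the providers discussed. It shows client-side envelope encryption: each object is encrypted under a fresh data key, that data key is wrapped under a key-encryption key (KEK) that the customer holds outside the provider, and the provider stores only ciphertext plus the wrapped key. The object name is bound as associated data so the provider cannot silently swap blobs between names. The KEK, object name and payload are constructed for the example; in production the KEK would live in an HSM or external key store under the customer's control, which is the assumption that makes the "no access by the provider itself" claim meaningful.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is everything the provider gets to keep: ciphertext and a data
// key that is itself encrypted under the customer's KEK. Nothing in here can be
// turned back into plaintext without the KEK, which never leaves the customer.
type StoredObject struct {
	Name       string
	DEKNonce   []byte // nonce used when wrapping the DEK
	WrappedDEK []byte // AES-GCM(KEK, DEK), bound to Name via AAD
	Nonce      []byte // nonce used for the object payload
	Ciphertext []byte // AES-GCM(DEK, plaintext), bound to Name via AAD
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with a fresh random nonce and returns nonce and ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, []byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// unseal authenticates and decrypts; any change to key, nonce, ciphertext or AAD fails.
func unseal(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, aad)
}

// Encrypt runs on the customer side before upload. kek is a 32-byte AES-256 key
// the customer holds outside the provider (assumed here: an HSM or external KMS).
func Encrypt(kek []byte, name string, plaintext []byte) (*StoredObject, error) {
	if len(kek) != 32 {
		return nil, errors.New("kek must be 32 bytes (AES-256)")
	}
	dek := make([]byte, 32) // one data key per object, never reused
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(name) // bind payload and wrapped key to the object name
	nonce, ct, err := seal(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	dekNonce, wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &StoredObject{Name: name, DEKNonce: dekNonce, WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK and then opens the payload. A wrong KEK,
// a tampered blob, or a blob the provider renamed all fail authentication here.
func Decrypt(kek []byte, obj *StoredObject) ([]byte, error) {
	aad := []byte(obj.Name)
	dek, err := unseal(kek, obj.DEKNonce, obj.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, obj.Nonce, obj.Ciphertext, aad)
}

func main() {
	kek := make([]byte, 32) // constructed for the example; in production from the customer's HSM/KMS
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	// constructed sample record; the IBAN is the standard example IBAN
	obj, err := Encrypt(kek, "ledger/2025-q3.csv", []byte("IBAN;amount\nDE89370400440532013000;42.00"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, obj)
	fmt.Printf("customer decrypts with KEK: %q err=%v\n", pt, err)
	wrongKEK := make([]byte, 32)
	_, err = Decrypt(wrongKEK, obj)
	fmt.Printf("provider without KEK: err=%v\n", err)
}
```

The design point is where the KEK lives. If the KEK is stored in the provider's own key management service, the provider can still be compelled to use it, and the scheme above only protects against a storage-layer breach. Only a KEK that the provider cannot reach, held in an HSM or external key store operated by the customer or an EU entity, turns "no access by the provider" from a contractual promise into a technical property. The price is operational: losing the KEK loses every object wrapped under it, so key backup and rotation must be designed before the first upload.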
Despite these measures, a dependency remains in the software that runs the platform. If the U.S. company stops providing updates for the data center in Germany, operational and security problems there will follow quickly.
European providers with sovereign cloud offerings
In the meantime, a number of competitive providers have emerged in Europe.
With STACKIT, the Schwarz Group has developed a hyperscaler that is 100% German-owned and operates data centers exclusively in Germany. Its focus is on public administration, critical infrastructure (KRITIS), and large industrial companies.
Other features include:
- Full legal and operational autonomy
- Focus on enterprise and critical infrastructure
- GDPR, NIS2, and BSI C5 compliant
- Modern IaaS/PaaS services (Kubernetes, object storage, DBaaS)
- Architecture based on open, global industry standards
OVHcloud, a major European cloud provider based in France, is a member of Gaia-X.
Other features include:
- Data centers located throughout the EU
- No U.S. subsidiary, and therefore no exposure to the U.S. CLOUD Act
- Good IaaS/PaaS coverage
With Open Telekom Cloud, Deutsche Telekom operates a cloud platform that is deeply rooted in the public sector.
Other features include:
- Operated exclusively by EU staff
- German and EU data centers
- BSI C5, ISO 27001, GDPR
- Hybrid and multi-cloud strategies available
- Combination of sovereignty and corporate stability
Conclusion
This article is not intended to discourage the use of a public cloud, but rather to raise awareness. Companies handling sensitive data use public cloud services, and there are now reputable independent service providers in Germany as well. We would be happy to assist you in selecting suitable providers and guiding you through your cloud journey.
About the Author
Andreas Dvorak works as a Senior Technical Analyst at Be – Shaping the Future and brings many years of experience in the operation, automation, and monitoring of on-premises and cloud environments.