Who controls your cloud now? Inside Europe’s shift to sovereign cloud
Cloud sovereignty is moving from buzzword to strategy. In this episode, Pinja and Stefan explore why Europe is pushing for more control and compliance in the cloud and what it means for DevOps and AI, Kubernetes, and vendor lock-in. You'll understand what organizations should consider for their cloud strategy.
[Stefan] (0:03 - 0:08)
It's the balance of meeting the market where it is and also pushing the industry forward.
[Pinja] (0:12 - 0:21)
Welcome to the DevOps Sauna, the podcast where we deep dive into the world of DevOps, platform engineering, security, and more as we explore the future of development.
[Stefan] (0:22 - 0:31)
Join us as we dive into the heart of DevOps, one story at a time. Whether you're a seasoned practitioner or only starting your DevOps journey, we're happy to welcome you into the DevOps Sauna.
[Pinja] (0:37 - 0:46)
Hello, and welcome back to the DevOps Sauna. I'm joined by, as per usual, my co-host, Stefan. How are you doing?
[Stefan] (0:46 - 0:53)
Hi, Pinja. All is good here. So what about you?
Did you get any snow in Finland yet? Like, we have the usual rain and foggy weather in Denmark.
[Pinja] (0:54 - 1:11)
Oh my god, no, no. Since I'm based in Helsinki, it is very gray, and it's going to be another 10-11 days before the day is going to start to get longer. So I'm looking forward to that.
Christmas prep is going, to be honest, regardless of the weather.
[Stefan] (1:11 - 1:17)
That's good. Still struggling with a few presents on my side, but I guess we need to find some wheels for Santa's sleigh this year.
[Pinja] (1:17 - 1:25)
It might be. So there's a Finnish song that insinuates that Santa is coming with a helicopter if he cannot take his sleigh.
[Stefan] (1:25 - 1:26)
That would be the best option in Denmark.
[Pinja] (1:27 - 1:29)
Pretty much in many countries, I would say.
[Stefan] (1:29 - 1:29)
Yeah.
[Pinja] (1:30 - 1:38)
So we hope that Christmas and the holidays are coming to your houses as well, and at the same time, we're going to talk about Sovereign Cloud today.
[Stefan] (1:39 - 1:39)
Exactly.
[Pinja] (1:40 - 2:05)
Sovereign Cloud is coming, so what do you do? What do you need to know? We try to build a package of information about what it is, who's going to benefit out of it, who's it mainly for, talk about the demands in different areas, different options, and maybe give a little bit of practical tips in the end on what does it mean actually for the organizations in practice that the Sovereign Cloud is coming.
[Stefan] (2:05 - 2:07)
And a slight sprinkle of origin as well.
[Pinja] (2:07 - 2:20)
Let's talk about that. So if we start from the origins, what is it? So this has been the offspring of the data sovereignty discussions, which has been highly driven by GDPR.
Isn't that so, Stefan?
[Stefan] (2:20 - 3:56)
Yeah. And the whole, there was this Schrems II, was it a lawsuit? I'm really bad at remembering these, but it took ages and ages and ages.
And when it is finalized, like, all right, you need to be in control of all of your data. Then it went into this whole discussion of sovereignty, like data sovereignty, operational sovereignty, legal and jurisdictional sovereignty. So it sounds very, how would you say, like lawyer speak when you say it like that, but pretty much it's like, where's your data, who can access and operate it, and under which law is it under?
And if we look under which law, it's probably one of the biggest discussions because you might have an EU company, all looks good, but when you look at where you're throwing all of your data and hosting your stuff, it's like, is it an EU entity or is it a US subsidiary? Because I think it's like 10, 15 years back, I was running a lot of stuff on AWS. It was hosted in, was it EU West or something like that.
But when our customers started reading into all of the clause and terms and everything, they could actually see in case of deep technical support, we might bring your data to the US, and that sort of spirals all of the legal and compliance departments far, far down a road of want to get guarantees and insurance that data is not ending up in the US. So you cannot be a big US company, have some sort of sovereignty in Europe, but still, if you're owned by a US company, you might end up in a different manner in these cases. So it's no real surprise, we're talking about the big four, AWS, Microsoft, Google, Oracle, there are more, but we're always talking about at least three of them.
It's not so often we talk about Oracle these days, but they're part of the gang.
[Pinja] (3:57 - 4:28)
We are. And now we can see the move away or the exit away from these big four companies. And because data is the currency of the 21st century, at least at the moment, it's not a small thing to talk about, where does the data end up in, basically, because flaws are, in fact, the way to go at the moment.
I think I even had a sticker on my laptop that said, friends don't let friends build data centers. That is true. I think it was from AWS or somebody.
[Stefan] (4:28 - 4:39)
You also had the sticker with the cloud as just someone else's computer, which is actually the reality. So yeah, it's in an EU cloud, but it's a server running somewhere, and that server might end up somewhere else.
[Pinja] (4:39 - 4:48)
Exactly. But when we think about the sovereign cloud offerings that these big four companies have, it is not something new, is it?
[Stefan] (4:48 - 5:44)
No, not really. They've been trying to push local regions, putting them under other ownership and so on. But in those cases, it might go well.
Do we really know? Have you seen any lawsuits? Have you seen any finalized court rulings around that?
Maybe not. The whole political landscape as well, that really forces a lot of push towards sovereign cloud as well, because it's no surprise to anyone that things in the US are a bit, what we call it, shaky these days, to be friendly. And a lot of people are looking across the pond like, we want to make sure that our data stays here forever in case something X, Y, and Z goes on and we can't all of a sudden reach our data, or it's all of a sudden owned by this government entity in the US or something like that.
We see all sorts of crazy rules running. So it's pretty much starting to protect the sovereignty of your company, making sure you actually own the data, as in own, own, own the data.
[Pinja] (5:44 - 6:29)
Yeah. And as I said, because data is the currency right now, and it is being traded, that's for sure. So in that sense, also the worry about where the data is going to end up is not a small thing to consider.
There are conversations ongoing about how to maybe schematize it at the EU level, and how to build policies around it. And there is this upcoming scheme called the EU Cloud Services Cybersecurity Certification Scheme, EUCS, between friends. It's been in preparation for a long time now.
But the problem right now is that they have not come to terms which model to use for this, because there are a couple of models, even within the EU, that could be utilized and reused for this. But a couple of different elements to think about here.
[Stefan] (6:29 - 8:44)
Yeah. If you go to Germany, everything in Germany is about transparency of what you're actually doing. So they have something called C5, which is an abbreviation of Cloud Computing Compliance Criteria Catalog, because everything within legal worlds have to have a long name.
So they focus a lot on transparency. But they do actually do something clever, because they base themselves off like ISO 27001 and other certifications like that. But they increase the specificity of it.
So you need to be like, X, Y, and Z needs to be in order and stuff like, you need to be in control with data. That's just like a broad term, but it turns more specific in their setting. The fun thing is, as a US vendor, you can actually get certified in Germany.
So you just need to be open and transparent about what you're doing. If we just go a bit further, we go to France, then the world is totally different. This is a technical legal focus.
So they call something SecNumCloud. It's probably pronounced in a completely different manner if you're from France. So it's very focused on shutting everything down.
You cannot achieve this by being a US vendor or anything. You have to be an entity in France to get this. But when the big vendors see that, they come up with clever tricks, of course.
So you have Microsoft. They really want to run something that's confined with SecNumCloud. So they have a company called Bleu, which they are running together with, or Capgemini and Orange are running it.
But it is essentially Microsoft. And the same goes for Google. They have Thales running something called S3NS.
So all of the big corporations, of course, see a lot of money running in this case, and they want to push into that. So it's a bit fun to see how it actually is going to end up, because the EU can't really decide if they want to focus on transparency, compliance, if it should be technical or legal entities. So it's probably going to end up in a tiered model.
So it's probably going to be a step from, let's say, the German model where you can document and everything is transparent. And at the highest level of the EU certification, you would be maybe something in the direction of the French, where there has to be legal entities in the country and so on. But as you said, they have not figured out how and when and so on.
So we both tried to find some dates when this would be in effect. There's nothing. There's no finalization or anything of that scheme.
[Pinja] (8:44 - 9:08)
No, it's an ongoing discussion. It's basically a split-brain scenario right now. And as you said, do we focus on technology?
Do we focus on compliance? Do we focus on transparency? Have you ever seen those charts where you have the kind of alignments on different areas?
The radar chart, right? So I guess it's not, building something that has all those elements in nice balance is not exactly achievable.
[Stefan] (9:09 - 10:09)
Yeah. And when you do legislation, you're not really known for being very specific either. So it's always like you should be in control of your data.
You should make sure you have no known vulnerabilities. All security policies are quite open. So when you want to go this direction, the French are probably pushing to get all of the technical details and everything.
And you can see the EU backing a bit away, like, oh, we don't want to be that specific because that puts a lot of companies out of question here because they cannot live up to this. So it's a balance of meeting the market where it is and also pushing the industry forward. And I'm happy I'm not writing those legislations or anything like that.
It's insanely hard. It's hard enough running a cloud, figuring out who actually runs this, what's the governance compliance. And then you start adding subcontractors to that story.
So just running a cloud in itself is crazy. Then all of a sudden you have external entities and laws and legislations you have to be in interaction with as well. And all of a sudden you have a legal department that is bigger than your operational department.
[Pinja] (10:09 - 10:48)
That's true. And in my previous life, I used to work for one of the Finnish ministries and I used to go to the Brussels negotiations for EU legislation. And it was not a very heated discussion, to be honest, but for especially one piece of legislation, things moved extremely slowly.
And during my tenure of a couple of years, it didn't move anywhere because of these things. That is not just that one company deciding to do something and they need to convince their stakeholders, but we're talking about actual countries here who are trying to drive, of course, their own agenda and trying to get things as best for their own organizations as possible. But it's not a simple thing.
[Stefan] (10:48 - 11:11)
No, it almost loops back to the future of software in Stockholm where we had the question, I was like, is legal stuff actually matching the world today? Because legal has a start and end and that's it. And everything is moving fast here.
So we need to be up to date with everything. So I'm not sure about our legal world and settings and EU and all of the governance, I'm not sure it really matches the real world, but here we are, we can't just run a revolution and change everything.
[Pinja] (11:12 - 12:08)
No, it's a setup where we're in, we have a framework in which we operate and it's, well, I'm not the expert to start and talk about whether we need regulation or not, as that's for different people on different platforms. But it's for sure that this is a sum of many things because we're not just talking about the data residency, we're talking about who's governing and who has the access to it, who actually is legally operating and governing it. So it's not just the companies here and it's not just about basically going, just going away from what you're used to.
And it doesn't mean that you're building your own cloud either, because we have companies that have been stalling going into cloud because of data residency and like lacking the sovereignty elements. So if we go to our next part of our discussion here, so who's it for? So what kind of companies, organizations might benefit the most out of this?
Because I know the very, maybe my initial reaction is to go for the regulated industries, for sure.
[Stefan] (12:09 - 13:36)
Yeah, they will probably ask for it in many cases, but we see that changing in some of the countries or maybe some countries are just lagging behind on the sovereignty curve or have everything under control with their legal and compliance setups way better. Like if we look at Denmark, we actually have banks moving to AWS at the moment and like they're not talking about cloud sovereignty. I have a customer in Finland that actually reached out and asked us to build a data center for them.
I was like, oh, we're not going to build a data center. We will happily find somebody who we can collaborate with on your data sovereignty journey, but we're not building a cloud for you. Like that would just be crazy for us to start off.
We're not buying hardware and spinning things in the basement, but it's so very different to see these countries. When we look at the German customers, they're sort of like trying to pull everything back, make sure it runs in Germany. Back in the days, I had a customer that, or particular customer, didn't want to engage with us because we were running things in AWS and that was seen as a competitor.
Well, you could always discuss that for a long, long time. In the end, they actually started building their own hosting center and it is actually available for everyone to use now. When we look at it, is it easy to use?
Absolutely not. Is it on feature parity with the big vendors? Absolutely not, but it probably fits their needs and their sub-organizations so they can actually run all of their organizations in one big data center and reap the benefits of scaling.
And then they can get some customers in to balance out the operational load so they can utilize as much hardware as possible. But building a new cloud on your own, good luck.
[Pinja] (13:37 - 14:01)
No, that's not what cloud sovereignty is all about necessarily, but to summarize the needs, perhaps, is that there are organizations that need and want to handle the data that is so sensitive or so strategic that it must remain under this control. We talked about legal, operational, political control, and it has to be under this one country or the region.
[Stefan] (14:01 - 14:18)
The defense might be a good one because they need to be in high, high, high control, like even more than all of the banks and healthcare. Like when they trade with the United Nations, NATO, different entities across Europe or the world, like they need to be so much in control with wherever anything is.
[Pinja] (14:18 - 14:19)
Yeah, exactly.
[Stefan] (14:19 - 14:20)
Interesting world.
[Pinja] (14:21 - 14:32)
It is, but there is a landscape of options right now. The amount of offerings is growing, the offerings are improving as well, and some of them are still kind of DIY-y, I would say.
[Stefan] (14:33 - 16:55)
Yeah, the German one I was talking about, like that is almost like bringing your own engineer to do this in practice because it's so hard to do. You get some sort of network, you get some sort of a server somewhere, you need to bring back old school skills of network engineers and everything, which you all of a sudden own to run this, which makes it fairly expensive for you because you're just so used to like click, click, click, and a few things is running in a cloud. Might not be the best option if you click a few things, like we all want to do GitOps and have a well-setup network and everything under control, but when you see the difference in what they actually offer in these sovereign cloud, especially here in Europe, I think I have a list of five or seven companies I look at every now and then, I can definitely see they're improving because there is a bigger ask, like they used to run servers as a service. I'm pretty sure everybody knows Hetzner in Germany these days. You could buy a server, it costs you nothing, you can run it forever, but if you start moving your Kubernetes workloads to different companies, you really want them to offer a managed Kubernetes because you don't want to be running Kubernetes.
Like my good old colleague says, every idiot can spin up Kubernetes, but running and operating it, that's a different story. And it still goes, it's not easy to run and operate the Kubernetes on day two, but if you could get that as a managed service where you actually take care of the upgrades and everything, so you can sort of be aware or put your worries into structuring everything, making sure your pipelines work well, so defer this into a shared ownership model. So they take care of some things, you take care of other things.
We are seeing people moving in that direction and it takes time. Like if we look at AWS, oh dear, when I joined AWS back in the days, it was so low level, like you needed to do everything on your own and the whole UI they had, it didn't really improve anything. It was just like, oh, it's the same UI as when they released this feature.
Then I saw an uptake like five, seven years ago, like they started to improve their portals because Microsoft Azure was pretty quick to say like, all right, you're getting a cloud, you're getting a kick-ass UI, that's how it is. And then Google followed along and you could all of a sudden see that AWS figured it out, all right, so people are still doing ClickOps. We should definitely cater for those, we should have a better UI for that.
And it's like, they've been running since 2002, of course, some things are dated. But if you've been running this for 23 years and you want to be a small competitor in Europe, you're in for a ride, like you need to show your muscles to be able to compete with them.
[Pinja] (16:55 - 17:10)
To me, what that also sounded like, the run through of these companies and all that is that it takes a while to build them to really, as you say, it is not just like, oh, you can just start right now and then start competing with the big ones and actually build something lasting.
[Stefan] (17:10 - 17:27)
Yeah, you have an offering in Finland and I think they've been in the market for like five, seven years and now they're sort of picking up, like the investment that goes into building a sovereign cloud is insane. And you need to have investors that are willing to lean back, wait it out, it's going to pay back at some point.
[Pinja] (17:27 - 17:28)
Yep, exactly.
[Stefan] (17:28 - 17:37)
So it's not this big startup world where everything just needs to get some decent revenue and you can sort of like move along. Oh no, this is a long-term strategic investment for you.
[Pinja] (17:37 - 17:54)
But you already mentioned a couple of things there. If we now start to talk about what it means for organizations in practice? And you mentioned the Kubernetes and the managed services, but for some, if you've already adopted cloud-native ways, it might be kind of easy.
Kubernetes is never easy, right?
[Stefan] (17:54 - 17:54)
No.
[Pinja] (17:54 - 17:58)
But is it a little bit easier to start from that premise?
[Stefan] (17:58 - 18:10)
It can remove some of the friction, like I've been working with a ton of legacy systems over the years. As soon as you mention legacy, you can just see people putting their hand on their head like, oh dear, do we need to touch this again?
[Pinja] (18:10 - 18:15)
So what does even cloud-native mean? Like what can even be cloud-native, right?
[Stefan] (18:15 - 20:06)
Yeah, like we get that question all of the time. Like me, cloud-native, because I'm hanging out with all of these like CNCF people, cloud-native, that is cloud-native to me. If you talk to other people, cloud-native would be running stuff in AWS with all of their offerings.
So if you run in AWS with all of their offerings, it's going to take some time to move to a different cloud. If you're running everything containerized, maybe serverless, already running with something like Knative to run your serverless workloads, it's going to be easier. I'm not going to say it's going to be easy because every migration story is not simple.
Everybody knows when you move to a different cloud, you do your access management completely over because it's just so different in all of the setups. So you need to take care of that. But if you're containerized, you can sort of like it easier to move your workloads.
But then you have the question, like, do I get a managed database? Well, it might not be an offering in this cloud. Then you need to find a different vendor that is running with the same sovereign cloud setup that can actually match in, and need to have a deal with them.
So if you have offerings that span between your cloud vendor and your data services, managed services vendor, who takes care of what? Is there collaboration? How do you do it?
What about traffic running in and out? Who pays for what? So there's so many questions in setting that up.
Like even just moving from, let's say, AWS to Google, that takes a lot of time. Moving to a vendor that is not on par with things that is going to take some time as well. But it will, in the end, if you move to the sovereign clouds, it will require that you have people that are sort of like deeper into the stack because there are many of the clouds not offering your same easy approach to everything.
So you need networking, Kubernetes, database admins, or something like that. If you're a big company, you probably already have it, but they need to know it in the specific setting. And then we can just throw in the curve ball of everything.
What do you do about your AI workloads? Can you even bring them?
[Pinja] (20:06 - 20:18)
Yeah. So how do you actually leverage the big tech companies that we've been talking about here? So are we really now building something that won't be on the same level with a cloud offering at the same time?
[Stefan] (20:20 - 22:10)
Maybe that's the best answer. When I talk to some of our colleagues that are way more skilled in AI than me, they're like, if you want anything good out of AI, you're not building your own AI setup. You leverage the big ones because the setup is bigger.
It could take more parameters, bigger context, everything. But if you really, really want out, then you need to start looking into where you can actually get GPU-enabled workloads? Can you even get GPUs at this sovereign cloud?
Also, you have to look into how you do it. Can you run things on a certain scale for decent money without breaking the bank? You might be able to run Mistral models.
I think Mistral came out with a new model this week that looks super interesting because they've sort of been hiding in a corner for a while and now they're popping up again. And I guess there's still a push towards Mistral because they are sort of like an open weight model. You can get fairly good insights into it.
And it's out of France, so we're in Europe. Because if you want to step out of the big vendors in the US, well, you have DeepSeek that is good. But do people want to move to China as well?
We're sitting here in the middle of everything and we don't really trust the US fully. We don't really trust the Chinese people either. It's really, really hard to do AI well if you don't want to lean into the bigger models.
But you can build everything and make sure you can plug your models. That's pretty much the big thing because the setup around it can be good. Everything is all right.
There are certain frameworks our colleagues would recommend. But being able to swap that model because you will be swapping a model in six months anyways because something new is coming or you might find something that is cheaper or good enough. But it's so hard.
You're not going to be calling Google like, hey, can I get a clone of Gemini 3 Pro? I want to run it locally. And when you see the benchmarks at the moment, that is one of the highest performing ones.
You're not going to get the same thing for sure if you don't want to run the cloud models.
[Pinja] (22:11 - 22:19)
And I guess one thing to take into consideration, maybe the last one to point out here, is that sovereign cloud might make your circles a little smaller.
[Stefan] (22:19 - 22:19)
Oh, yes.
[Pinja] (22:20 - 22:36)
And that sounds like if we really think about... Let's take an example of debugging and troubleshooting. If you want to find peers that are doing some sort of same thing as you are, you might be limited with your options with the use of sovereign cloud in your organization.
[Stefan] (22:37 - 23:51)
I did a small search on both Stack Overflow and Server Fault. Server Fault is the upside of Stack Overflow. If I search for a big vendor in France, OVHCloud, I don't find many responses on OVHCloud, which means I have to find other people who are running with OVH because it's probably some corner case somewhere or something that is not documented.
I know they run their own conference. That would probably be a higher priority to go to to make sure if you can actually find peers in the industry to solve your problems together with. You might have a good technical account manager at OVHCloud that can point you to the specific team that can actually assist you.
Even the big vendors give you direct access to product teams every now and then if you're a big enough customer. I've been in weekly meetings with our technical account manager with Google. And every time he was like, well, I'll just connect you with our product team.
And they can sort of like tell you X, Y, and Z. Like, you're connecting me directly with a product team? I thought Google was massive and it would take me like three months to get in.
Like, no, no, we can have a call next week. It's crazy sometimes. And I guess the smaller cloud vendors, it's a bit easier to get in and have a good chat with them.
Probably I have some, I guess they have some sort of professional services around it so they can actually give you some sort of decent response or go out and help you debug stuff as well. Because it is harder to find good friends when you're running these sovereign clouds.
[Pinja] (23:52 - 24:00)
That's true. And I think that's enough. We're going to end our conversation today.
So maybe the final note, sovereign cloud is coming. Timeline? Your guess is as good as ours.
[Stefan] (24:01 - 24:01)
Who knows?
[Pinja] (24:02 - 24:03)
We'll see.
[Stefan] (24:04 - 24:06)
Yeah. Very country dependent as well. Correct.
[Pinja] (24:07 - 24:10)
Country dependent. But thank you, Stefan, for joining me in this conversation.
[Stefan] (24:10 - 24:13)
Thank you, Pinja. It was a pleasure as always.
[Pinja] (24:13 - 24:23)
Yes. Thank you everybody for joining us and we'll see you next time in the DevOps Sauna. We'll now tell you a little bit about who we are.
[Stefan] (24:23 - 24:28)
I'm Stefan Poulsen. I work as a solution architect with focus on DevOps, platform engineering, and AI.
[Pinja] (24:28 - 24:33)
I'm Pinja Kujala. I specialize in agile and portfolio management topics at Eficode.
[Stefan] (24:33 - 24:35)
Thanks for tuning in. We'll catch you next time.
[Pinja] (24:36 - 24:44)
And remember, if you like what you hear, please like, rate, and subscribe on your favorite podcast platform. It means the world to us.