The focus on sovereignty has accelerated in the past years, largely due to the consequences of the COVID-19 pandemic, recent growing international tensions (notably the US-China economic warfare) and the resurgence of war in the Middle East and Ukraine. This situation has accelerated companies and government initiatives to secure supply chains, relocate strategic activities —especially in vital sectors like vaccines, chemicals, semiconductors, and batteries— and protect national interests against extraterritorial rules or decisions. This is prompting the regulation of technologies such as cloud and data, which are at the heart of the digital economy.
In particular, Europe is at the forefront of these challenges and has taken a number of measures in recent years to strengthen the data protection and safeguard its most sensitive industrial sectors. Most notably —
- General Data Protection Regulation (GDPR)
- Network and Information Security (NIS 2) Directive
- Digital Market Act
- Digital Services Act
- Digital Operational Resilience Act
- European Data Act
- European Cyber Resilience Act
- European Data Governance Act
- European AI Act
- European Cybersecurity Certification Scheme for Cloud Services
Considering all these dynamics, here are the four key trends in digital sovereignty that we are keenly anticipating in 2024:
- Continuation of the move to public Cloud with US hyperscalers
While the move to cloud remains a primary focus for many companies, the ongoing advancements in AI and generative AI technologies are paving the way for transformative use cases across industries, accelerating the digitalization of business processes in the cloud. Many customers are already starting to adopt these technologies at a large scale and we expect the industrialization phase to occur in 2024-2025.
Most of our customers are quickly approaching a high level of cloud maturity, have a FinOps governance in place, as well as several landing zones. Some complying with their security policies. They are now in the process of specializing those landing zone and adapting security controls to the business needs and data sensitivity to increase adoption. Apart from sovereignty considerations, they are increasingly considering multi-cloud approach by default to improve resilience of their business and secure their on-premises systems.
Of course, digital resiliency extends beyond cloud. It is not only about protecting the business but also about creating an organization that can thrive when disruptive events occur – an antifragile organization.
- Control of the Edge to Cloud Continuum becomes the baseline
Most customers, especially those operating in sensitive markets, such as banking, insurance, energy, healthcare, and the public sector, want to ensure that their data remains under their control while consuming public cloud services. The Controlled Edge to Cloud concept allows them to raise the sovereignty level from the edge to the public cloud. It can be defined as a configurable and modular service offering that can be adapted to specific customer requirements and use cases. With the Controlled Edge to Cloud, users have the ability to exercise control over their own data by invoking measures to satisfy the requirements which apply in their specific context. This implies the full spectrum of cybersecurity products and services in combination with hyperscalers native services including encryption solution (HSM/KMS), Identity and Access management (IAM), Application security, vulnerability management, and behavior monitoring.
Eviden is a trusted third-party operator of the controlled Edge to Cloud, guaranteeing compliance to the various models and associated labels, leveraging its OneCloud Program, its cloud, data and cybersecurity integration and managed services capabilities, cyber security product portfolio, Edge and Bare Metal servers.
- Increased adoption of trusted cloud complying with existing or in development regulations
Customers who are exposed to the regulations described above need to get access to compliant and innovative cloud services (privacy by design / security by design) to accelerate their business transformation.
It is still relevant to view sovereign cloud solutions as a spectrum across several planes of influence: the geographical plane, operational plane, jurisdictional plane, technological plane and data plane. Each of these characteristics will have differing levels of significance depending on the specific use-case and customer industry in question.
- 1. Geographical plane is where physical infrastructure is located, information is stored and processed, and operational support is delivered from.
- Operational plane is defined as the degree of visibility and control that users have over operations (people and processes), including resulting operational data.
- Jurisdictional plane outlines the laws, regulations, standards and constraints that are applied by the industries, nations or regions involved.
- Technological plane encompasses the origins and specifications of technology used such as hardware, software, networks, and information exchange interfaces, and their independence in terms of portability, source code (Opensource), security, interoperability and future roadmap developments.
- Data plane refers to the degree of control of the data over encryption, security and identity controls and third party access to data.
The development of offerings addressing those five dimensions will enable the development of first open and independent data platforms and data spaces. Over the past months, several announcements such as the AWS European Sovereign Cloud, Oracle EU Sovereign Cloud, Numspot creation, and SecNumCloud compliant Clouds in France – version 2.1 …) have been made. Not only do these enrich the available solutions, but also aim at getting closer to what hyperscalers are offering, thereby driving further adoption. Those platforms do not have the required level of scalability yet, neither they have the depth of service catalog to compete with hyperscalers. Technology dependency will also remain a constraint, particularly for the hardware part. Nevertheless, the launch of programs like SIMPL which aims to create a secure, trustworthy platform for sharing data, and supporting cloud-to-edge federations and Common European Data Spaces will help accelerate the rise in maturity of sovereign solutions.
- Emergence of first industrial dataspaces complying with GAIA-X requirements
In the past several months and from many places in the world, we can observe that a digitally enabled business ecosystem is depicted as the new horizon for businesses. Many initiatives of businesses from the same industry are organizing themselves in so-called “data spaces” to explore business opportunities that could emerge from sharing data inside their ecosystem. Under the GAIA-X umbrella, these businesses aim at developing a competitive, secure and trustworthy framework where data and services can be made available, collated and shared in an environment of trust. Energy, health, space, agriculture, tourism, finance dataspaces are some of these industries where first services are made available through projects like Catena-X, Eona-X, Factory-X or Omega-X. The SIMPL project will bring the foundation to enable more services in the coming years.
We are convinced that current trends in sovereignty and multi-cloud will continue and expand to most geographies. Growing international tensions, the return of warfare in Europe, disturbances to global supply chains, and the push to digitize health have all served to catalyze this change. This context has accelerated government initiatives that attempt to protect national interests against extraterritorial rules or decisions while still enabling data transfer and sharing. This is resulting in the regulation of digital ecosystems which are now at the heart of most areas of the economy.
Being aware of these leading trends can help you stay ahead of the curve, gain the first-mover advantage and embrace sovereignty and multi-cloud for an added advantage.