Cloud Sovereignty: How Berlin and Paris Are Trying to Draw a European Line

Since then, the European Commission has pursued an ambitious digital agenda that combines security, economic performance and independence into a single line of action. The aim is a technical infrastructure that allows global competition while remaining subject to the European legal framework.
The Covid-19 pandemic accelerated the process. Many states realised how vulnerable supply chains and administrative processes are when key infrastructures are dominated by non-European providers. The open letter from the heads of government of Germany, Denmark, Estonia and Finland in 2021, calling for Europe to become digitally sovereign, underscored this concern. They demanded digital services developed within the European Union, robust data spaces, a modernisation of public administration and open markets without losing operational capability. This vision forms the strategic background against which Germany and France are conducting their current dialogue.

German Perspective and Developments

The discussion about digital self-determination is rooted in the recognition of how dependent German administrations and companies are on global platforms. A sober view of these dependencies shaped the discourse in Berlin. Claudia Plattner, President of the Federal Office for Information Security, describes digital sovereignty as “freedom of decision” and makes it clear that European products must compete with international solutions. At the same time, she calls for securing foreign technologies so that “data remain sovereign.”
When the federal office presented its cooperation with Amazon for a European cloud solution, she declared she was “very pleased” to “constructively accompany” the development of a sovereign cloud, because this commitment strengthens European security. The then Minister of the Interior, Horst Seehofer, indicated that the government intended “to reduce dependence on individual IT providers” and added that it was examining alternative programmes to replace proprietary standard software. The legal scholar Dennis Kenji Kipker, scientific director of an institute for cyber intelligence, warned that “regional instead of global has become the credo of our decade” and called for regaining lost digital sovereignty to prevent European business and IT from becoming blackmailable.
Such positions reflect a German line that relies on technical controls, strict access concepts, cryptographic key management and audit-secure processes. At the same time, a survey by the security provider Myra shows that more than eighty percent of respondents want European solutions for critical infrastructures, although only a quarter actually use European cloud offerings (https://www.myrasecurity.com/de/news/myra-security-studie-zum-stand-der-digitalen-souveraenitaet). Two thirds of respondents would switch if performance and security were comparable. The discrepancy between aspiration and practice highlights the challenges companies and authorities face when moving away from established US providers.

French Approach and Debate

France pursues a restrictive interpretation of sovereignty based on legal independence and clear separation from non-European jurisdictions. “La souveraineté numérique de l’Europe est intimement liée à sa capacité à maîtriser ses dépendances sur le marché du cloud,” says Bernard Duverneuil, former president of Cigref and a leading voice of French IT users. He anchors sovereignty in manageable dependencies and in a demand-driven user policy. The national cybersecurity agency ANSSI certifies with SecNumCloud only those offerings in which management and data remain entirely under European control. Bruno Le Maire, French Minister of the Economy, stated at the presentation of GAIA-X: “We are not China, we are not the United States – we are European countries with our own values.” He has positioned Paris for years as a driving force behind a strict sovereignty doctrine.
MP Philippe Latombe warned that Berlin was diluting the sovereign course, saying a dependency on Russian gas was being traded for a dependency on American digital companies. He doubted the sovereignty of American clouds and argued that the AWS Cloud could not be sovereign because it falls under American law.
Agnès Pannier-Runacher, former Minister of Industry and Energy, compared reliance on US services to a “soft drug” whose use becomes addictive. Josep Borrell (since 2019 EU Representative for Foreign Affairs and Security Policy) and Thierry Breton (EU Commissioner for the Internal Market and Industry from 2019 to 2024) stated that the era of a “conciliatory, if not naive” attitude was over and emphasised the need for Europe’s own technological capacities. Lise Fuhr (Director General of the European Telecommunications Network Operators Association, ETNO, since 2016) called for moderation and stressed that digital leadership must not slip into an us-versus-them dynamic. The French discourse thus oscillates between isolation and close cooperation with partners.

Convergence and Joint Projects

After years of disagreement, Berlin and Paris are seeking understanding. The two governments presented a joint economic programme in late summer 2025 and announced a summit on digital sovereignty for November. The partners’ agenda includes jointly securing highly sensitive data, openly discussing extraterritorial laws such as the US Cloud Act, and harmonising their security certifications. Another focus is the alignment of digital work environments, where France’s “Suite numérique” and Germany’s “openDesk” in the public sector are expected to converge. At a higher level, both states plan to present the European Commission with a joint position on the reform of legal frameworks for artificial intelligence, cybersecurity and the data economy.
In addition, Paris and Berlin agree to invest jointly in research and industry. The plan foresees coordinated projects in artificial intelligence, quantum computing and space infrastructure. The cooperation is intended not only to close technological gaps but also to signal that Europe wants to develop its key technologies jointly instead of sourcing them from third countries. The merging of public software platforms, such as for e-government solutions, is also on the agenda. The goal is to facilitate cross-border administrative processes through shared tools and interfaces and to launch a European usage offensive.
This new dynamic builds on earlier demands. In March 2021, Angela Merkel, Mette Frederiksen, Kaja Kallas and Sanna Marin wrote an open letter calling for Europe to become digitally sovereign, stating: “Now is the time for Europe to become digitally sovereign.” They demanded a genuine digital single market, stable infrastructure and consistent administrative modernisation. What was then an initiative is now becoming more concrete. The planned summit will create a forum where governments, companies and researchers can present projects and pool investments. The hope is that a coordinated Franco-German approach will pave the way for a European digital policy and offer smaller member states guidance.

SAP and Industry as Catalysts

The market is driving change. SAP, as a heavyweight in the European software industry, has sharpened its strategy. The company is cooperating with Amazon Web Services and plans to provide its “Sovereign Cloud” on the European AWS infrastructure. David Brown, Vice President for Compute and Machine Learning at AWS, expressed his satisfaction with the outlook and emphasised that the SAP Sovereign Cloud features would be available on the European AWS Cloud; this offering would give organisations more options for meeting their sovereignty requirements while enabling the use of cutting-edge cloud technologies. Thomas Saueressig, the board member responsible for Customer Services and Delivery, stated that the expanded portfolio would enable companies across industries to harness the “full power of cloud innovation and AI,” and predicted that Europe’s leadership in the next era would depend on how effectively artificial intelligence is used in industry-specific scenarios. Martin Merz, President of the SAP Sovereign Cloud division, underscored the link between availability and security, stressing that Europe’s digital resilience depends on sovereignty that is secure, scalable and future-ready.
The technical foundation of this initiative includes data centres in Europe, a clear separation between operational and control layers, encryption keys managed within Europe and the use of European AI models. In France, SAP is building a dedicated platform with Bleu, a joint venture between Orange and Capgemini, and in Germany the company works with Delos Cloud, a joint venture between Google and Deutsche Telekom. In addition to these cooperations, German providers such as T-Systems are investing in their own “Sovereign Cloud” offerings. The variety reflects a pragmatic course in which European values are linked to global infrastructure. It shows how the market seeks a balanced relationship between autonomy and competitiveness. Business is thus setting impulses to which governments must respond.

Regulatory Landscape and Political Dynamics

This rapprochement is taking place in a dense regulatory environment. The European Cybersecurity Act forms the basis for the planned EUCS certification scheme, which is intended to define levels of security and sovereignty for cloud services in several tiers. France insists that only providers completely immune to non-European legal access should be able to reach the highest tier. Germany favours a modular solution in which technical and organisational measures are decisive and legal immunity is desirable but not mandatory. Industry associations demand planning certainty and want to know whether they will need to deal with the US Cloud Act and the FISA Court or whether national contracts, encryption and key management will be considered sufficient protective mechanisms.
Borrell and Breton recalled that Europe’s regulatory strength alone is insufficient to achieve digital independence, reiterating that “the time of a conciliatory, if not naive attitude” is over. French parliamentarians such as Latombe argue that without legal immunity there can be no true autonomy. German representatives point to the reality of global markets and argue that verifiable technical controls and European operational models are the practical answer.
The November meeting at which member states aim to decide on the EUCS scheme will thus become a test of these positions. At the same time, additional regulatory frameworks apply, including the new NIS2 directive, the Data Governance Act and the forthcoming AI regulation, which are intended to shape Europe into a “human-centric” data space. At national level, Germany can rely on the C5 catalogue and France on SecNumCloud. Both could be integrated into the EUCS. The outcome of this debate will determine how international providers may operate and how strict national requirements will be in the future.

Technical Dimensions of Sovereignty

The call for sovereignty stems from concrete technical requirements. Sovereign platforms must strictly separate physical, administrative and data layers. Administrative access must be multifactor and auditable. Key management must remain in the hands of customers or European trustees. Data residency must cover the storage of content, metadata and log data within the European legal area. Support and maintenance may not leave this area. These requirements form the basis for certifications such as SecNumCloud in France, the C5 criteria in Germany and the emerging EUCS scheme.
Standards alone are not enough. Projects such as GAIA-X, Euro-Stack or the Deutschland-Stack are working on federated architectures with open interfaces that aim to combine performance, portability and autonomy. Their concepts are based on open programming interfaces, federated identity management and the ability to move data and workloads without proprietary lock-ins. At the same time, cloud technology remains globally interconnected. Container orchestration, DevSecOps practices and AI services often arise through transatlantic cooperation. The challenge lies in reconciling European requirements — from data sovereignty to reversibility — with this flow of innovation.
Technical sovereignty concerns not only cloud platforms but also the underlying hardware layers and data spaces. With the European Processor Initiative, the Union is investing in its own processor architectures based on open instruction sets such as RISC-V, intended for supercomputers and edge devices. The EuroHPC programme is building a fleet of supercomputers to advance artificial intelligence, weather models and materials science in Europe. Europe-developed chips and networks are being used there for the first time. “Without chips, no digital transition, no green transition, no technological leadership,” Thierry Breton stated at the presentation of the Chips Act. This ties industrial policy to sovereignty and supports the call for European manufacturing depth. In parallel, federated data spaces such as Catena-X in the automotive industry or Health-X in medicine are emerging, enabling trustworthy data exchange through uniform protocols and semantic standards. As part of eIDAS 2, the EU is also working on a European digital identity that citizens and companies can use across borders. These initiatives show that sovereignty requires an end-to-end architecture from hardware to virtual layers and identity management.
Lise Fuhr warns that claims to leadership must not slip into isolation. Openness to international partners remains a core principle, and the goal is a balanced ecosystem in which European providers can flourish and international actors comply with European rules. Technical sovereignty therefore does not mean isolation but the creation of robust infrastructures that can compete globally while complying with European legal norms.

Societal Resonance and Market Movements

The debate is no longer limited to ministries and boardrooms. In Berlin, the non-profit organisation Topio is running a project that helps people free their smartphones and laptops from major US platforms. Its founder, Michael Wirths, explains: “It’s about the concentration of power among US companies” and says that not only tech-savvy visitors come today, but increasingly “politically alert people who feel exposed.”
Christian Kroll, founder of the environmentally friendly search engine Ecosia, takes a pragmatic view of this development, saying: “The worse it gets, the better it is for us,” because demand for local services is increasing. The British internet regulator Maria Farrell reports that more and more people who had never previously thought about data protection are asking themselves whether they still want to use American services. At the same time, US activist Bill Budington of the Electronic Frontier Foundation warns that it is almost impossible to completely detach from US technologies, because essential services such as push notifications and content delivery are still provided by American companies. Technologist Robin Berjon, deputy director of the IPFS Foundation, concludes that the market is “too tightly captured” and that without regulation there will be no real alternative. Voices from civil society and the business environment show how broadly the demand for digital sovereignty is now anchored and how complex the path to real alternatives remains.

Outlook

The coming months will reveal whether Berlin and Paris can create a viable synthesis. A Franco-German agreement on a model that combines strict data protection and legal requirements with flexible technical solutions could become a blueprint for the entire EU. Without such a consensus, a patchwork of national rules and certifications threatens to emerge, slowing investment and creating new dependencies. At the same time, SAP’s repositioning shows that industry is ready to combine European values with global infrastructure. Claudia Plattner reminds us of the need to preserve decision-making scope and use international technology securely.
Further questions loom on the horizon. How can an AI infrastructure be designed that is trained in Europe and reflects European languages? How can European semiconductor production be expanded so that critical components are not sourced exclusively from Asia? And how can small and medium-sized enterprises benefit from sovereign services without jeopardising their competitiveness? Such questions affect education and research policy as much as industrial policy. Universities and research centres are looking for ways to build expertise in semiconductor design, quantum computing and AI development. At the same time, vocational schools and training programmes are to develop IT professionals capable of managing cloud services and shaping data spaces.
The geopolitical context remains present. The debate over the American Cloud Act and the FISA Court shows how technological issues are intertwined with foreign policy. Washington views European sovereignty demands sceptically and warns against protectionism. At the same time, European negotiators such as Lise Fuhr urge not to close the doors. Meanwhile, China is building its own digital spheres and tempting European companies with investment programmes. In this multipolar environment, Berlin and Paris must find a course that balances openness and protection.
For users in industry, the question is how quickly they can integrate sovereign services without disrupting their operations. Studies from the SME sector show that a lack of resources and unclear guidelines slow implementation. Funding programmes and joint procurement models could provide relief. Attention therefore also turns to the European Investment Bank and the planned Sovereignty Fund, which finances research and infrastructure.
Such considerations make it clear that digital self-determination is not purely a technical project. It requires political leadership, economic investment, legal clarity and societal acceptance. Without a shared cultural vision, any technical solution will remain a torso. A Franco-German alliance is an important step, but it is only one of many building blocks on the road to a resilient European digital order.