New Dimensions of Digital Sovereignty in European Cloud Sector

In a recent development, Amazon Web Services (AWS) has made an announcement regarding the establishment of an independent cloud for Europe, highlighting the increasing divergence between Paris and Berlin on digital sovereignty in the cloud sector. This move by AWS is part of a larger trend where American hyperscalers, such as Microsoft and Oracle, are addressing the concerns of EU countries seeking to keep their data within Europe’s borders.

AWS has received endorsement from the German Federal Office for Information Security (BSI) for its European Sovereign Cloud, which has raised concerns among French lawmakers. The French centrist MP Philippe Latombe expressed worry that Germany’s support for AWS could potentially exert pressure against France’s highest cloud security certification, known as SecNumCloud.

According to AWS, their European sovereign cloud ensures security by implementing technical building blocks and security features that allow customers to enforce access restrictions, ensuring that only authorized individuals can access the data. They further clarified that AWS cannot access customer data without consent, and encryption tools are provided to customers for added security.

Conflicts of law arise when considering the applicability of US laws, such as the Foreign Intelligence Surveillance Act (FISA) and the Cloud Act, on AWS. MP Latombe argues that AWS cannot be considered sovereign due to its compliance with these legislations. However, AWS asserts that they challenge any inappropriate requests for data from US administrations, especially if it conflicts with local laws like the EU’s General Data Protection Regulation (GDPR).

The Franco-German divergence on the concept of the sovereign cloud has been an ongoing issue, leading to differences in understanding digital sovereignty for cloud infrastructure. This disagreement was a primary factor contributing to the loss of political momentum for the Gaia-X European digital sovereignty project. France’s attempt to replicate the sovereignty requirements of SecNumCloud at the EU level faced resistance from more liberal countries, with Germany not providing support and even openly criticizing the initiative.

This divergence has raised concerns among French lawmakers that Germany’s position might lead to a dependency on American digital companies, similar to their industrial dependency on Russian gas. The certification of AWS’s European Sovereign Cloud by the German BSI has been seen by some as undermining the French SecNumCloud certification.

In summary, the announcement from AWS regarding an independent cloud for Europe has further highlighted the divergent views on digital sovereignty in the cloud sector between Paris and Berlin. The endorsement of AWS by the German BSI has raised concerns among French lawmakers, who fear that it may compromise their own cloud security certification. The conflicting applicability of US laws on AWS is also a point of contention. The Franco-German divergence on the sovereign cloud concept has been a long-standing issue that has impacted initiatives such as Gaia-X and the European Cloud Services scheme.