Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis
What if the US shut down the cloud tomorrow? The EU has no plan and legislates with little thought.

2 February 2026 10:34

As the cloud becomes the heart of the digital economy, the European Union faces a historic choice: whether to transform cloud certification into a tool of sovereignty or limit it to a simple technical oversight.

The following text traces the political and technical choices that led to what many observers define as a denial of Europe’s strategic autonomy in the digital sector.

A certification without a soul

The European Commission has presented a revised Cybersecurity Act that redesigns cloud services certification. Rather than focusing on criteria of legal oversight and independence from extraterritorial laws, the new scheme focuses exclusively on technical and operational security. This means that companies with strong legal and commercial ties to third countries can still obtain European certification.

This approach stems from the desire to break years of political deadlock among Member States. The Commission’s proposal is designed to simplify the adoption of harmonized certifications and facilitate the use of cloud services across the EU. However, it leaves out a crucial issue: who actually controls the data.

The result is a certification that appears to satisfy formal requirements, but does not substantially change the dominance of large foreign platforms on the European market.

Political tensions between Member States

The debate over the inclusion of sovereignty criteria deeply divided EU member states. Countries like France pushed for legal recognition of dependence on external laws, while other capitals, particularly Germany, feared that overly rigid rules could be seen as protectionist and hinder trade.

This lack of consensus has pushed Brussels to adopt a more neutral approach, avoiding any reference to the nationality of suppliers or their exposure to foreign regulations.

The decision was justified as a way to avoid further legislative blockages and keep the digital internal market open.

Consequences on the European market

With the adoption of this new certification scheme, major cloud players, including international giants, can obtain technical certification without worrying about their legal structure or the foreign laws to which they are subject.

This gives a huge advantage to already dominant providers, who command the majority of the European cloud market. While certification guarantees operational security, it offers no protection against the legal influence of third-party countries on hosted data.

For businesses and public administrations, certification ensures certain standards, but does not eliminate the risk of dependence on legislation outside of European control.

According to the article published by Usine Digitale on usine-digitale.fr, the European institutions’ choice marks a turning point in the relationship between technology and strategic autonomy, prioritizing technical efficiency over true regulatory independence.

The cases that led to a strong reflection

European states are increasingly viewing technology as a tool of power. In a geopolitical context marked by growing tensions, this approach carries the real risk of digital infrastructure being used as leverage between states, with direct impacts on national security. A recent example clearly demonstrates this: Microsoft blocked the Israeli Ministry of Defense from accessing certain Azure cloud services after several journalistic investigations revealed their use for surveillance activities against residents of the West Bank and Gaza Strip.

But this is not an isolated incident. The recent blackouts affecting global platforms like AWS, Azure, and Cloudflare (first incident and second incident) have had a devastating impact on a global scale, paralyzing public services, businesses, banks, media, mobility systems, and healthcare facilities. Events of this kind can no longer be dismissed as simple “technical incidents”: we are facing true systemic risks, capable of compromising the operational continuity of entire countries and, consequently, their national security.

Aware of this structural fragility, many states are beginning to question how to reduce their dependence on external technology providers.

The same trend is visible outside Europe. Russia, following the sanctions, has switched entirely to open-source software, while China is following a similar trajectory: it is switching to domestic software, favoring many Huawei technologies, and planning to eliminate Microsoft Office from its national infrastructure.

Sovereign cloud, controlled by whom?

Increasingly, in European political and industrial debate, the term “national cloud” or “sovereign cloud” is being used as a response to growing technological dependencies. Announcements, launches, and declarations abound, with the idea that localizing data within national borders is sufficient to ensure control and security. In practice, however, many of these initiatives simply translate into data centers located in Europe—or even Italy—that continue to operate on technology stacks provided by Microsoft, Google, or Amazon.

The critical issue, therefore, is not just where the data physically resides, but who actually controls the technology that manages it. An infrastructure that uses hypervisors, operating systems, management platforms, and cloud services from non-European companies remains, in effect, exposed to legal and political dynamics beyond the control of European states. Talking about sovereignty in these cases risks becoming a simplification, if not a true illusion.

The problem is structural and requires a different response: a fully European technology stack, designed, managed, and governed in Europe. From hardware to software, from orchestration systems to security services, control must be exercised by entities subject exclusively to European law. This aspect becomes even more relevant considering that all US companies are required to comply with regulations such as FISA (Foreign Intelligence Surveillance Act) and, in particular, the infamous Section 702. This provision allows US authorities to collect intelligence on non-US individuals located abroad, obliging American companies to cooperate and provide access to the data, often without the possibility of notifying the data subjects or the foreign governments involved.

In this scenario, digital sovereignty cannot be reduced to a geographical issue. Without real legal and technological control over the entire supply chain, the “sovereign cloud” risks remaining a reassuring but empty formula, incapable of truly protecting Europe’s strategic interests.

[Figure: ChatGPT’s response to the question “So, do local companies like Microsoft, AWS, and Google in Europe have to comply with FISA?”]

Open Source and European Cloud Solutions

Despite criticism and political difficulties, the solutions for building a truly sovereign European cloud already exist today and are fully implementable. The problem isn’t technological: all the necessary components, from virtualization to container orchestration, from storage to networking, are available as open source software, with full legal control over the data and the ability to conduct code reviews and security testing. What’s holding back a truly autonomous European cloud is often pressure from international lobbies, the vested interests of large providers, and political reticence, which favors established solutions rather than investing in an independent local infrastructure.

These solutions aren’t science fiction: there are ready-to-use open-source frameworks, platforms, and components that guarantee interoperability, security, and full European control, as well as cloud service providers that use only open-source software. With a systematic approach, it’s possible to create a truly sovereign cloud that drastically reduces dependence on non-European hyperscalers and finally puts Europe at the center of its digital infrastructure.

  • Sovereign Cloud Stack (SCS) – an open source framework for an interoperable sovereign cloud using open technologies such as Kubernetes and OpenStack. (Official description and open components)
  • SysEleven (SCS certified) – German provider offering IaaS based on OpenStack Public Cloud and managed Kubernetes; SCS certified, therefore compliant with open and European standards.
  • EUstack (EUstack.cloud) – Cloud platform with Kubernetes, MinIO (open source S3-compatible storage), PostgreSQL, and other open components, designed to avoid proprietary dependencies.
  • evroc – cloud with native open stack (Linux + Kubernetes) – integration based on SUSE Linux Enterprise, SUSE Linux Micro and Rancher Kubernetes, with fully European management.

For those looking to build a cloud infrastructure entirely under European control, there’s a veritable ecosystem of proven open source components ready to build any sovereign IaaS architecture. These include Kubernetes for orchestrating portable containers, OpenStack for managing compute, networking, and storage, MinIO for high-performance S3-compatible storage, and Linux distros like SUSE, Debian, or Ubuntu for node management. For virtualization, Proxmox VE allows you to build clusters with KVM and highly available LXC containers, completing an open, independent European cloud platform.

  • Kubernetes – Open source container orchestrator; essential for portable and cloud-agnostic workloads.
  • OpenStack – Open source IaaS platform for managing compute, networking, and storage in private or public clouds.
  • MinIO – Open source, high-performance S3-compatible storage for data and objects.
  • Linux (SUSE, Debian, Ubuntu, etc.) – open kernel and distro for servers and cloud nodes under European control.
  • Proxmox VE – open source platform for virtualization (KVM and LXC containers), cluster management and high availability, suitable for building private IaaS infrastructures or federated clouds.

Final reflection

This legislative shift raises a crucial question: what does it really mean to talk about sovereignty in the digital age? Technical certification, however rigorous, is no substitute for genuine legal oversight. Without the latter, the tools intended to guarantee autonomy remain partial and incomplete.

Europe thus risks becoming dependent on infrastructure and services managed by non-European players, exposing itself to foreign laws and regulations that could impact the management of sensitive data. In an increasingly tense geopolitical context, this lack of control becomes a concrete, not just theoretical, strategic vulnerability.

Building true digital sovereignty requires a different approach: infrastructure, software, and regulation must be designed and governed entirely in Europe. Only then can certification become a tool for true autonomy, protecting data, citizens, and strategic interests without external interference.


Marcello Filacchioni
ICT CISO and Cyber Security Manager with over twenty years of experience in the public and private sectors, he has led IT security projects for leading companies. Specialising in risk management, governance and digital transformation, he has collaborated with international vendors and innovative start-ups, contributing to the introduction of advanced cybersecurity solutions. He holds numerous certifications (CISM, CRISC, CISA, PMP, ITIL, CEH, Cisco, Microsoft, VMware) and teaches pro bono in the field of cyber security, combining his passion for technological innovation with his commitment to spreading the culture of digital security.
Areas of Expertise: Cyber Security Strategy & Governance, Vulnerability Management & Security Operations.