It's like the topic of sustainability: „If a word is trendy, everyone slaps it on themselves.“ This is how Peter Ganten describes the discussion about the „sovereign cloud“, which has recently gained momentum. Ganten is Chairman of the Open Source Business Alliance – Bundesverband für digitale Souveränität e.V. (OSBA). He has been observing the development for a very long time. Around ten years ago, he was part of a working group in Berlin that wanted to find a definition for digital sovereignty, but the topic had not yet entered the public debate. That has changed since then.

The current discussion about the sovereign cloud revolves primarily around the question: Who is really offering absolute sovereignty and who is just window-dressing? Specifically: who has access to the data of German companies? And which provider really operates its systems independently and autonomously? Is it a German company on German soil, where are the data centres located and which laws actually apply?

Sovereign in this context means: Being independent of the USA. This is why the hyperscalers in particular – i.e. Amazon, Google and Microsoft – are the „bad guys“. On the other side are the „good guys“ – at least at first glance: German companies that offer alternative cloud solutions to the US corporations and thus promise sovereignty. These include Deutsche Telekom, SAP, Delos, Ionos and the Schwarz Group.

The criticism of the offers made by US companies is obvious: dependence on the US can be dangerous – especially in times of Donald Trump and trade wars. But it's not quite that simple. There is also criticism of German service offerings, and some people think the discussion is too emotional and out of touch with reality.

According to T-Systems, the major US providers have a market share of more than 70% in the European cloud market. This means that they not only dictate the technological standards, they also have an influence on the economic and legal conditions under which European customers operate.

The legal side in particular repeatedly attracts a lot of attention: critics often refer to the Cloud Act in the USA. This states that US authorities may access customer data in the data centres of American IT companies and cloud providers even if the locations are outside the country.

But that's not all, says OSBA chairman Ganten. He refers to the NSA's „National Security Letter“ instrument. „Companies are asked to hand over data. And companies are not even allowed to talk about it," he explains. Ganten sees this lack of transparency in the interaction with the US intelligence service as even more problematic than the frequently mentioned Cloud Act.

One company whose offering falls under the Cloud Act is Amazon Web Services (AWS). AWS is currently promoting its „European Sovereign Cloud“, which should be available in Germany at the end of the year. Operations are to be completely separate from the global AWS cloud. To this end, AWS has founded a parent company and three subsidiaries that are registered in Germany. The entire infrastructure is separate and operations, including support, will only take place in the EU.

The Cloud Act still applies. However, the company emphasises that it has never been forced to hand over European customer data under US law. It is important for AWS to clarify what is at stake: in order for US authorities to demand the release of data, the entity must be involved in a suspected criminal offence. However, there is also the right to challenge such requests if they conflict with national laws, including the General Data Protection Regulation (GPDR.) There is also a way to eliminate the residual risk that no data will end up in the USA: Simply encrypt the data in the cloud. „Then, in an emergency, the only data which can be accessed is heavily encrypted,“ explains Michael Hanisch, Head of Technology at AWS in Germany.

„From my point of view, all these hyperscaler offers are fraudulent,“ says Frank Karlitschek, head of the open source company Nextcloud. He speaks of „sovereignty washing“. However, in his opinion, it is also not the case that offers from Germany can automatically be classified as harmless.

The example of SAP and Delos shows just how complex the discussion is: Delos GmbH is a subsidiary of the software group with locations in Walldorf and Berlin. It was founded in 2022 to build a sovereign cloud platform. The Delos cloud should also be available at the end of the year. Thomas Saueressig, the SAP Executive Board member responsible for Cloud, calls his product „extremely sovereign. The gold standard, so to speak“.

But critics complain: Microsoft technology is behind the offer – a wolf in sheep's clothing. Saueressig explains why he doesn't see this as a problem: "We buy the technology from Microsoft and then it is operated completely independently. Even software solutions such as Office 365 – though decoupled, similar to „on-premise“ – i.e. stored locally, without access from the USA. The problem: software needs updates. In the hypothetical case that the USA were to shut everything down, „we could continue to operate Delos as normal for the time being,“ says Saueressig. However, time would be limited.

In addition to the planned Delos cloud, SAP also offers another option without hyperscaler technology. However, critics such as association head Ganten are not satisfied with this either. „On paper, SAP is a German company, but it still has a strong economic interest in fulfilling the wishes and requirements of the USA", he says. This is because SAP generates a large part of its turnover in America and has contracts with US authorities. The importance of the market for the Walldorf-based company was demonstrated during the discussion about the DEI programs in the USA. In the course of this, SAP had removed its quota for women – although the company emphasised that the diversity programs would continue.

The discussion about the Sovereign Cloud is often philosophical, the SAP Executive Board member notes. At the centre of the debate is a situation that will probably never happen. And anyway, he is irritated by the fact that the Americans are „the bad guys“ again. What about Asian manufacturers? Companies are just as dependent on them. In the end, only their own indispensable products can protect Europeans, says Saueressig.

Frank Karlitschek from the open source company Nextcloud believes that the debate about data security and cloud operation falls short anyway. He points to the market power of US providers, which he already sees as problematic. „Microsoft has raised prices several times in recent years, just recently again by 40%. They can only do this because of their monopoly position.“