The panel discussed practical strategies for both businesses and governments to achieve strategic autonomy, through open standards and innovative European solutions. Moderated by Ulrich Seldeslachts, Executive Director at LSEC.eu, the expert panel included Florence Steenackers, Director Privacy and Data Governance Services at Approach Cyber, Pascal Steichen, Chair of ECCC Governing Board, Pascal Rogiest, General Manager at Clarence and Jelle Van den Wijngaard, Researcher at Clingendael Institute.
Defining cloud sovereignty and geopolitical risks
The debate opened by establishing that the concept of sovereignty has become critically relevant to modern cyber security discussions, especially considering geopolitical developments. The panel first delved into how reliance on external cloud providers impacts national and corporate control over sensitive data. The moderator kicked off the discussion by asking how cloud sovereignty affects us today, especially when it comes to confidentiality and availability.
According to Jelle Van den Wijngaard, moving to the US cloud, for example, is effectively compromising confidentiality and availability. “Confidentiality is lost partly due to the Cloud Act, which allows the US government to request customer information from cloud providers. Additionally, Section 702 of the Foreign Intelligence Services Act permits US intelligence agencies to look at data without a formal request. Availability is compromised because the controlling US company can be sanctioned”, he said.
Florence Steenackers added: “Sovereignty is a hot topic for private and public companies as they handle sensitive, business-confidential or citizen data and therefore must comply with various legislations like GDPR and NIS 2. However, it raises questions as well on the impact it has on innovation and how can we ensure data keeps flowing”.
Disconnected clouds and strategic autonomy
The discussion moved to practical, high-level solutions being developed within Europe to regain technological control, differentiating between outright “sovereignty” and the more achievable goal of “strategic autonomy”.
Pascal Rogiest highlighted the example of Luxembourg, which has created a fully disconnected sovereign cloud, in a partnership with the Belgian government. “This infrastructure is completely independent regarding data localization and jurisdiction. It is administered solely under the Luxembourg umbrella and not subject to foreign acts. This solution has been operational for one year, protecting sensitive data across defence, health, finance, and critical infrastructure sectors,” he explained.
Pascal Steichen reminded the audience of the purpose of sovereignty which is creating peace through mutual respect, a common language, and interoperability. “We seek sovereign spaces for confidentiality, security, and control of infrastructure, but they must be built on a single, interconnected and not a fragmented internet. Europe’s mission is to preserve common, open standards and technologies and we have a lot of competences to achieve that. The objective should be “strategic autonomy”: ensuring every entity has the autonomy required at its level”, he advocated.
Jelle Van den Wijngaard agreed that open standards and open-source software are the way to go. “Innovation does not have to be sacrificed”, he stated. “The EU’s next generation internet platform can fuel innovation. Governments need to start funding these projects or buying European alternatives to stimulate innovation.”
Addressing concerns and pragmatic migration strategies
Acknowledging that US hyperscalers dominate the market, the panellists provided advice on how companies can progressively address sovereignty challenges without undertaking disruptive, costly, and blunt migrations.
Florence Steenackers: “With over 65% of European organisations relying on hyperscalers, it is costly and risky to migrate everything at once. A phased, hybrid approach is wiser: first identify “crown jewels” and legally regulated data, then segment workloads. Use familiar cloud services for non-critical assets, while choosing sovereign hosting for data that must be tightly controlled.”
On the moderator’s question of how much are EU companies willing to sacrifice on functionalities to regain autonomy, Pascal Rogiest responded that the majority remains pragmatic, prioritizing commercial and financial goals: “They view sovereignty as extensions of what they have today and then decide where they cannot compromise. Trade-offs are inevitable: some functionality will be lost, and we will continue to rely on US technology until a full-fledged European solution emerges.” Interestingly, a quick poll among the panel and audience present revealed that if European cloud providers would offer 90% of the functionality of the current leading non-European providers, the majority would migrate, whereas if only 80% of the functionality would be offered, the majority would not.
Florence Steenackers added that at the most practical level, businesses should first clean up, classify, and label their data. Then, they must define their level of trust in vendors. “This involves rigorous vendor screening and checking jurisdiction, as other governments might also access data based on their laws. Given the massive rise in supply chain incidents, vendor screening is critical, as protecting your own environment is useless if those connecting to your data are flawed,” she added.
Setting up a disconnected solution is quite complex according to Pascal Rogiest: “First you need to create a community of organisations that are willing to work on this and then take it to the national level. If you can create a decent critical mass, things become possible.”
Jelle Van den Wijngaard added: “Indeed. And within the organisations, C-level and boards need to get involved by making them understand what the technological but also economic benefits are in terms of not paying fees to US companies. “
“At the very start of cloud computing, we lost the competence of managing the technology that we use. With programmes like IPCEI Europe is taking initiative to build the next generation European cloud. But we also have to work on the awareness for European alternatives”, Pascal Steichen concluded.
The Future: Innovation, open standards, and the AI opportunity …
In closing, the panel explored how the shift toward Artificial Intelligence offers new possibilities in the realm of cloud sovereignty for European entities.
According to Jelle Van den Wijngaard the emergence of AI is a key opportunity to implement sovereignty correctly from the start and “companies should avoid launching new projects that take them further away from that sovereignty”. Florence Steenackers agreed and stated that with AI projects as well, building on partners you trust is vital, and assessing how data can be kept in-house before sharing it would be good practice.
For Pascal Rogiest there is no contradiction between sovereignty and AI: “Within a sovereign community you can use AI tools. There are European alternatives like Mistral AI, but of course these are susceptible to being taken over by foreign players as well.”
Pascal Steichen concluded the panel discussion stating that regarding cybersecurity, AI can significantly enhance capabilities without requiring enormous computing power or super complex systems. “The key is the availability of threat intelligence data. In that respect, Luxembourg has launched the Cyber Security Factory project to provide threat intelligence as open data, fostering innovation by helping companies build their models specifically for cyber security needs, based on open models”, he said.
This inspiring panel discussion confirmed that relying on foreign (and particularly US) hyperscalers presents a critical strategic challenge, jeopardizing European data confidentiality and availability. The case was made to pursue strategic autonomy over absolute sovereignty, advocating for open standards and technology, and funding to foster viable European alternatives. The discussion revealed the importance of combining enhanced security and confidentiality with the need to keep data flowing to fuel innovation in Europe. To manage this practically, European organisations need to collaborate, migrate carefully and pragmatically, and leverage the opportunities presented by new technologies such as AI.
On picture 1: Jelle van den Wyngaerd & Pascal Steichen
On picture 2: Florence Steenackers & Pascal Rogiest
