Depending on the US cloud? Germany's struggle for the cloud: How to compete with AWS (Amazon) and Azure (Microsoft)

Digital self -sufficiency or dependency management? The future of German cloud policy

This article analyzes the strategies and initiatives of the German Federal Government to strengthen digital sovereignty in the cloud area and to reduce the dependency on US hyperscalers. Driven by security concerns (especially by the US Cloud Act), economic risks (Vendor Lock-in, costs) and the strategic goal of technological ability to act, Germany pursues a complex approach. The core pillars are the federal multi-cloud strategy, the positioning of the state as an "anchor science" to promote domestic and European providers, as well as the establishment of strict security and procurement standards (BSI C5, EVB-IT Cloud). Initiatives such as the German Administrative Cloud (DVC) and the controversial Delos Cloud project should promote the modernization of the administration and at the same time meet sovereignty requirements. At European level, the GAIA X project, despite the considerable criticism and a likelihood of a hyperscal competitor to a standardization framework, and the more technically more concrete sovereign Cloud Stack (SCS) play a central role in creating interoperable and open alternatives. However, the cloud market in Germany is still massively dominated by US providers such as AWS, Microsoft Azure and Google Cloud. German and European providers such as T-Systems, SAP, IONOS, OVHCLOUD and Stackit are increasingly positioning themselves with specialized, sovereign offers and use certifications such as BSI C5 as market access, especially in the public sector. However, the complete digital sovereignty remains an ambitious long -distance goal. The challenges are immense and include technical complexity, high costs, the shortage of skilled workers and the sheer market power of the established actors. The success of the German strategy depends largely on the consistent implementation of political guidelines in procurement practice, the successful scaling of European alternatives such as SCS and realistic expectations, which are more aimed at management of dependencies than on complete self -sufficiency.

Suitable for:

• US policy inspires EU tech companies? Data sovereignty of US dominance: The future of the cloud in Europe

The requirement of digital sovereignty: Germany's cloud challenge

Drive of digital sovereignty in Germany

The progressive digitization of business and society forms the background for Germany's endeavors to digital sovereignty in the cloud area. It is about strengthening Germany's ability to make its digital future independently and to secure technological ability to act. This goal is regarded by the Federal Government, across various political constellations, as essential for national security, economic competitiveness and trust of the citizens.

Digital sovereignty is a complex concept. It includes technical, operational and legal control over data and infrastructures, self-determination, independence and IT security. It is not just about the physical location of data, but a major role in controlling their processing and the underlying technology. The cyber security strategy for Germany 2021 explicitly mentions the strengthening of digital sovereignty as a central guideline. The goal is a free, open and safe internet in which fundamental rights are protected.

Despite this political meaning, there is a certain blurring of the term in practice. Even among small and medium -sized companies (SME), the term is partially unknown. Even within the administration, there does not seem to be a uniform, operationalizable definition of how inquiries indicate to the federal government. Various actors - from security authorities to economic ministries to data protectionists - focus on different priorities, be it on control, security, economic opportunities or data protection. This definition blur harbors the risk of political ambivalence and potentially contradicting initiatives. It also complicates the measurement of progress on the way to more sovereignty. The need for clarification, which is realistically accessible and desirable, is underlined by detailed parliamentary inquiries.

The promotion of open source software (OSS) is closely linked to the striving for digital sovereignty. Open source codes promise transparency, verifiability and a reduction in dependence on individual proprietary providers.

Risk assessment: the dependence on US hyperscalers

The strong dependence on the dominant US cloud providers (hyperscalers) is perceived by German politics as a significant risk in several dimensions.

Security risks

The use of systems, whose trustworthiness cannot be fully controlled, creates potential pens gates for cyber actors. In particular, the concern before accessing foreign intelligence services for sensitive data plays a role. The well-known security incidents among large providers and the general complexity of cloud environments that favor incorrect configurations and weaknesses increase these concerns.

Legal and data protection risks

The US Cloud Act (Clarifying Lawful Overseas Use of Data Act) is a central problem. He potentially emphasizes US authorities to access data worldwide, which is stored by US companies, even if the storage is made outside of the USA. This is conflict with the strict European data protection rules (GDPR) and undermines control of your own data. The Schrems II judgment of the European Court of Justice, which declared former data transfer mechanisms to the United States, has further tightened legal uncertainty. There are technical (e.g. encryption with key control at the customer) and contractual approaches to risk reduction, but their long -term legal resilience and practical enforceability are questioned. It is noteworthy that many SMEs are very familiar with the implications of the cloud act.

Economic risks

The strong market concentration leads to a significant dependence on few providers, the so-called Vendor Lock-in. This limits flexibility in the event of a change of provider and weakens the customer's negotiating position. The result can be clear price increases, as examples from practice (VMware) and the increasing expenditure of the Federal Administration for Microsoft licenses. There is a risk that dominant providers use their market power to their own advantage and only insufficiently address specific requirements, such as the public sector of information security.

Geopolitical and strategic risks

The technological dependence on non -European providers harbors risks due to geopolitical shifts and potential disorders of the supply chains. In the long term, the sovereignty of a state can be hollowed out if control over critical data is lost.

In this context, a remarkable tension in the German strategy reveals: On the one hand, the goal of digital sovereignty is proclaimed, on the other hand, projects such as the Delos Cloud are promoted that are technologically based on Microsoft Azure. Although this is to be “confident” through operation in German data centers through a German society and under the supervision of the BSI, but nuclear technology remains proprietary and US. At the same time, US hyperscalers are members of the GAIA X consortium and offer even BSI C5-certified services in Germany and Europe. This indicates a pragmatic but potentially contradictory approach. The federal government seems to recognize the need for widespread technologies (such as Microsoft Office) and the innovative strength of the US companies. Instead of complete technological independence, which is considered unrealistic or too costly at short notice, the reduction of risks is based on specific control mechanisms (data location, operating control, BSI supervision). The criticism that Delos is not really sovereign reflects this tension. Germany's strategy therefore aims more at a ramble relationship than on complete independence. The success of this strategy decisively depends on the effectiveness and durability of the established control mechanisms and the ability to promote real European alternatives that reduce the need for such managed dependencies in the long term.

Suitable for:

• The digital dependence on the USA: cloud dominance, distorted trading balance sheets and lock-in effects

Politics in action: Germany's strategic initiatives for cloud-independence

The multi-cloud strategy of the federal government and the role as "ancerry"

A central element of German cloud policy is the federal government's multi-cloud strategy. Their core principle is to avoid binding to a single provider (vendor lock-in) by using several cloud providers. This is intended to enable flexibility, promote competition and allow the integration of the best available solution (“Best of Breed”) for specific application cases into the administration's own IT architecture. The strategy expressly emphasizes the need for close cooperation with the cloud providers instead of decoupling.

The role of the state is closely linked to it as an "anchor science" ("anchor customer principle"). The public sector is intended to use its significant demand to stimulate the market for sovereign, trustworthy cloud solutions. By increasingly relying on such offers ("Cloud-First" strategies), German and European providers are intended to support the federal government, the federal states and municipalities themselves to scale and make their services more competitive. Funding programs for start-ups and increased expenses for research and development should also strengthen the domestic technology ecosystem.

However, observations indicate a potential gap between the strategic orientation and the actual implementation. While the Multi-Cloud and European provider strategy promotes, concrete, large-volume tenders from the federal administration seem to be partially tailored to established hyperscalers. At the same time, large US providers such as Microsoft continue to benefit from significant public expenditure. The promotion of open source software is supported, but with the restriction “where it is technically possible and economical”, which leaves room for interpretation. The reasons for this can be varied: existing dependencies, preferences of the users, a perceived immaturity of alternatives or complex award procedures could favor established providers. Internal resistance or lack of specialist knowledge can also hinder the adaptation of alternatives. The effectiveness of the anchoring principle therefore decisively depends on a consistent implementation across all administrative levels, clear procurement guidelines that prefer sovereigns or OSS solutions (which may require a revision of the EVB-IT) and the overcoming of practical hurdles when introducing alternatives. The critical inquiries about specific tenders indicate concerns about this implementation gap.

Lighthouse projects: Bundescloud, German Administrative Cloud (DVC) and Delos Cloud

Several concrete projects are to implement the federal cloud strategy:

BundesCloud

This is an established, exclusive private cloud infrastructure that is operated by the BUND (ITZBUND) information technology center for federal authorities. It runs in the data centers of the Itzbund and can be reached via the secure network of the federal government. The BundesCloud offers specific services as an infrastructure-as-a-service (IAAS), Platform-As-A-Service (PAAS) and Software-As-A-Service (SaaS), including a collaborative storage solution (SIB-BOX) based on NextCloud and the E-Achaft Bund. It is considered the core component, but there are questions regarding their further expansion in relation to the multi-cloud approach and the DVC.

German Administrative Cloud (DVC)

This is a newer, overarching strategy and platform that is supposed to create a multi-cloud ecosystem for the entire public administration in Germany (federal, state, countries). Starting symbolically in March 2025, the DVC offers a central portal through which administrative staff can order standardized and legally secure cloud services, initially from public IT service providers. One core destination is to strengthen digital sovereignty through open standards that enable change of providers and avoid lock-in effects. The DVC is intended to improve the federal IT cooperation and achieve scale effects through joint tenders. Your exact relationship with the federal cloud and specific tenders still need clarification. There is a specific economic consideration (Wibe DVC) for the evaluation of cloud migrations in the DVC context.

Delos Cloud

A specific project under the leadership of the Federal Ministry of Finance (BMF) as part of the multi-cloud strategy. The aim is to enable the use of Microsoft services (in particular office products and Windows operating system) beyond 2029, since Microsoft plans to cancel on-premise versions. The Delos Cloud is to be operated by German Delos Cloud GmbH on a dedicated infrastructure decoupled by Microsoft technology. It strives for technical, operational and legal sovereignty, whereby the Federal Office for Information Technology (BSI) controls the necessary external data exchange and monitors compliance with the requirements of the federal government (information security, data protection, secret protection). The project is in the test and validation phase. Although primarily designed for the federal government, reuse by countries and municipalities is planned. Delos represents a pragmatic attempt to ensure access to essential standard software and at the same time meet conflicts of confidence, but sees criticism of actual sovereignty.

The parallel existence of these initiatives-the established federal cloud, the overarching DVC frame and specific solutions such as Delos-raises questions about integration and coherence. There is a risk of fragmentation. The DVC is intended to serve as a standardized layer, but the practical implementation requires the integration of existing systems and the consideration of specific needs. A purely centralized approach is difficult to implement in German federalism. A federated approach in which different systems are networked under common standards could offer a solution and would be in line with the GAIA X idea. However, success depends on effective coordination and standardization. Without this, inefficiency, duplication and confusion threatens, which would undermine the overarching goals of sovereignty and efficiency. The role of the DVC as a central portal and standard seter is therefore crucial for the production of coherence.

Structuring of procurement: The EVB-IT Cloud contract

In order to standardize and legally secure the procurement of cloud services through the public sector, the "supplementary contractual terms for the procurement of IT services-cloud" (EVB-IT cloud) were introduced. This contract, which has been available since March 2022, should apply to authorities at federal, state and local levels.

The EVB-IT Cloud cover various cloud service models, including Software-As-A-Service (SaaS), Platform-As-A-Service (PAAS), Infrastructure-As-A-Service (IAAS) and Managed Cloud Services (MCS). They consist of several documents: sample agb, a sample contract, a technical criteria catalog for the definition of performance parameters and regulations for the inclusion of the general terms and conditions of the provider. It is also imperative to conclude an agreement on order processing (AVV).

A central requirement of the EVB-IT Cloud is the proof of conformity with the basic criteria of the Cloud Computing Compliance Criteria Catalog (C5) of the BSI. While this was already required for federal authorities, the C5 conformity by using the EVB-IT Cloud is now also a prerequisite for state and local authorities. The EVB-IT regulations have priority to the Cloud provider's standard AGB. The contract templates are open to the public, whereby official translations for international providers are missing.

However, critics question whether the EVB-IT Cloud is used consistently in practice and whether they have to set sufficient incentives to procure open source software or have to be re-sharpened here. The standardization by the EVB-IT Cloud is therefore a double-edged sword: it simplifies the procurement for public clients and raises the security level through the C5 specification. At the same time, the complex and rigid guidelines can be a hurdle for smaller or foreign providers that are not familiar with the German system. This could unintentionally favor larger actors who are better prepared for the fulfillment of the specific requirements and thus counteract the goal of promoting a diverse ecosystem. Careful observation of the effects and, if necessary, flexible adjustments are therefore necessary to ensure that the EVB-IT Cloud does not hinder innovations or disproportionately disproportionately disadvantage.

Ki-Gamechanger: The most flexible AI platform-tailor-made solutions that reduce costs, improve their decisions and increase efficiency

Independent AI platform: Integrates all relevant company data sources

• This AI platform interacts with all specific data sources
  • From SAP, Microsoft, Jira, Confluence, Salesforce, Zoom, Dropbox and many other data management systems
• Fast AI integration: tailor-made AI solutions for companies in hours or days instead of months
• Flexible infrastructure: cloud-based or hosting in your own data center (Germany, Europe, free choice of location)

• Highest data security: Use in law firms is the safe evidence
• Use across a wide variety of company data sources
• Choice of your own or various AI models (DE, EU, USA, CN)

Challenges that our AI platform solves

• A lack of accuracy of conventional AI solutions
• Data protection and secure management of sensitive data
• High costs and complexity of individual AI development
• Lack of qualified AI
• Integration of AI into existing IT systems

More about it here:

• AI integration of an independent and cross-data source-wide AI platform for all company matters

Building European alternatives: Gaia-X and the Sovereign Cloud Stack

Gaia-X: Vision, progress and practical implementation

The GAIA-X project, initiated by Germany and France in 2019, pursues the vision of creating a fed, open, safe and transparent data infrastructure for Europe, which is based on European values ​​such as data protection, sovereignty and interoperability. It aims to reduce the dependence on non-European cloud providers and to strengthen the digital sovereignty of Europe.

Gaia-X is not a single cloud platform, but sees itself as a framework and ecosystem. It defines common standards and rules (Policy Rules, Trust Framework) and promotes the development and use of interoperable components, often based on open source. The aim is to network providers and users and enable the safe exchange of data in so -called data rooms (data spaces). The structure includes a central non-profit organization (GAIA-X AISBL), national coordination points (such as the GAIA-X Hub Germany) and a variety of projects that are intended to implement concrete applications in various industries such as mobility, industry or health.

The German Gaia-X Hub, whose office is operated by Acatech and whose project duration is planned by the end of 2025, serves as a central point of contact in Germany. He bundles information, organizes working groups according to industries (domains), supports projects, publishes publications and organizes events. Current activities (as of the beginning of 2025) include the explanation of architectural documents, the promotion of conformity tests and digital evidence (credentials) as well as the further development of tools (GAIA-X Federation Services, XFSC). One focus is on creating an interoperable cloud-edge infrastructure.

Suitable for:

• Industry-X: Promoting European and global logistics and supply chains through industry initiatives Catena-X and Gaia-X

Dealing with criticism: challenges and future of Gaia-X

Despite the ambitious goals, Gaia-X sees itself exposed to considerable criticism. Slow progress, excessive bureaucracy, high complexity and sometimes unclear benefits are criticized. The membership of large US hyperscalers (AWS, Microsoft, Google) and security policy, such as Palantir in the Gaia-X consortium, is also controversial. Prominent founding members such as the French cloud provider Scaleway and the German company NextCloud left the project. The reasons were the blockage keeping of US corporations or the assessment that the project in its original ambition, creating a real European alternative, had failed or even “dead”. Media reports indicate that GAIA-X is considered a failed by some observers, at least as far as the goal is to build a European hyperscal competitor.

Representatives of GAIA-X reject this assessment and emphasize the continuous work of standards and the role of the project in enabling data ecosystems and promoting cooperation. The focus is on the creation of interoperable data rooms, not necessarily on building a single huge cloud.

It is becoming apparent that Gaia-X may experience a strategic realignment. The original expectation that GAIA-X will produce a direct European hyperscal competitor has given way to the criticism and slow progress of a more pragmatic perspective. The establishment of a competitive hyperscaler against the established global actors turned out to be extremely difficult. The complexity of the coordination of different European interests and the integration of the US companies watered down the vision of a “purely European” alternative. Focusing on the role as a standardization body and ecosystem more as possible for federated data rooms appears as a more realistic and more achievable goal. This ties in with European strengths in specific industries and in regulatory harmonization (GDPR). The success of GAIA-X should therefore be measured less to whether it is directly displaced by US hyperscales, but rather to establish common rules, to promote interoperability between different (also European) providers and to enable the safe, sovereign data exchange in important European sectors (e.g. automotive industry, mobility). The long -term effect depends on the acceptance and practical implementation of its standards and framework works.

 The Sovereign Cloud Stack (SCS): A technical basis for sovereignty

The Sovergäud Stack (SCS) has established itself as a more concrete technical initiative in the GAIA-X area. It is an open source project that was originally funded by the German Federal Ministry of Economics and Climate Protection via the Open Source Business Alliance (OSBA). SCS provides standardized, interoperable and fully source-open software components to build cloud infrastructures (IAAS) and container platforms (CAAS). It sees itself as a concrete implementation that builds on the principles of Gaia-X.

The goals of SCS are the definition of certified standards, the guarantee of openness and transparency (no “open core” model), the promotion of sustainability and the enabling of a federation of compatible cloud instances. A central concern is the avoidance of Vendor Lock-in. Technologically, SCS is based on established open source projects such as OpenStack and Kubernetes, but aims to standardize and simplify its use. SCS provides a reference implementation.

Project funding expired at the end of 2024, but the work will be continued by a consortium of companies within the OSBA and the community. Several cloud providers are already developing offers based on SCS (e.g. PlusServer with PlusCloud Open). SCS is also discussed as a possible standard for the planned Swiss Government Cloud. However, the concrete plans of the federal government to use SCS, for example in the context of the DVC, are still unclear. SCS defines its own levels of sovereignty, but this taxonomy is criticized because it focuses primarily on control and neglects aspects such as performance or wider technological dependencies (e.g. hardware).

While Gaia-X is struggling with broad acceptance and a clear definition of its role, SCS offers a concrete, source-open technology stack that is already implemented by providers and is considered for government projects. SCS directly addresses the technical challenges of interoperability and Vendor Lock-in, which are in the center of the sovereign debate. His focus on OSS fits the strategic goals of the government. Due to the standardization of proven components, SCS lowers the entry hurdle for providers who want to offer Gaia-X-compatible services. SCS could thus become de facto standard for an actually sovereign European cloud infrastructure under the roof of GAIA-X, even if Gaia-X is becoming more a governance and data space framework. His success depends on the further distribution in the community, the adaptation by provider and integration into public procurement (e.g. via the DVC).

Market dynamics: the German cloud landscape

Market share overview: US dominance versus European competitors

The global market for cloud infrastructure services (IAAS, PAAS, hosted private cloud) is a growth market with enormous volumes. In 2024, sales reached around $ 330 billion in 2024, an increase of 60 billion compared to 2023. The fourth quarter of 2024 alone recorded $ 91 billion, which corresponds to growth of 22 % compared to the previous year. This growth was largely fueled in 2024 by investing in generative artificial intelligence (genai). Also in the second quarter of 2024, the strong growth continued with $ 79 billion sales (also +22 % YOY).

The market is clearly dominated by the three major US hyperscalers: Amazon Web Services (AWS) holds a market share of around 30-32 %worldwide, followed by Microsoft Azure with 21-23 %and Google Cloud with 11-12 %. Together, these three providers check a large part of the global public cloud market (approx. 68-73 %). Microsoft and Google tend to have higher growth rates than the market leader AWS.

This global dominance is also reflected in Europe. Although the European cloud market has grown significantly since 2017 (over EUR 10 billion per quarter in mid-2022), European providers have continuously lost market shares-from 27 % in 2017 to only 13 % in mid-2022. The three US hyperscales already combined 72 % of the European market at that time. In addition to Great Britain, Germany is one of the largest cloud markets in Europe.

There are less detailed, current market share data for the German market, but analyst reports confirm the image of the US dominance. The ISG Provider LENS ™ for 2024 sees AWS and Azure as a clear market leader in Germany. Google Cloud, the Open Telekom Cloud (OTC) of T-Systems and Ionos, therefore form the “chase trio” in the leader quadrant, to which Noris Network also opened in 2024. Providers such as Ovhcloud (France) and Stackit (Schwarz Group) were classified as “Rising Stars” in 2023, but did not make it into the leader segment in 2024. SAP and Deutsche Telekom are considered the leading European providers across Europe, but only came to around 2 % market share in Europe in mid -2022. In 2020, the Software-As-A-Service (SaaS) segment dominated 67 %of the market, followed by IAAS (21 %) and Paas (12 %).

Estimated market shares for cloud infrastructure providers (IAAS/PAAS) in Germany (2024)

The estimated market shares for cloud infrastructure providers (IAAS/PAAS) in Germany in 2024 show a clear picture of the market distribution. With a market share of over 30 %, Amazon Web Services (AWS) is considered a leader, as is evidenced by ISG 2024 and Synergy, which also highlight the dominance in Europe. Microsoft Azure follows with an estimated share of over 20 % and is also classified as a leading provider. As a pursuer, Google Cloud reaches around 10 to 12 % market share and, according to ISG, is part of the "Leader Trio", similar to Open Telekom Cloud (OTC) and Ionos, which are also managed in this category. Noris Network is described by ISG as a leader in his segment, while SAP is listed as a European market leader with around 2 % market share. Ovhcloud and stackit, on the other hand, are classified as a "rising stars" for 2023, based on ISG reports. Other providers share the rest of the market share, although exact percentages for Germany are difficult to find according to analysts. The analysis is based on data from ISG and Synergy, which above all illuminate the relations within Europe.

This market structure illustrates the enormous challenge for European providers. The cloud market is a scale business that requires massive and long-term investments as well as the highest operational excellence. The US hyperscalers benefit from their early market entry, huge capital resources, global reach and network effects. European providers find it difficult to individually reach these scale advantages. Initiatives such as Gaia-X and SCS try to enable a kind of virtual scaling through federation and standardization, but this is naturally more complex than the expansion of a single company. A significant shift in market shares requires either massive, coordinated European investments (e.g. via IPCEI projects) or the success of the federated approach of GAIA-X/SCS when creating an attractive, large-scale ecosystem. Individual European providers will probably not be able to challenge the top 3 in the wide Iaas/Paas market.

Focus on German and European providers: offers and potential

Despite the dominance of the US hyperscalers, there are a number of relevant German and European cloud providers who could benefit from state sovereign efforts:

Deutsche Telekom / T-Systems

Offers the Open Telekom Cloud (OTC) and specific sovereign solutions such as the Open Soverägn Cloud (OSC), which relies on data security, compliance (BSI C5, ISO 27001) and operation in Germany. Cooperates in the Gaia-X context also with other providers such as Ovhcloud.

SAP

As the leading European software company, SAP offers extensive cloud services via SAP Enterprise Cloud Services (ECS) and Business Technology Platform (BTP), which also go through BSI C5 audits. Is considered one of the leading European cloud providers.

Ionos

Positions itself as a leading European hosting and cloud provider, especially for SMEs, but also increasingly for larger companies and the public sector. Offers Iaas (Cloud Cubes, Compute Engine) and S3 Object Storage that are BSI C5 certified. Is seen by ISG as part of the chasing trio in the German market. Operates data centers in Europe and the USA. Emphasizes its certifications (C5, IT basic protection) in order to create trust in the public sector and regulated industries. Is available for public administration via marketplaces such as Govdigital.

Ovhcloud

A large French cloud provider with a strong focus on Europe and data sovereignty. Also offers BSI C5-certified services and cooperates with T-Systems as part of GAIA-X. Was classified in Germany in 2023.

Stackit

The Cloud division of the Schwarz Group (Lidl, Kaufland) positions itself as a sovereign German cloud alternative, especially for the public sector and critical infrastructures (CRITIS). Has also received a BSI C5 test for its services and is available via Govdigital.

plus server

A German provider who, with his “PlusCloud Open”, offers a cloud platform based on the Sovergägn Cloud Stack (SCS) and thus focuses strongly on open source and sovereignty.

More

Secunet/Syseleven and Noris Network are other German providers, which are mentioned in the context of cloud services.

These providers are increasingly relating to specialization in order to stand out from the global hyperscalers. They emphasize aspects such as data sovereignty, the use of open source, compliance with specific German or European compliance requirements (especially BSI C5) or offer industry-specific solutions. This focus on niches in which the global providers may have weaknesses or enjoy less trust (e.g. in the highly regulated German public sector) appears as a promising strategy. Instead of trying to copy the hyperscales in width, you can score with targeted offers and high security standards. State strategies and procurement rules can support this specialization by creating specific demand for such sovereign and certified solutions.

Selected German/European cloud providers with a focus on sovereignty

(¹ Status refers to specific services/regions according to sources; ² selection of relevant certificates)

Selected German and European cloud providers attach great importance to sovereignty and offer specialized solutions for different target groups and industries. With the Open Telekom Cloud (OTC) and the Open SOEUGEN Cloud (OSC), Telekom or T-Systems offers confident cloud services that have both the BSI C5 status and the ISO27001 certification and are particularly interesting for the public sector and regulated areas. SAP convinces with the SAP Enterprise Cloud Service (ECS) and the SAP Business Technology Platform (BTP), which are also BSI C5 compatible and ISO27001-certified, and is aimed at companies and regulated industries. Ionos offers solutions such as the Compute Engine, Cloud Cubes and S3 Object Storage, which are also BSI C5 certified. With additional certificates such as ISO27001 and IT basic protection, Ionos primarily appeals to small and medium-sized companies (SMEs), the public sector and regulated areas. With a variety of IAAS, PAAS and SAAS solutions, Ovhcloud from France covers a wide range and focuses special on EU data souvenir. Stackit, the cloud solution of the Schwarz Group, offers the Stackit Cloud a sovereign, BSI C5 Type 2-certified option for the public sector, trade and critical infrastructures (CRITIS). Plus server is similarly positioned with the PlusCloud Open based on SCS, which is also type 2-certified and, in addition to the public sector, also appeals to companies. All providers are also qualified by important certificates such as ISO27001 and focus specifically on the needs of their different target markets.

Suitable for:

• Top ten data management systems (DMS) - from Document Management Systems to Cloud Database Management (DBMS)

The role of security certifications: BSI C5 and ISO 27001

Security certifications play a crucial role in the evaluation and selection of cloud providers, especially in the context of digital sovereignty and for use in the public sector or in regulated industries.

BSI C5 (Cloud Computing Compliance Criteria Catalogue)

This criteria catalog developed by the Federal Office for Information Technology (BSI) has established itself in Germany as a key standard for the security of cloud computing. It defines minimum requirements for the information security of cloud services and is based on internationally recognized standards such as ISO 27001, the IT basic protection of the BSI and the Cloud Controls Matrix (CCM) of the Cloud Security Alliance (CSA). An important feature of the C5 is the demand for transparency regarding so -called environment parameters, which includes information on the data location, the provision of services, the place of jurisdiction and the obligations of information. This is intended to enable customers to have a well -founded risk assessment. Compliance with the C5 criteria is confirmed by tests of independent auditors. For federal authorities, the use of C5-compliant services is mandatory, and C5 is also becoming increasingly a prerequisite for state and local authorities as well as companies in regulated industries (e.g. healthcare). Numerous providers, including both the US hyperscalers (AWS, Microsoft Azure, Google Cloud) for their European regions as well as the leading German and European providers (T-Systems, SAP, IONOS, OVHCloud, Stackit, PlusServer), have C5 tests for relevant services.

ISO/IEC 27001

This is the internationally leading standard for information security management systems (ISMS). ISO 27001 certification certifies that a company has implemented systematic processes to control information security. The scope is wider than that of C5 and refers to the entire management system, not only to specific cloud services. Many cloud providers see ISO 27001 as a basic certification on which more specific evidence of C5 builds up. Almost all relevant providers in the German market have an ISO 27001 certification.

IT basic protection

The methodology of the BSI for the implementation of IT security measures. C5 builds on the principles of IT basic protection. Some providers, such as Ionos, can also be specifically certified according to IT basic protection in order to prove a particularly high level of protection.

The increasing importance of these certifications, in particular the BSI C5, makes it an important factor for market access in Germany. For providers who want to serve the public sector or regulated industries, a C5 test has become almost essential. This applies to both European and US providers who make corresponding efforts to meet the requirements. While this increases the general security level and offers customers a standardized comparison basis, the certification process also requires significant investments on the part of the providers. This could potentially favor larger companies, but at the same time offers specialized European providers the opportunity to qualify for sensitive markets by fulfilling these high standards.

Xpert.Digital has in-depth knowledge of various industries. This allows us to develop tailor-made strategies that are tailored precisely to the requirements and challenges of your specific market segment. By continually analyzing market trends and following industry developments, we can act with foresight and offer innovative solutions. Through the combination of experience and knowledge, we generate added value and give our customers a decisive competitive advantage.

More about it here:

• Use the 5x expertise of Xpert.Digital in one package - starting at just €500/month

Navigation on the way forward: feasibility and challenges

Evaluation of the realizability of the German cloud independence goals

The ambitions of Germany to achieve greater independence in the cloud area are generally welcomed by experts, but are often considered with a portion of skepticism with regard to complete feasibility. A complete technological self -sufficiency appears to many as unrealistic or at least extremely expensive. The focus is therefore increasingly moving to a gradual reduction in critical dependencies and strategic management of the remaining dependencies (see section II.B) instead of complete isolation. The need to continue to benefit from global innovations, including US providers, is recognized.

The federal government's multi-cloud strategy is seen as a pragmatic way to gain flexibility and reduce provider dependencies without fully decoupling established players. Open Source Software (OSS) is seen as a decisive building block for more sovereignty and interoperability, as the development of the Sovergägn Cloud Stack shows. However, there are still hurdles in the procurement of OSS through the public sector.

Ultimately, the feasibility of the goals decisively depends on the consistent implementation of political strategies in procurement practice (see section III.A), success and scaling European initiatives such as GAIA-X and in particular SCS, the effective use of procurement instruments such as EVB-IT Cloud and the DVC and the coping of the numerous challenges.

Suitable for:

• The dangers of Vendor Lock-in: Why companies should avoid dependencies

Identification of central hurdles: technical, economic and human factors

The path to greater cloud sovereignty is paved with considerable obstacles:

Technical complexity

The structure and operation of competitive, large-scale cloud infrastructures is technologically extremely demanding. The integration of different systems in multi-cloud or federated environments (as they are sought for DVC or GAIA-X) places high demands on interoperability. The guarantee of security in such complex, distributed systems is a constant challenge.

Economic factors

The enormous investment costs for the development of data centers and cloud platforms make it difficult to keep up with the scale effects of the global hyperscals. High energy prices in Germany represent a location disadvantage for data centers. At the same time, the dependence on proprietary software contains the risk of increasing license costs and a lack of price transparency. Budget reservations in the public sector and the need for profitability considerations (Wibe) influence investment decisions.

Shortage of skilled workers

A lack of qualified staff for the structure, operation and the use of cloud technologies, especially for advanced or alternative open source-based solutions, is one of the greatest hurdles.

Market contracts and dominance

The established market power of the US hyperscaler complicates alternatives to gain a foothold. Existing investments, familiar ecosystems and the familiarity of users create considerable inertia.

Regulatory and compliance load

The navigation through complex regulations (GDPR, industry -specific rules) and the obtaining of necessary certifications (such as BSI C5) require considerable effort and resources.

Gaia-X-specific challenges

Internal problems such as bureaucracy, complexity, slow progress and conflicting interests within the GAIA X initiative itself hinder their effectiveness.

Expert perspectives on the way

Despite the challenges, experts emphasize the need to continue to pursue the path to digital sovereignty. Cloud technologies are considered indispensable for modernization, especially administration. The following points are considered essential for further success:

Focus on standards and interoperability

The establishment and enforcement of open standards is crucial to enable interoperability and avoid lock-in effects.

Strengthening European cooperation

Coordinated approach at European level (e.g. via the Joint Declaration Cloud or IPCEI-CIS projects) is essential to achieve scale effects and prevent fragmentation of the market.

Pragmatic approach

Dependencies should be gradually reduced. Open source and technical security measures such as encryption should be taken, but without completely avoiding external innovations.

Strengthening the domestic ecosystem

The framework conditions for data centers in Germany must be improved (energy prices, approval procedures). The promotion of start-ups and investments in research and development are also important.

It becomes clear that the achievement of significant cloud-independence is a long-term undertaking that requires considerable and permanent efforts. Overcoming the advantage of the US hyperscaler, the change of established IT practices, the establishment of a competitive European ecosystem (providers, specialists, standards) and the coping with complex political questions cannot be done overnight. It is more of a generation order for the development of digital skills, to promote an open source culture and to consistently use of sovereignty-oriented policy over legislative periods. Initiatives such as Gaia-X and SCS lay important foundations, but their full effect will probably only develop for years or decades. The evaluation of the German strategy therefore requires a long -term perspective. Short -term shifts of the market shares are likely to be low. Important progress indicators will be the adaptation of standards (C5, SCS), the growth of a viable European provider ecosystem (also in niches), the successful implementation of the DVC and the demonstrable ability of the public sector to be strategically managed, including effective exit strategies.

Strategic recommendations

Synthesis of the German strategy and progress

Germany pursues a clear strategic intention to strengthen digital sovereignty in the cloud area. This is driven by the recognized risks of the dependence on US hyperscalers-especially with regard to the cloud act, Vendor Lock-in and security concerns. The chosen approach is pragmatic and multi-layered: A multi-cloud strategy is intended to secure flexibility, while the state is intended to promote local and European providers as an an an an anchor on targeted procurement policy (based on EVB-IT Cloud and the C5 certification). Projects such as the DVC and Delos Cloud are intended to combine the modernization of the administration with sovereign objectives. At European level, Germany relies on initiatives such as GAIA-X, which may change from the original vision of a hyperscaler competitor to a standardization framework, and the more technically concrete sovereign cloud stack (SCS), which creates an open source basis for interoperable clouds.

Despite these efforts, the German Cloud market is still dominated by US providers. However, progress can be seen: standards such as BSI C5 establish themselves, European providers develop specialized sovereign offers, and with SCS a promising technical alternative is created. Nevertheless, complete digital independence remains a distant goal. The challenges of scaling, costs, shortage of skilled workers and technical complexity are considerable. Success depends on whether it is possible to consistently translate the strategic goals into procurement practice and to sustainably strengthen European alternatives.

Recommendations for politics and industry

Based on the analysis, the following recommendations can be derived:

Clearly define and operationalize sovereignty

A clear, graded and measurable definition of digital sovereignty is required, which can serve as the basis for procurement decisions. What does sovereignty mean in concrete terms at technical, operational and legal level and which gradations are acceptable?

Consistently use procurement power

The EVB-IT Cloud should be used consistently and, if necessary, strengthened with regard to the preference of OSS solutions. The DVC portal must be used effectively to make sovereign and European offers visible and to facilitate their commission. Tender procedures should be critically checked whether they favor unintentionally established hyperscales.

Invest in SCS and open source

The SOEGEUGN Cloud Stack should actively promote and use in projects in the public sector (DVC, federal cloud development). Existing hurdles for the procurement of OSS must be identified and dismantled. The development and maintenance of open source components that are relevant for sovereign cloud solutions should be financially supported.

Promote European ecosystem

Support for European cooperation projects such as IPCEI-CIS should continue. The framework conditions for data center operators in Germany (energy costs, approval procedures) must be improved. Cloud native start-ups and SMEs need targeted support. Investments in the training and further training of cloud specialists are essential.

Focus on gaia-x

The efforts in the context of GAIA-X should concentrate on the development and establishment of practical standards, enabling data rooms and ensuring interoperability instead of looking for direct competition with hyperscalers. Transparency and a clear governance are crucial to regain trust and to meet criticism.

Suitable for:

• Gaia-X: Data security & interoperability between different systems and actors in the Smart Factory & Industrial Metaverse

Improve transparency and monitoring

Data for cloud use in the public sector should be published regularly (share of various providers, costs for OSS vs. Proprietary solutions). The progress of key projects such as DVC and Delos as well as the effectiveness of sovereign measures must be made transparent and monitored. Compliance with specifications (e.g. BSI requirements for Delos) must be checked by independent places.

Develop exit strategies

For critical applications that are operated on non-sovereign or proprietary platforms, technical and organizational exit strategies (exit strategies) must be planned and prepared proactively. This is a central aspect of risk management and the long -term securing of the ability to act.

☑️ SME support in strategy, consulting, planning and implementation

☑️ Creation or realignment of the AI ​​strategy

☑️ Pioneer Business Development

 

I would be happy to serve as your personal advisor.

You can contact me by filling out the contact form below or simply call me on +49 89 89 674 804 (Munich) .

I'm looking forward to our joint project.

 

 

Xpert.Digital is a hub for industry with a focus on digitalization, mechanical engineering, logistics/intralogistics and photovoltaics.

With our 360° business development solution, we support well-known companies from new business to after sales.

Market intelligence, smarketing, marketing automation, content development, PR, mail campaigns, personalized social media and lead nurturing are part of our digital tools.

You can find out more at: www.xpert.digital - www.xpert.solar - www.xpert.plus