Dependent on the US cloud? Germany's battle for the cloud: How they plan to compete with AWS (Amazon) and Azure (Microsoft)

Digital self-sufficiency or dependency management? The future of German cloud policy

This article analyzes the German Federal Government's strategies and initiatives for strengthening digital sovereignty in the cloud sector and reducing dependence on US hyperscalers. Driven by security concerns (particularly due to the US CLOUD Act), economic risks (vendor lock-in, costs), and the strategic goal of technological capability, Germany is pursuing a multifaceted approach. Key pillars include the Federal Government's multi-cloud strategy, positioning the state as an "anchor customer" to promote domestic and European providers, and the establishment of stringent security and procurement standards (BSI C5, EVB-IT Cloud). Initiatives such as the German Administrative Cloud (DVC) and the controversial Delos Cloud project aim to advance the modernization of public administration while simultaneously meeting sovereignty requirements. At the European level, the Gaia-X project, despite significant criticism and a likely shift from a hyperscaler competitor to a standardization framework, and the more technically concrete Sovereign Cloud Stack (SCS) play a central role in creating interoperable and open alternatives. However, the cloud market in Germany continues to be heavily dominated by US providers such as AWS, Microsoft Azure, and Google Cloud. German and European providers like T-Systems, SAP, IONOS, OVHcloud, and STACKIT are increasingly positioning themselves with specialized, sovereign offerings and using certifications such as BSI C5 as a means of market access, particularly in the public sector. Complete digital sovereignty, however, remains an ambitious long-term goal. The challenges are immense and include technical complexity, high costs, a shortage of skilled workers, and the sheer market power of established players. The success of the German strategy depends significantly on the consistent implementation of political guidelines in procurement practice, the successful scaling of European alternatives such as SCS, and a realistic expectation that aims more at managing dependencies than at complete autarky.

Suitable for:

• US policy inspires EU tech companies? Data sovereignty of US dominance: The future of the cloud in Europe

The imperative of digital sovereignty: Germany's cloud challenge

Driving Digital Sovereignty in Germany

The ongoing digitalization of the economy and society forms the backdrop for Germany's efforts to achieve digital sovereignty in the cloud sector. The aim is to strengthen Germany's ability to shape its digital future independently and to ensure its technological capability. The German government, across various political constellations, considers this goal essential for national security, economic competitiveness, and the trust of its citizens.

Digital sovereignty is a multifaceted concept. It encompasses technical, operational, and legal control over data and infrastructure, self-determination, autonomy, and IT security. It is not just about the physical storage location of data, but crucially about control over its processing and the underlying technology. Germany's 2021 Cybersecurity Strategy explicitly names strengthening digital sovereignty as a central guiding principle. The goal is a free, open, and secure internet in which fundamental rights are protected.

Despite its political significance, the term "sovereignty" exhibits a certain ambiguity in practice. Even among small and medium-sized enterprises (SMEs), the term is sometimes unknown. Within the administration as well, there appears to be no uniform, operationalizable definition, as inquiries to the Federal Government indicate. Various actors—from security authorities and economic ministries to data protection officers—place different emphases, be it on control, security, economic opportunities, or data protection. This lack of definition carries the risk of political ambivalence and potentially contradictory initiatives. It also makes it difficult to measure progress toward greater sovereignty. The need to clarify what level of sovereignty is realistically achievable and desirable is underscored by detailed parliamentary inquiries.

Closely linked to the pursuit of digital sovereignty is the promotion of open source software (OSS). Open source code promises transparency, verifiability, and a reduction in dependence on individual proprietary vendors.

Risk assessment: Dependence on US hyperscalers

The strong dependence on the dominant US-based cloud providers (hyperscalers) is perceived by German policymakers as a significant risk in several dimensions.

Security risks

The use of systems whose trustworthiness cannot be fully verified creates potential entry points for cyber actors. In particular, concerns about foreign intelligence services accessing sensitive data play a role. Publicized security incidents at major providers and the general complexity of cloud environments, which facilitate misconfigurations and vulnerabilities, reinforce these concerns.

Legal and data protection risks

The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) poses a key problem. It potentially empowers US authorities to access data stored by US companies worldwide, even if the data is stored outside the US. This conflicts with strict European data protection regulations (GDPR) and undermines control over one's own data. The Schrems II ruling by the European Court of Justice, which invalidated previous data transfer mechanisms to the US, has further exacerbated legal uncertainty. While technical (e.g., encryption with key control at the customer level) and contractual approaches to risk mitigation exist, their long-term legal resilience and practical enforceability are questionable. It is noteworthy that many SMEs are unfamiliar with the implications of the CLOUD Act.

Economic risks

The high level of market concentration leads to significant dependence on a few providers, a phenomenon known as vendor lock-in. This restricts flexibility when switching providers and weakens customers' negotiating position. The result can be substantial price increases, as demonstrated by real-world examples (VMware) and the rising expenditures of the German federal government for Microsoft licenses. There is a risk that dominant providers will exploit their market power for their own benefit and inadequately address specific requirements, such as those of the public sector regarding information security.

Geopolitical and strategic risks

Technological dependence on non-European suppliers carries risks due to geopolitical shifts and potential supply chain disruptions. In the long term, a state's sovereignty can be eroded if control over critical data is lost.

In this context, a remarkable tension emerges in the German strategy: On the one hand, the goal of digital sovereignty is proclaimed, while on the other hand, projects like the Delos Cloud, which is technologically based to a significant extent on Microsoft Azure, are being promoted. Although this cloud is intended to be "sovereign" through operation in German data centers by a German company and under the supervision of the BSI (Federal Office for Information Security), the core technology remains proprietary and US-based. At the same time, US hyperscalers are members of the Gaia-X consortium and even offer BSI C5-certified services in Germany and Europe. This suggests a pragmatic but potentially contradictory approach. The German government seems to recognize the necessity of widely used technologies (such as Microsoft Office) and the innovative power of US corporations. Instead of complete technological independence, which is considered unrealistic or too costly in the short term, the focus is on mitigating risks through specific control mechanisms (data location, operational control, BSI oversight). The criticism that Delos is not truly sovereign reflects this tension. Germany's strategy thus aims more at a managed dependency than at complete independence. The success of this strategy depends crucially on the effectiveness and sustainability of the established control mechanisms and the ability to promote genuine European alternatives that will reduce the need for such managed dependencies in the long term.

Suitable for:

• The digital dependence on the USA: cloud dominance, distorted trading balance sheets and lock-in effects

Politics in action: Germany's strategic initiatives for cloud independence

The federal government's multi-cloud strategy and its role as an "anchor customer"

A central element of German cloud policy is the Federal Government's multi-cloud strategy. Its core principle is to avoid vendor lock-in by utilizing services from multiple cloud providers. This is intended to enable flexibility, promote competition, and allow the integration of the best available solution ("best of breed") for specific use cases into the administration's own IT architecture. The strategy explicitly emphasizes the need for close collaboration with cloud providers, rather than decoupling from them.

Closely related to this is the role of the state as an "anchor customer" (the "anchor customer principle"). The public sector should strategically leverage its considerable purchasing power to stimulate the market for sovereign, trustworthy cloud solutions. By increasingly adopting such offerings themselves ("cloud-first" strategies), federal, state, and local governments aim to support German and European providers in scaling their services and making them more competitive. Funding programs for startups and increased spending on research and development are intended to further strengthen the domestic technology ecosystem.

However, observations point to a potential gap between the strategic direction and its actual implementation. While the strategy promotes multi-cloud and European providers, specific, large-scale tenders from the federal administration appear to be tailored, in part, to established hyperscalers. At the same time, large US providers like Microsoft continue to benefit from significant increases in public spending. The promotion of open-source software is supported, but with the caveat "where technically feasible and economically viable," which leaves room for interpretation. The reasons for this can be manifold: existing dependencies, user preferences, a perceived immaturity of alternatives, or complex procurement procedures could favor established providers. Internal resistance or a lack of expertise can also hinder the adoption of alternatives. The effectiveness of the anchor customer principle thus depends crucially on consistent implementation across all administrative levels, clear procurement guidelines that favor sovereign or open-source solutions (which may require a revision of the EVB-IT [German Federal Procurement Ordinance for IT]), and overcoming practical hurdles in the introduction of alternatives. The critical questions regarding specific tenders indicate concerns about this implementation gap.

Lighthouse projects: Federal Cloud, German Administrative Cloud (DVC) and Delos Cloud

Several specific projects are intended to implement the federal government's cloud strategy:

Federal Cloud

This is an established, exclusive private cloud infrastructure operated by the Federal Information Technology Center (ITZBund) for federal agencies. It runs in the ITZBund's data centers and is accessible via the federal government's secure network. The Federal Cloud offers specific services as Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS), including a collaborative storage solution (SIB-Box) based on Nextcloud and the Federal Electronic Records Management System (E-Akte Bund). It is considered a core component, but questions remain regarding its further expansion in relation to the multi-cloud approach and the Digital Virtual Environment (DVC).

German Administrative Cloud (DVC)

This is a newer, overarching strategy and platform designed to create a multi-cloud ecosystem for the entire German public administration (federal, state, and local governments). Symbolically launched in March 2025, the DVC (Digital Cloud Computing) offers a central portal through which public administration staff can order standardized and legally compliant cloud services, initially from public IT service providers. A key objective is to strengthen digital sovereignty through open standards that facilitate switching providers and prevent vendor lock-in. The DVC aims to improve federal IT cooperation and achieve economies of scale through joint tenders. Its precise relationship to the Federal Cloud and specific tenders still needs clarification. A specific economic analysis (WiBe DVC) exists for evaluating cloud migrations within the DVC context.

Delos Cloud

A specific project led by the Federal Ministry of Finance (BMF) within the framework of its multi-cloud strategy. The goal is to enable the use of Microsoft services (especially Office products and the Windows operating system) beyond 2029, as Microsoft plans to discontinue on-premises versions. The Delos Cloud is to be operated by the German company Delos Cloud GmbH on a dedicated infrastructure decoupled from Microsoft technology in German data centers. It aims for technical, operational, and legal sovereignty, with the Federal Office for Information Security (BSI) controlling the necessary external data exchange and monitoring compliance with federal requirements (information security, data protection, and confidentiality). The project is currently in the testing and validation phase. Although primarily designed for the federal government, subsequent use by states and municipalities is envisioned. Delos represents a pragmatic attempt to secure access to essential standard software while simultaneously meeting sovereignty requirements, but it faces criticism regarding its actual sovereignty.

The parallel existence of these initiatives—the established federal cloud, the overarching DVC framework, and specific solutions like Delos—raises questions about integration and coherence. There is a risk of fragmentation. The DVC is intended to serve as a unifying layer, but practical implementation requires the integration of existing systems and consideration of specific needs. A purely centralized approach is difficult to implement in German federalism. A federated approach, in which different systems are networked under common standards, could offer a solution and would be consistent with the Gaia-X concept. However, success depends on effective coordination and standardization. Without these, inefficiency, duplication of effort, and confusion threaten, which would undermine the overarching goals of sovereignty and efficiency. The role of the DVC as a central portal and standard-setter is therefore crucial for establishing coherence.

Structuring the procurement process: The EVB-IT Cloud contract framework

To standardize and legally secure the procurement of cloud services by public authorities, the "Supplementary Contractual Terms for the Procurement of IT Services – Cloud" (EVB-IT Cloud) were introduced. This set of terms, available since March 2022, is intended to apply to authorities at the federal, state, and local levels.

The EVB-IT Cloud covers various cloud service models, including Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS), and Managed Cloud Services (MCS). It consists of several documents: sample terms and conditions, a sample contract, a technical criteria catalog for defining performance parameters, and provisions for incorporating the provider's terms and conditions. A data processing agreement (DPA) is also mandatory.

A key requirement of the EVB-IT Cloud is proof of compliance with the basic criteria of the BSI's Cloud Computing Compliance Criteria Catalogue (C5). While this was already legally mandated for federal agencies, the application of the EVB-IT Cloud now effectively makes C5 compliance a prerequisite for state and local authorities as well. The EVB-IT regulations take precedence over the standard terms and conditions of cloud providers. The contract templates are publicly available, although official translations for international providers are lacking.

Critics question, however, whether the EVB-IT Cloud is consistently applied in practice and whether it provides sufficient incentives for the procurement of open-source software, or whether it needs to be refined. Standardization through the EVB-IT Cloud is thus a double-edged sword: it simplifies procurement for public sector clients and raises the security level through the C5 requirement. At the same time, the complex and rigid requirements can pose a hurdle for smaller or foreign providers unfamiliar with the German system. This could unintentionally favor larger players who are better prepared to meet the specific requirements, thus counteracting the goal of promoting a diverse ecosystem. Careful monitoring of the impact and, where necessary, flexible adjustments are therefore essential to ensure that the EVB-IT Cloud does not hinder innovation or disproportionately disadvantage smaller European providers.

Integration of an independent and cross-data source-wide AI platform for all company matters-Image: Xpert.digital

Ki-Gamechanger: The most flexible AI platform-tailor-made solutions that reduce costs, improve their decisions and increase efficiency

Independent AI platform: Integrates all relevant company data sources

• This AI platform interacts with all specific data sources
  • From SAP, Microsoft, Jira, Confluence, Salesforce, Zoom, Dropbox and many other data management systems
• Fast AI integration: tailor-made AI solutions for companies in hours or days instead of months
• Flexible infrastructure: cloud-based or hosting in your own data center (Germany, Europe, free choice of location)

• Highest data security: Use in law firms is the safe evidence
• Use across a wide variety of company data sources
• Choice of your own or various AI models (DE, EU, USA, CN)

Challenges that our AI platform solves

• A lack of accuracy of conventional AI solutions
• Data protection and secure management of sensitive data
• High costs and complexity of individual AI development
• Lack of qualified AI
• Integration of AI into existing IT systems

More about it here:

• AI integration of an independent and cross-data source-wide AI platform for all company matters

Building European alternatives: Gaia-X and the Sovereign Cloud Stack

Gaia-X: Vision, progress and practical implementation

The Gaia-X project, initiated by Germany and France in 2019, pursues the vision of creating a federated, open, secure, and transparent data infrastructure for Europe, based on European values ​​such as data protection, sovereignty, and interoperability. It aims to reduce dependence on non-European cloud providers and strengthen Europe's digital sovereignty.

Gaia-X is not a single cloud platform, but rather a framework and ecosystem. It defines common standards and rules (policy rules, trust framework) and promotes the development and use of interoperable components, often based on open source. The goal is to connect providers and users and enable the secure exchange of data in so-called data spaces. The structure includes a central non-profit organization (Gaia-X AISBL), national coordination bodies (such as the Gaia-X Hub Germany), and numerous projects that aim to implement concrete use cases in various sectors, such as mobility, industry, and healthcare.

The German Gaia-X Hub, whose office is operated by acatech and whose project duration is planned until the end of 2025, serves as a central point of contact in Germany. It consolidates information, organizes working groups by industry (domain), supports projects, publishes materials, and hosts events. Current activities (as of early 2025) include explaining architecture documents, promoting conformity assessments and digital credentials, and further developing tools (Gaia-X Federation Services, XFSC). A key focus is the creation of an interoperable cloud-edge infrastructure.

Suitable for:

• Industry-X: Promoting European and global logistics and supply chains through industry initiatives Catena-X and Gaia-X

Dealing with criticism: Challenges and future of Gaia-X

Despite its ambitious goals, Gaia-X faces considerable criticism. Critics point to slow progress, excessive bureaucracy, high complexity, and a partially unclear benefit. The membership of major US hyperscalers (AWS, Microsoft, Google) and companies with sensitive security concerns, such as Palantir, in the Gaia-X consortium is also a subject of controversy. Prominent founding members like the French cloud provider Scaleway and the German company Nextcloud have left the project. Reasons cited include the obstructionist stance of US corporations and the assessment that the project has failed, or is even "dead," in its original ambition to create a genuine European alternative. Media reports suggest that some observers consider Gaia-X a failure, at least with regard to its goal of building a European hyperscaler competitor.

Representatives of Gaia-X reject this assessment, emphasizing the ongoing work on standards and the project's role in enabling data ecosystems and promoting collaboration. The focus, they say, is on creating interoperable data spaces, not necessarily on building a single, massive cloud.

It is becoming clear that Gaia-X may be undergoing a strategic realignment. The initial expectation that Gaia-X would produce a direct European hyperscale competitor has given way to a more pragmatic view in light of criticism and slow progress. Building a competitive hyperscaler against established global players has proven extremely difficult. The complexity of coordinating diverse European interests and the involvement of US corporations diluted the vision of a purely European alternative. Focusing on the role of a standardization body and ecosystem enabler for federated data spaces appears to be a more realistic and achievable goal. This builds on European strengths in specific industries and in regulatory harmonization (GDPR). The success of Gaia-X should therefore be measured less by whether it directly displaces US hyperscalers, but rather by its ability to establish common rules, promote interoperability between different (including European) providers, and enable secure, sovereign data exchange in key European sectors (e.g., automotive, mobility). Its long-term impact depends on the adoption and practical implementation of its standards and frameworks.

 The Sovereign Cloud Stack (SCS): A technical foundation for sovereignty

As a more concrete technical initiative within the Gaia-X framework, the Sovereign Cloud Stack (SCS) has established itself. It is an open-source project that was originally funded by the German Federal Ministry for Economic Affairs and Climate Action through the Open Source Business Alliance (OSBA). SCS provides standardized, interoperable, and fully open-source software components for building cloud infrastructures (IaaS) and container platforms (CaaS). It is conceived as a concrete implementation based on the principles of Gaia-X.

The goals of SCS are to define certifiable standards, ensure openness and transparency (no "Open Core" model), promote sustainability, and enable the federation of compatible cloud instances. A key concern is avoiding vendor lock-in. Technologically, SCS is based on established open-source projects like OpenStack and Kubernetes, but aims to standardize and simplify their use. SCS provides a reference implementation.

Project funding ended in late 2024, but the work is being continued by a consortium of companies within the OSBA and the community. Several cloud providers are already developing offerings based on SCS (e.g., plusserver with pluscloud open). SCS is also being discussed as a potential standard for the planned Swiss Government Cloud. However, the federal government's specific plans for using SCS, for example within the framework of the DVC, are still unclear. While SCS defines its own levels of sovereignty, this taxonomy is criticized for focusing primarily on control and neglecting aspects such as performance or broader technological dependencies (e.g., hardware).

While Gaia-X struggles with broad acceptance and a clear definition of its role, SCS offers a concrete, open-source technology stack that is already being implemented by providers and is being considered for government projects. SCS directly addresses the technical challenges of interoperability and vendor lock-in that are central to the sovereignty debate. Its focus on open-source software aligns with the government's strategic goals. By standardizing proven components, SCS lowers the barrier to entry for providers who want to offer Gaia-X-compatible services. SCS could thus become the de facto standard for a truly sovereign European cloud infrastructure under the Gaia-X umbrella, even if Gaia-X evolves more into a governance and data space framework. Its success depends on further adoption within the community, adoption by providers, and integration into public procurement (e.g., via the DVC).

Market dynamics: The German cloud landscape

Market share overview: US dominance versus European competitors

The global market for cloud infrastructure services (IaaS, PaaS, hosted private cloud) is a growth market with enormous volumes. Worldwide revenue reached approximately US$330 billion in 2024, an increase of US$60 billion compared to 2023. The fourth quarter of 2024 alone saw expenditures of US$91 billion, representing a 22% increase year-over-year. This growth in 2024 was significantly fueled by investments in generative artificial intelligence (GenAI). Strong growth continued into the second quarter of 2024 with US$79 billion in revenue (also a 22% year-over-year increase).

The market is clearly dominated by the three major US hyperscalers: Amazon Web Services (AWS) holds a global market share of approximately 30-32%, followed by Microsoft Azure with 21-23% and Google Cloud with 11-12%. Together, these three providers control a large portion of the global public cloud market (approximately 68-73%). Microsoft and Google tend to exhibit higher growth rates than the market leader, AWS.

This global dominance is also reflected in Europe. Although the European cloud market has grown considerably since 2017 (to over €10 billion per quarter by mid-2022), European providers have continuously lost market share – from 27% in 2017 to just 13% by mid-2022. At that time, the three US hyperscalers already controlled 72% of the European market. Germany, along with the UK, is among the largest cloud markets in Europe.

While less detailed, up-to-date market share data is available for the German market, analyst reports confirm the picture of US dominance. The ISG Provider Lens™ for 2024 identifies AWS and Azure as the clear market leaders in Germany. Google Cloud, T-Systems' Open Telekom Cloud (OTC), and IONOS form the "following trio" in the Leader quadrant, which noris network also joined in 2024. Providers such as OVHcloud (France) and STACKIT (Schwarz Group) were classified as "Rising Stars" in 2023, but according to ISG, they did not make it into the Leader segment in 2024. SAP and Deutsche Telekom are considered the leading European providers, but each only achieved a market share of around 2% in Europe in mid-2022. In 2020, the Software-as-a-Service (SaaS) segment dominated the market in Germany with 67%, followed by IaaS (21%) and PaaS (12%).

Estimated market shares for cloud infrastructure providers (IaaS/PaaS) in Germany (2024)

Estimated market shares for cloud infrastructure providers (IaaS/PaaS) in Germany (2024) – Image: Xpert.Digital

The estimated market shares for cloud infrastructure providers (IaaS/PaaS) in Germany in 2024 paint a clear picture of market distribution. Amazon Web Services (AWS) is considered the leader with a market share of over 30%, as confirmed by ISG 2024 and Synergy, which also highlight its dominance in Europe. Microsoft Azure follows with an estimated share of over 20% and is also classified as a leading provider. Google Cloud, as a follower, achieves a market share of approximately 10 to 12% and, according to ISG, belongs to the "Leader Trio," similar to Open Telekom Cloud (OTC) and IONOS, which are also listed in this category. Noris network is described by ISG as a leader in its segment, while SAP is listed as the European market leader with a market share of around 2%. OVHcloud and STACKIT, on the other hand, are classified as "Rising Stars" for 2023, based on ISG reports. The remaining market share is shared by other providers, although analysts say precise percentages for Germany are difficult to obtain. The analysis is based on data from ISG and Synergy, which primarily examines the market relationships within Europe.

This market structure highlights the enormous challenge facing European providers. The cloud market is a scale business that demands massive, long-term investments as well as the highest levels of operational excellence. US hyperscalers benefit from their early market entry, vast capital resources, global reach, and network effects. European providers struggle to achieve these economies of scale individually. Initiatives like Gaia-X and SCS attempt to enable a kind of virtual scaling through federation and standardization, but this is inherently more complex than the expansion of a single company. A significant shift in market share will require either massive, coordinated European investments (e.g., through IPCEI projects) or the success of Gaia-X/SCS's federated approach in creating an attractive, large-scale ecosystem. Individual European providers are unlikely to challenge the top three in the broad IaaS/PaaS market.

Focus on German and European providers: offers and potential

Despite the dominance of US hyperscalers, there are a number of relevant German and European cloud providers that could benefit from the state sovereignty efforts:

Deutsche Telekom / T-Systems

Offers the Open Telekom Cloud (OTC) and specific sovereign solutions such as the Open Sovereign Cloud (OSC), which focuses on data security, compliance (BSI C5, ISO 27001), and operation in Germany. Also collaborates with other providers such as OVHcloud within the Gaia-X context.

SAP

As a leading European software company, SAP offers comprehensive cloud services via SAP Enterprise Cloud Services (ECS) and the Business Technology Platform (BTP), which also undergo BSI C5 audits. It is considered one of the leading European cloud providers.

IONOS

Positioned as a leading European hosting and cloud provider, particularly for SMEs, but also increasingly for larger companies and the public sector. Offers IaaS (Cloud Cubes, Compute Engine) and S3 Object Storage, both BSI C5 certified. ISG considers itself part of the three leading contenders in the German market. Operates data centers in Europe and the USA. Highlightes its certifications (C5, IT Baseline Protection) to build trust in the public sector and regulated industries. Available to public administrations via marketplaces such as govdigital.

OVHcloud

A major French cloud provider with a strong focus on Europe and data sovereignty. It also offers BSI C5-certified services and collaborates with T-Systems within the Gaia-X framework. It was classified as a “Rising Star” in Germany in 2023.

STACKIT

The cloud division of the Schwarz Group (Lidl, Kaufland) positions itself as a sovereign German cloud alternative, particularly for the public sector and critical infrastructures (KRITIS). It has also received BSI C5 certification for its services and is available via govdigital.

plusserver

A German provider that offers a cloud platform based on the Sovereign Cloud Stack (SCS) with its “pluscloud open”, thus strongly emphasizing open source and sovereignty.

More

secunet/Syseleven and noris network are other German providers that are mentioned in the context of cloud services.

These providers are increasingly focusing on specialization to differentiate themselves from the global hyperscalers. They emphasize aspects such as data sovereignty, the use of open source, compliance with specific German or European requirements (especially BSI C5), or offer industry-specific solutions. This focus on niches where global providers may have weaknesses or enjoy less trust (e.g., in the highly regulated German public sector) appears to be a promising strategy. Instead of trying to copy the hyperscalers broadly, they can score points through targeted offerings and high security standards. Government strategies and procurement regulations can support this specialization by specifically creating demand for such sovereign and certified solutions.

Selected German/European cloud providers with a focus on sovereignty

Selected German/European cloud providers with a focus on sovereignty – Image: Xpert.Digital

(¹ Status refers to specific services/regions according to sources; ² Selection of relevant certificates)

Selected German and European cloud providers place great emphasis on sovereignty and offer specialized solutions for diverse target groups and industries. Deutsche Telekom, or T-Systems, offers sovereign cloud services with its Open Telekom Cloud (OTC) and Open Sovereign Cloud (OSC), which boast both BSI C5 status and ISO 27001 certification and are particularly attractive to the public sector and regulated industries. SAP impresses with its SAP Enterprise Cloud Service (ECS) and SAP Business Technology Platform (BTP), both of which are BSI C5-compliant and ISO 27001 certified, and are geared towards businesses and regulated sectors. IONOS offers solutions such as Compute Engine, Cloud Cubes, and S3 Object Storage, which are also BSI C5 certified. With additional certifications like ISO 27001 and IT Baseline Protection, IONOS primarily targets small and medium-sized enterprises (SMEs), the public sector, and regulated industries. OVHcloud from France covers a broad spectrum with a variety of IaaS, PaaS, and SaaS solutions, placing particular emphasis on EU data sovereignty. STACKIT, the Schwarz Group's cloud solution, offers STACKIT Cloud, a sovereign, BSI C5 Type 2-certified option for the public sector, commerce, and critical infrastructure (KRITIS). Similarly, plusserver's SCS-based pluscloud open is also Type 2-certified and targets both the public sector and businesses. All providers are also qualified by important certifications such as ISO 27001 and focus specifically on the needs of their respective target markets.

Suitable for:

• Top Ten Data Management Systems (DMS) – From Document Management Systems to Cloud Database Management (DBMS)

The role of security certifications: BSI C5 and ISO 27001

Security certifications play a crucial role in the evaluation and selection of cloud providers, particularly in the context of digital sovereignty and for use in the public sector or regulated industries.

BSI C5 (Cloud Computing Compliance Criteria Catalog)

This catalog of criteria, developed by the German Federal Office for Information Security (BSI), has established itself in Germany as the leading standard for cloud computing security. It defines minimum requirements for the information security of cloud services and is based on internationally recognized standards such as ISO 27001, the BSI's IT Baseline Protection, and the Cloud Controls Matrix (CCM) of the Cloud Security Alliance (CSA). A key feature of C5 is the requirement for transparency regarding so-called environmental parameters, including information on data location, service provision, jurisdiction, and disclosure obligations to authorities. This is intended to enable customers to conduct a sound risk assessment. Compliance with the C5 criteria is confirmed by audits from independent auditors. The use of C5-compliant services is mandatory for federal authorities, and C5 is increasingly becoming a requirement for state and local authorities as well as companies in regulated sectors (e.g., healthcare). Numerous providers, including both the US hyperscalers (AWS, Microsoft Azure, Google Cloud) for their European regions and the leading German and European providers (T-Systems, SAP, IONOS, OVHcloud, STACKIT, plusserver), have C5 certifications for relevant services.

ISO/IEC 27001

This is the leading international standard for Information Security Management Systems (ISMS). ISO 27001 certification confirms that a company has implemented systematic processes for managing information security. Its scope is broader than that of C5 and covers the entire management system, not just specific cloud services. Many cloud providers view ISO 27001 as a foundational certification upon which more specific certifications like C5 can be built. Almost all relevant providers in the German market hold ISO 27001 certification.

IT baseline protection

The BSI's methodology for implementing IT security measures. C5 builds on the principles of IT baseline protection. Some providers, such as IONOS, also obtain specific IT baseline protection certification to demonstrate a particularly high level of protection.

The increasing importance of these certifications, particularly the BSI C5, makes them a crucial factor for market access in Germany. For providers seeking to serve the public sector or regulated industries, a C5 certification has become virtually indispensable. This applies to both European and US providers, who are making considerable efforts to meet the requirements. While this raises the overall security level and provides customers with a standardized basis for comparison, the certification process also demands significant investment from providers. This could potentially favor larger companies, but at the same time offers specialized European providers the opportunity to specifically qualify for sensitive markets by meeting these high standards.

Benefit from Xpert.Digital's extensive, fivefold expertise in a comprehensive service package | R&D, XR, PR & Digital Visibility Optimization - Image: Xpert.Digital

Xpert.Digital has in-depth knowledge of various industries. This allows us to develop tailor-made strategies that are tailored precisely to the requirements and challenges of your specific market segment. By continually analyzing market trends and following industry developments, we can act with foresight and offer innovative solutions. Through the combination of experience and knowledge, we generate added value and give our customers a decisive competitive advantage.

More about it here:

• Use the 5x expertise of Xpert.Digital in one package - starting at just €500/month

Navigation on the way forward: Feasibility and challenges

Assessment of the feasibility of Germany's cloud independence goals

While experts generally welcome Germany's ambitions to achieve greater independence in the cloud sector, they often view them with a degree of skepticism regarding their full feasibility. Complete technological self-sufficiency appears unrealistic or at least extremely costly to many. The focus is therefore increasingly shifting towards a gradual reduction of critical dependencies and strategic management of the remaining dependencies (see Section II.B), rather than complete isolation. The need to continue benefiting from global innovations, including those from US providers, is acknowledged.

The German government's multi-cloud strategy is seen as a pragmatic way to gain flexibility and reduce vendor dependencies without completely decoupling from established players. Open-source software (OSS) is considered a crucial building block for greater sovereignty and interoperability, as demonstrated by the development of the Sovereign Cloud Stack. However, obstacles to public sector procurement of OSS remain.

Ultimately, the feasibility of the objectives depends crucially on the consistent implementation of political strategies in procurement practice (see Section III.A), the success and scaling of European initiatives such as Gaia-X and especially SCS, the effective use of procurement instruments such as EVB-IT Cloud and the DVC, and the overcoming of the numerous challenges.

Suitable for:

• The dangers of Vendor Lock-in: Why companies should avoid dependencies

Identifying key obstacles: Technical, economic, and human factors

The path to greater cloud sovereignty is fraught with significant obstacles:

Technical complexity

Building and operating competitive, large-scale cloud infrastructures is technologically extremely demanding. Integrating diverse systems in multi-cloud or federated environments (as envisioned for DVC or Gaia-X) places high demands on interoperability. Ensuring security in such complex, distributed systems is a constant challenge.

Economic factors

The enormous investment costs for building data centers and cloud platforms make it difficult to compete with the economies of scale of global hyperscalers. High energy prices in Germany represent a locational disadvantage for data centers. At the same time, the dependence on proprietary software carries the risk of rising licensing costs and a lack of price transparency. Budget constraints in the public sector and the need for cost-benefit analyses influence investment decisions.

Skilled worker shortage

A shortage of qualified personnel for the setup, operation and use of cloud technologies, especially for advanced or alternative open-source-based solutions, represents one of the biggest hurdles.

Market inertia and dominance

The established market power of US hyperscalers makes it difficult for alternatives to gain a foothold. Existing investments, familiar ecosystems, and user trust create significant inertia.

Regulatory and compliance burden

Navigating complex regulations (GDPR, industry-specific rules) and obtaining necessary certifications (such as BSI C5) requires considerable effort and resources.

Gaia-X-specific challenges

Internal problems such as bureaucracy, complexity, slow progress and conflicting interests within the Gaia-X initiative itself hinder its effectiveness.

Expert perspectives on the future path

Despite the challenges, experts emphasize the need to continue pursuing the path to digital sovereignty. Cloud technologies are considered essential for modernization, particularly in public administration. The following points are deemed crucial for continued success:

Focus on standards and interoperability

The establishment and enforcement of open standards is crucial to enable interoperability and avoid lock-in effects.

Strengthening European cooperation

Coordinated action at European level (e.g. via the Joint Declaration Cloud or IPCEI-CIS projects) is essential to achieve economies of scale and prevent market fragmentation.

pragmatic approach

Dependencies should be reduced gradually. This should involve relying on open source and technical security measures such as encryption, without completely foregoing external innovations.

Strengthening the local ecosystem

The framework conditions for data centers in Germany need to be improved (energy prices, permitting procedures). Supporting start-ups and investing in research and development are also important.

It is becoming clear that achieving significant cloud independence is a long-term undertaking requiring substantial and sustained effort. Overcoming the lead of the US hyperscalers, changing established IT practices, building a competitive European ecosystem (providers, skilled workers, standards), and addressing complex policy issues cannot happen overnight. Rather, it is a generational task of building digital skills, fostering an open-source culture, and consistently implementing sovereignty-oriented policies across legislative terms. Initiatives like Gaia-X and SCS lay important foundations, but their full impact will likely only unfold over years or even decades. Therefore, evaluating the German strategy requires a long-term perspective. Short-term shifts in market share are likely to be minimal. Key progress indicators will be the adoption of standards (C5, SCS), the growth of a viable European provider ecosystem (including in niche markets), the successful implementation of the DVC, and the demonstrable ability of the public sector to strategically manage its cloud dependencies, including effective exit strategies.

Strategic Recommendations

Synthesis of German strategy and progress

Germany is pursuing a clear strategic objective to strengthen digital sovereignty in the cloud sector. This is driven by the recognized risks of dependence on US hyperscalers – particularly in light of the CLOUD Act, vendor lock-in, and security concerns. The chosen approach is pragmatic and multifaceted: A multi-cloud strategy aims to ensure flexibility, while the government, as the anchor customer, is to promote domestic and European providers through targeted procurement policies (supported by EVB-IT Cloud and C5 certification). Projects such as DVC and Delos Cloud are intended to link the modernization of public administration with sovereignty goals. At the European level, Germany is focusing on initiatives such as Gaia-X, which may evolve from its initial vision of a hyperscaler competitor into a standardization framework, and the more technically concrete Sovereign Cloud Stack (SCS), which creates an open-source foundation for interoperable clouds.

Despite these efforts, the German cloud market remains dominated by US providers. However, progress is evident: standards such as BSI C5 are becoming established, European providers are developing specialized sovereign offerings, and SCS is emerging as a promising technical alternative. Nevertheless, complete digital independence remains a distant goal. The challenges regarding scalability, costs, skills shortages, and technical complexity are considerable. Success depends on consistently translating strategic goals into procurement practices and sustainably strengthening European alternatives.

Recommendations for policy and industry

Based on the analysis, the following recommendations can be derived:

Clearly define and operationalize sovereignty

A clear, tiered, and measurable definition of digital sovereignty is needed to serve as a basis for procurement decisions. What does sovereignty mean specifically at the technical, operational, and legal levels, and what levels are acceptable?

Consistently utilize procurement power

The EVB-IT Cloud guidelines should be consistently applied and, where necessary, strengthened with regard to the preference for open-source software (OSS) solutions. The DVC portal must be used effectively to make sovereign and European offerings visible and to facilitate their procurement. Tender procedures should be critically reviewed to ensure they do not unintentionally favor established hyperscalers.

Investing in SCS and Open Source

The sovereign cloud stack should be actively promoted and used in public sector projects (DVC, federal cloud development). Existing barriers to the procurement of open-source software (OSS) must be identified and removed. The development and maintenance of open-source components relevant to sovereign cloud solutions should be financially supported.

Promoting the European ecosystem

Support for European cooperation projects like IPCEI-CIS should continue. The framework for data center operators in Germany (energy costs, permitting procedures) needs to be improved. Cloud-native startups and SMEs require targeted support. Investments in the training and further education of cloud professionals are essential.

Gaia-X focuses

Gaia-X efforts should focus on developing and establishing practical standards, enabling data spaces, and ensuring interoperability, rather than directly competing with hyperscalers. Transparency and clear governance are crucial for regaining trust and addressing criticism.

Suitable for:

• Gaia-X: Data security and interoperability between different systems and actors in the Smart Factory and Industrial Metaverse

Improve transparency and monitoring

Data on cloud usage in the public sector should be published regularly (market share of different providers, costs of open-source software vs. proprietary solutions). The progress of key projects such as DVC and Delos, as well as the effectiveness of sovereignty measures, must be made transparent and monitored. Compliance with regulations (e.g., BSI requirements for Delos) must be verified by independent bodies.

Develop exit strategies

For critical applications running on non-sovereign or proprietary platforms, proactive and binding technical and organizational exit strategies must be planned and prepared. This is a key aspect of risk management and ensuring long-term operational capability.

☑️ SME support in strategy, consulting, planning and implementation

☑️ Creation or realignment of the AI ​​strategy

☑️ Pioneer Business Development

Konrad Wolfenstein

I would be happy to serve as your personal advisor.

You can contact me by filling out the contact form below or simply call me on +49 7348 4088 965 (Munich) .

I'm looking forward to our joint project.

Xpert.Digital is a hub for industry with a focus on digitalization, mechanical engineering, logistics/intralogistics and photovoltaics.

With our 360° business development solution, we support well-known companies from new business to after sales.

Market intelligence, smarketing, marketing automation, content development, PR, mail campaigns, personalized social media and lead nurturing are part of our digital tools.

You can find out more at: www.xpert.digital - www.xpert.solar - www.xpert.plus