AWS Digital Sovereignty Pledge: the new era of cloud
AWS is the first cloud service provider that champions digital sovereignty with its groundbreaking Digital Sovereignty Pledge, ensuring each AWS region adheres to the highest standards of data residency and security. Let's dive into how it is transforming the way we manage and secure data in the cloud.
AWS European Sovereign Cloud: why is it important?
Digital Sovereignty refers to the ability of a state or a region to control and manage its own digital assets, including data, communications, and services, ensuring that they align with the region’s enhanced data residency needs and ethical standards.
A few days ago, Amazon Web Services (AWS) introduced the AWS European Sovereign Cloud: a specialised and independent cloud infrastructure tailored for highly-regulated industries and public sector organisations in Europe.
In the forthcoming AWS European Sovereign Cloud, similar to existing AWS Regions, customers maintain control and assurance that AWS will not access or utilise their data without consent, offering the most robust sovereignty controls among leading cloud providers.
“This is a game-changer for highly regulated industries and the public sector in Europe, providing them with an independent cloud option to meet evolving data residency and resilience requirements within the European Union (EU).”
Adam Gaca, VP of Cloud Solutions, Future Processing
This independent cloud will be exclusively operated and supported by AWS staff residing in the EU. It caters to clients with heightened data residency requirements, allowing them to retain all generated metadata (including roles, permissions, resource labels, and configurations for AWS operation) within the EU. Additionally, it will operate independent billing and usage metering systems.
What’s more, legislation plays a critical role in shaping cloud strategies and operations, influencing everything from data center locations to the design of cloud services and the management of customer data.
As digital sovereignty and privacy concerns become more pronounced globally, AWS’s approach to navigating this complex legislative landscape becomes increasingly relevant and challenging.
AWS Digital Sovereignty Pledge: what’s inside?
AWS’s pledge towards Digital Sovereignty encapsulates several key aspects:
- Sovereign-by-Design Cloud: AWS services have been designed to be sovereign-by-design from their early stages, focusing on critical data protection features and controls. This approach was shaped by inputs from industries with stringent security and data privacy requirements, like financial services and healthcare. AWS has developed robust encryption and key management capabilities, achieved compliance accreditations, and made contractual commitments to address these customer needs.
- Data Residency Guardrails: AWS has introduced data residency guardrails, providing customers greater control over the physical location of their data storage and processing. This feature aligns with the increasing emphasis on data sovereignty in compliance with regulations like the General Data Protection Regulation (GDPR).
- Control over Data Location: AWS customers have always had control over where their data is located. In Europe, for instance, they can choose to deploy data in any of eight regions. AWS commits to expanding these data residency controls, offering more refined controls and transparency.
- Comprehensive Encryption: AWS allows for encryption of data in transit, at rest, or in memory. The company is committed to continuing to invest in encryption features, enabling customers to encrypt all their data everywhere, whether the encryption keys are managed inside or outside the AWS Cloud.
- Transparency and Trust: AWS emphasises transparency in how its services process and transfer data. It also challenges requests for customer data from law enforcement and government agencies, providing guidance and compliance evidence to help AWS customers meet regulatory requirements.
- Partnerships for Digital Sovereignty: AWS collaborates with local partners to address digital sovereignty requirements. For instance, in Germany, T-Systems offers Data Protection as a Managed Service on AWS, providing expertise and services for data residency and encryption key management.
The impact of AWS’s Pledge for global cloud services and providers
AWS Digital Sovereignty can have a significant impact on the global cloud services industry. It reflects a growing trend among cloud service providers to address concerns around data sovereignty, privacy and security.
Setting industry standards:
AWS’s move could set new benchmarks for data sovereignty and security. As one of the leading cloud providers, AWS’s actions often influence industry standards and best practices. Their commitment to enhanced data sovereignty controls may prompt other providers to adopt similar measures.
Increased trust and reliability:
By assuring AWS customers that their data will be managed in accordance with regional legal requirements and won’t be accessed or used without consent, AWS builds greater trust. This is crucial for attracting and retaining customers, especially those in highly regulated industries like government, healthcare and finance, where data sensitivity is paramount.
Encouraging local data center expansion:
The European Sovereign Cloud may lead to an increased focus on developing local data centers in different regions, aligning with national data residency laws. This localisation can result in improved service delivery and performance due to data being stored closer to the end-users.
Innovation in Cloud technology:
The pledge may drive innovation in cloud technology, as AWS and other providers might develop new tools and services.
Competitive differentiation:
AWS digital sovereignty could become a key differentiating factor in the highly competitive cloud services market. Smaller cloud service providers might face challenges in matching the level of control and security that a giant like AWS can offer. This could lead to market consolidation or compel smaller players to find niche areas where they can compete effectively.
Challenges for global operations:
Implementing stringent data sovereignty measures could introduce complexities in managing global cloud infrastructures. Providers must balance the need for localised control with the efficiencies of a globally integrated cloud environment.
Influence on policy and legislation:
AWS’s actions and the broader industry response may influence future policy and legislative decisions related to digital sovereignty and data governance, as lawmakers consider the capabilities and commitments of leading technology providers.
How AWS Cloud helps you comply with GDPR and other regulations
Key EU data governance regulations include the GDPR and the European Data Governance Act. The GDPR governs data protection and privacy, while the Data Governance Act focuses on increasing trust in data sharing and facilitating the availability of data across the EU.
AWS Cloud allows customers to control the location of their data with services like Amazon EC2 and Amazon S3. To comply with regulatory requirements, AWS has introduced AWS Dedicated Local Zones. These are customer-specified locations or data centers managed by AWS and operated by local personnel, providing the same benefits as AWS Local Zones with added security and governance features.
Amazon has also innovated with the AWS Nitro System to restrict access to customer data, ensuring that no one, including AWS staff, can access customer workloads on EC2 without authorisation.
AWS provides tools and infrastructure to support compliance but does not take over the entire responsibility for meeting regulatory requirements.
What steps should you take to align with Digital Sovereignty on AWS?
To align with the AWS European Sovereign Cloud, consider the following steps:
- Choose the right Cloud Partner: It is crucial to find someone who already has the right people, knowledge, and skills to leverage this opportunity strategically at scale.
- Ensure compliance: Regularly audit and ensure that your AWS infrastructure is compliant with local and regional data protection laws and regulations.
- Data management: Implement data management policies that define how data is stored, processed, and secured.
- Access control: Utilise AWS services and tools to restrict data access to authorised personnel only.
- Encryption: Encrypt data at rest and in transit using AWS encryption services, managing keys either within AWS KMS or externally as required by sovereignty regulations.
- Resiliency and disaster recovery: Set up resilient cloud architectures with multi-region availability and disaster recovery plans that comply with sovereignty needs.
- Continuous improvement: Stay informed about the latest cloud security trends and independent sovereign cloud features. Continually refine your cloud strategy to adapt to evolving European Union regulations and technologies.
Engage with experts and AWS partners, like Future Processing, who have experience in CloudOps, cloud consulting and modernisation. We can provide support tailored to your business needs and sovereignty requirements.