8 min Reading Time

82 percent of German companies want to end technical dependence on U.S. cloud providers. Yet 78 percent remain dependent in practice. The gap between aspiration and reality is the central challenge for corporate boards in 2026. Because digital sovereignty is no longer an IT issue – it’s a board-level decision with geopolitical, regulatory, and economic dimensions. GAIA-X delivers the framework. The Sovereign Cloud Stack provides the technical foundation. And Schwarz Group is investing €11 billion in STACKIT. But the U.S. CLOUD Act remains in force. For boards that fail to act now, dependency will become a strategic risk.

Why Digital Sovereignty Is Now a Strategic Priority

According to a recent survey, 78 percent of European executives report their leadership teams are more concerned about digital sovereignty today than a year ago. In Germany, that figure rises to 81 percent. This is no longer an abstract debate – it’s concrete board decisions on cloud strategy, data sovereignty, and regulatory compliance.

Three drivers have elevated the issue onto the strategic agenda. First: The U.S. CLOUD Act permits U.S. authorities to demand data from U.S. companies – regardless of where those data are stored. For European firms using AWS, Azure, or Google Cloud, this creates a direct legal conflict with the GDPR. The EU-U.S. Data Privacy Framework offers a temporary bridge – but the fundamental conflict remains unresolved.

Second: The geopolitical landscape has shifted. U.S. trade policy under successive administrations demonstrates that political dependencies carry economic consequences. Per Bitkom, 50 percent of German companies say U.S. government policy is forcing them to rethink their cloud strategy.

Third: Regulation makes sovereignty mandatory. The EU Data Act (in force since September 2025), DORA for the financial sector, and NIS2 for critical infrastructure establish a regulatory framework where data sovereignty is no longer optional. Federal CIO Dr. Markus Richter puts it plainly: “Digital sovereignty is absolutely essential.”

GAIA-X: From Concept to Implementation

GAIA-X has moved beyond the phase where its biggest output was paper. That changed. In November 2025, the initiative released Trust Framework 3.0 “Danube,” enabling federated trust structures across domains and geographies. Over 15 European data spaces are now operational – and built on GAIA-X standards. Cloud Temple became the first company certified at GAIA-X Label Level 3 – the highest tier.

CEO Ulrich Ahle sums it up: GAIA-X has transitioned from concept to implementation. Trust, interoperability, and innovation are no longer theoretical pillars – they’re the operational foundation of real, functioning digital ecosystems.

For boards, GAIA-X isn’t a product to buy – it’s a framework ensuring interoperability. Companies wanting to switch cloud providers need standardized interfaces. GAIA-X delivers exactly that: shared standards preventing lock-in to any single vendor. The Sovereign Cloud Stack (SCS), backed by 24 companies and defined as the compliance standard of the “Germany Stack” initiative, provides the technical underpinning.

Europe’s Cloud Landscape: Who’s Investing?

Market share remains sobering: European providers hold just 15 percent of the European cloud market, per Synergy Research. AWS, Microsoft, and Google control 70 percent. But the investment momentum is shifting.

STACKIT (Schwarz Group): The Lidl parent company is investing €11 billion in its cloud division. A new data center in Lübbenau – one of Europe’s largest – will host up to 100,000 GPUs. Schwarz Digits (the group’s digital arm, which includes STACKIT) generates roughly €1.9 billion in annual revenue. Its partnership with Google is notable: Google Workspace runs in Schwarz-operated data centers – with German data residency. The model? U.S. software, yes – but on European infrastructure, under European control.

Deutsche Telekom / T Cloud: Over 4,000 enterprise customers use T Cloud Public – including DAX-listed corporations. In November 2025, Telekom announced its Industrial AI Cloud in Munich: a €1+ billion investment deploying up to 10,000 GPUs – operated exclusively by European staff. Deutsche Telekom aims to close the feature gap with U.S. providers by end-2026.

AWS European Sovereign Cloud: Even U.S. providers are responding. On 15 January 2026, AWS launched its European Sovereign Cloud in Brandenburg: a €7.8 billion investment, structured as a standalone German GmbH (AWS European Sovereign Cloud GmbH), led by EU-based executives – and physically and logically isolated from AWS’s global infrastructure. It’s a concession to European sovereignty pressure. Whether it’s sufficient remains an open question: the parent company remains U.S.-based, and the CLOUD Act still applies.

The EU Data Act: Why Switching Is Getting Easier

The EU Data Act has been fully applicable since September 2025 – and fundamentally reshapes the power balance between cloud providers and customers. Chapter VI governs cloud switching: customers may terminate cloud contracts with just two months’ notice. Until January 2027, only direct switching costs may be charged. As of January 2027: no switching fees whatsoever. IaaS providers must ensure “functional equivalence” during migration. Other providers must offer free, open interfaces to enable seamless transitions.

For boards debating cloud sovereignty, the Data Act changes the calculus: Lock-in – the strongest argument against switching (“we can’t leave; migration costs would be too high”) – weakens significantly after 2027. Any board planning a multi-cloud strategy – or migration to a European provider – now knows exit costs will be capped by regulation.

Who’s Already Switching?

The movement is real – even if gradual. Airbus issued a tender in December 2025 for migrating mission-critical systems to a sovereign European cloud: worth over €50 million, a ten-year contract, starting early January 2026. Schleswig-Holstein migrated 40,000 email accounts from Microsoft Exchange/Outlook to Open-Xchange/Thunderbird. The German Armed Forces signed a seven-year contract with ZenDiS in April 2025 for openDesk (as a Microsoft 365 replacement). Several federal states have mandated migration away from Microsoft 365 in government agencies.

In the private sector, the picture is more nuanced. Bitkom data show: 100 percent would prefer a German provider – if functionality matches. 61 percent accept an EU-based provider. Only 6 percent favor a U.S. provider. But preference ≠ reality: The feature gap between AWS/Azure/Google and European alternatives remains substantial – especially in AI services, managed databases, and global scalability.

BSI C5: Germany’s Quality Seal for Cloud Security

The BSI’s Cloud Computing Compliance Criteria Catalogue (C5) is evolving from a niche standard into a cross-sector benchmark. Over 60 providers are already C5-certified – including AWS, Microsoft, Cisco, DeepL, and Doctolib. Since July 2025, C5 Type-2 attestation has been mandatory in healthcare. A new version, C5:2025, is in community draft – and will become mandatory for assessments from 2027 onward.

For Germany as a business location, C5 is an export success: a cloud security standard stricter than SOC 2 – and applicable across industries. European providers able to demonstrate C5 certification gain a trust advantage over non-certified competitors – even over U.S. providers who treat C5 as a low priority.

The Honest Counterpoint: Sovereignty Has a Price

Digital sovereignty sounds good. But it comes at a cost. European cloud providers are more expensive than AWS and Azure. The feature gap is real: Organizations needing AI workloads on GPU clusters won’t yet find the same breadth of offerings at STACKIT or T Cloud as they do with AWS SageMaker or Azure OpenAI. And migrating a mature, multi-service environment from AWS to a European provider remains a project lasting months – or years – and costing millions – even with the Data Act eliminating switching fees.

There’s also a conceptual problem: Data residency (storing data in Germany) ≠ data sovereignty (exercising control over data). If AWS establishes a German GmbH and stores data in Brandenburg – but its parent company sits in Seattle – the CLOUD Act still applies. The AWS European Sovereign Cloud is progress, but not a full resolution of the jurisdictional conflict.

And European providers’ 15 percent market share hasn’t grown since 2022. While the absolute market expands (€36 billion in H1 2025, +24 percent), European providers grow only proportionally – not disproportionately. That means U.S. hyperscalers continue gaining market share – even amid all the sovereignty debates. The question is whether sovereign cloud investments (STACKIT’s €11 billion, AWS’s €7.8 billion, Deutsche Telekom’s €1+ billion) will durably shift the balance – or merely cement the status quo.

What Boards Must Decide Now

1. Align cloud strategy with sovereignty tiers. Not all data require the same sovereignty level. Public websites and non-critical SaaS can remain on U.S. clouds. HR data, financial records, and IP-sensitive workloads belong on European or sovereign infrastructure. Classifying data by protection requirements is the foundation of every decision.

2. Embed multi-cloud as a strategic principle. Dependence on a single provider is the greatest risk. Multi-cloud (intentionally using two or three providers) reduces lock-in and strengthens negotiating power. GAIA-X and the Sovereign Cloud Stack deliver the interoperability standards that make this possible.

3. Leverage the EU Data Act as an exit option. As of January 2027, there will be no switching fees. Boards that prepare an exit strategy before then can execute it without financial penalty. Those who wait will remain locked in – without the excuse “it’s too expensive.”

4. Demand C5 attestation from cloud providers. Every cloud provider serving the company must either hold a C5 attestation – or present a clear timeline toward one. From 2027, C5 becomes a cross-sector standard. Signing contracts today without C5 clauses will trigger renegotiation later.

Conclusion

Digital sovereignty has moved from wishful thinking to strategic imperative. 82 percent of German companies want to break free from dependency; 78 percent remain trapped. GAIA-X supplies the framework, the Sovereign Cloud Stack the technology, and billions in investments – from STACKIT, Deutsche Telekom, and AWS – the infrastructure. The EU Data Act and the CLOUD Act intensify urgency. Gartner forecasts Europe will overtake North America in sovereign cloud spending by 2027. For boards, the message is unambiguous: Cloud strategy is no longer an IT decision. It’s a question of corporate independence – and one that must be answered not next year, but now.

Frequently Asked Questions

Further Reading

CIO Reboot: €245 Billion – and Where the Money Flows (Digital Chiefs)

Board Governance: Digital Competence in the Supervisory Board (Digital Chiefs)

Zero Trust as a Location Factor (SecurityToday)

Reboot Germany: €735 Billion in Investments (MyBusinessFuture)

Header Image Source: Pexels / Christina Morillo (px:1181467)