Benedikt Langer
$80 billion will flow globally into sovereign cloud infrastructure in 2026. Europe is doubling its spending to $12.6 billion – and is projected to overtake North America by 2027. These are no longer IT budget line items. They’re strategic capital decisions that belong on the executive leadership table.
Cloud infrastructure was long considered an IT department decision: Which provider delivers the best features at the best price? That era is over. Gartner’s March 11, 2026 report shows sovereign cloud has become a geopolitical issue. Driven by regulatory demands and geopolitical risk, 61% of Western European IT leaders are ramping up reliance on local providers.
For boards, this means: Choosing a cloud provider is no longer a technical call – it’s a strategic inflection point. Signing a five-year contract with a U.S. hyperscaler today locks your company into a jurisdiction whose rules can shift overnight, whether through the CLOUD Act, Schrems III, or escalating political tensions between the EU and U.S. All of this elevates cloud sourcing to boardroom status.
“By 2030, more than 75% of enterprises outside the U.S. and China will have a formal digital sovereignty strategy.”
Gartner, Sovereign Cloud IaaS Forecast, March 2026
The leap is unprecedented: From $6.9 billion in 2025 to $12.6 billion in 2026 – a staggering 83% growth in just twelve months. For context, the entire European IaaS market grows by roughly 25% over the same period. Sovereign cloud is expanding more than three times faster than the broader market.
Gartner forecasts Europe will overtake North America in sovereign cloud spending by 2027 – not because U.S. companies are investing less, but because European regulation is driving demand: NIS2, the EU Data Act, DORA for financial services, and the planned European Health Data Space.
Sovereign cloud isn’t a single product – it’s a spectrum. For executives, distinguishing between tiers is critical:
● Data Residency: Data resides physically within the EU. AWS Frankfurt and Azure West Europe meet this standard – but it’s the bare minimum, not true sovereignty.
● Operational Control: A European company operates the infrastructure and manages cryptographic keys. DELOS Cloud (Microsoft/SAP/Arvato) follows this model: Microsoft technology, operated by Arvato under German law.
● Full Sovereignty: European providers with homegrown technology – OVHcloud, IONOS, Stackit (Schwarz Group). Functionally narrower than hyperscalers, yet free of jurisdictional risk.
Not every CIO is convinced. Skeptics raise valid concerns: European sovereign cloud providers still don’t match the full functional breadth of hyperscalers. Costs run 15-30% higher than AWS or Azure. And innovation velocity lags, constrained by smaller R&D budgets.
For leadership, this is a classic risk-return trade-off: How much is regulatory certainty worth? What does an NIS2 violation cost (fines up to €10 million)? What happens to your data if EU-U.S. relations deteriorate? These questions don’t belong in IT – they belong in the boardroom.
1. Where do our mission-critical data reside – and who holds operational access? Not just physically (which data center?), but jurisdictionally (whose laws govern the provider?). A U.S. hyperscaler falls under the CLOUD Act – even if its data center sits in Frankfurt.
2. What happens if we must switch providers? Vendor lock-in is real. Scrutinize exit clauses, data portability, and actual migration costs. Starting September 2025, the EU Data Act grants you new legal levers for portability.
3. Does our cloud strategy align with the regulatory landscape in three years? NIS2 is just the beginning. DORA for financial services, the European Health Data Space for healthcare, and the AI Act for AI workloads are all coming. Optimizing solely for cost today may force costly rework in 18 months.
Gartner’s March 11 report makes one thing clear: Sovereign cloud is no longer a niche topic – it’s an $80-billion market. Europe is investing with unprecedented urgency. For boards, this means cloud sourcing is not something to delegate to the CIO, but a strategic capital decision. Failing to make that choice deliberately doesn’t avoid it – it simply surrenders control.
Yes – typically 15-30% more. But focusing solely on upfront cost misses the bigger picture. Factor in the potential cost of an NIS2 violation (up to €10 million), a GDPR fine, or the expense of escaping vendor lock-in. For regulated sectors – finance, healthcare, critical infrastructure – the sovereign premium often proves cheaper than the compliance risk.
No. EU data residency ≠ sovereignty. As a U.S. corporation, AWS remains subject to the CLOUD Act, granting U.S. authorities access to data – even when stored in Frankfurt. True sovereignty requires operational control by a European entity and key management outside U.S. jurisdiction.
Whenever the decision carries regulatory, geopolitical, or strategically binding implications. A five-year hyperscaler contract binds your company to a foreign jurisdiction. Under NIS2, executives face personal liability for risk management. Neither is an IT decision.
DELOS Cloud is a joint venture by Microsoft, SAP, and Arvato (Bertelsmann). It delivers Microsoft cloud technology, operated by Arvato under German law. It launches commercially in 2026. For organizations needing Microsoft functionality while avoiding U.S. jurisdictional exposure, DELOS offers the most pragmatic sovereign option in the German market.
Not blindly – but evaluate urgently. Recommendation: Classify workloads by data sensitivity. Move business-critical and regulated data (finance, HR, health) to sovereign cloud. Less sensitive workloads (dev/test, marketing) can remain on hyperscalers. This hybrid model is the most realistic path for most DACH enterprises.