Gaia-X And The Sovereign Cloud: From Unicorns And Rainbows To Storm Clouds
Gaia-X launched to great fanfare in 2019 as a joint initiative of the German and French governments to reclaim data sovereignty from non-European public cloud providers. Despite hefty promises, production-ready services have not been delivered to the market, with customers continuing to wait like poor Godot. While the hype around Gaia-X has fizzled out, the project brought attention to the importance of data sovereignty, accelerating already planned commitments by global hyperscalers to do more on this topic. Through tracking the progress of Gaia-X since 2019 and speaking to Forrester customers and market participants, we found in our research that:
- Gaia-X has failed to launch meaningful public cloud and data services. Gaia-X did not deliver concrete implementations beyond limited proofs of concept, and the project timeline slipped several times. According to the original plan, working and operating prototype services were supposed to be available by the summer of 2021, but Gaia-X has had limited impact on the European public cloud landscape. The lack of consensus between members and analysis paralysis continue to cause problems. Meanwhile, hyperscalers from the US and China (Amazon Web Services, Microsoft, IBM, Google, Alibaba) continue to dominate the market.
- Local European providers and hyperscalers have lost patience. While Gaia-X has been building bureaucracies and PowerPoint presentations, local European providers joined forces to establish regional sovereign clouds. Hyperscalers did not stay behind but rather united with local European firms in collaboration initiatives: They benefit from hyperscaler technology and know-how but keep data within EU and other such partnerships, not only to help in complying with privacy regulations such as the General Data Protection Regulation but also to ensure adherence to local certification standards such as Cloud de Confiance in France or C5 in Germany.
- Clients care about what cloud providers can do, not where they come from. Hyperscalers are upgrading their offerings to give users easier control over their data. This is done by simplifying existing capabilities and investing in new tools and capabilities such as customer-managed encryption, virtualization technologies, or confidential computing. To support those technical and operational controls, hyperscalers also point to strengthened contractual commitments to disclose the minimum data required by law and some commitment to safeguard data so that it does not leave the EU and European Economic Area under any circumstances. Even if vendors give themselves stamps of “GDPR-compliant,” it is important that technology leaders ask questions about specific capabilities that can demonstrate how vendors comply with European data privacy and security regulations, as well as certification with schemes such as SecNumCloud in France and Germany’s C5.
Forrester clients who want to read the research discussing the future of Europe’s sovereign cloud can find it here.
(Written with Zaklina Ber, Forrester senior research associate)