To have keys in your hand, not the servers nearby

On the path to digital sovereignty, we often behave like seekers who circle the summit on the map instead of taking the first step. We confuse location with status, data centre postcode with control. Enlightenment does not begin at the temple, but in practice: whoever holds the keys determines who is allowed in.

In reality, we see that we often do not hold the keys.

We are dependent on technology from third countries, especially on hyperscalers from the USA. The federal Government in Germany is working with the Bundescloud, but it is also experimenting with the DELOS Cloud, which is run by Microsoft and SAP. But the picture in Germany has many shapes and colors. Many official actors use many different cloud services. A great many of those are - and you know their names: Google, AWS, Microsoft, Oracle.

In terms of the temple analogy. they hold the key. They provide updates (or they don’t), the deliver maintenance (or they don’t), they encrypt (or they don’t). And as long as key management and support channels remain in the hands of third parties, self-determination remains a dream, even if the servers are located in Frankfurt and European law applies.

The thing with laws is, that extraterritorial laws such as the US Cloud Act or the Chinese Data Security Law continue to have an effect if providers do business or come from named countries and (have to) keep access paths open. And then there are outages, as we have seen just a couple of days ago. Take the AWS outage in a server in Virginia that crippled many web-based services. And with it: many businesses.

What does that all mean? Primarily: We need to talk about sovereignty and what that abstract concept even means. We follow the debates around it and observe that it is often about where the data is located, rather than who has technical control over it. "End-to-end encryption, open standards and the freedom to move applications from one cloud to another at any time are crucial", our CEO Elias writes in Tagesspiegel Background. According to Gartner® "Solutions such as Codesphere are full-service out-of-the-box cloud integrated development environment (IDE) and DevOps platforms that enable product managers at SaaS providers to build and operate across multiple infrastructure and platforms, including public cloud and private clouds, without potential cloud provider lock-in."

Why is that important? The status quo shows how convenient dependence has become. The federal and state governments and other official services like Bundespolizei distribute critical workloads across dozens of public cloud services, often with proprietary architectures and without open interfaces. This increases costs, complicates things and deprives the administration of control. Even projects that sound ‘air-gapped’ retain de facto dependencies on updates, support and platform roadmaps. This provides short-term reassurance, but in the long term it cements the lack of freedom.

In addition, the AWS outage a few days ago showed what happens when we rely too heavily on a single service: a DNS problem in the us-east-1 region paralyzed services across the globe—from Alexa to Snapchat to Fortnite. For many companies, nothing worked anymore. If a single hiccup in the US region of Virginia can bring European workloads to a standstill, we lack operational independence.

So, what is a solution here? We regard the Deutschland-Stack as a big leap forward. It promises a different path: an interoperable, EU-compatible foundation that enforces security, standardizes open interfaces and makes migration easy. “Instead of a patchwork of isolated solutions, a modular, scalable and EU-compatible layer model for infrastructure, development and runtime environments is emerging, based on European products,” writes Elias in Tagesspiegel Background.

Multi-region and multi-cloud, open interfaces instead of lock-in, portability with genuine cloud exit and proprietary key management. Those who implement this can relocate workloads in the event of disruptions or geopolitical pressure instead of persevering. If it is built consistently, sovereignty becomes a design feature, not an option. That would be practice, not preaching; a daily ritual that does not proclaim independence, but creates it.

Practice also includes the art of letting go: Can less attachment to proprietary services lead to more portability? Yes, it can. And in the product world, this means thinking about applications in a cloud-agnostic way, favoring containers and open standards, and incorporating a viable abstraction layer. This is not a new dogma, but a craft that creates agility—including ‘geopatriation,’ i.e., the ability to confidently relocate workloads in the face of geopolitical pressure. Analysts recommend precisely this approach because it reduces dependencies without sacrificing the speed of innovation and at the same time increases the level of sovereignty.

Or you can even work on premises, if necessary. Telio, for example, uses Codesphere to secure and operate AI applications in prison systems. For Australian prisons, Codesphere enabled an on-premises speech recognition system that detects critical content (e.g., escape plans, signs of depression) without processing data online. Thanks to Codesphere's patented orchestration, the model runs on local infrastructure, reducing costs by a large margin compared to the previous setup and enabling deployment in other countries. The model was jointly developed by Telio and Codesphere; Codesphere also provides ready-made AI building blocks and development tools. The result: AI workloads remain in the data center, meet stringent security requirements, and scale efficiently. The same is true for the financial sector. We help L-Bank run AI on their own servers to meet the needs of regulation.

We provide the tools that make this path easier. Platforms that bring development and operations together, make portability the default, and connect both public cloud and private environments without lock-in. Such platforms act like a good meditation cushion: they don't replace the practice, but they make it possible, stable, and scalable on a daily basis.

Ultimately, digital sovereignty is less a place than a state of mind. It arises when procurement shows courage and buys European solutions so that they can grow. It arises when architectures are open and keys remain with the data owner. It arises when we build systems in such a way that a change is not a break, but a step forward. The path to enlightenment is a ritual of repetition: setting standards, encrypting, porting, verifying, every day, not just in strategy papers. Those who follow this path do not become louder, but freer.

Source: Gartner Report, Design SaaS Solutions for Sovereignty or Get Left Behind, By Rene Buest, Fernando Pereiro, 4 August 2025. 

https://www.gartner.com/document-reader/document/6807734?ref=solrAll&refval=506378773&  (Accessible to Gartner clients only)

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.