Why sovereign cloud is becoming a strategic priority in Europe

I guess it’s not an overstatement to say that we live in an era where data is the new oil. Governments, regulators, and cybercriminals are all racing to control or exploit it. European organizations are now at a crossroads: they can either hand their most sensitive data to foreign hyperscalers bound by the U.S. CLOUD Act, or they can reclaim their digital independence right here on home soil.

That’s where STACKIT comes in. It’s a sovereign cloud that didn’t start in a Silicon Valley garage or a government office; it was born in the heart of Europe’s largest retailer, the Schwarz Group (the names behind Lidl and Kaufland). It should come as no real surprise that the German "answer" to AWS would be coming from another retail powerhouse who extend the reach of their inhouse IT to the wider market. 

While plenty of cloud providers talk about sovereignty, STACKIT is in fact something unique. They offer their services on the background of the battle-tested scale of a global retail giant combined, with total independence. Because there are no outside investors calling the shots, the focus can stay on true digital sovereignty. Plus, it’s built on a 100% open-source OpenStack foundation, which means you aren't just swapping one 'black box' for another.

Why sovereign cloud matters now
Why sovereign cloud matters now

In this post I would like to present our view on why and when StackIT is a good choice and what we learned during our own adoption journey. 

Understanding the architecture behind STACKIT

Behind the sovereignty and compliance narrative, STACKIT is ultimately built as a modern cloud architecture designed around open technologies and portable infrastructure layers.

At its foundation lies OpenStack, which provides the core infrastructure layer responsible for compute, networking, and storage across sovereign data centers in Germany and Austria. Unlike many hyperscale platforms that rely heavily on proprietary infrastructure stacks, this open foundation helps keep workloads portable and interoperable.

On top of this infrastructure layer, STACKIT provides cloud-native platform capabilities such as managed Kubernetes (STACKIT Kubernetes Engine) and container services. These components allow teams to build modern microservices architectures while still maintaining strict EU data residency.

For data-intensive workloads, the ecosystem increasingly supports open data platform architectures, including lakehouse approaches built around technologies like Apache Iceberg and platforms such as Dremio. This enables organizations to run analytics, data engineering pipelines, and AI workloads while keeping sensitive datasets within sovereign infrastructure.

Security and governance are integrated across all layers of the stack. Features such as confidential computing, strong identity controls, and certifications like BSI C5 ensure that the platform meets the compliance requirements of regulated industries including public administration, finance, and healthcare.

Together, these layers form an architecture designed to balance three goals: regulatory sovereignty, infrastructure portability, and modern cloud-native development.

Key architectural layers of the STACKIT sovereign cloud

Architecture layer Key technologies in STACKIT What it enables
Infrastructure layer OpenStack-based infrastructure, sovereign EU data centers (Germany & Austria), georedundant regions Control over data residency and infrastructure sovereignty while maintaining cloud scalability
Platform layer Kubernetes (STACKIT Kubernetes Engine based on Gardener), container services, Terraform support Portable cloud-native workloads and hybrid/multi-cloud architectures
Data layer Lakehouse architectures, Apache Iceberg, STACKIT–Dremio partnership Sovereign analytics, data engineering pipelines, and AI workloads
Security & governance layer Confidential computing, BSI C5 certification, GDPR compliance, EU data residency Compliance-ready infrastructure for regulated sectors

Sovereign cloud with STACKIT: Strenghts

Sovereign cloud with STACKIT: Pros and cons
Sovereign cloud with STACKIT: Pros and cons

Enhanced data sovereignty and compliance

Data sovereignty isn't just a buzzword. Quite the opposite. It's a practical necessity, especially when you're dealing with sensitive workloads in regulated environments. After years of working in Germany myself, I've seen firsthand how quickly compliance concerns can stall entire cloud projects when the provider's legal home base introduces uncertainty.

STACKIT stands out here because it was built from the ground up as a truly sovereign cloud. All data collection, storage, and processing happens exclusively in EU data centers located in Germany and Austria. Imagine your crown jewels (data) being just as securely stored as those of the largest European retailer, who take this matter dead seriously. Full alignment with all relevant regulation and laws comes as a default, not at a premium price. 

This sovereignty-by-design approach gives clear advantages for sectors like public administration, healthcare, and finance, where NIS2, DORA, the AI Act, and similar regulations leave little room for ambiguity. 

Security and reliability

Security in cloud setups goes beyond certifications; it means infrastructure that holds up under real-world pressures like geopolitical shifts or regulatory scrutiny. Sensitive workloads, like HR systems or citizen data, historically often had to remain on-premises due to justified concerns over foreign oversight, even when data was stored in Europe.

STACKIT counters this with georedundant data centers in Germany and Austria, delivering high availability (up to 99.98%) and ensuring operations continue through failures or disruptions. Data stays fully within EU jurisdiction, protecting against sanctions or extraterritorial demands that can affect non-European providers.

The platform carries rigorous, independently audited certifications, including BSI C5 Type 2 (one of Germany's strictest cloud security standards from the Federal Office for Information Security) alongside ISO 27001, ISAE 3000 (SOC 2), ISAE 3402, and ISO 20000. While hyperscalers often hold comparable international certifications, the BSI focus and German origin make STACKIT particularly compelling for public-sector and regulated approvals, especially involving citizen data.

Multi-layered protections, Confidential Computing, disaster recovery as a service (DRaaS), and partnerships like SentinelOne for AI-driven cybersecurity (deployed sovereignly) add robust defense without compromising control. 

Cost efficiency, open architecture, and reduced vendor lock-in

After more than a decade working with cloud platforms I can say that the fear of "cloud gravity", i.e., where data becomes too heavy or expensive to move elsewhere, often paralyzes decision-making. STACKIT addresses this through its open-source foundation, specifically OpenStack. 

This technical choice is a strategic advantage, as it effectively prevents vendor lock-in. For enterprises, especially when combined with Container services offered by StackIT, this means the freedom to migrate to alternative providers or pull workloads back on-premises without facing the prohibitive exit fees or massive re-platforming costs typical of other vendors, especially hyperscalers.

Another reason why we can say that STACKIT is cost efficient, is that it offers transparent pricing and interoperability. Companies can integrate the platform with third parties, for example, those that offer sustainable, compliant computing power. By prioritizing open standards, STACKIT allows for seamless hybrid setups. Organizations can keep their most sensitive, regulated data under strict sovereign control while blending in innovative tools for non-critical workloads.

In practice, this open architecture provides a level of infrastructure portability that is difficult to achieve on proprietary hyperscale platforms. For organizations planning long-term digital strategies, reducing dependency on a single cloud ecosystem can be just as important as meeting immediate compliance or performance requirements.

Avoiding long-term cloud dependency with sovereign cloud
Avoiding long-term cloud dependency

Sovereign cloud with STACKIT: Trade-offs 

Limited feature parity with hyperscalers

One clear trade-off with STACKIT comes up when trying to map features against the U.S. hyperscalers. The breadth of their more advanced services doesn't match what AWS, Azure, or Google Cloud offer. Many of the customer teams I’ve worked with in my career needed specialized AI/ML pipelines, global content delivery networks, or deep integrations with enterprise tools. These are areas where you would need to augment StackIT with third party solutions to be en-par with the big three. 

Analyses from 2025–2026 highlight this as a standard compromise in sovereign European clouds. Providers prioritize full compliance to EU laws, open-source compatibility, and avoidance of vendor lock-in over replicating the full service catalog of hyperscalers. European setups are primarily built for regulated sectors where compliance trumps innovation speed.  

Potential higher costs and migration challenges

While STACKIT emphasizes sovereignty, unfortunately, there are downsides in the shape of higher operational expenses compared to hyperscalers' massive scale economies. Sovereign setups often involve premium pricing for isolated EU infrastructure, dedicated compliance tools, and local support – resulting in a typical 15–20% price difference. This is also visible in the more costly "sovereign versions" of the global hyperscalers. 

Migration from AWS/Azure/GCP also adds complexities like re-architecting apps due to feature gaps and potential upfront costs, though STACKIT mitigates some through open standards and no egress fees for data export. It’s less likely than many may think that these types of projects are happening, unless ROI isn’t a priority for why the move happens. 

Emerging market presence

As a relatively new entrant in a market, StackIT’s primary challenge is simply one of scale and maturity. In my personal view, the ecosystem of a platform is often as important as the infrastructure itself. Hyperscalers like AWS or Azure benefit from a massive universe of third-party integrators, pre-configured marketplace apps, and a global pool of certified architects.

For STACKIT, being the "new kid on the block", it means its ecosystem of partners and community resources (while consistently expanding) is still in its early stages. Yes, it’s ideally  tailored to German and broader GDPR-first projects, but certain features or automated integrations might lack the deep polish of platforms that have been iterating for fifteen years.

So, in my opinion, some IT departments need to be prepared for a higher overall onboarding tax. Until its adoption reaches a critical mass, organizations might find fewer community-driven troubleshooting guides or a smaller talent pool of specialists specifically trained on the STACKIT interface. For now, adopting STACKIT requires a more hands-on approach to building out a bespoke digital environment.

Real-world use cases where STACKIT works best

Sovereign cloud with STACKIT: Use cases
Real-world use cases of sovereign cloud with STACKIT

Sovereign AI projects

STACKIT truly stands out in regulated European environments where two conditions are met: 1) data is sovereign and 2) it enables cutting-edge AI and data projects. From my experience, the biggest barriers to AI adoption were always around moving sensitive data off-premises – legal teams blocked it due to hyperscaler risks. STACKIT changes that equation. How come? 

All projects involving data that we prepare for AI – transferring it to compliant, AI-ready storage – suddenly become feasible. We keep everything in Europe under a European provider, which avoids hyperscalers entirely. Yet we escape the old on-prem limitations: no more running out of RAM overnight, no GPU shortages. We scale elastically as needed.

STACKIT excels at the first stage of preparing data for AI use. Clean, enrich, version datasets on sovereign infrastructure that models can operate on without regulatory friction. This opens the door to building solutions like data mesh or lakehouse architectures purely on European soil.

A key enabler here is the STACKIT-Dremio partnership, delivering a fully managed, sovereign data lakehouse. It combines data lake flexibility with warehouse performance powered by Apache Iceberg for open, engine-agnostic tables, schema evolution, and governance. Dremio handles ingestion, processing, querying, and analytics while also ensuring full data residency and compliance. No proprietary U.S. tools like Microsoft Fabric, AWS Redshift, or Snowflake. Instead, an alternative open stack with Iceberg support, direct table access, and high-performance querying via Apache Arrow.

This stack lets regulated organizations (public admin, healthcare, finance) run production AI workloads: train models on sensitive health or manufacturing data, build predictive systems, or power generative tools. All with elastic scaling, strong governance, and zero extraterritorial exposure. Data engineering teams gain Git-like workflows for lakehouse management, fine-grained access, and lineage tracking, making sovereign AI practical and scalable.

Highly-regulated workloads and supply chains that require confidential computing

For years, organizations handling intellectual property or highly-sensitive citizen data have retreated to on-premises infrastructure because the risk of unauthorized access felt unmanageable. STACKIT was designed to change that equation.

But in many cases, the companies moving to sovereign cloud are not the ones defining the strictest security requirements. They are suppliers. If you build software, analytics platforms, or digital services for governments, banks, healthcare providers, or critical infrastructure operators, you often have to meet security standards that exceed your own internal policies.

In Germany, this is increasingly visible in public-sector supply chains and industries working with sensitive identity or infrastructure systems. When the end client requires sovereign infrastructure and strict data handling guarantees, the entire delivery chain must comply.

STACKIT provides a platform that makes this possible without forcing companies back to fully on-prem environments. It offers a sovereign cloud that combines the agility of cloud infrastructure with security controls expected in highly regulated ecosystems.

A key element here is confidential computing. Data remains encrypted not only at rest and in transit, but also while it is being processed.

This unlocks several important capabilities:

  • Secure multi-party collaboration – organizations can run joint analytics (for example in healthcare research or fraud detection) without exposing raw data to other participants.
  • Verifiable security – workloads remain protected even on shared infrastructure, helping organizations meet Zero Trust and digital sovereignty requirements.
  • Audit-ready transparency – detailed documentation and traceability support compliance with frameworks such as GDPR or BDSG.

For companies operating in regulated supply chains, this creates a practical path forward: meeting strict client requirements while still benefiting from modern cloud infrastructure.

Companies looking to unlock operational data for advanced analytics

In many industrial organizations, valuable operational data remains trapped inside legacy transactional systems such as Manufacturing Execution Systems (MES) or traditional Microsoft SQL Server environments. These platforms run critical operations but are not designed for large-scale analytics, predictive modeling, or AI workloads.

With data centers located close to major industrial regions in Europe, STACKIT provides a sovereign cloud environment that allows manufacturers to process operational data without the latency, bandwidth constraints, or regulatory concerns often associated with distant hyperscale regions. This proximity makes it far easier to move beyond siloed systems and start building unified data platforms for advanced analytics and AI.

Engineering (Kubernetes)

From my experience, Kubernetes rollouts often stalled over sovereignty and integration concerns. Teams needed managed clusters that stayed EU-resident while fitting existing multi-cloud setups.

STACKIT Kubernetes Engine (SKE), built on the open-source Gardener project, delivers CNCF-compliant, fully managed Kubernetes with automated scaling and high availability across georedundant data centers in Germany and Austria. Data residency remains strictly EU, eliminating U.S. CLOUD Act risks.

A 2025 CLOUDETEER evaluation (March–April) tested SKE in hybrid environments with Azure and AWS. Here are the main findings: 

  • strong Terraform IaC support for cluster provisioning, 
  • reliable observability integration, 
  • secure secrets management via STACKIT Key Management Service, 
  • and fast provisioning – making it suitable for PoCs and production.

The OpenStack backbone delivers real scalability and fault tolerance, which lets clusters grow smoothly without downtime worries. Open standards keep you free from lock-in, and while native persistent storage leans toward ReadWriteOnce for block volumes, you can add ReadWriteMany (RWX) for shared stateful apps via integrations like Longhorn. Responsive support and strong compliance (GDPR, BSI C5) make hybrid strategies straightforward. You can run containerized services, microservices, or phased sovereign migrations without ditching your existing hyperscalers.

Is STACKIT the right fit for your organization?

Yes, if the following matter to your business:

  • Critical data staying on German jurisdiction. Your compliance team has full visibility into where data resides, who accesses it, and how it is processed. Critical data remains on German soil under German law, reducing exposure to cross-jurisdiction issues such as the US CLOUD Act or GDPR data transfer concerns. Such an approach also guarantees clear compliance for current regulations and the upcoming EU AI Act.
  • Compliance with German legal frameworks. Contracts, billing, and support all work under German jurisdiction. For organizations working with public sector clients or regulated industries, this simplifies procurement processes, legal reviews, and vendor governance compared with cross-jurisdiction cloud providers.
  • Reduced vendor lock-in through open standards. Because STACKIT is built on open-source technologies and open standards, workloads remain far more portable than in many hyperscale environments. Organizations can replicate similar setups on-premises or migrate to other European providers without major rebuilding. This architectural flexibility helps maintain long-term control over infrastructure choices.
  • You need extra low latency.  With data centers in Baden-Württemberg and Upper Austria, STACKIT sits close to major industrial regions in southern Germany. This proximity enables cloud adoption for latency-sensitive systems such as MES or factory analytics. Production firms can now shift critical systems to the cloud without performance hits from distant access.
  • Strategic independence from competitors. For some organizations, cloud infrastructure choice is also strategic. STACKIT provides a European alternative that supports regional technology ecosystems rather than strengthening global hyperscale platforms.

Sovereign cloud vs hyperscalers: Architectural trade-offs

Architecture dimension STACKIT sovereign cloud Hyperscalers (AWS / Azure / GCP)
Data jurisdiction Data processed and stored fully within EU infrastructure (Germany / Austria) Data often processed in EU regions but operated by non-EU parent companies
Legal exposure Designed to minimize exposure to extraterritorial regulations such as the U.S. CLOUD Act Potential exposure to foreign jurisdiction depending on provider structure
Infrastructure stack Built on open technologies such as OpenStack and other open standards Heavily based on proprietary infrastructure layers
Vendor lock-in risk Lower – workloads built on open technologies remain portable Higher – deep integrations with proprietary services make migration harder
Service ecosystem Smaller but growing partner ecosystem focused on European markets Massive global ecosystem of tools, services, and integrations
Innovation pace Slower release cycles for advanced services Rapid innovation across AI, data platforms, and developer tooling
Typical use cases Regulated industries, sovereign AI, public sector platforms, industrial workloads Global SaaS, AI platforms, consumer apps, large-scale internet services

Building a sovereign cloud with STACKIT – making the right choice

The growing interest in sovereign cloud platforms shows that the debate around cloud adoption in Europe is no longer only about scale or features. For many organizations, questions of data jurisdiction, regulatory clarity, and long-term infrastructure control have become just as important as raw technological capability.

STACKIT represents one of the emerging European approaches to this challenge. Built on open technologies and designed with sovereignty and compliance in mind, it offers an alternative model for organizations that need cloud flexibility while maintaining strict control over where data resides and how infrastructure is governed.

If you’re exploring sovereign cloud solutions or designing a hybrid architecture that balances sovereignty with innovation, feel free to reach out. Our team can help you evaluate different options and design a cloud strategy aligned with both regulatory and technical goals.