
Why AWS Creates a Separate Company in Europe: Digital Sovereignty and Sovereign Cloud, the Blueprint Shown by German BSI
I am Shiga from Berlin. I recently found a short video that accurately represents Germans' awareness of privacy.
Seven years have passed since my blog post about GDPR in 2018 and response methods for companies without European bases. At that time, before GDPR came into effect on May 25, 2018, I stated that by centering data protection initiatives on cloud platforms like AWS, companies could maintain compliance while enabling flexible expansion. I also predicted that the C5 certification defined by the German Federal Office for Information Security (BSI) would become the standard for European cloud services.
Since then, the geopolitical environment has changed significantly, and Europe is accelerating efforts to secure independence in cloud, payment, and AI infrastructure around the concept of "digital sovereignty." I'd like to organize these trends.
Impact of the CLOUD Act and Europe's Response
The Essence of Sovereign Cloud
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act), enacted in the US in 2018, allows US law enforcement agencies to compel US companies to provide access to data stored overseas, regardless of the physical storage location. This fundamentally conflicts with GDPR, creating serious compliance risks for European companies.
Many global providers have established data centers in Europe and sell them as "sovereign clouds," but sovereignty is not just about where data is stored. What's important is who controls that infrastructure. If a cloud provider is headquartered in the US, the CLOUD Act still applies.
To address this issue, the European Commission announced the Cloud Sovereignty Framework in October 2025. This framework defines unified criteria and scoring methods to evaluate how well cloud services meet EU sovereignty standards. At its core is the Sovereign European Assurance Level (SEAL) ranking system, which grades services from strategic, legal, operational, and technical perspectives.
Cloud and AI Development Act
The European Commission plans to propose the Cloud and AI Development Act in Q1 2026. This bill aims to triple EU data center capacity within 5-7 years and build a common framework for public sector cloud use. On December 9, 2025, the EU Council agreed to amend the EuroHPC Joint Undertaking regulations, establishing a framework for creating AI Gigafactories in Europe. This is part of the Cloud and AI Development Act and puts the AI Continent Action Plan into concrete form.
This initiative is coordinated with the GAIA-X initiative led by Germany and France, accelerating the independence of European digital infrastructure.
The EU Data Act, which came into effect in September 2025, is also important. This law aims to gradually eliminate vendor lock-in by 2027 and ensure interoperability between cloud providers, allowing companies to more freely control their data.
Independence of Payment Systems
Digital Euro
Beyond cloud infrastructure, payment system independence has also become a strategic priority for the EU. On December 19, 2025, the EU Council formally agreed on a negotiating position regarding the creation of the digital euro. Danish Economy Minister Stephanie Lose stated:
"The digital euro is an important step toward a more robust and competitive European payment system that can contribute to European strategic autonomy and economic security, and strengthen the euro's international role."
On the same day, ECB President Lagarde declared at a press conference, "We have completed our work. The technical and preparatory work is done. Now it's up to the European Council and the European Parliament," announcing that the technical preparations for the digital euro are complete.
According to the current outlook, assuming the joint legislative bodies adopt the digital euro regulation in 2026, pilot exercises will begin in mid-2027, with issuance starting in 2029. Currently, the core of Europe's digital payment systems is provided by non-EU operators, which could constrain the ability to act quickly and independently in times of crisis.
European Payments Initiative (Wero)
The European Payments Initiative (EPI) is rolling out the digital wallet "Wero" supported by 16 European banks. Wero is based on instant account-to-account payments, eliminating intermediaries in the payment chain and their associated costs. Launched in Germany in 2024, it is expanding to France, Belgium, and the Netherlands.
In June 2025, EPI and the European Payments Alliance (EuroPA) announced cooperation to explore the development of cross-border digital payment solutions to improve payment interoperability across Europe. This partnership could potentially cover 15 European countries (about 382 million people, or 84% of the EU and Norway).
Strategic Cooperation Between BSI and STACKIT
Background of the Press Release
On March 18, 2025, BSI announced strategic cooperation with cloud provider STACKIT, under Schwarz Digits (press release). The purpose of this cooperation is to jointly develop sovereign cloud solutions that can also be used by the federal government.
BSI uses cooperation agreements as a means to examine cloud solutions in detail and with due diligence. These agreements form the legal framework for exchanging highly confidential information and conducting in-depth technical analysis and evaluation. BSI has signed cooperation agreements with SAP, Oracle, Google Cloud, AWS, and now STACKIT.
Core Technical Requirements
BSI emphasizes data encryption and key management in these collaborations. The press release states:
"Cryptographic protection mechanisms, specifically data encryption during transmission over networks and during storage, are essential components in this context. This is particularly important because third-party resources are used for storing this information in cloud offerings."
Particularly noteworthy is the mention of post-quantum cryptography. With the potential development of quantum computers, there is a risk that current encryption methods could be broken in the future. BSI considers the risk of "store now, decrypt later" attacks (acquiring encrypted data now to decrypt it in the future) and demands the adoption of encryption methods that cannot be efficiently attacked even with quantum computers.
Importantly, a combination of an appropriate security architecture and external key management can make it technically impossible for the cloud service provider itself to access plaintext. In that case, the data is also protected from requests based on the CLOUD Act, because the cloud service provider has no technical means of accessing the requested data.
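The arrangement described above, sketched in Node.js as an added example (it is not code from BSI, STACKIT or AWS): data is encrypted on the customer side with a per-object data key, and that data key is wrapped by a key that never leaves an external key manager, so the provider stores only ciphertext and a wrapped key. `ExternalKeyManager` is a hypothetical in-process stand-in for an HSM or key service operated outside the provider, and the record and object ID are constructed sample values.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// AES-256-GCM. Output layout: nonce (12) || tag (16) || ciphertext; aad binds it to one object ID.
function seal(key, plaintext, aad) {
  const nonce = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Reverses seal(); final() throws if the key, the aad or any byte of the input is wrong.
function open(key, sealed, aad) {
  if (sealed.length < 28) throw new Error('sealed value too short');
  const d = createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(12, 28));
  d.setAAD(Buffer.from(aad));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}

// Hypothetical stand-in for an HSM or key service operated outside the cloud provider.
class ExternalKeyManager {
  #kek = randomBytes(32); // private field: the KEK is never exported or uploaded
  wrap(dek, objectId) { return seal(this.#kek, dek, objectId); }
  unwrap(wrapped, objectId) { return open(this.#kek, wrapped, objectId); }
}

// Customer side: fresh data key (DEK) per object; this return value is all the provider stores.
function encryptForUpload(km, plaintext, objectId) {
  const dek = randomBytes(32);
  return { objectId, wrappedDek: km.wrap(dek, objectId), data: seal(dek, plaintext, objectId) };
}

function decryptAfterDownload(km, blob) {
  const dek = km.unwrap(blob.wrappedDek, blob.objectId);
  return open(dek, blob.data, blob.objectId);
}

// The provider's position: it holds the blob but no KEK, so unwrapping the DEK fails.
function readableWithout(blob, candidateKek) {
  try { open(candidateKek, blob.wrappedDek, blob.objectId); return true; } catch { return false; }
}

function demo() { // constructed sample record and object ID
  const km = new ExternalKeyManager();
  const blob = encryptForUpload(km, Buffer.from('constructed sample record'), 'tenant-a/report.csv');
  return { roundTrip: decryptAfterDownload(km, blob).toString(), providerReads: readableWithout(blob, randomBytes(32)) };
}
console.log(demo());
```

In a real deployment `wrap` and `unwrap` would be authenticated remote calls to the key service, and the protection holds only as long as the provider never receives the KEK or an unwrapped data key.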
About STACKIT
STACKIT is the cloud provider of Schwarz Digits, the IT and digital division of Schwarz Group (parent company of Lidl and Kaufland), Europe's largest retail group. Developed in 2018 to drive Schwarz Group's digital transformation, it now offers services to external companies and public institutions.
STACKIT's features include:
- Data sovereignty: All data centers located in Germany and Austria, fully GDPR compliant
- Certification: BSI C5 certification, ISO 27001, ISO 20000, ISAE 3000 (SOC 2), ISAE 3402
- Open source: Based on OpenStack, avoiding vendor lock-in
- Regulated industry compliance: Supporting financial institutions as an ICT service provider compliant with KRITIS criteria and DORA
At the TECH Conference Heilbronn in May 2025, plans were announced to expand STACKIT as a "hyperscaler from Germany." The ecosystem is growing with offerings like SAP S/4HANA Cloud on STACKIT, collaboration with Aleph Alpha on PhariaAI, and secure communication service Wire on STACKIT.
US Hyperscalers' Response: AWS's Advanced Approach
Among US IT giants, AWS is taking the most active and comprehensive approach to Europe's data sovereignty requirements.
AWS European Sovereign Cloud
AWS plans to launch AWS European Sovereign Cloud by the end of 2025 in Brandenburg, Germany, with a planned investment of €7.8 billion (approximately 1.3 trillion yen). Last weekend, Commvault was announced as a launch partner for AWS European Sovereign Cloud, indicating that preparations for the launch are in the final stages.
This is not just an addition of a European region, but a fundamentally different approach in the following ways:
- Independent corporate structure: AWS European Sovereign Cloud will be operated by a new parent company under EU law with three subsidiaries. Two Managing Directors based in Germany, Kathrin Renz (appointed June 2025) and Stéphane Israël (appointed October 2025, a veteran executive with extensive experience in the European technology sector), will oversee decisions on corporate governance, compliance, and security. An independent advisory committee of at least four EU citizens (including one independent member unrelated to Amazon) will also be established.
- Europe's own certification authority (EU-TSP): AWS will establish a European Trust Service Provider (EU-TSP) dedicated to AWS European Sovereign Cloud to operate certificate issuance functions autonomously within the EU. They completed a cryptographic key signing ceremony in a secure location within the EU and generated the root CA in the presence of external third-party auditors. All key material is located within the EU, and only EU residents have the authority to operate, control, and reconfigure the EU-TSP.
- Europe-specific Security Operations Center: A Europe-specific Security Operations Center (SOC) reflecting global security practices will be established and operated by EU citizens as responsible managers.
- Cooperation agreement with BSI: AWS has signed a cooperation agreement with BSI and is developing governance and technical standards for operational separation and data flow management.
- Technical protection: AWS Nitro System provides strong physical and logical security boundaries that prevent anyone, including AWS employees, from accessing customer workloads and data running on Amazon EC2. It is also designed to continue operating even if connections to other regions of the world are interrupted.
Differentiation as a US IT Giant
What differentiates AWS's approach from other US hyperscalers is that it implements "sovereign cloud" not just as a marketing term, but in legal structure, corporate governance, and technical architecture.
AWS European Sovereign Cloud is built as an independent partition. This is similar to the approach for AWS China and AWS GovCloud (US), with its own IAM stack and billing/usage measurement system. This level of separation is necessary because even access and financial metadata must maintain independence.
It is designed with BSI C5 certification, NIS2 directive, and future EU Data Act compliance in mind, aiming to be a realistic option for European public procurement and regulated industries to meet sovereignty requirements while choosing a US hyperscaler.
BSI Director's View
BSI Director Claudia Plattner stated in the press release:
"To overcome the challenges of our time, we must keep pace with technological innovation. Control by domestic and European actors is crucial to enable effective protection of critical systems in Germany and Europe. To make digital products and services securely available independent of external influence, political interests, and geopolitical scenarios, it is important to technically strengthen them so that safe and controlled use is guaranteed under all circumstances."
Implications for Japanese Companies
Access to the Changing European Market
Europe's data protection efforts, which began with GDPR, have now evolved into a comprehensive "digital sovereignty" strategy encompassing cloud infrastructure, payment systems, and AI. Japanese companies operating in the European market should consider the following:
- Check cloud providers' legal jurisdiction: Not just where data is stored, but also the provider's headquarters location and applicable laws (especially the CLOUD Act). However, approaches like AWS European Sovereign Cloud are emerging that mitigate this risk through technical, legal, and organizational measures.
- Prepare for SEAL evaluation: Evaluations based on the Cloud Sovereignty Framework may influence not only public procurement but also private companies' procurement decisions.
- Review encryption and key management: As required by BSI, technical access restrictions through external key management are an effective means of reducing legal risks.
- Diversify options: Understand both AWS European Sovereign Cloud and European providers like STACKIT to be prepared to make appropriate choices based on workload characteristics.
Classmethod's Outlook
Classmethod Europe has been implementing responses to European data protection regulations from Berlin since 2018. We have been monitoring European cloud compliance trends since obtaining the first AWS C5 certification.
The announcement of the BSI-STACKIT cooperation and the launch of AWS European Sovereign Cloud indicate that the European cloud market is entering a new phase. It is noteworthy that while BSI is advancing cooperation with existing hyperscalers like AWS, Google Cloud, SAP, and Oracle, it is also building cooperative relationships with European sovereign cloud providers like STACKIT.
Classmethod will continue to provide AWS-centered support. In particular, AWS European Sovereign Cloud will be an important option for customers who have been using AWS to meet sovereignty requirements while utilizing AWS's full power. At the same time, we are also considering future initiatives with European sovereign clouds like STACKIT. Especially when Japanese companies enter European public procurement or regulated industries (finance, healthcare, public services), choosing the appropriate platform according to the nature of the workload may bring competitive advantage.
Europe's movement toward digital sovereignty should be seen as a new business opportunity rather than a regulatory compliance cost. As with GDPR implementation, companies that can proactively and correctly adapt to the transformation will ultimately benefit.

