Executive Summary
In an interview, Jörg von der Heydt, Regional Director DACH at Bitdefender, discusses the need for digital sovereignty in Europe. Germany and the EU are technologically dependent on non-European providers and legal systems – a risk that is exacerbated by geopolitical crises (Corona, Ukraine, Iran). Bitdefender positions itself as a European cybersecurity partner, in partnership with European cloud providers such as Secunet (Germany) and OVHcloud (France). Key requirements are data control, independence from foreign legal systems, and EU-certified cloud infrastructure.
Persons
- Jörg von der Heydt (Regional Director DACH, Bitdefender)
Topics
- Digital Sovereignty
- Cloud Security
- EU Technology Independence
- Cybersecurity Infrastructure
Clarus Lead
European dependence on US cloud providers and their legal systems is becoming a strategic risk for critical infrastructure. The case of French judge Nicolas Guillou at the International Criminal Court – who was locked out of digital proceedings – illustrates the vulnerability. While technical solutions for digital sovereignty exist, entrenched dependencies and a shortage of skilled workers significantly delay their implementation. Relevant for decision-makers: The Federal Office for Information Security (BSI) has already classified sovereignty requirements as binding.
Detailed Summary
The central challenge lies not in the storage location but in legal independence from cloud providers. The US CLOUD Act enables data access even on servers in Germany, provided the provider is a subsidiary of a US company. Legal sovereignty therefore requires a cloud partner with jurisdiction in the European legal system – a condition that, according to von der Heydt, is met only to a limited extent.
Bitdefender has met these requirements with two models: In Germany, the BSI-certified public cloud of Secunet operates the central cybersecurity platform; in France, OVHcloud is used. Customer data does not leave the respective national cloud in either case. This is particularly critical for email security, as this channel is central to social engineering and phishing attacks.
A second bottleneck is staffing. The massive shortage of skilled workers in cybersecurity makes sovereign solutions the exception rather than the rule in practice. According to von der Heydt, the solution lies in AI support for security analysts: automated threat detection and prioritization enable preventive rather than purely reactive defense. What is crucial is that security-critical services operate under the European legal framework – regardless of the physical location of employees.
Key Messages
- European cloud sovereignty fails less because of technology than because of a lack of legal independence and personnel resources
- The US Cloud Act undermines local hosting; a cloud provider with European jurisdiction is required
- Cybersecurity platforms are critical infrastructure components: outages (e.g., mail security gateway) paralyze communication
- AI and European cloud partners (Secunet, OVHcloud) are levers to overcome the shortage of skilled workers
Critical Questions
Evidence/Data Quality: How does Bitdefender document technical data isolation in the Secunet cloud? Which independent audits confirm that customer data is not transferred to US systems?
Conflicts of Interest: Bitdefender promotes European cloud partners with which it is commercially intertwined – how is independence in partner selection ensured?
Causality/Alternatives: The shortage of skilled workers is cited as the main obstacle. Are technical sovereignty and personnel shortage causally linked, or are these separate problems with different solution approaches?
Feasibility/Risks: BSI certification is mentioned – do these standards apply to all European cloud providers, or do gaps exist with smaller providers?
Compliance/Legal Security: Is the EU legal framework sufficient if data is physically located in Germany/France but transmitted over international networks (cross-border scenarios)?
Sovereignty-Washing: The interviewee warns of "sovereignty washing." By which criteria can genuine sovereignty be distinguished from marketing claims?
Sources
Primary Source: Interview Digital Sovereignty: Who Controls the Cloud? – https://www.it-daily.net/it-sicherheit/cloud-security/digitale-souveraenitaet-cloud (04.05.2026)
Verification Status: ✓ 04.05.2026
This text was created with the support of an AI model. Editorial Responsibility: clarus.news | Fact Check: 04.05.2026