
ASD calls for secure European cloud infrastructure
ASD calls for secure European cloud infrastructure to protect digital sovereignty. New position paper outlines urgent need for EU-controlled systems.
ASD has published a comprehensive position paper addressing critical vulnerabilities in Europe's digital infrastructure. The paper responds to the European Commission's upcoming Cloud and AI Development Act and outlines urgent measures needed to build a truly sovereign European cloud ecosystem that protects both industry and citizen interests.
The reality Europe faces
Europe's digital dependency represents more than a technical challenge – it poses fundamental risks to the continent's autonomy and security. Currently, three major US-based cloud providers control 65% of Europe's cloud services market, creating a structural vulnerability that affects everything from government operations to critical infrastructure that citizens rely on daily.
This dependency means European data – including sensitive information about citizens, businesses, and government operations – often flows through systems controlled by non-European entities. The implications extend beyond technical concerns to encompass data privacy, service reliability, and Europe's ability to maintain digital independence in an increasingly connected world. Mario Draghi's recent competitiveness report emphasised this vulnerability, noting that Europe significantly lags behind the United States and China in data centre capacity.
The risks are tangible and immediate. Service disruptions can occur due to changes to rules outside Europe, while non-EU countries may gain undue access to sensitive data. For ordinary Europeans, this translates to potential vulnerabilities in healthcare systems, financial services, and the digital infrastructure that underpins modern life.
Defence and security: where stakes are highest
The defence and security sectors face particularly acute challenges in this fragmented digital landscape. These industries require cloud infrastructure that meets stringent security, availability, and confidentiality standards that often exceed commercial offerings. Yet several critical barriers impede progress.
Security fragmentation across member states creates significant operational challenges. Different countries employ various classification systems – France's "Diffusion Restreinte," Germany's "VS-NfD," Spain's "Difusión Limitada," and Italy's "Riservato" – with no mutual recognition mechanisms or harmonised standards for cloud compliance. This patchwork approach makes secure cross-border collaboration extraordinarily difficult.
The absence of unified certification compounds these problems. Currently, no single EU-wide certification scheme exists to verify that cloud services meet European sovereignty guarantees. Each member state operates its own national cybersecurity authority, but no pan-European mechanism exists to jointly assess or certify cloud services for handling restricted defence data. This regulatory fragmentation slows deployment and creates legal uncertainty for defence programmes that require seamless collaboration across borders.
Modern defence programmes involve complex networks of stakeholders including ministries of defence, industrial partners, SMEs, and technology providers across multiple member states. Current cloud solutions fail to enable the level of interoperability required for effective collaboration at this scale, hampering Europe's ability to develop next-generation defence capabilities efficiently.
Industry innovation despite regulatory gaps
European aerospace and defence companies are not simply waiting for change. Several major initiatives show that the European security and defence industry is committed to building sovereign digital infrastructure, each addressing specific aspects of the cloud sovereignty challenge.
The AEROSEC project represents a significant collaborative effort. ASD members, Airbus, Dassault Aviation, Dassault Systèmes, Indra, Leonardo, and Outscale are developing a sovereign, secure, and federated cloud platform specifically for defence applications. The project focuses on enabling secure data sharing, federated identity and access management, and multi-cloud capabilities across national and industrial boundaries.
Dassault Aviation and Dassault Systèmes announced their 3DEXPERIENCE partnership in June 2023, developing a secure sovereign cloud environment for next-generation defence programmes including the Future Combat Air System. This initiative leverages OUTSCALE's SecNumCloud 3.2 qualification from France's national cybersecurity agency – the highest security certification available in France.
Leonardo launched the MILSCA project in February 2024, commissioned by the Italian Ministry of Defence. This ambitious initiative aims to define a space-based cloud architecture providing high-performance computing and storage directly in space for defence applications.
Meanwhile, Airbus leads the Combat Cloud pillar of the Future Combat Air System programme [https://www.airbus.com/en/products-services/defence/future-combat-air-system-fcas], developing a decentralised, cyber-resilient network spanning air, land, sea, space, and cyber domains.
The naval sector has also mobilised through the EDINAF project, initiated in 2021. A consortium of major European shipbuilders including Damen, Fincantieri, Naval Group, Navantia, Saab, and TKMS developed a reference digital architecture for warships. The follow-up phase, beginning in 2027, will define the Naval Combat Cloud, building on a cyber-secure, cloud-oriented ship digital architecture.
ASD's recommendations for sovereign cloud infrastructure
ASD's position paper outlines specific technical and policy recommendations essential for creating a robust European cloud ecosystem. These recommendations address both immediate regulatory needs and longer-term strategic capabilities required for digital sovereignty.
The regulatory framework requires several immediate priorities. ASD calls for harmonised security standards across all EU member states for handling classified and sensitive data, establishing clear protocols that enable seamless collaboration while maintaining security integrity. An EU-wide certification scheme for sovereign cloud services would provide the legal certainty currently absent from the market, potentially based on EUCS High+ criteria that ensure providers maintain head offices and decision-making authority within the EU while remaining free from non-EU control.
Sovereign criteria for public procurement represent another critical need. Current procurement rules lack specifications ensuring government systems utilise European-controlled infrastructure, exposing public administrations to significant risks while hampering development of genuinely European cloud services. A unified certification body capable of assessing cloud technologies for restricted defence data would streamline compliance processes and reduce the current fragmentation that slows deployment across borders.
The technical capabilities required for a sovereign European cloud ecosystem encompass several sophisticated systems. Trusted identity and access management systems must operate across multi-cloud and hybrid environments, ensuring robust traceability, strong authentication, and role-based access control across distributed infrastructures. End-to-end protection through fully trusted encryption, including advanced technologies such as homomorphic encryption, becomes critical when handling sensitive or classified information across jurisdictions and distributed systems.
Defence programmes require transparent and modular cost models that allow granular cost attribution based on usage, service type, and mission-specific requirements. Such models support both budgeting flexibility and operational accountability essential for complex, long-term defence projects. Multi-cloud service catalogues with guaranteed service levels would provide a common, EU-managed marketplace of sovereign cloud services, listing European providers that meet certification requirements and offering clearly defined service level agreements.
Why this matters
The successful development of European cloud sovereignty extends far beyond defence applications, creating benefits that touch every aspect of European society. A robust "Cloud BY Europe" ecosystem would enhance data privacy protections for all citizens, ensuring personal and sensitive information remains under European legal frameworks rather than subject to foreign jurisdictions.
Improved service reliability would reduce disruptions caused by distant providers' policy changes or geopolitical tensions. European businesses would gain access to secure, reliable digital infrastructure that supports innovation while maintaining compliance with European values and regulations. Public services – from healthcare systems to educational institutions and emergency response networks – would operate on sovereign infrastructure, enhancing resilience and reducing dependency risks.
The economic implications are substantial. Domestic cloud infrastructure development would create new employment opportunities in high-tech sectors across member states, while reducing the outflow of European capital to foreign cloud providers. Start-ups and SMEs would gain access to European-controlled platforms from inception, fostering indigenous innovation ecosystems.
Perhaps most importantly, sovereign cloud infrastructure would establish the foundation for European artificial intelligence development. As AI systems increasingly depend on vast computational resources and data processing capabilities, European control of cloud infrastructure becomes essential for maintaining technological leadership and ensuring AI development aligns with European values and regulatory frameworks.
The Cloud and AI Development Act represents a pivotal moment for Europe's digital future. By addressing the challenges outlined in ASD's position paper, European policymakers can transform the continent from a digital tenant into a digital sovereign, ensuring technological independence while fostering innovation that serves European citizens and strengthens the Union's strategic autonomy. The industry initiatives already underway demonstrate both the feasibility and urgency of this transformation – what remains is the political will to implement the regulatory framework that will enable Europe's digital sovereignty to flourish.
