„Appearance of sovereignty is not enough. True data sovereignty requires European solutions!”

Last updated: 10.03.2026 09:00

In mid-January 2026, the German Federal Office for Information Security (BSI) announced a cooperation with the US cloud provider Amazon Web Services (AWS). We ask FOUR Vice President Carsten Fiegler: How should the BSI's cooperation with US hyperscalers such as AWS be assessed with regard to the digital independence that Europe is striving for?

The BSI wants to support AWS "in designing the security and sovereignty features of its (...) European Sovereign Cloud (ESC)." The ESC from AWS is therefore an independent "cloud infrastructure that is located entirely within the EU and whose operation will be physically and logically independent of the global AWS instance."

Carsten Fiegler comments:

"The announcement of a 'European Sovereign Cloud' by AWS in cooperation with the BSI raises fundamental questions. Data sovereignty is not created solely through data center locations in Europe or accompanying regulatory measures; it requires technological and legal independence. As long as central control mechanisms, parent companies and therefore potential access options are located outside the EU, a structural relationship of dependency will remain. Public clients and regulated sectors in particular should take a close look here.

From our daily work at VIER with companies and public institutions, we can see how strongly the need for genuine controllability has grown. Today, organizations want to be able to understand which models are actually connected, where data is processed and under which legal framework conditions this takes place. Trust is not created by labels, but by verifiable architecture. At the same time, powerful AI applications from Germany - including solutions from VIER - are available. They enable companies to make targeted use of European or national cloud environments and implement regulatory requirements such as the EU AI Act in a structured manner.

The decisive factor here is not so much the individual tool as the architectural principle: an AI gateway enables binding control and compliance-compliant documentation of which LLMs (e.g. exclusively European) and which cloud solutions are actually used. Sovereignty is therefore technically traceable and not just contractually guaranteed. Digital sovereignty is not determined by the notification of a hyperscaler, but by the overall technical and legal architecture. If you want to create long-term resilience and trust, you should consistently rely on European technological expertise."