Why your AI is only as sovereign as your cloud

AI adoption complicates the cloud sovereignty picture for businesses, says Jeanne Dauzier. How do you find a balance between risk and competitiveness? This article is part of our Algorithm to Advantage campaign.

Since the emergence of cloud technology, the potential for governmental authorities to access company data hosted in the cloud has been a hotly debated issue. The rise of AI has only muddied the cloud sovereignty waters further. 

AI models use vast amounts of computing power and data storage. Cloud infrastructure is the only place to access that capacity on such a scale. 

As AI becomes essential to businesses’ operations, even more of their activity is moving to the cloud. And the market is dominated by the hyperscalers, which are predominately American and Chinese. 

So how has AI changed the cloud-sovereignty landscape, and what are the implications and risks? 

The ground rules aren’t set in stone 

Cloud sovereignty is complex, not least because it has no single, accepted definition. 

In simple terms, sovereignty means the protection of cloud platforms, and the data they host, from foreign intervention. But jurisdictions interpret "protection" differently. 

France and Germany, for example, take a conservative stance. Here, datacentres are only considered sovereign if they’re legally shielded from access by authorities from other nations (outside of any requirements under EU or EU member state laws). 

Crucially, that means being insulated from laws with extraterritorial reach, like the US Cloud Act or FISA. This obliges American companies to supply data requested by US authorities – wherever in the world it is stored. 

The approach in the UK and Italy acknowledges that the market is essentially the US and Chinese hyperscalers. Their governments require cloud offerings to be "trustworthy" rather than completely sovereign.

They must be protected by contractual and technical guardrails, such as data localisation and encryption. This debate is notably seen around the EUCS – the European Cybersecurity Certification Scheme for Cloud Services, progress on which has been deadlocked for some time around this very issue.

The geopolitical context of the last few months has further brought the topic at the forefront of every IT department in the EU. 

To meet the demands of the EU market, hyperscalers are introducing sovereign cloud propositions - often in collaboration with EU market players - designed to address the sovereignty expectations of the French and German public sectors. 

The trade-off: competitiveness v risk

The explosion of AI use exacerbates the risks associated with cloud sovereignty, which play out at both national and organisational levels. 

Geopolitically, there are obvious concerns about countries’ critical infrastructure being exposed to intervention from other states. But there’s a balance to strike between national security and economic competitiveness.

European cloud service providers (CSPs) can’t yet match the services offered by those in the US and China. But preventing local businesses from using the hyperscalers bars them from the latest AI capabilities – potentially inhibiting their productivity, efficiency and ability to innovate.

To address this, the EU is legislating to promote the creation of cloud infrastructure on the continent.

Still, for businesses, until a European framework for digital sovereignty is agreed upon, operating across EU jurisdictions means getting to grips with different legislative requirements for cloud sovereignty.

Using CSPs based outside the Union may be a regulatory breach, depending on national laws and the nature of the business. In France, companies deemed of critical national importance, such as defence contractors and utilities providers, must use entirely sovereign cloud environments located in France.

There are also data risks. Are you comfortable with foreign governments having a legal right to access confidential or commercially sensitive information? The prospect of handing over product designs or customer data to a state where your competitors are based is unlikely to be palatable.

Address cloud risks through AI governance

A robust AI governance framework – built on the following steps – will enable you to address cloud sovereignty risks and adopt AI as safely as possible.

1. Factor cloud considerations into your AI strategy. Think through the sovereignty implications when defining your strategy for AI adoption, and when deciding what partnerships to enter into, with which cloud providers. 
2. Put the right structures in place. Data localisation, and the risk of third-party access, must be part of your risk assessment for AI use cases. Iron these out before validating any applications that will require critical company data.
3. Align AI adoption with your IT and data strategies. Your approach to AI implementation, your data strategy and your IT infrastructure strategy, including cloud use, should be looked at jointly, not in silos. 
4. Keep up to date with the legislative agenda. The cloud sovereignty landscape is constantly evolving. It’s crucial that you stay abreast of developments like the EU AI Act, EU Data Act, GDPR and EC’s Apply AI Strategy.

How we can help 

You can’t eliminate the cloud sovereignty risks inherent in AI use altogether. But you can manage them. 

Our technology lawyers can help you identify and mitigate your risks, ensuring the AI you adopt is as trustworthy as possible. 

We’ll work with you to design and implement a risk management and governance framework that’s tailored to your sector, strategy, operations and risk appetite.