May 15, 2025 /Mpelembe Media/ –This whitepaper introduces Google Sovereign Cloud, a solution designed to address digital sovereignty concerns for organisations wary of adopting foreign cloud services. The core issues driving this need are data control (due to evolving regulations), economic dependency (lack of domestic providers), and potential geopolitical disruptions. Google’s approach is built on three pillars: data sovereignty (customer control over data location and access), operational sovereignty (delegating controls to local partners or the customer), and software sovereignty (ensuring workload portability and survivability). The paper highlights how Google offers various features and partnerships to enable these forms of control, with case studies illustrating its application in diverse sectors.
Google Cloud’s approach directly addresses the three core digital sovereignty concerns through a three-pillar strategy. These concerns are:
Concerns around data control: Evolving regulations and the potential for foreign government intervention raise questions about who has ultimate access to sensitive information.
Concerns around economic dependency: The need to reduce risk driven by a lack of domestic cloud service providers and the uneven distribution of technology raise concerns about potential economic imbalances.
The need to proactively plan for potential geopolitical disruptions: This concern focuses on the risk of critical data and service access being cut off.
Google Cloud’s approach to digital sovereignty is guided by three pillars that map to these concerns:
Data Sovereignty: This pillar provides customers with mechanisms to control the location of their data, prevent the provider from accessing their data, and approve access only for specific provider behaviours they deem necessary. To address data control concerns, Google Sovereign Cloud enables users to enforce strict data residency by dictating exact geographic boundaries for data storage and processing. It allows organizations to store and manage data encryption keys outside Google’s infrastructure and control, including using External Key Management where customers or domestic partners can deny access for any reason, such as extraterritorial access requests. Google Cloud also offers extensive visibility into administrative access and the ability to require approval before specific administrative activity occurs. Features like Client-Side Encryption and Confidential Computing further empower customers to be the ultimate arbiter of access to their data. Google Workspace also supports data sovereignty by allowing organizations to choose where customer data is stored, including specific countries or localities, and provides technical controls like Client-Side Encryption to help prevent external access.
Operational Sovereignty: This pillar delegates controls or the full operation of workloads to domestic partners or the customer itself. It includes controls restricting the deployment of new resources to specific provider regions and limiting support personnel access based on predefined attributes such as citizenship, security clearance, or geographic location. To address concerns about economic dependency and reliance on foreign entities, Google Cloud offers options for third-party management and oversight of critical controls, particularly in multiple EU countries. They enable organizations to limit administrative and support personnel access based on attributes like citizenship, clearance requirements, or residency. Partnerships with local providers like S3NS in France, T-Systems in Germany, and others around the world allow customers to deploy workloads with local control and assurance provided by trusted local partners. Google Workspace supports operational sovereignty through flexible key management options and granular vendor access controls, such as Assured Controls, which allow customers to view, manage, and approve vendor actions.
Software Sovereignty: Often referred to as “survivability”, this pillar provides customers with assurances that they can control the availability of their workloads and run them wherever they want, without being dependent on or locked-in to a specific cloud provider. It includes the ability to survive events that require quickly changing where workloads are deployed and what level of outside connection is allowed. To address geopolitical concerns and survivability risks, Google Cloud offers Google Distributed Cloud, which can be deployed in air-gapped configurations without connectivity to Google Cloud or the public internet, allowing for isolated management. This is built to remain disconnected indefinitely. Google Workspace addresses software sovereignty by supporting open file formats and providing public APIs based on open protocols, which facilitates interoperability and data flow into other systems, helping prevent data lock-in. It is also certified for the SWIPO Data Portability Code of Conduct, enabling full data export.
By offering this comprehensive set of controls across Google’s public cloud services, Google Distributed Cloud, and Google Workspace, Google Sovereign Cloud enables organizations to meet their data, operational, and software sovereignty needs.
Some organisations fear foreign cloud services due to three primary concerns that underpin the growing demand for digital sovereignty. These concerns often hinder cloud adoption, particularly in the public sector and regulated industries.
The three main reasons for this fear are:
Concerns around data control Evolving regulations and the potential for foreign government intervention raise questions about who has ultimate access to sensitive information. Governments are creating stricter rules about where data can be stored and who can access it. Examples include the French ANSSI SecNumCloud initiative, which requires important government and critical industry data to be stored and managed within Europe. Conversely, laws like the U.S. CLOUD Act allow law enforcement to compel American companies to hand over data regardless of where it is stored, and the European Union’s e-Evidence Regulation enables cross-border access to electronic evidence. These evolving laws create a complex landscape and force companies to carefully consider data storage location and access control to comply with regulations. Many organisations express concern about foreign government access to sensitive data stored in the cloud.
Concerns around economic dependency There is a need to reduce risk driven by a lack of domestic cloud service providers. The uneven distribution of technology and the concentration of major cloud providers in countries like the U.S. raise concerns about potential economic imbalances and dependence. This drives demand for solutions that rebalance operational capabilities globally and partnerships that empower domestic players to oversee or operate technology to ensure trust. Organisations can be uneasy with reliance on foreign cloud service providers to support critical national or local services and workloads.
The need to proactively plan for potential geopolitical disruptions This concern focuses on the risk that critical data and service access could be cut off. Geopolitical tensions are spilling into the digital world, driving nations to assert greater control over their data and online infrastructure. The pursuit of digital sovereignty is fuelled by the need to protect sensitive information from foreign surveillance and ensure uninterrupted access to critical digital services in disruptive geopolitical scenarios. By managing digital assets locally, countries aim to ensure survivability and safeguard national interests, which inherently involves reducing reliance on foreign entities.
S3NS is a partner of Google Cloud in France.
This partnership is highlighted in relation to enabling organisations in France to meet stringent requirements, such as the French National Cybersecurity Agency (ANSSI) SecNumCloud initiative, which is critical in France for storing and managing important government and critical industry data within Europe.
Specifically, “Le Cloud de Confiance by S3NS” is mentioned as enabling Thales, a France-based global leader in defence and security, to host sensitive data and workloads in the cloud with a SecNumCloud certification. Similarly, for Matmut, a major player in the French insurance market, “Local Controls by S3NS” allows them to combine public cloud innovation with cryptographic controls, paving the way for adopting “Cloud de Confiance” with the SecNumCloud certification.
S3NS, as a local partner in France, operates key controls such as external encryption key management and provides oversight over administrative operations or local support. This aligns with Google Cloud’s strategy to address concerns around foreign government access and reliance on foreign providers by delivering capabilities with local control and assurance provided by trusted local partners.
Based on the sources provided, Iron Mountain operates across 58 countries.
The sources mention that Iron Mountain, known for secure storage, leverages Google Sovereign Cloud’s encryption controls to address complex compliance regulations across these 58 countries, storing digital and physical assets for over 225,000 customers worldwide.
There are two Google Sovereign Cloud partners:
S3NS. S3NS is a local partner in France, mentioned in relation to helping organisations like Thales and Matmut achieve SecNumCloud certification. S3NS operates key controls like external encryption key management and provides oversight over administrative operations or local support.
T-Systems. T-Systems is a local partner in Germany. The University Medical Center Schleswig-Holstein (UKSH) will leverage Sovereign Controls by T-Systems to address data and operational sovereignty concerns as it moves to the cloud.
This eBook will provide valuable insights into the benefits and capabilities of Google Cloud. Mpelembe Network is equipped to support you with Google Cloud Platform resources. Download the eBook