- Cloud decisions for governments are strategic national security choices.
- Modern defense depends on securely connecting and acting on data fast.
- Sovereignty and secrecy rules limit use of public Cloud, especially US providers.
- Geopolitical tension boosts demand for sovereign and European Clouds.
Government and defense organizations face increasing threats from cybercriminals and state actors. The Cloud is the vector for these threats, but it is also vital to the data management and analysis required to run countries, fight wars and promote prosperity.
This means choices around Cloud providers and architectures are not just commercial and technology decisions. They are strategic, even existential.
And the dominance of US organizations in the Cloud space, plus accelerating geopolitical disruption, makes these choices more fraught than ever.
Read on to better understand the world of government data and Cloud security, and how US legislation creates opportunities for European CSPs.
Security, secrecy and the Cloud
Speaking at the Royal United Services Institute in December, NATO’s Assistant Secretary General for Cyber and Digital Transformation, Jean-Charles Ellermann-Kingombe, said the war in Ukraine had highlighted the role of technology and data on the battlefield, from drones and AI for targeting, to the marriage of cyber and kinetic attacks.
But modern conflict doesn’t simply reward the side with the most data, Ellermann-Kingombe said. “It rewards the side with the ability to connect it, understand it and act on it first.”
This means governments and armed forces need Cloud architectures capable of protecting their most critical data and workloads. This is a world where “secret” and “top secret” are not just buzzwords or labels, but inform very specific requirements.
Understand government secrecy definitions
If you want to sell secure Cloud solutions to governments, it helps to understand the terms they use. Broadly speaking, the UK, US and their allies recognize three main categories of information.
Let’s take the UK as an example. The majority of information held or processed by the UK government is classed as “official”. Disclosing it would result in no more than “moderate” damage. Europe takes a similar approach, while the US further divides this class of data.
Under the UK system, the “secret” designation is applied to “very sensitive” information, disclosure of which could “threaten life (an individual or group), seriously damage the UK’s security and/or international relations, its financial security/stability or impede its ability to investigate serious and organised crime.”
Top secret describes “exceptionally sensitive information assets that directly support or inform the national security of the UK or its allies AND require an extremely high assurance of protection from all threats.”
Unsurprisingly, the custodians of this data are very picky about where they place it.
A February 2025 document quoted the UK’s National Cyber Security Centre’s advice that “the public Cloud is not designed to protect SECRET and TOP SECRET information, including SaaS deployments using Public Cloud for hosting.”
As the 2024 guidance from the UK Cabinet Office states, secret information requires “enhanced” controls, including secure networks and dedicated physical infrastructure.
The requirements for top secret information are even more stringent, demanding “secure networks on highly secured dedicated physical infrastructure, and robustly defined and implemented boundary security controls.”
That infrastructure must be on British soil and separated from the internet at large. And it’s not just the infrastructure itself that must meet strict requirements. The individuals working on these systems must be vetted, which means operators face both technology and people-related challenges.
So how do governments put these requirements into practice? Let’s stick with the UK as an example…
A golden era for sovereign Clouds?
Government decisions on such infrastructure attract significant scrutiny, even though the pool of potential suppliers is limited. The UK’s intelligence services struck a deal with AWS back in 2021, covering the hosting of secret data in the Cloud, in UK-based data centers.
The home secretary at the time, Priti Patel, came under pressure to explain why a US firm was selected for the task.
Nevertheless, in September 2025, the UK struck a £400m deal—this time with Google—to strengthen “secure communication links between the UK and US, in addition to the extensive intelligence and security partnership our two countries already share.”
UK Secretary of Defence, John Healey, said at the time, “Google Cloud’s investment will build up our world-leading secret tech for the future.” At the same time, the MoD said, “The technology has strict data sovereignty and security controls, ensuring that the MOD’s critical data remains under direct UK control.”
Similar deals are in progress in Europe. France has given the green light to tie-ups between native companies and US Cloud providers.
Germany’s approach favors native companies. But the country is also ground zero for AWS’s European Sovereign Cloud, launched in January 2026. AWS says this “represents a physically and logically separate” EU-based Cloud infrastructure.
The Seattle-based giant says, “AWS European Sovereign Cloud-restricted data will not be accessible, including to AWS employees, from outside the EU.”
NATO backs the cooperation approach. In his RUSI talk, Ellermann-Kingombe, said that sovereignty was key, and that NATO’s approach was “one of confidence through cooperation.”
“We must acknowledge the trade-offs… full sovereignty often comes with reduced scalability and innovation speed,” he said.
What does Cloud sovereignty really mean?
But, Ellermann-Kingombe said, tie-ups between US hyperscalers and “trusted European operators… deliver jurisdictionally isolated Clouds that respect local control while maintaining innovation speed.”
He was confident that “we can protect what must remain sovereign, our secrets, our decision making, our command authority, without losing the innovation and resilience that come from…cooperation and partnership with industry from Allied nations”.
Looking ahead to future technologies such as AI-supported command and control and quantum-resilient cryptography, he claimed, “One thing is certain, no nation and no company can achieve this alone.”
The Trump White House, by contrast, appears to believe that going it alone is precisely what it should do, as it strives for dominance in new strategic technologies such as AI and the infrastructure that supports them.
Moreover, Trump’s recent sabre-rattling over Greenland and its potential to undermine NATO might make its partners wary of future collaboration, thus opening a door for European Cloud providers that are ready to act.
Read CloudFest’s complete guide to sovereign Clouds
Who can you trust?
Indeed, many observers are much less positive about building sovereign top-secret Clouds in collaboration with US providers. They point to decades-long close links between the US intelligence community and the US tech industry. US legislation, such as the US Cloud Act, compels US companies to turn over data, regardless of where it is located.
In June 2025, Microsoft France’s Anton Carniaux, director of public and legal affairs, told a senate inquiry, that when it came to the US Cloud Act, it was “contractually committed to our clients, including those in the public sector, to resist these requests when they are unfounded.”
But faced with a legally justified injunction from US authorities, could it guarantee it would not disclose information about French citizens without Paris’ explicit consent?
“I cannot guarantee that, but, again, it has never happened before,” he said.
That might have been reassuring once upon a time. But, geopolitically speaking, since Carniaux spoke, we’ve had a succession of things that have never happened before.
When it comes to using the Cloud for top secret workloads, ongoing global disruption can only create further opportunities for providers who understand the needs of governments and can offer truly sovereign solutions.
