Who do you trust with your data?
As geopolitical tensions rise and regulatory requirements tighten, the question of where and with whom we process and store our most sensitive data has become critical. For Nordic governments, public institutions, and private enterprises alike, cloud services are now the backbone of daily operations. But not all clouds are created equal and, in some cases, trusting the wrong provider could expose critical functions to unacceptable risk.
Sovereign cloud in an era of geopolitical uncertainty
The journey from on-premise infrastructure to cloud solutions offers clear benefits in terms of scalability, innovation, and efficiency. However, the shift also changes the security equation. Once data leaves the direct physical and legal control of its owner, it may fall under foreign jurisdiction or become dependent on third-country operational processes. These risks are no longer abstract - they are a daily consideration for organisations handling sensitive workloads.
From basement to cloud – and the risks along the way
The shift from on-premise infrastructure, often literally in the basement, to cloud-based solutions has transformed how critical data is stored and managed. The benefits are clear: scalability, faster deployment of new services, cost efficiency, and access to advanced capabilities such as AI-driven analytics. Yet, the journey is neither simple nor without risk, as Christer Enroth, Head of Security, Privacy & Business Continuity Management for Telenor Norway, describes in his article in Stratagem (a Norwegian, non-profit platform for debate and analysis on defence and security).
Once data leaves the direct physical and legal control of its owner, it may fall under foreign jurisdiction, even if stored in Europe, if the cloud provider is headquartered abroad. It may also become dependent on operational processes and support functions located in third countries, be subject to overlapping or conflicting legal requirements, and face delays in incident response when breaches or outages require coordination across multiple jurisdictions.
For organisations handling sensitive workloads, such as defence, healthcare, or critical infrastructure these challenges are not abstract. They are daily realities that require proactive governance and a clear understanding of where sovereignty begins and ends. Read more in Stratagem (in Norwegian)
Growing concern over hyperscaler reliance
Across Europe, governments and businesses are re-evaluating their dependence on global cloud providers, particularly U.S.-based hyperscalers. While these companies offer unmatched scale, advanced automation, and cutting-edge cyber defence capabilities, their global operational models can create strategic dependencies and legal exposure. Data stored in European data centres may still be subject to foreign laws such as the U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act, which can compel access regardless of physical location.
Essentially, the debate over digital sovereignty has intensified in recent years, driven by three factors:
Geopolitical risk: potential policy shifts in major powers that could affect data access or service continuity
Regulatory obligations: stricter EU and national rules for sensitive workloads, including critical infrastructure
Operational control: ensuring that decision-making and access rights remain fully within European jurisdiction
Denmark is case in point where visible steps have been to safeguard sensitive public sector data and reduce reliance on hyperscalers for certain workloads:
The Danish Data Protection Authority has restricted the use of some U.S.-based cloud solutions in public schools due to risks of data transfer to non-EU jurisdictions.
The Ministry of Digitalisation has initiated moves toward alternative software and cloud environments operated under European jurisdiction, with a focus on national control for the most sensitive workloads.
Investments in local infrastructure, such as the Technical University of Denmark’s Computerome supercomputing facility, offer secure, sovereign storage and processing for research and health data entirely on Danish soil.
Similar discussions are under way in other EU member states. This is not a rejection of global technology leaders. Hyperscalers can and will continue to play an important role. However, their role is increasingly seen as complementary rather than central, particularly for sensitive or regulated workloads. European policymakers and enterprises are signalling that sovereignty and trust must weigh as heavily as innovation and efficiency in cloud strategies.
At the business level, a recent TechRadar analysis shows that 72 percent of European enterprises now prioritise data control, while over 70 percent still rely on U.S. cloud providers, a signal that technical benefits no longer outweigh considerations of sovereignty. In this context, sovereign cloud strategies whether national, Nordic, or EU-wide are not simply about technology choice. They are about ensuring that the governance, operational autonomy, and legal protections for critical workloads remain firmly in European hands.
What does a “secure” cloud look like?
A secure cloud is not defined by brand or marketing label, but by governance, control, and fit for purpose. Telenor applies a risk-based model for cloud sovereignty that aligns the sensitivity of the workload with the appropriate level of operational and legal protection:
National Sovereign Cloud: Fully operated within national borders, by nationally controlled entities, with data residency and operations under full national jurisdiction. Personnel are security-cleared, and all decision-making authority resides domestically. This is the standard for the most sensitive workloads in critical national infrastructure, such as defence communications, election systems, or national emergency services.
EU/Nordic Sovereign Cloud: Operated entirely within the EU/EEA and governed exclusively under European law. This model enables regional cooperation, shared resilience, and economies of scale for sensitive but not mission-critical workloads. This includes public health systems, regulated finance, or industrial control networks.
Public Cloud: Global providers offering advanced automation, scalability, and cyber-defence capabilities. Suitable for lower-sensitivity workloads, provided that operational control, data residency, and compliance safeguards meet European legal requirements.
This layered approach ensures that each workload is matched with the right level of sovereignty and protection, balancing innovation with security.
Sovereign capability in practice
Across the Nordic region, telecom operators are taking concrete steps to ensure that sensitive workloads can be hosted in environments that meet sovereign requirements. This includes building and operating facilities entirely within national or EU/EEA jurisdiction, deploying security-cleared personnel, and applying operational controls that prevent unauthorised access from outside the jurisdiction.
Telenor is advancing this agenda through a layered sovereignty model and targeted infrastructure investments. One concrete example is the Skygard facility in Norway, which is built on three key pillars:
Security: designed to meet the highest assurance levels for critical workloads, with controlled physical access, advanced monitoring, and strict operational procedures.
Resilience: engineered for uninterrupted operation in the face of technical faults, cyber incidents, or external disruptions.
Sustainability: powered by renewable energy, cooled using natural free-air systems, and equipped with heat recovery to support local communities.
By its nature, Skygard is tailored to Norwegian requirements, but the demand for sovereign cloud capability extends across the Nordic region. Meeting this demand requires solutions that can be replicated and scaled across markets, aligning national priorities with a shared Nordic approach. In this context, Telenor’s position is that sovereign cloud capability must combine legal and operational control with technical excellence and environmental responsibility. Alongside physical infrastructure, this also means developing partnerships, operational standards, and compliance processes that enable national, Nordic, and EU-based cloud solutions to operate at scale, while maintaining the governance and autonomy essential for sovereignty.
Importance of laying the foundations for sovereign cloud
Norway is well positioned to move quickly once the government clarifies the requirements and conditions for a National Cloud, stated Telenor’s Head of Sovereign Cloud Sverre Pedersen, in a recent interview with Norwegian trade publication Digi.
He pointed to Telenor’s existing infrastructure and the importance of local operational control: “We already have many data centres located around Norway… We can also ensure that it is we who have the physical access to the equipment and can safeguard it. And we can operate such services.”
Pedersen also emphasised that resilience depends on distributed capacity and political will: “You only achieve true regional autonomy if you have regional data centres… the degree of it will depend on the authorities’ willingness to pay for that element of the security aspect.”
Finally, he cautioned that getting the requirements and governance framework right is more important than speed: “It is more important to get it right than to get it done quickly… the consequences of doing this wrong are quite significant.” This reflects both the complexity and the stakes of establishing a sovereign cloud that can serve long-term national interests.
Trust built on control
The combination of infrastructure investments, governance frameworks, and political choices defines whether sovereign cloud becomes a viable reality. Facilities like Skygard demonstrate that secure, resilient, and sustainable solutions are possible on Nordic soil, while Sverre Pedersen’s perspective (see box above) highlights the practical conditions that will determine how quickly and effectively such solutions can be deployed.
For workloads that underpin sovereignty, national security, and societal resilience, the safest choice is a cloud that is governed and operated under our own rules—whether national, Nordic, or EU-based. Public cloud services will remain an important part of the ecosystem, delivering innovation and scale for many workloads. But true sovereignty is about control, not just location.
In practice, that means having:
Full transparency over where data resides and who can access it
Technical safeguards that prevent unauthorised access from outside the jurisdiction
Operational autonomy that secures uninterrupted access to data and processing capacity
Contractual and legal frameworks that align with European values and security requirements
And the risk of ‘getting it wrong’ is substantial. Building sovereign cloud requires more than just technology and infrastructure; it requires deliberate decisions by governments and industry to invest in resilience and autonomy. In practice, this means combining sovereign and public cloud capabilities with a common private cloud architecture tailored to highly regulated telecom workloads and sensitive AI use cases. This layered approach is essential for delivering the next level of Nordic resilience and secure cross-border services to pan-Nordic customers. In an increasingly uncertain world, trust in digital infrastructure cannot be assumed. It must be designed, verified, and maintained. Knowing exactly who you trust with your data is no longer optional; it is a strategic necessity.