Would you like to see any changes to the current proposals before they’re gets passed into legislation? “At the moment, they have these four different risk levels, and the most critical one — No. 4 — is one where they accept only open source and European solutions. This is the highest risk level, but this is only for 1% of the market. I hope that it’s better understood that more than 1% should care about this more.
“If you have something which is completely not critical, maybe doesn’t possess any personal data at all — sure, it’s totally fine [to use non-EU suppliers]. But if you have GDPR requirements, espionage protection, no vendor lock-in, and so on, then there should be more of that [the highest requirement level].”
US firms have attempted to address European customers’ concerns in different ways, with sovereign marketed cloud services and joint ventures with European providers. Microsoft 365 Local is designed to run on premise. Where do you draw the line between what’s actually a sovereign solution and what some call ‘sovereignty washing? “Sovereignty has different dimensions, of course. But if you look at the problem of the CLOUD Act alone, which gives foreign agencies full access to the data here, then the whole idea that it’s enough to have European data centers — that’s not enough. It’s clearly written in the CLOUD Act, that even with [European] data centers, or subsidiaries, it still applies.