Board Brief: Cloud Services

The Cloud, Just someone else's servers.

Cloud services for the longest time were just another spanner in the TI department’s toolkit. However, their place at the intersection of resilience, cost, regulation, and strategic control is increasingly pushing them toward the management and strategy levels. As a result, the central question becomes less about whether the cloud is useful and more about how much control your organization is willing to trade for speed, scale, and simplicity. That tradeoff is where the debate over cloud computing and hyperscalers intersects with digital sovereignty, cybersecurity, and Open Source.

The New Cloud Question

For years, hyperscalers won by default because they offered quick wins and operational convenience, while only moderately increasing costs and long-term management complexity. In today’s age of AI, that model still appears powerful. However, it is no longer politically or strategically neutral. Concerns about jurisdiction, access, and the legal reach of foreign governments increasingly shape cloud procurement worldwide.

That matters because cloud architecture is not just an IT choice. When different jurisdictions come into play, the cloud defines who can compel access to your data, where your workloads can run, and how easily you can change course if the environment shifts. Boards should treat cloud dependence the same way they treat concentration risk in banking, supply chains, or capital markets. If a single provider, jurisdiction, or operating model becomes overly central, the organization has less room to maneuver when conditions change.

Hyperscalers Under Pressure

The hyperscaler debate is not about whether Amazon, Microsoft, and Google are technically capable. It is about whether scale and convenience should continue to outweigh control and jurisdictional certainty. Recent reporting on the tech sovereignty push in the EU, Africa, and Canada suggests the direction of travel is toward stricter procurement standards. Microsoft handing over Dutch Civil Service E-Mails might accelerate the issue.

The EU appears to be moving toward a model in which hyperscalers can still participate, but only if they provide stronger guarantees regarding data residency, operational control, and protection against third-country access. The African Union appears to be following the lead, and Canada is discussing similar measures. Unfortunately, the US and China appear unwilling to let their Big Tech companies compete under this model.

For boards, this means today’s cloud advantage might pose new risks. Price and feature depth still matter, but they are no longer enough on their own. The new standard is whether a provider can satisfy control requirements that are increasingly legal and political, not just technical.

What Sovereignty Means In The Cloud

Digital sovereignty is often misunderstood as an argument for isolation, but that is too narrow a view. The more useful definition is the ability to control the infrastructure, software, standards, and data that underpin operations, as well as the laws and regulations that govern them. In other words, sovereignty is about the degree of actual control you retain over critical digital dependencies.

That framework moves the discussion away from slogans and toward decisions. A company does not need to own everything to be sovereign enough. It does need to know which parts of its cloud estate are negotiable, which are mission-critical, and which should never be left to opaque external dependencies. For example, hosting the outward-facing website externally will have little influence on the control. It’s easy to move, and most data is shared anyway. The calculation would look different for an ERP or CRM system.

It’s also important to look past the marketing language around “sovereign cloud” services. The key question that boards should have IT check is not whether a vendor uses the word “sovereign,” but whether the architecture, operating model, and legal structure actually reduce exposure.

Practical board oversight

The most effective board response is to insist on clarity. Management should be able to explain where cloud dependence is acceptable, where it is risky, and where a more controlled model is required. That requires mapping not just providers, but also data flows, identity systems, support arrangements, and the legal jurisdictions that may apply to each layer.

Boards should also require management and IT to distinguish between ordinary enterprise workloads and sensitive or regulated ones. The growing policy trend in Europe suggests that sensitive workloads may increasingly move into sovereign enclaves or tightly controlled environments. At the same time, the broader market remains global but more heavily shaped by local rules. Thus, risk management demands that different workloads are treated according to their potential risk to the company.

As Replatforming is expensive, slow, and operationally disruptive, it is critical that boards set the right parameters for IT, so that the company can confidently take sovereignty decisions before lock-in becomes irreversible. A board that waits for a crisis will have fewer options than one that sets a strategy long before the external regulatory pressure becomes overwhelming.

Strategy, not symbolism

The right response to the sovereignty debate is not to romanticize local providers or to assume hyperscalers are inherently unfit. It is to force strategic honesty. Some workloads will continue to justify using hyperscalers because their economics and capabilities are hard to beat. Others will demand tighter control because the risk of foreign jurisdiction, concentration, or operational dependency is too high.

That is why the cloud discussion requires strategic oversight and risk management. Boards should ask whether the company can prove control, not merely claim confidence. They should set parameters for compliance with local regulations, define the organization’s leverage in a procurement dispute, and assess whether its cloud strategy still aligns with its risk appetite.

Cloud services are no longer just a procurement category. They are a governance choice, a resilience choice, and increasingly a sovereignty choice. The companies that will be best positioned are those that treat cloud not as a destination, but as a portfolio of dependencies that must be actively managed.

Leave a Reply

Your email address will not be published. Required fields are marked *

More Articles & Posts

Mastodon