1. Why sovereign cloud is crucial now
Digital sovereignty is no longer a political buzzword. It has become a tangible economic necessity. The world is more uncertain, fragmented and conflict-ridden than it was just a few years ago. Trade conflicts, geopolitical power shifts and growing political tensions are now having a direct impact on digital infrastructures. Cloud computing is not exempt from this. Companies and authorities are thus faced with an uncomfortable reality: Those who use the cloud today do not only decide on technology, but consider implications regarding the law, dependencies and risks. Every cloud architecture transports a legal regime, a political order and a question of control at the same time. Often unnoticed. Often underestimated.
What used to be considered a question of efficiency is now a question of resilience. Global cloud models promise scale and innovation, but at the same time bring new vulnerabilities. Extraterritorial laws, state access rights and geopolitical interests meet highly sensitive data, critical business processes and government tasks. At the latest since the intensification of international conflicts, it has become clear that digital dependencies are real dependencies.
Cloud technology as a strategic infrastructure
Europe is reacting to this not out of protectionism, but out of necessity. The debate about digital sovereignty is an expression of a learning process. It follows the realization that economic ability to act cannot be secured in the long term without legal and technological control. The cloud is thus becoming a strategic infrastructure. And sovereignty is a prerequisite for trust, security and future viability.
The geopolitical situation has made these dependencies visible. Global power shifts, trade conflicts and extraterritorial legislation have long had a direct impact on European IT infrastructures. The U.S. CLOUD Act allows U.S. authorities to access data of U.S. companies regardless of the physical storage location. This is supplemented by regulations such as the Foreign Intelligence Surveillance Act. This makes it clear that server locations alone do not create sovereignty. The deciding factor is which law a provider is subject to.
Europe's necessary path: Digital sovereignty leads to resilience
The industry association Bitkom clearly classifies this development. Europe must understand digital sovereignty as the ability to use digital technologies in a self-determined way. The focus is on control over data, infrastructures and decision-making processes, not the mere origin of individual providers. Digital sovereignty is thus becoming a location factor and a prerequisite for innovation, competitiveness and trust in digital services.
Ivanti has developed the Ivanti Neurons for MDM — Sovereign Edition — EU solution to provide companies and public institutions with legally compliant access to modern cloud technology. The declared goal: not to play off innovation and automation against regulatory requirements, but to consistently combine the two. The solution is a response to increasing geopolitical risks and European regulation and creates the basis for secure, future-proof cloud use in the European market.
2. How sovereign cloud solutions combine technology, operations and law
Many providers are reacting to the developments with purely cosmetic adjustments. Most of the time, the servers are then simply relocated to the EU. Contracts will be supplemented. The legal core remains untouched. This is exactly where so-called "semi-sovereign cloud models" fail.
Real sovereignty only arises when technology, operation and law are considered together. The Ivanti Sovereign Cloud follows exactly this approach: It combines the technological power of Ivanti Neurons for MDM with the operational and regulatory expertise of sector27 as a fully independent European operator. Sovereign cloud is not created by a single security feature. It is the result of the interplay of technical, organizational and legal measures. It is only this combination that makes digital sovereignty resilient and verifiable.
Ivanti Neurons for MDM as a technological foundation
Ivanti technology serves as the foundation for the sovereign cloud solution: Ivanti Neurons for MDM is a cloud-based unified endpoint management solution for securely managing, securing and automating all endpoints in the Everywhere Workplace. It supports iOS, Android, macOS, Windows, ChromeOS as well as specialized and industrial devices. The platform provides centralized control of device configurations, security policies, compliance measures, application management and zero-trust access.
The architecture is highly available, scalable and designed for regulated environments. Ivanti Neurons for MDM meets recognized security standards and has SOC 2 Type II and CSA STAR certifications, among others. Ivanti's commitment to CISA's Secure by Design principles is much more than a U.S. standard. It forms the technological foundation that helps customers meet European requirements such as the NIS2 Directive and the upcoming EU Cyber Resilience Act (CRA). By proactively hardening cloud infrastructure and maximizing visibility into the software supply chain, Ivanti ensures that customers in Germany and Europe are deploying a solution that meets tomorrow's regulatory security requirements today.
Ivanti Neurons for MDM continuously validates devices, users, and contexts before granting access to corporate resources. This implements an adaptive security model that is not based on trust, but on verifiable states.
sector27 as a sovereign operator
What makes the solution sovereign, however, is the operating model and its safety-related design. The Sovereign Cloud instance is operated entirely by sector27. The operation takes place on a dedicated infrastructure located exclusively in the European legal area. Hosting and platform operation are entirely the responsibility of the European operator. Administrative sovereignty, system control and operational responsibility are clearly separated from the software manufacturer and are organizationally and technically secured.
The technical environment is based on the requirements of the BSI IT baseline protection. The data center used is certified accordingly. This means that not only the data center, but especially the processes for operating cloud solutions have been audited. sector27 GmbH plans, operates and provides a standardized basic platform for specialist applications on behalf of customers. The subject-specific application is either administered by the customers themselves or, if desired, partners. The basic platform consists of IT systems with their required operating systems, network infrastructure and management and monitoring systems. The systems are operated in a secure infrastructural environment of the client. The scope of certification also includes the operation of IT-Grundschutz-compliant EMM systems (Enterprise Mobility Management), which are based on the basic platform.
Security-relevant processes thus follow a structured information security management system.
Measures for the availability, integrity and confidentiality of the systems are systematically implemented and regularly reviewed.
Maximum protection — also for staff
Personnel security is also an integral part of the operating model. The solution thus meets key requirements for use in security-critical and regulated environments, and at the same time addresses the requirements defined in the European Cybersecurity Certification Scheme for cloud services, especially at the high level of trust.
Ivanti itself has no operational access to productive data. Manufacturer-side support is exclusively anonymized and encrypted at third level level. Ivanti also has no access to the data at the third level — unless sector27 (or the partner) actively transmits it to Ivanti after anonymization. This ensures a clear organizational and technical separation between product development and cloud operation.
Deployment and responsibilities: The Ivanti Sovereign Cloud Model
The foundation of this initiative is Ivanti Neurons for MDM — Sovereign Edition — EU. While Ivanti as a manufacturer remains responsible for continuous product development, the provision of updates and the technological roadmap, the physical operation and hosting of the infrastructure is carried out exclusively by the specialized partner sector27 in a highly secure European data center.
This clear structure guarantees that customers always use an identical, manufacturer-tested Ivanti product on a sovereign infrastructure operated by sector27, regardless of the sales channel they choose. It also gives customers the freedom to choose how to leverage their existing partner relationships without sacrificing a sovereign infrastructure.
Classification in the context of the EU Cloud Sovereignty Framework
The Ivanti Sovereign Cloud in the form operated by sector27 has been evaluated by the renowned Cyberintelligence Institute along the Cloud Sovereignty Framework of the European Commission. The eight defined sovereignty goals and the respective SEAL levels from 0 to 4 are decisive.
The solution achieves the level of Digital Resilience (SEAL-3) in key dimensions.
Here, the report confirms substantial European control over operations, governance, decision-making structures and security organization.
In other core areas — in particular legal classification, operational management, supply chain and technological development — a strong European anchoring is found, albeit with remaining structural dependencies on manufacturers. These primarily concern upstream product development and the global supply chain, but not the operational service sovereignty of the specific cloud service.
The opinion therefore comes to the conclusion that the solution as a whole can be assigned to the SEAL-2 level ("data sovereignty") with a clear approximation to SEAL-3 ("data resilience").
The remaining non-European dependencies do not lie in the area of operations, data control or security organization, but in the manufacturer's product development. For an international software provider, this is structurally unavoidable.
This positions the Ivanti Sovereign Cloud model at the upper end of what is realistically achievable for a global software solution under European operations.
3. Classification by the Cyberintelligence Institute
Sovereignty cannot only be described, it can be measured. This is exactly where the Cyberintelligence Institute (CII) comes in. The institute is an independent, interdisciplinary research and analysis center with a focus on cybersecurity, digital sovereignty and geopolitical risk assessment of digital infrastructures. It works at the interface of technology, law and politics and advises public institutions, companies and security-relevant organizations. The aim of the CII is to make complex digital dependencies visible, comparable and assessable.
The Cyberintelligence Institute assesses cloud sovereignty not politically, but structurally. The decisive question is whether European control is substantial in strategic, operational and security organisational terms and whether remaining third-country references are critical or merely structurally upstream.
In the overall assessment, the report finds that material non-European dependencies remain in the software and supply chain, but that they do not dominate the operational management of the service.
It is precisely this differentiation that is central. The framework requires complete technological autonomy for SEAL-4, including product development and supply chain. For international manufacturers, this level can in fact only be achieved through completely new European development.
The Cyberintelligence Institute's Cloud Risk Matrix confirms that true sovereignty does not come from data localization alone, but from verifiable European control structures. It is precisely these that are pronounced in the present model.
Download the Cyberintelligence Institute legal opinion here.
4. Legal evaluation of the sovereign cloud solution
Extraterritorial law as a structural risk
At the center of the legal debate is the question of applicable law. Professor Kipker makes it clear that U.S. regulations such as the CLOUD Act and the Foreign Intelligence Surveillance Act in particular pose a permanent risk for European cloud users. These laws allow government access to data of U.S. companies regardless of where it is stored. This legally devalues the physical localization of data.
According to Professor Kipker, cloud models in which the operation remains under the legal control of a third country are not compatible with European data protection and security requirements in the long term. This applies in particular to public clients, critical infrastructures and regulated industries.
Limits of semi-sovereign cloud models
Professor Kipker is clearly critical of so-called semi-sovereign cloud approaches. These include models in which data centers are operated in the EU, but legal control remains with the foreign parent company. From a legal point of view, this is not enough to establish digital sovereignty.
He emphasizes that European supervisory authorities and legislators are increasingly distinguishing between formal compliance and actual control capability. Cloud offers that only rely on contractual clauses or additional technical measures without eliminating legal access power are not sustainable.
Significance for regulation and market access
With a view to upcoming regulations, Professor Kipker sees a clear development: NIS2, DORA and the European Cybersecurity Certification Scheme from the CSA are not only tightening requirements for security, but also for verifiability and governance. Cloud models that do not have a legally sovereign operating structure risk exclusion from sensitive fields of application.
This is particularly relevant for the public sector and for companies that are part of critical supply chains. Here, cloud sovereignty becomes a prerequisite for tenderability. In this context, Professor Kipker speaks of a new market entry threshold for cloud providers.
Future-proofing as a strategic advantage
Professor Kipker also points out that cloud sovereignty not only minimizes risks, but also creates strategic advantages. Companies that invest in legally resilient cloud architectures today secure regulatory freedom, planning security and trust with customers and partners.
Legal resilience is thus becoming a competitive factor. Not as an abstract principle, but as a concrete prerequisite for growth in regulated markets.
5. Target groups and application scenarios
Sovereign cloud is by no means a niche topic for special cases or particularly security-critical organizations. It increasingly affects all companies and institutions whose business model is based on trust, availability and legal resilience. In a digitalized economy, this is no longer the exception, but the rule.
With growing regulatory density, the benchmark is shifting. Cloud decisions are no longer made solely on the basis of functionality, cost or scalability. They become part of risk, compliance and corporate governance. NIS2, DORA, the EU AI Act and upcoming certification regimes such as EUCS make it clear that digital infrastructures will be subject to the same requirements as classic critical business processes in the future.
This means that the circle of affected organizations is constantly expanding. What is still considered a special requirement of the public sector today will become the standard for regulated industries tomorrow and the horizon of expectations of customers, partners and supervisory authorities the day after tomorrow. Sovereign cloud is thus becoming a prerequisite rather than an option.
Public administration and state institutions
For authorities at municipal, state and federal level, cloud sovereignty is already a central award criterion. Data protection, confidentiality and legal freedom of access are non-negotiable. Models with extraterritorial risk are de facto ruled out.
This means that it meets the requirements for use in particularly sensitive administrative environments.
Critical infrastructures and regulated industries
Energy, healthcare, financial services, transportation and telecommunications are under growing regulatory pressure. NIS2 and DORA require not only technical security, but also resilient governance and resilience concepts. Cloud models that contain legal uncertainties increase operational risk. The Cyberintelligence Institute expressly points out that such risks will no longer be acceptable in the future.
Companies with high compliance requirements
Even beyond classic critical infrastructure industries, the need for sovereign cloud solutions is growing. Companies with an international presence, sensitive data or high compliance requirements must anticipate regulatory developments.
Gartner predicts that by 2027, the majority of multinational organizations will implement an explicit sovereign cloud strategy. Sovereignty is increasingly influencing the choice of provider.
For these companies, the solution offers planning security without having to do without modern cloud functionalities.
Cloud late adopters and security-conscious organizations
Last but not least, the solution is aimed at organizations that have been deliberately reluctant to use the cloud so far. For them, sovereignty is often the ticket to cloud use.
A legally robust, auditable and transparent operating model lowers the barriers to entry and creates trust. This is a decisive factor, especially in the area of endpoint management, as mobile endpoints often represent sensitive access to company data.
6. Conclusion
Digital sovereignty cannot be retrofitted. It must be part of the architecture from the very beginning. Anyone who sees the cloud only as infrastructure misjudges its legal and strategic dimension.
The Ivanti Neurons for MDM — Sovereign Edition — EU solution shows how true sovereignty can be put into practice. Not through marketing terms, but through clear structures. Technology, operation and law are intertwined.
The combination of Ivanti Neurons for MDM as the technological foundation and sector27 as an independent European operator meets the requirements of current and future regulations. They address the key risks of extraterritorial dependencies and create a resilient basis for security, resilience and trust.
Sovereign cloud is not a political statement. It is a strategic decision. Those who make these decisions today will remain capable of acting tomorrow.
References
- Bitkom e.V.: Europe's Path to Digital Sovereignty, Press Release, 2024.
- Cyberintelligence Institute: Requirements for National and European Cloud Sovereignty, Prof. Dr. Dennis-Kenji Kipker, 18.05.2025.
- Cyberintelligence Institute: Cloud Risk Matrix and Sovereignty Assessment, 2026.
- Ivanti: Ivanti Neurons for MDM Data Sheet, 2023.
- Gartner: Sovereign Cloud Strategy Market Forecast, quoted from Ivanti Market Overview.