Day 0 Event #270 Everything in the Cloud How to Remain Digital Autonomous

Summary

This discussion at the Internet Governance Forum focused on digital autonomy in the context of cloud computing concentration among major global providers. The panel examined concerns about strategic dependencies on a handful of predominantly US-based cloud services like AWS, Microsoft Azure, and Google Cloud, and their implications for national security, data protection, and digital resilience.

Anke Sikkema from the Netherlands Ministry of Economic Affairs outlined her country’s Digital Open Strategic Autonomy (DOSA) agenda, which aims to remain globally open while addressing strategic dependencies in the digital sector. She described recent debates in the Netherlands, including concerns when their domain registry provider wanted to move to Amazon Web Services, leading to parliamentary initiatives and revised government cloud policies. The Dutch approach emphasizes being “open where possible and protective when necessary.”

Jeff Bullwinkel from Microsoft acknowledged the legitimacy of sovereignty concerns while emphasizing that trust is fundamental to technology adoption. He outlined Microsoft’s European digital commitments, including doubling infrastructure capacity in Europe by 2027, implementing an EU data boundary, and committing to resist government orders to seize or suspend cloud services. He stressed the importance of focusing on innovation opportunities at the model and application layers, not just infrastructure.

Agustina Brizio provided a Global South perspective, highlighting how Latin American countries face particular challenges with hyperscaler dependency and limited regulatory capacity. She advocated for multi-cloud architectures, investment in local cloud capabilities, and stronger public procurement policies that include data localization and transparency requirements. She emphasized the need for more democratic governance mechanisms for cloud infrastructure, viewing it as a public good requiring social oversight.

The discussion concluded that addressing cloud concentration requires balanced approaches combining protection, promotion, and partnership among governments, industry, and civil society stakeholders.

Keypoints

## Major Discussion Points:

– **Cloud Market Concentration and Digital Autonomy Concerns**: The discussion centered on how the dominance of a few major cloud providers (primarily US-based like AWS, Microsoft Azure, Google Cloud) creates strategic dependencies that raise concerns about national security, data protection, and digital sovereignty for countries worldwide.

– **Regional Approaches to Cloud Sovereignty**: Different regions are taking varied approaches – Europe is developing initiatives like GAIA-X and sovereign cloud policies, while Latin America faces greater challenges due to power imbalances and regulatory gaps when dealing with hyperscale cloud providers.

– **Trust, Transparency and Accountability in Cloud Services**: The conversation emphasized that trust is fundamental to cloud adoption, with discussions about how cloud providers can maintain trust through transparency, accountability measures, and compliance with local laws and regulations.

– **Multi-stakeholder Governance and Shared Responsibility**: Speakers highlighted the need for collaborative approaches involving governments, private sector, civil society, and academia to address cloud governance challenges, rather than relying solely on government regulation or corporate self-regulation.

– **Balancing Innovation Benefits with Sovereignty Concerns**: The discussion explored how to maintain the significant benefits of cloud computing (efficiency, scalability, innovation) while addressing legitimate concerns about data control, security, and national digital autonomy.

## Overall Purpose:

The discussion aimed to explore the complex challenges of digital autonomy in an era dominated by concentrated cloud computing markets. The goal was to examine how different stakeholders can work together to manage strategic, regulatory, and operational risks while preserving the benefits of cloud services and fostering more diverse, secure, and locally accountable cloud ecosystems.

## Overall Tone:

The discussion maintained a balanced and constructive tone throughout. It began with acknowledgment of legitimate concerns about cloud concentration, evolved into a nuanced exploration of different regional perspectives and approaches, and concluded with a collaborative spirit emphasizing shared responsibility. The speakers were respectful of different viewpoints, with government and industry representatives acknowledging each other’s concerns while civil society voices provided critical but constructive perspectives from the Global South. The tone remained professional and solution-oriented rather than adversarial.

Speakers

– **Jenna Fung**: Program Director of NetMission.Asia, a youth-focused network in Asia Pacific dedicated to engaging and empowering young people in internet governance. Served as on-site moderator for the session.

– **Anke Sikkema**: Deputy Director, Digital Economy, Netherlands Ministry of Economic Affairs. Studied international relations at the University of Groningen in the Netherlands and started her career in Brussels as European Policy Advisor at VNO-NCW.

– **Jeff Bullwinkel**: Vice President and Deputy General Counsel, Corporate, External and Legal Affairs of Microsoft. Focuses on the company’s legal and corporate affairs across Europe, the Middle East and Africa.

– **Agustina Brizio**: Lawyer with a master’s degree in public policy, currently pursuing an MPA in digital technologies and policy at University College London. Innovations and digital technologies manager at Asuntos de Sol, where she leads efforts to strengthen democracy through inclusive tech policies in global south. Focuses on intersections of technologies, equity, and governance with particular interests in AI, cybersecurity, and digital rights.

– **Corinne Katt**: Head of Team Digital at Human Rights NGO Article 19, and a recovering postdoc who wrote work on the political economy of cloud.

Additional speakers:

None identified beyond the speakers names list.

# Digital Autonomy in the Cloud: Navigating Sovereignty and Innovation in an Era of Market Concentration

## Executive Summary

This discussion at the Internet Governance Forum’s Day Zero Event 270 examined the complex challenges surrounding digital autonomy in the context of concentrated cloud computing markets. The panel brought together diverse perspectives from government policy makers, industry representatives, civil society advocates, and Global South voices to explore how the dominance of a handful of predominantly US-based cloud providers affects national sovereignty, democratic governance, and innovation opportunities worldwide.

The conversation explored practical approaches that balance multiple competing values: sovereignty versus openness, security versus innovation, and local control versus global efficiency. All participants acknowledged the legitimacy of concerns about strategic dependencies on major cloud providers like AWS, Microsoft Azure, and Google Cloud, whilst recognising the substantial benefits these services provide for economic efficiency, innovation, and cybersecurity.

## Key Participants and Perspectives

The discussion was moderated by **Jenna Fung**, Program Director of NetMission.Asia, who noted this was her “first time moderating an open forum in this setting.” She opened by explaining key concepts including data residency (where data is physically stored), data sovereignty (legal control over data), and digital autonomy (ability to make independent decisions about digital infrastructure).

**Anke Sikkema**, Deputy of Directors of Digital Economy at the Netherlands Ministry of Economic Affairs, presented the European governmental perspective through her country’s Digital Open Strategic Autonomy (DOSA) agenda. Her approach emphasised being “open to the outside world where possible and protective when necessary.”

**Jeff Bullwinkel**, Vice President and Deputy General Counsel at Microsoft, provided the industry perspective whilst acknowledging the legitimacy of sovereignty concerns. He emphasised trust as fundamental to technology adoption, citing “a famous Dutch statesman in the 18th century” who said that “trust arrives on foot and leaves on horseback.”

**Agustina Brizio**, representing Global South perspectives as an innovations and digital technologies manager at Asuntos de Sol, highlighted the particular challenges faced by Latin American countries in dealing with hyperscale cloud providers, emphasising power imbalances and the need for more democratic governance mechanisms.

**Corinne Katt** from Article 19 contributed perspectives on the intersection of cloud computing with human rights and democratic oversight, particularly regarding concerns about government access to data.

## The Netherlands’ Digital Open Strategic Autonomy Approach

Sikkema outlined the Netherlands’ comprehensive approach to addressing cloud dependencies through their DOSA agenda, which emerged from growing concerns about strategic dependencies in the digital sector. A key catalyst was when SIDN, the .nl domain provider, wanted to migrate to Amazon Web Services, sparking national parliamentary debate about digital sovereignty.

This led to revised government cloud policies and the “Clouds on the Horizon” bill, drafted by Dutch parliament members with multi-stakeholder input. The Dutch approach centres on three key governmental roles: protecting through legislation, promoting innovation, and fostering partnerships.

Sikkema highlighted European Union initiatives including the Data Act and Digital Markets Act as regulatory tools that help mitigate risks whilst promoting investment. She also discussed collaborative European projects like Gaia-X and Eurostack, which aim to build collaborative digital infrastructure that provides alternatives to complete dependency on global hyperscalers whilst maintaining interoperability.

## Industry Perspective: Trust, Security, and Innovation

Bullwinkel acknowledged the legitimacy of sovereignty concerns whilst emphasising that trust forms the foundation of all technology adoption decisions. He announced Microsoft’s new sovereign cloud approach, revealed “just last week” in Amsterdam by CEO Satya Nadella, including plans to increase European capacity by 40% and double capacity between 2023-2027, implement an EU data boundary, and commit to resisting government orders to seize or suspend cloud services.

He outlined Microsoft’s security capabilities, noting that the company processes “77 trillion different signals” daily for cybersecurity and can invest in security at levels that exceed individual government capabilities. He used the example of Ukraine, which suspended its law requiring government data to be stored within borders during the conflict, achieving better data sovereignty by dispersing digital assets across Europe when Russian missiles targeted local data centres.

Bullwinkel also highlighted successful European companies like Mistral AI and Hugging Face as examples of innovation happening at the model and application layers using hyperscale infrastructure. He mentioned Microsoft’s partnerships with European companies including Leonardo in Italy, Proximus in Belgium, and Telefonica in Spain.

## Global South Challenges and Democratic Governance

Brizio provided crucial perspectives from Latin American countries, highlighting how Global South nations face particular challenges with hyperscaler dependency due to limited regulatory capacity and significant power imbalances. She cited Argentina’s experience with Arsat, a telecoms provider with data center capabilities, as an example of regional approaches to building local capacity.

Her arguments focused on the democratic governance implications of cloud concentration, noting that vendor lock-in prevents governments from making autonomous decisions and undermines democratic oversight. She advocated for multi-cloud architectures as a strategy to prevent vendor lock-in and maintain governmental decision-making autonomy.

Brizio called for stronger public procurement policies that include data localisation and transparency requirements, viewing these as powerful tools for governments to influence cloud provider behaviour. She emphasised the need for investment in national and regional cloud capabilities to support local innovation ecosystems.

Her most significant contribution was reframing cloud infrastructure as a public good requiring social oversight, calling for more democratic governance mechanisms that move beyond technical expert discussions to include broader societal stakeholders.

## Trust and Transparency Challenges

A recurring theme throughout the discussion was the fundamental challenge of building and maintaining trust in cloud services. Katt raised specific concerns about the US Cloud Act and its implications for European data protection, questioning whether company commitments to resist government data requests can overcome fundamental legal framework issues.

The discussion revealed that trust-building requires ongoing attention and cannot be easily resolved through technical measures alone. Different speakers proposed different approaches: corporate commitments and technical solutions versus stronger regulatory frameworks and democratic oversight mechanisms.

## Innovation and Economic Opportunities

Despite sovereignty concerns, all speakers recognised the significant innovation and economic opportunities created by cloud computing, particularly in the era of artificial intelligence. Bullwinkel emphasised that innovation opportunities exist across infrastructure, model, and application layers, arguing that European companies are successfully building innovative services on hyperscale infrastructure.

Other speakers argued that some level of infrastructure independence is necessary to support local innovation ecosystems and maintain decision-making autonomy. This tension between leveraging global capabilities and building local capacities highlighted the complexity of balancing innovation with sovereignty concerns.

## Regional Approaches and Collaboration

The discussion revealed different regional approaches to addressing cloud sovereignty challenges. European initiatives like Gaia-X and Eurostack represent collaborative approaches to building alternative infrastructure whilst maintaining interoperability with global services.

The Global South faces different challenges, with limited resources for building independent infrastructure but greater vulnerability to power imbalances with hyperscale providers. Brizio’s emphasis on hybrid public-private models and regional cooperation suggested potential pathways for developing countries to achieve some autonomy whilst leveraging global capabilities.

Bullwinkel mentioned his recent visits to African countries including Kenya, Egypt, Nigeria, Tanzania, and Rwanda, noting the diverse approaches being taken across different regions.

## Practical Solutions and Recommendations

Several practical solutions emerged from the discussion. Multi-cloud architectures were widely supported as a strategy to prevent vendor lock-in and maintain decision-making flexibility. Public procurement policies were identified as powerful tools for incorporating sovereignty requirements into government cloud adoption.

Investment in national and regional cloud capacities was seen as important for supporting local innovation ecosystems, though speakers acknowledged the challenges of building sustainable technical capacity and stable policy frameworks, particularly in developing countries.

The discussion also highlighted the importance of open and interoperable standards as alternatives to complete technological independence, allowing organisations to maintain flexibility whilst benefiting from global innovation.

## Multi-Stakeholder Governance

The conversation demonstrated the importance of multi-stakeholder approaches to cloud governance. All speakers agreed on the need for collaboration between governments, industry, and civil society, though they differed on implementation approaches.

The discussion highlighted that effective multi-stakeholder governance requires creating structures that provide meaningful participation and decision-making power to all relevant parties, including civil society and affected communities, rather than simply gathering stakeholders around a table.

## Conclusion

The discussion concluded with recognition that addressing cloud concentration requires balanced approaches combining protection, promotion, and partnership amongst governments, industry, and civil society stakeholders. The conversation moved beyond binary thinking about dependence versus independence to explore nuanced frameworks for managing trade-offs contextually.

As Fung noted in closing, digital autonomy can be “a slippery slope sometimes,” requiring careful navigation of competing interests and values. The speakers agreed that the conversation about digital autonomy should continue in national and regional contexts, with each stakeholder group taking specific steps to achieve meaningful digital autonomy whilst preserving the benefits of cloud computing for innovation, efficiency, and security.

The conversation ultimately reframed cloud governance from a purely technical or economic issue to a fundamental question about how societies should govern critical digital infrastructure in an interconnected world, emphasising the need for democratic participation and oversight in decisions that affect everyone’s digital future.

Jenna Fung: Testing. Can you guys hear me? Awesome, everyone. Hello. Welcome to Day Zero Event 270, Everything in the Cloud, How to Remain Digital Autonomous. I’m your on-site moderator today. My name is Jenna Fung, Program Directors of NetMission.Asia, a youth-focused network in Asia Pacific dedicated to engaging and empowering young people in internet governance. It is my first time moderating an open forum in this setting with the headphones on, and it’s kind of weird to hear your own voice when you moderate too. So please bear with me if I make any mistake, but welcome. I’m glad you guys decided to join today’s sessions, what I’m sure will be a dynamic and important conversation because this is a very interesting topic that interested me these days. And I believe it’s the same to all of you because you decided to attend this meeting and be with us today out of all the session. As we know, cloud computing is now the backbone of today’s digital economy. We encounter it without even noticing it, from backing up your photos from our phones, using smart home devices, or video doorbell, or even use tools like Google Docs or Zoom calls to prepare for your very IGF workshop coordination too. So we encounter cloud services these days even without realizing it, but as more and more of our infrastructure services and data move to the cloud, we are also starting to ask tougher questions, especially… about who controls these systems and what that means for national security, data protections, or even long-term digital resiliency. So right now, much of the world relies heavily on a few handful of major cloud providers, like mostly also US-based as well, like AWS, Microsoft, Azure, and Google Cloud. Of course, a lot of amazing work has been done. But recently also Europe and some other regions starting to have their different concerns about their strategic dependency on cloud usage. And in Asia, we are seeing more mixed pictures with some countries also turning to regional providers like Alibaba or Tencent, which they are mostly Chinese company. But only a few countries managed to build a robust, strong domestic cloud ecosystem to encounter the emerging and ever-changing environment that we are in today. So now to set stage for today’s discussions, I don’t know if you guys get a chance to read the titles again and again, because to me, it is very complicated. And it’s a concept that we have to unpack before we can construct a conversation that’s meaningful for us, where we can bring this topic back to our own country for further discussion. So I would like to briefly surface a few concepts before I start introducing our speaker today, which they will help us to get through all those questions we have. Terms like data residency, we might have heard before where people talked about data store or process physically within certain national borders. And later on, people also talked about data sovereignties, which elevate the concept into legal realm, signifies like data is not only physically be within a country, but also subject to certain countries’ laws and regulations. And ultimately, The aspirations in this domain is our topic today, digital autonomy. And so, we want to explore this bigger picture together. What does this concentration of cloud powers of a certain handful of great services that provides cloud services means for digital autonomy and what role should government play in ensuring security and compliance, especially when it comes to sensitive data, whether it’s personal or national. So, should countries be investing in sovereign cloud initiatives? These questions I want to plant in your head as we started this conversation later on. We’ll also have an open floor Q&A to the audience. But now, allow me to introduce our speaker. So, to my right is Anke, Deputy of Directors, Digital Economy, Netherlands Ministry of Economic Affairs. She studied international relations at the University of Groningen in the Netherlands and she started her career in Brussels as European Policy Advisor at VNO-NCW. And later on, returned to The Hague, where she is a civil servant at the Ministry of Economic Affairs. Now, of course, work as a Deputy of Digital Economy, Netherlands Ministry of Economic Affairs. Welcome, Anke. And to my right is Jeff from Microsoft. Jeff is the Vice President and Deputy General Counsel, Corporate, External and Legal Affairs of Microsoft. He’s been actually working in many different regions before, but now mainly focusing on their companies’ legal and corporate affairs across Europe, the Middle East and Africa. So, later on, we’ll hear from Jeff, who might have, you know, happen to be able to share more insights from, you know, a broader regional perspective. And online we have Agustina just checking with our online moderators if Agustina is with us. Awesome. Agustina is a lawyer with a master’s degree in public policy, currently pursuing an MPA in digital technologies and policy at University College London. She is innovations and digital technologies manager at Asuntos de Sol, where she leads efforts to strengthen democracy through inclusive tech policies in global south. And she recently did some research focusing on the intersections of technologies, equity, and governance with particular interests in AI, cybersecurity, and digital rights. So we get a really good panel today and I want to pass it over to our speaker because I’ve been speaking a lot already. We have plenty of our policy questions, many of them very compact, and I believe you can access them on the IGF website as well. First question actually to start with, to what extent is the current concentrations of the cloud computing market among global providers a problem for digital autonomy, security, and or innovation? Very compact questions, but I am aware that in Europe, for instance, the Netherlands have started some initiative around a more sovereign cloud initiative. And I may now perhaps pass it over to Anka to share some experience that you might have working in this area and then we can unpack and try to answer that question together.

Anke Sikkema: Okay, thank you very much. I think I take it off. Yes, easier. Yes, thank you very much. And I think it’s a good opportunity to be here and discuss these questions with you here at the IGF in this multi-stakeholder setting. Because there’s a lot to say, I don’t have the answers, and that’s why we’re actually here to discuss this all together from different angles. And what I can tell in response to the first question is a bit more about the situation in the Netherlands. Before I start, I’d like to stress, because we will talk about concerns mainly, I would like to stress the benefits of cloud for economy and for society as a whole. It’s an efficient way to storage data, it’s user-friendly, and we can’t think of a world without it. But however, we had some quite extensive debates lately about strategic autonomy in general, and more specifically, dependencies in the cloud market back home. And I would like to take you to 2023, when our government published a so-called DOSA agenda. And DOSA is an acronym for Digital Open Strategic Autonomy. We’ve been thinking about this for a longer time. And in this acronym, the word open is deliberately in this agenda, because we think it’s important to act globally as open as possible. But on the other hand, it aims to address strategic dependencies in the digital sector, and cloud is one of the priorities in this agenda. So the idea is to see where these dependencies are in which technologies. What happened is that research agencies in the Netherlands indicated that the market position of European… players is relatively weak, I don’t think it’s a surprise to say this anymore, in the cloud market. And another thing is that the use of cloud entails certain risks when it comes to maintaining control and access to sensitive and protected data. So it’s extra important when we talk about government data. What we see a bit broader than only in the Netherlands is in the EU. Of course, we are part of the EU and the EU has taken important legislative steps to protect and to mitigate the risks. So you can think about the European Data Act, the Data Governance Act and the Digital Markets Act. But on the other hand, it also started more to promote and to invest in projects in cloud and data infrastructure. So these two parts happened. And then in 2024, we had two interesting things. And I talk a bit from the government perspective and from the political world I work in. First of all, our country code top-level domain provider, which is SIDN from the .nl, announced that it wanted to move its domain registration system to Amazon Web Services, because its current system was becoming outdated and needed to renew. But this actually started a wide national debate, because people thought even technically advanced organizations as SIDN are not were not able to run certain systems in a European cloud party. So our minister was asked to investigate this case, and that’s actually what we did. And secondly, two members of Dutch parliament presented a draft bill with the catchy title Clouds on the Horizon. They expressed their concern regarding the dependency of the Dutch society and the Dutch government on big U.S. cloud providers. So this bill was drafted, and I think it’s good to mention here as well that that was also kind of a multi-stakeholder way of organizing this, because it was a group of stakeholders who drafted this together with those members of parliament from the technical community, civil society, academia, and from business community. And we see that the change of the geopolitical landscape led to a revised cloud policy when it comes specifically to use of government data in the cloud. So what we would like to say is that still, when I come back to the first agenda that I mentioned, so this DOSA agenda, Digital Open Strategic Autonomy, we say open to the outside world where possible and protective when necessary. So that’s how we look at it right now. Thank you.

Jenna Fung: Thank you, Anke, for sharing. Better to take it off. Thank you, Anke, for sharing the perspective from the Netherlands government. Now I actually would like to turn the same questions over to Jeff. Slightly different, because like I said, this is like a really compact situation. And also, as Anke mentioned earlier, it is concern and risk many of the time about how to control the data. And I saw you took a lot of notes, and you probably have some insights. But I want to add a little bit of the context on top of the questions. You know, in these days, especially with AI being so, you know, proliferating, and it is growing every single day without us being able to predict how exactly it is going. and many sees that as like amplifying some global concerns especially around this topic. I wonder if you could speak to how you know such a big service cloud service provider like Microsoft you know in the situation what’s their roles and responsibilities as someone especially not only businesses but some some of the governments also rely on your system because one of the examples is Canadian government use your system. So I would like to turn it over to you.

Jeff Bullwinkel: Well thank you Jenna for the introduction and for the chance to be here as well. Thanks to people in the room and those joining online for what I think is really a very timely conversation and a very important conversation and grateful to be sharing the platform here with Anke and Agustina as well online. I say a few things in response to that question Jenna perhaps building a bit on what Anke said as well and the first is to acknowledge very clearly that the concerns that we are hearing about today are very natural and understandable and appropriate frankly and I think it’s just very important to state that very directly. I would say that in many respects the concerns that we hear about around data privacy, data security, data and digital sovereignty are not new concerns. In many respects I think these concerns have been with us for a long time. I mean we can think back even to over now over 10 years ago whenever Snowden first fled the U.S. with four laptops and went to Hong Kong initially and then on to Russia and at that time you know trust became an issue and trust in technology frankly speaking became an issue and I think that we’re seeing some of those concerns around trust on the surface again in a very clear way and so while I would say that the concerns are not perhaps new around again sovereignty, autonomy and the like they are I think more pronounced perhaps and more frequent. in terms of how they come up in our own conversations given what is, after all, a relatively volatile geopolitical environment. And so that certainly does cause us as a company, as a major provider of services, to think hard about what we need to do to maintain trust. And trust really is the critical element here. And I had the privilege, by the way, Anke, of living in your great country for five years. And I learned at that time that a famous Dutch statesman in the 18th century once said that trust arrives on foot and leaves on horseback, which I think is absolutely true when it was said and certainly true now. And so we think about the fact that people will simply not use technology they don’t trust, and that guides everything that we do. And so I would say that as a company, we have a high degree of responsibility to think about these issues in the right way. In relation to AI, as you say, Jenna, this is the era of AI after all. I mean, it is here. It’s not new either, by the way, but it certainly is having a profound impact on every aspect of society in really very exciting ways. But again, the trust issue certainly looms large. It was eight years ago, in fact, that Microsoft as a company decided to articulate a set of responsible AI principles that were at that time designed to govern our own conduct and make sure that as we develop and deploy AI systems, we would do so in a way that reflects privacy and security, safety and reliability, fairness, inclusiveness, ultimately transparency and accountability. But equally, we’re just one company in one sector and we don’t make the rules. And so while we have our own approach to what I might describe as self-regulation, ultimately it’s up to governments to make the rules and for companies like ours to follow them. So in light of the most recent, I guess, dynamics we’re seeing geopolitically, we’ve taken some additional steps as well that perhaps get to some of the questions that Anka I think so effectively articulated. And this is a global audience in the room and a global audience, to be sure, online. But since we’re here in Europe, I would just emphasize, as a reference point, that we just about a month and a half ago articulated a set of European digital commitments that are very much designed, again, to get to the issues that I think are top of mind. One element of that really is making sure that we have a cloud and AI ecosystem that is broad and diverse. And we have our own infrastructure investments we make across Europe. Obviously, quite a lot of investment in the Netherlands, for sure, but elsewhere across Europe. In fact, we’ve committed to increased capacity over the next couple of years in Europe by 40%, which means that over a five-year period between 2023 and 2027, we’ll have double our capacity in infrastructure for hyperscale cloud services and AI services across Europe, with over 200 data centers in 16 different countries. These are investments that, for us, reflect an appreciation of the interdependence of what we are doing together with our European partners and allies. These are data centers that are not built on wheels. They are governed by the laws of the European countries in which we operate, just as the infrastructure we have elsewhere in the world is governed by local laws, and we’re not at all confused about that. Another element we’ve focused on with our new digital European commitments is this importance of maintaining digital resiliency, I’ll say, in this era of geopolitical volatility. And so, for instance, we’ve committed in this context to push back, including with litigation, in the event that there might be any order from any government anywhere in the world for us to seize or suspend cloud services, and that’s something that we think is especially important in today’s current environment. A third element we have in our European digital commitments is really focused on making sure we’re doing everything we can do to continue protecting and defending the Privacy of European Data, and in that connection we actually have invested over some years now in an EU data boundary for the Microsoft Cloud that allows us to commit to our customers that their data is stored and processed within the European Union and after countries as well. And we’ve taken also additional steps, too, in relation to sovereign controls to make sure that we are being responsive to the sorts of things we’re hearing from customers, from partners and from government stakeholders as well. So we’re doing various things in this area that we hope are going to be responsive to the concerns that are out there, but I’d also maybe just conclude by echoing the comment that Anke made, that it is natural and appropriate to focus on the challenges and the problems, but I think also the opportunity is so immense in this era of AI, and I hope in this conversation we can talk a bit more about that as well, because it’s pretty exciting what is happening.

Jenna Fung: Awesome. Thank you so much, Jeff. So far right now we can hear some key words coming up in the context of thinking, you know, the current concentrations of cloud computing markets. We can hear that there’s legitimate concerns around control of data, but at the same time around, you know, trust in this kind of services and the service provider as well. Before I turn it over to Agostina to add a little bit, I also want to bring up the second question because of Agostina’s background in that, and we can slowly ease into that part as well, because we talk a lot about dependencies on this dominant cloud providers, and you know, based on the topics around trust and legitimate concerns around controls of sensitive data, I wonder if Agostina can shed some light on how the situations are like in Global South, and you know, there’s a, you know, it’s probable that some other regions are using different kinds of service providers, not necessarily just U.S. based, but perhaps like Agostina can speak to more about the situations. Thank you. My transition right here is, earlier Jeff mentioned about transparency in accountabilities and that is also something that comes up a lot when different stakeholders bring up this very topic. And so leading us to question two, if we have to explore some shared approach that government, private sectors, civil society to manage strategic and regulatory and operational risk like the ones, some of the ones that we just mentioned and to whole service provider now very prominent private cloud services like the US-based companies but there’s other chances that you know different kinds of organizations or initiatives will emerge. Well this kind of like shared approach that we would want to take so that we are not losing the benefit of this kind of cloud service providing us because you know with the structure we have nowadays we are enjoying the cloud efficiency essentially and also you know scaling globally this is also something we’re enjoying but if we want to hold them accountable what are some shared approaches that different stakeholder could take. So now I would like to turn it over to Agustina and I’m so sorry if I make it overly complicated by you know putting the two questions together but I hope that you can give us some context from the perspective of Global South that will be very interesting to our audience today. Agustina over to you.

Agustina Brizio: Yeah thank you so much Jenna I will try to comprise everything. I’ll start with some key points that basically are some common threats. Some were already covered both by Anke and by Jeff, and I think they just light up the main discussions we have towards service providers. And when we think about cloud services in general, there’s a global concern about what’s happening with this key infrastructure upon we are basing our digital ecosystem and how we have a few dominant providers, maybe US-based companies that are in some point basically defining and shaping a little how digital landscape is going to be with some interventions from states regarding policy and some specific aspects. But we see, especially from the Global South, that many of this loss has a lot of challenges, mainly because of the transnational layer regarding both cloud and the Internet, and also about the power imbalances that usually these companies have when they face government. So in cloud services specifically, and since both Jeff and Anke talked about how relevant they are and how key they are to thinking the future of technology, this problematization is not about a matter of market shares or how it should be distributed among providers. It basically is how we are seeing who is taking decisions on the digital foundation of our societies. So here in Latin America, in general, we have a big dependency on these hyperscalers. We usually use mainly US providers, and that’s not only for the administration platforms that we use in governments, but it’s also where we host data, where a lot of our public policies are based on, and we cannot just take outside the picture the fact that many of the hyperscalers don’t even have a presence within the region. So it adds up a more complex layer on how to basically be able to regulate. or in some way exercise in an active way the concept of sovereignty translated into the digital world. And since many of these are basically relying on United States frameworks, because these companies are legally constituted there, this also poses a different layer of problematization into the democratic oversights that general society may execute through governments over these territories. So this, at least in Latin America, it’s not only like eroding our democratic construction, but it also diminishes the ability that governments have to respond into crisis, safeguard data or even to be able to design their own independent digital policies. So we’ve seen, especially in Europe, that several approaches have been led within a policy like GDPR, AI Act and the competences law market. There has been a lot of action from the state towards working in collaborations with these companies or trying to put like a digital rights framework within the development of these technologies. But still, when we are thinking it from the global south, there’s a really big imbalance and we have a massive regulatory gap towards how to basically work with this hyperscale because we want to have cloud services, we want to be able to develop better technological landscapes. But there hasn’t been like a concrete, there’s not like a tool that can be possibly used to basically reclaim some kind of tools regarding this so we can just foster progress. So I’m not going to get in depth in the problematic aspect. I think that probably a lot of our audience and people present their idea are quite aware what’s the problem with this big tech companies in general and how they affect not only markets, but also political sovereign decisions from governments. But I think that when we think about what to do with that, which is probably the thing we should all be trying to address more than the problems, there are some different actions that actually can be carried out in order to balance a little this power imbalance and this inequality situation. So that are, of course, really away from just technical fixes because it requires for governments and for every stakeholder actually to rethink the concept of sovereignty because when we usually talk about sovereign cloud initiatives or sovereign technologies, our mind instantly goes, okay, we need to have things within our territory developed by us and we have seen that this is not sustainable at a large scale. That requires too much investment and a lot of human talent that is not currently available, at least during the global subcountries. So we’re required to basically recognize and think as the folks on the cloud, as a strategic within the state. It’s not something that comes out and it’s just provided by a company for the government to be able to develop some services in a digital way. So we require from governments to think about different strategies in which you can address this ultra-concentrated market. For instance, and taking some of our experience in Argentina over the past years, there is always the solution to adopt a multi-cloud architecture in order to basically not have all the public services laid out on one provider generating a very critical situation. So in that way, when you think about different providers, not only the big ones, but also prioritizing local providers, you’re basically thinking about a more open standard guaranteeing portability and interoperability from a regulatory framework. At least this is a specific way in which basically as governments, we can rely on still using the cloud, still seizing all the opportunities and the power the cloud has in terms of innovation and of developing, but avoiding a little or not falling into the event or lock-in, which is probably the most critical situation, not in terms of a technological problem of interoperability. The problem with lock-in relies on the fact that the government is no longer able to take an autonomous decision once you have everything deployed in one provider, because we have a lot of problems with interoperability, without moving things, so by being able only to take some kind of decision regarding how services are provided, how data is stored. So I think keeping in mind this flexible structure helps a lot in order to be able to seize cloud services so we don’t have to sacrifice our performance while still retaining a little autonomy in terms of how to make decisions. And I think that to encompass this strategy of the multi-cloud architectures, there is a lot of investment required in both national and regional cloud capacities in this sense. So in Argentina, we did experiment a little with this. We have a telecoms provider, Arsat, it’s a company that basically provides internet services, satellite services, and it has a data center that is able to provide at least some kind of cloud services, and we wanted it to grow a little bit. So we tried with this approach. to basically foster innovation, target some specific investment within the company working with these big service cloud providers. So, our main goal with this kind of situation was to see that it is possible to think about different cloud models that not only are entirely public or entirely private that can actually have a blend and still maintain a little of public decision of frameworks that actually foster accountability, transparency and also in some way are thinking about the country’s long-term sovereignty because having a steady strategy that is rooted in some local actors also backs up into the educational ecosystem, the productive ecosystem, you are able to develop more targeted services to our local companies. So, it’s like a fuel to a general economy market into a productivity model, but this model is required basically to have a strong technical capacity, strong stable policy and basically a public mandate which was basically at least the thing we have a little more difficult within Latin America in general because we have a not very steady political landscape to encompass thinking about how we address tech in the long term as we are seeing that EU is more able to do so. And this is also very important because when we think about how we can shape cloud services or digital technologies in general, this is not something that can be achieved by the state itself. So, this requires to rethink how public and private sector interact among each other, how local industry, academia and civil society is incorporated in an effective governance framework, not only one that gathers multi-stakeholders in a table but then has only one or two stakeholders making the decision. So, that’s like the second key point of this, we need to rethink how we govern technology from a regional perspective, especially now that the geopolitical aspect of tech is being like so polarized and so critical. So, in this general context, we need to think a little more in a systemic way and being able to develop not only spaces to have different voices heard, we need to have like real enforcement mechanisms. And to finish on this about what actions can we actually take, I think our public procurement is amazing. level here. So the decisions are taking by government should take all this problems and this aspects into consideration. So we as governments we should be including in every public procurement contract things as data localization, as having over standards, as having a more transparent governance because those are the key aspects that governments actually can tweak a little in order to have some kind of impact in a landscape that it’s so big that they are not able to cover. So this is at least especially in our region, with the power imbalances we usually face, I think that these are like part of the key things that we can actually do that are doable and are achievable. And in that way, in an indirect way, at least help a little into targeting technical independence, because I think that the key thing with cloud services that are like, as the Internet was at one point, the other layer of every aspect of the digital ecosystem, we need to be able to permeate into that ecosystem, our values of justice, of inclusion, and now more than ever, of having a collective control of what’s happening there, because that’s why we kind of need to have solid infrastructures. But when we’re talking about infrastructures, it’s not just about thinking how efficient they are, how to make them more resilient and more secure, but we need to have a really social and democratic governance mechanism towards these infrastructures, because they are in some way becoming like a public good. So I think that this is at least one of the key issues on how we understand the cloud, what’s the layers and what’s the names we’re going to put on them to see what are the most effective policies and how to get basically all stakeholders engaged. Otherwise, this is always a discussion that seems to be reliant to engineers and to technicals, because the cloud is like that infrastructure that only concerns the technical community, whilst as we’re thinking, as you were saying, Jenna, with AI and everything, cloud is being like the spine of all the digital ecosystems. So I think that’s why we need to have a more socio-technical approach even to this, to start thinking how we want to govern it.

Jenna Fung: Awesome. Agostina, this is perfect timing, because I was about to stop you as well, because you bring up some really key, important topics into the conversation. because you bring up the conversation about democracy as well. But coming back to the original questions that we start with, I think some of the really key principle as we try to think of some effective policies to deal with the situations or share approach to counter our dependency on this very concentrated cloud services that we’re relying on these days is some of the things countries been doing in Latin America, for instance, is to, for instance, diversify their ecosystems and interoperability is also something that’s important. Perhaps the audience also have their own view, depends on what you subscribe to. And I would love to hear what you think it’s important for us to be a shared approach as you bring back the insights you get from this panel today, back to your own role, whether you are a policymaker or just someone working in NGO or whether you’re a student or not, because this is like a conversation where we need to have more stakeholder, but not so much only the government having control or the companies who are providing the services. So I guess like that’s one thing later on as we open the queue, we can continue and further the conversation right there. But one thing I really want to, for us to continue and dive deeper is about the part about more diverse and perhaps secure as well, as well as local, locally accountable cloud ecosystem as well. Because based on some examples that Agustina shared with us, looks like there’s like, these are some of the not only proposal. but some of the actions done by some countries or community out there. And so I wonder, as we are moving on with our conversations, what are some of the mix of perhaps market-driven innovations, regulatory oversights and potential public interests will be most effective in supporting this kind of development make the cloud ecosystem more diverse, secure and locally accountable. Of course, we have people from private sectors and government in person with us and we might have very different view and perhaps we can merge a little bit with our last question as well because now with the development of a conversation right here, I think our speaker right here also took some notes which we can kind of consolidate so we can open the queue sooner and answer those questions too. Of course, I want to explore, what’s the mix of different strategies like market-driven innovations, regulatory oversights and potential public investment could be effective in supporting the development of more diverse, secure and locally accountable cloud ecosystem. And what the role should governments, industry or different stakeholders in this room play in fostering domestic cloud innovation through whichever methodologies. I don’t want to make suggestions here to limit your thoughts. And so maybe I’ll pass it over to you, Anke and then later on to Jeff and see what’s insight you guys can put it out here before we go into Q&A.

Anke Sikkema: Yes, thank you very much. And I think that those are a lot of questions at the same time. I think we could talk about this for days maybe. So, but I’m trying to keep it short because I think it’s also important to hear more from you. or for the people to have some time for Q&A in this hour as well. When we talk about the role of governments, what we saw and what are three key words that I would like to express here, and those are protect, promote and partnership. So these three words are also at the core of the DOZA agenda I talked about before. Protect is about the legislation and it’s not only about protecting users but also to protect market parties, to create a level playing field. To promote is to stimulate innovation and the entry of new providers and to create scale and it’s only possible by partnership. As Agustina also said, it’s not only governments of course, it’s a partnership of businesses, governments and also academia who can work together. This cooperation I think is very important and in Europe we have this example of Gaia X where this was this consortium of 100 companies who work together. What we also see now is a new initiative which is called the Eurostack. Maybe some of you have heard of it. It’s an idea for a European industrial policy initiative bringing together tech, governance and funding for Europe-focused investments to build and adopt a suite of digital infrastructure. So it’s on all layers of the stack, from connectivity to cloud computing, AI and digital platforms. I think it’s good to be realistic in what is feasible, but it’s an interesting idea. What we see is that the concerns we had in the Dutch cloud market are not unique. are in more member states of the European Union, so it’s important to work together. And I think maybe to address the point that Jeff is making, and maybe it’s over to you then, I think it’s also good to look at the chances, not only at the concerns, but to look at all the possibilities there are in the digital sector and what it brings to the economy, but what it brings to society as a whole as well. So let’s find a balance in this discussion to look at both sides and to make them reinforce each other. Thank you.

Jenna Fung: Jeff, do you have any response?

Jeff Bullwinkel: Happy to pick up off Anke’s comment and also maybe respond to some of the things that Agustina said in her helpful intervention. One way to focus on the positive in relation to what can be achieved through hyperscale cloud services, say from Microsoft, in relation to important things around cybersecurity, for one thing, as well as innovation, I think for another. And thinking about cybersecurity, which is indeed top of mind or needs to be for all of us, we do have the ability to invest at scale, excuse me, in a way that does exceed what not just other companies might do, but even governments in some cases. And so, for instance, every day we have the ability to aggregate about 77 trillion different signals from our cloud services in a way that allows us to understand how the threat environment is evolving and therefore guard against cyber attacks and threats even before they eventuate. And that’s something that we want to make sure we do in partnership with government stakeholders as well through sharing threat intelligence and that sort of thing. I’d also maybe pick up on the question in relation to data residency as it relates to sovereignty and the sense people have of needing the right level of control. Ukraine’s digital infrastructure as well as critical infrastructure controlled by private companies that Microsoft detected and it was allowed to, working with Ukrainians and with President Zelensky’s office directly, to guard against effectively. At the time of this cyber attack and the kinetic attack, Ukraine had on its books a law that required government data to be stored within the borders of Ukraine. They suspended that law and that allowed Microsoft and some other companies to actually migrate their data from Ukraine across our own infrastructure in the European Union, paradoxically perhaps giving them data sovereignty by dispersing their digital assets across Europe. And in fact, it was not surprising that among the first buildings to be hit by Russian missiles and tanks were Ukrainian government data centers. And so it’s worth thinking about that in relation to this broader topic of sovereignty or perhaps I would say. Equally, I think it is helpful to think about this new economy that’s developing around AI, this era of AI, because indeed there is this new technology stack that has developed and there are three fundamental layers to the stack. One is infrastructure. The second layer is around models, foundation models themselves, and the third is around applications, and ultimately of course it goes to end users. I do think this conversation today and maybe more generally often tends to focus perhaps undue attention on the infrastructure layer at the expense of everything else. Of course, it’s critical. The infrastructure is absolutely critical, naturally. As I mentioned, we as a company have built immense infrastructure across Europe, around the world, precisely to make sure that we can be now, as we always have been, an open platform company on which others can innovate and grow. It may well be the case that governments across Europe, around the world, Latin America perhaps, decide to invest public resources in their own infrastructure, and that’s, of course, their prerogative. We might have a point of view about whether that’s the right use of resources given what’s already built, but we don’t have a vote. That’s quite clear. But I think if you focus so wholly on the infrastructure layer, you overlook the innovation that’s happening at the model layer and the application layer. And that’s what really is so exciting today, because there’s so much that is happening around the creation of foundation models, large or small, that can run on hyperscale cloud services infrastructure, including that provided by Microsoft. And here we are in Europe, and even taking just two examples of French companies, Mistral AI, that people may have heard about, Hugging Face, are two French champions that actually operate not just on Microsoft infrastructure, but others as well, but doing immensely exciting things at the model layer for the benefit of communities across Europe, across France, across Europe, around the world. And ultimately, of course, applications also are proliferating at immense speed, because the innovation opportunity for people, individual entrepreneurs, small companies, large enterprises, is absolutely immense. And so people shouldn’t overlook how much can be done, is being done, including for the benefit of communities across the global north and the global south. And in fact, I had the benefit, even over the past year, spending some time in Africa, I was visiting Kenya and Egypt and Nigeria, Tanzania, Rwanda, and in All of these different markets have the ability to meet with some people who are doing amazing things at the foundation model layer and at the application layer, so we shouldn’t lose sight of that. The last thing I would say, of course, is that it’s incumbent on a company like Microsoft to make sure that as we have this infrastructure we’ve built, it needs to be open and accessible. Indeed, one of our core European digital commitments builds upon an announcement we made about a year and a half ago around our AI access principles. It’s really all about making sure that as a company, again, we are providing open access to those who want to use infrastructure in a way that benefits people more broadly.

Jenna Fung: Thanks, Jeff. It’s interesting that I’ve been hearing all the remarks from all our speakers and I realize how the recent geopolitical atmosphere brings us back to the very conversations and discuss about how we deal with infrastructure. The internet today is very different from what the tech people imagined the internet could have been decades ago. I was not born yet, so I don’t know what exactly it is. We only have four minutes left, so it’s really the time for you guys to talk about what really matters to you. It’s time to speak for yourself and what makes sense for any kinds of stakeholders, government, private sectors, or yourself, civil society, to do because this is the critical moment where exactly we bring us back to the conversation around market concentrations. We talked about infrastructure exactly. How do you guys see it? Do we have any online questions? We have one onsite. Amazing.

Corinne Katt: Test, test. Yeah, you guys can hear me? Sorry. It’s so confusing when you can’t hear yourself. So thank you so much for the wide-ranging conversation. My name is Corinne Katt. I am the head of Team Digital at Human Rights NGO, Article 19, and also a recovering postdoc who wrote their work on the political economy of cloud. The question that I had, especially for Jeff Bullwinkle, was around the notion of the sovereign cloud, which I know has come up quite often, and I’m in that sense quite tied into the debates in the Netherlands, which is where I’m originally from. I was part of the, I guess, the group of people who vocally pushed back and saw some real dangers with, especially the Dutch government, moving to a cloud that we don’t fully control. And I was wondering if you could give your assessment of where the debate stands now, as I’ve obviously read European commitments, but it’s still unclear to me how that would preclude Microsoft from being beholden to the Cloud Act, the US Cloud Act. And I was wondering what you could say and what further information you could give about that. Thank you.

Jeff Bullwinkel: Well, thanks for the question. And again, I think this concern about sovereignty autonomy, as I mentioned, really is not new, but it is pronounced, and it’s coming up in a more, I think, focused way, given the somewhat volatile geopolitics of it. We have, for a long time, been focused on trying to build a public cloud that is sovereign by design, effectively. And we actually enhanced that recently with an announcement that was made just last week. In fact, in your home country, your country of origin, when our CEO Satya Nadella was in Amsterdam for a major event, and he gave a talk in which he announced a new approach to sovereign cloud in Europe in the context of these broader European digital commitments that I mentioned earlier. And he described, excuse me, he described a couple of different approaches. One is sovereign public cloud, which has various elements of control to it. And secondly, a sovereign private cloud, which is designed really for customers. And perhaps it could be the Dutch government as one such customer that has a particular set of needs that are very specialized, where you want to have absolute autarky, autonomy, disconnectedness, you know, separate and apart from the global internet. That’s certainly something we can provide as well and have announced as part of this broader effort around sovereignty. So we understand the nature of the challenge, I would say. In this announcement also that Schaake made, he emphasized as well the critical role that our European partner companies play, including in the Netherlands, but also across Europe. And we do, in fact, do a lot of work already with various European companies in the context of our broader cloud services with a focus on value-add services they can provide that often do focus on sovereignty considerations. You know, one such company is Leonardo in Italy, Proximus in Belgium, Telefonica in Spain. There are various companies out there we work with quite closely and will work with more with a focus on sovereignty. In connection with the Cloud Act, and this really gets to this question of U.S. government access to data, as I say, this is nothing new. It goes back to Edward Snowden, you know, 12, by now 12 or so years ago. There are lots of things that we have done as a company to make sure that we guard against the risk of intrusive access to data that really is our, it belongs to our European customers first and foremost. And so Microsoft’s view is, now always has been, that first of all, it is our customers’ data, not our data. And so as and when we have a request for access, we actually committed some years ago already to defend against that access request for data up to and including litigation with the U.S. government, even in the Supreme Court. And we actually have a strong track record of doing just that. And the last point I guess I would make as well is that in the context of cloud services today, you know, most European companies in this space also themselves have global aspirations. And therefore also, much like Microsoft or another U.S. headquarter company, will be susceptible. to a jurisdiction in the same sort of way. And so I think the question really for all of us is, what kinds of steps can a company with global aspirations take that will be effective? But make no mistake, we are very mindful of the fact that, as a company, we are investing in Europe, for Europe, with our European customers and partners and government stakeholders in mind, and in a way that will protect their data against improper access. That, by the way, goes also for services around the world, I would say. Awesome.

Jenna Fung: Since we are over time, I will intentionally not allow our speaker to do any remarks, because on this very topic, digital autonomy, you know, it is a topic that we should ask to every single one of you who are in there, because you can see, you know, today on this panel, we have prominent voices from the government, from the private sectors, but at the end of the day, it’s also related to the people, and each and every one of us are the one who should answer those questions. And on this very topic, it’s hard for us to leave the term sovereignty, and it is a slippery slope sometimes. So how should we approach it? What makes sense to you? And what should we do? Perhaps that’s something and a question that you can bring home and continue the conversation elsewhere. I think that concludes our conversation here today. Thank you so much for being with us. Thank you. . . . . . .

Agreement points

Cloud computing provides essential benefits despite legitimate concerns

Speakers

– Anke Sikkema
– Jeff Bullwinkel

Arguments

Cloud computing provides essential efficiency and user-friendly services that benefit economy and society

AI era creates immense opportunities across infrastructure, model, and application layers

Summary

Both speakers acknowledge that while there are legitimate concerns about cloud concentration, the benefits of cloud computing for economy and society cannot be ignored. They emphasize the need to balance addressing concerns with recognizing opportunities.

Topics

Economic | Infrastructure | Development

Concerns about cloud market concentration and digital sovereignty are legitimate and natural

Speakers

– Anke Sikkema
– Jeff Bullwinkel
– Agustina Brizio

Arguments

Strategic dependencies on US-based cloud providers pose risks to national security and data control

Market concentration among few major providers creates legitimate concerns about digital sovereignty

Global South faces power imbalances and regulatory gaps when dealing with hyperscale cloud providers

Summary

All three main speakers agree that concerns about the concentration of cloud services among few providers are legitimate, natural, and appropriate, though they come from different regional perspectives.

Topics

Legal and regulatory | Cybersecurity | Infrastructure

Multi-stakeholder collaboration is essential for effective cloud governance

Speakers

– Anke Sikkema
– Jeff Bullwinkel
– Agustina Brizio
– Jenna Fung

Arguments

Government role involves three key elements: protect through legislation, promote innovation, and foster partnerships

Companies must follow government-made rules while maintaining self-regulation through responsible AI principles

Effective governance requires rethinking how public and private sectors interact with academia and civil society

Key questions about cloud governance require multi-stakeholder input beyond just government and companies

Summary

All speakers emphasize that addressing cloud governance challenges requires collaboration between governments, private sector, academia, and civil society, rather than any single stakeholder acting alone.

Topics

Legal and regulatory | Human rights | Economic

Similar viewpoints

Both speakers from government/policy backgrounds emphasize the importance of regulatory frameworks and government procurement policies as tools to address cloud dependency issues while maintaining benefits.

Speakers

– Anke Sikkema
– Agustina Brizio

Arguments

EU legislative measures like Data Act and Digital Markets Act help mitigate risks while promoting investment

Public procurement policies should include data localization and transparency requirements

Topics

Legal and regulatory | Economic | Infrastructure

Both speakers recognize that effective data sovereignty may require flexible approaches rather than strict data localization, though they approach this from different perspectives (private sector vs. government policy).

Speakers

– Jeff Bullwinkel
– Agustina Brizio

Arguments

Data sovereignty can sometimes be better achieved through distributed infrastructure rather than local storage

Multi-cloud architecture prevents vendor lock-in and maintains government decision-making autonomy

Topics

Infrastructure | Legal and regulatory | Cybersecurity

Both speakers support the development of regional and collaborative approaches to building cloud infrastructure capabilities, seeing this as a way to address dependency concerns while fostering innovation.

Speakers

– Anke Sikkema
– Agustina Brizio

Arguments

European initiatives like Gaia X and Eurostack aim to build collaborative digital infrastructure

Investment in national and regional cloud capacities can support local innovation ecosystems

Topics

Infrastructure | Economic | Development

Unexpected consensus

Flexibility over strict data localization requirements

Speakers

– Jeff Bullwinkel
– Agustina Brizio

Arguments

Data sovereignty can sometimes be better achieved through distributed infrastructure rather than local storage

Multi-cloud architecture prevents vendor lock-in and maintains government decision-making autonomy

Explanation

It’s unexpected that a major cloud provider (Microsoft) and a Global South policy advocate would agree that strict data localization isn’t always the best approach to sovereignty. Both recognize that flexibility and strategic distribution can be more effective than rigid local storage requirements.

Topics

Infrastructure | Legal and regulatory | Cybersecurity

Trust as fundamental challenge requiring ongoing attention

Speakers

– Jeff Bullwinkel
– Corinne Katt

Arguments

Trust is fundamental – people won’t use technology they don’t trust, and trust arrives on foot but leaves on horseback

US Cloud Act creates concerns about government access to European data despite company commitments to resist

Explanation

Despite being on different sides of the cloud sovereignty debate, both the Microsoft representative and the human rights advocate acknowledge that trust issues are fundamental and ongoing challenges that require continuous attention and cannot be easily resolved through technical solutions alone.

Topics

Legal and regulatory | Human rights | Cybersecurity

Overall assessment

Summary

The speakers showed remarkable consensus on the legitimacy of cloud sovereignty concerns, the need for multi-stakeholder collaboration, and the importance of balancing benefits with risks. They agreed that current market concentration creates real challenges while acknowledging cloud computing’s essential role in modern digital economy.

Consensus level

High level of consensus on problem identification and governance principles, with differences mainly in emphasis and proposed solutions rather than fundamental disagreements. This suggests a mature understanding of the issues across stakeholders and potential for collaborative policy development, though implementation details may still require negotiation.

Different viewpoints

Role of hyperscale cloud providers in cybersecurity vs. sovereignty concerns

Speakers

– Jeff Bullwinkel
– Agustina Brizio

Arguments

Hyperscale providers can invest in cybersecurity at levels exceeding individual governments, processing 77 trillion signals daily

Global South faces power imbalances and regulatory gaps when dealing with hyperscale cloud providers

Summary

Jeff emphasizes the security benefits and scale advantages of hyperscale providers, while Agustina focuses on the power imbalances and democratic oversight challenges they create, particularly for Global South countries

Topics

Cybersecurity | Legal and regulatory | Development

Infrastructure focus vs. innovation layer emphasis

Speakers

– Jeff Bullwinkel
– Anke Sikkema
– Agustina Brizio

Arguments

Focus shouldn’t be solely on infrastructure layer but also on innovation happening at model and application levels

European initiatives like Gaia X and Eurostack aim to build collaborative digital infrastructure

Investment in national and regional cloud capacities can support local innovation ecosystems

Summary

Jeff argues against excessive focus on infrastructure layer, preferring emphasis on model and application innovation, while Anke and Agustina advocate for building independent infrastructure capabilities as foundation for sovereignty

Topics

Infrastructure | Economic | Development

Distributed vs. localized data storage for sovereignty

Speakers

– Jeff Bullwinkel
– Agustina Brizio

Arguments

Data sovereignty can sometimes be better achieved through distributed infrastructure rather than local storage

Public procurement policies should include data localization and transparency requirements

Summary

Jeff uses Ukraine example to argue that distributed storage can provide better sovereignty protection, while Agustina advocates for data localization requirements as a tool for maintaining government control

Topics

Legal and regulatory | Cybersecurity | Infrastructure

Unexpected differences

Benefits vs. risks framing of cloud services

Speakers

– Jeff Bullwinkel
– Agustina Brizio

Arguments

AI era creates immense opportunities across infrastructure, model, and application layers

Cloud dependency affects democratic oversight and government ability to respond to crises

Explanation

Unexpected because both acknowledge cloud benefits, but Jeff consistently frames the discussion around opportunities and innovation potential, while Agustina emphasizes democratic erosion and crisis response limitations – representing fundamentally different risk-benefit calculations

Topics

Economic | Human rights | Legal and regulatory

Trust-building approaches

Speakers

– Jeff Bullwinkel
– Corinne Katt

Arguments

Trust is fundamental – people won’t use technology they don’t trust, and trust arrives on foot but leaves on horseback

US Cloud Act creates concerns about government access to European data despite company commitments to resist

Explanation

Unexpected because Jeff emphasizes trust-building through company commitments and technical measures, while Corinne questions whether these commitments can overcome fundamental legal framework issues like the US Cloud Act – suggesting structural vs. voluntary approaches to trust

Topics

Legal and regulatory | Human rights | Cybersecurity

Overall assessment

Summary

Main disagreements center on whether solutions should focus on company commitments and distributed infrastructure versus building independent capabilities and stronger regulatory frameworks, with particular tension between innovation opportunities and democratic governance concerns

Disagreement level

Moderate disagreement with significant implications – while speakers share concerns about market concentration, their different approaches (corporate self-regulation vs. government intervention vs. democratic governance) could lead to incompatible policy directions and highlight fundamental tensions between efficiency, innovation, and sovereignty in cloud governance

Partial agreements

Similar viewpoints

Both speakers from government/policy backgrounds emphasize the importance of regulatory frameworks and government procurement policies as tools to address cloud dependency issues while maintaining benefits.

Speakers

– Anke Sikkema
– Agustina Brizio

Arguments

EU legislative measures like Data Act and Digital Markets Act help mitigate risks while promoting investment

Public procurement policies should include data localization and transparency requirements

Topics

Legal and regulatory | Economic | Infrastructure

Both speakers recognize that effective data sovereignty may require flexible approaches rather than strict data localization, though they approach this from different perspectives (private sector vs. government policy).

Speakers

– Jeff Bullwinkel
– Agustina Brizio

Arguments

Data sovereignty can sometimes be better achieved through distributed infrastructure rather than local storage

Multi-cloud architecture prevents vendor lock-in and maintains government decision-making autonomy

Topics

Infrastructure | Legal and regulatory | Cybersecurity

Both speakers support the development of regional and collaborative approaches to building cloud infrastructure capabilities, seeing this as a way to address dependency concerns while fostering innovation.

Speakers

– Anke Sikkema
– Agustina Brizio

Arguments

European initiatives like Gaia X and Eurostack aim to build collaborative digital infrastructure

Investment in national and regional cloud capacities can support local innovation ecosystems

Topics

Infrastructure | Economic | Development

Key takeaways

Cloud market concentration among few major providers (primarily US-based) creates legitimate concerns about digital autonomy, data sovereignty, and democratic oversight

Trust is fundamental to cloud adoption – users won’t adopt technology they don’t trust, and maintaining trust requires transparency and accountability from providers

A balanced approach is needed that captures cloud benefits (efficiency, innovation, cybersecurity) while addressing sovereignty concerns through diversification and regulatory frameworks

Multi-cloud architecture and avoiding vendor lock-in are essential strategies for maintaining government decision-making autonomy

Effective cloud governance requires multi-stakeholder collaboration between governments, private sector, academia, and civil society rather than single-actor solutions

Government roles should focus on three pillars: protect through legislation, promote innovation, and foster partnerships

Public procurement policies can be powerful tools for incorporating data localization, transparency, and sovereignty requirements

Innovation opportunities exist across all layers of the technology stack (infrastructure, models, applications), not just infrastructure

Regional cooperation and hybrid public-private models can provide alternatives to complete dependency on global hyperscalers

Resolutions and action items

Participants should bring the conversation about digital autonomy back to their own countries and contexts for further discussion

Governments should incorporate data localization, open standards, and transparency requirements into public procurement contracts

Investment in national and regional cloud capacities should be prioritized to support local innovation ecosystems

Multi-cloud architectures should be adopted to prevent vendor lock-in and maintain decision-making autonomy

Unresolved issues

How to effectively address US Cloud Act concerns regarding government access to European data despite company commitments

What specific mix of market-driven innovation, regulatory oversight, and public investment would be most effective for developing diverse cloud ecosystems

How to balance the benefits of hyperscale cloud services with sovereignty concerns in practice

How to achieve sustainable local cloud development given limited investment capacity and human talent in many regions

What constitutes the optimal definition and implementation of ‘digital sovereignty’ versus complete technological autarky

How to ensure democratic governance mechanisms for cloud infrastructure that increasingly functions as public goods

How smaller countries and Global South nations can effectively negotiate with powerful hyperscale providers given existing power imbalances

Suggested compromises

Adopt ‘open to the outside world where possible, protective when necessary’ approach as demonstrated by Netherlands’ DOSA agenda

Implement sovereign cloud solutions that offer different levels of control – from sovereign public cloud to completely disconnected sovereign private cloud

Develop hybrid public-private cloud models that leverage global capabilities while maintaining some local control and decision-making authority

Focus on creating open and interoperable standards rather than complete technological independence

Pursue regional cooperation initiatives (like European Gaia X and Eurostack) that pool resources and expertise while maintaining some autonomy from global providers

Use partnership approaches with hyperscale providers that include European companies providing value-added sovereignty-focused services

Trust arrives on foot and leaves on horseback – a famous Dutch statesman quote that guides everything we do. People will simply not use technology they don’t trust.

Speaker

Jeff Bullwinkel

Reason

This metaphor powerfully encapsulates the central challenge in cloud computing discussions. It reframes the entire debate from technical specifications to fundamental human psychology and trust-building, acknowledging that all technological solutions are meaningless without user confidence.

Impact

This comment shifted the conversation from purely technical and regulatory concerns to the human element of technology adoption. It provided a philosophical foundation that influenced how subsequent speakers framed their arguments, with trust becoming a recurring theme throughout the discussion.

The problem with lock-in relies on the fact that the government is no longer able to take an autonomous decision… So we require from governments to think about different strategies in which you can address this ultra-concentrated market.

Speaker

Agustina Brizio

Reason

This comment redefines vendor lock-in not as a technical problem but as a democratic governance issue. It challenges the audience to think beyond efficiency metrics to consider how technological dependencies can erode governmental decision-making autonomy and democratic oversight.

Impact

This intervention fundamentally elevated the discussion from market competition concerns to democratic governance implications. It introduced the concept that cloud dependency isn’t just about economics or security, but about preserving democratic institutions’ ability to make autonomous decisions.

Ukraine suspended their law requiring government data to be stored within borders, and paradoxically achieved data sovereignty by dispersing their digital assets across Europe when Russian missiles targeted their data centers.

Speaker

Jeff Bullwinkel

Reason

This real-world example challenges conventional thinking about data sovereignty and physical location. It demonstrates how rigid interpretations of sovereignty can actually undermine security and autonomy, forcing a reconceptualization of what digital sovereignty means in practice.

Impact

This concrete example forced all participants to grapple with the complexity and potential contradictions in sovereignty concepts. It shifted the discussion from theoretical policy frameworks to practical realities, influencing how other speakers addressed the balance between ideological positions and pragmatic needs.

We need to have a more socio-technical approach… because cloud is being like the spine of all the digital ecosystems. This is always a discussion that seems to be relegated to engineers and technicals, whilst cloud is becoming the infrastructure that affects everyone.

Speaker

Agustina Brizio

Reason

This comment challenges the technical framing of cloud discussions and argues for democratizing the conversation. It recognizes that infrastructure decisions have profound social implications and shouldn’t be left solely to technical experts, calling for broader stakeholder engagement.

Impact

This observation broadened the scope of who should be involved in cloud governance discussions. It influenced the moderator’s closing remarks about how ‘each and every one of us’ should answer these questions, moving the conversation from expert-driven to citizen-inclusive governance models.

Open to the outside world where possible and protective when necessary – this is how we look at Digital Open Strategic Autonomy.

Speaker

Anke Sikkema

Reason

This formulation provides a nuanced middle path between technological nationalism and complete openness. It acknowledges that absolute positions are impractical while providing a framework for making contextual decisions about when to prioritize openness versus protection.

Impact

This balanced approach influenced how other speakers framed their arguments, moving away from binary thinking toward more nuanced policy positions. It provided a practical framework that other participants could reference when discussing their own regional approaches.

This conversation tends to focus perhaps undue attention on the infrastructure layer at the expense of everything else… you overlook the innovation that’s happening at the model layer and the application layer.

Speaker

Jeff Bullwinkel

Reason

This comment challenges the entire premise of focusing primarily on infrastructure ownership and control. It argues that innovation and value creation happen across multiple layers of the technology stack, potentially making infrastructure ownership less critical than commonly assumed.

Impact

This reframing attempted to redirect the conversation toward innovation opportunities rather than dependency concerns. While it didn’t fully shift the discussion’s focus, it introduced important complexity about where value and control actually reside in modern cloud ecosystems.

Overall assessment

These key comments collectively transformed what could have been a narrow technical discussion about cloud market concentration into a rich, multi-dimensional conversation about democracy, trust, sovereignty, and innovation. The most impactful interventions challenged binary thinking – moving beyond simple dichotomies of dependence vs. independence, local vs. global, or security vs. innovation. Instead, they introduced nuanced frameworks for thinking about these trade-offs contextually. The discussion evolved from identifying problems to exploring practical approaches that balance multiple competing values. The Ukrainian example and trust metaphor were particularly powerful in grounding abstract policy concepts in human realities, while the calls for socio-technical approaches and democratic participation broadened the conversation beyond technical experts to include broader societal stakeholders. Overall, these comments elevated the discussion from a policy workshop to a fundamental examination of how societies should govern critical digital infrastructure in an interconnected world.

How can the EU data boundary for Microsoft Cloud be further strengthened to ensure complete protection against US Cloud Act requirements?

Speaker

Corinne Katt

Explanation

This question addresses a critical gap in understanding how Microsoft’s European commitments actually protect against US government data access requests, which remains a key sovereignty concern for European governments and organizations.

What specific mechanisms can ensure effective multi-stakeholder governance frameworks beyond just gathering stakeholders at a table?

Speaker

Agustina Brizio

Explanation

This highlights the need for research into practical governance structures that give meaningful decision-making power to all stakeholders, not just token representation, which is crucial for democratic oversight of cloud infrastructure.

How can Global South countries develop sustainable technical capacity and stable policy frameworks for long-term cloud sovereignty strategies?

Speaker

Agustina Brizio

Explanation

This identifies a critical research area for understanding the specific challenges and solutions needed for developing countries to achieve digital autonomy without sacrificing technological benefits.

What are the most effective public procurement contract terms and enforcement mechanisms that governments can use to influence cloud provider behavior?

Speaker

Agustina Brizio

Explanation

This represents a practical area for further research into how governments can leverage their purchasing power to achieve sovereignty goals while maintaining service quality and innovation.

How can the balance between ‘open where possible, protective when necessary’ be operationalized in practice across different types of government data and services?

Speaker

Anke Sikkema

Explanation

This requires further research into developing clear frameworks and criteria for determining when protective measures are necessary versus when openness should prevail in cloud service decisions.

What lessons can be learned from the Ukrainian data migration case study for other countries’ data sovereignty strategies during crisis situations?

Speaker

Jeff Bullwinkel

Explanation

This case study raises important questions about how traditional data residency requirements may need to be reconsidered in light of physical security threats and crisis management needs.

How can innovation at the model and application layers be better supported and recognized in sovereignty discussions that tend to focus primarily on infrastructure?

Speaker

Jeff Bullwinkel

Explanation

This suggests need for research into more comprehensive approaches to digital sovereignty that consider the entire technology stack and innovation ecosystem, not just infrastructure ownership.

What specific steps should each stakeholder group (government, private sector, civil society) take to achieve meaningful digital autonomy?

Speaker

Jenna Fung

Explanation

This overarching question was posed to the audience as a call for continued discussion and research into practical actions that different stakeholder groups can take to address cloud concentration concerns.