The cloud plays a key role in this. But not every cloud solution is suitable for the public tasks of municipalities. Maintaining control over your data is essential. This means knowing not only where your information is stored, but also which laws govern it, who has access to it, and how to mitigate the risks of loss, misuse, or dependency.

This article gives you five tips for developing a cloud strategy that is not only technically sound, but also administratively defensible and legally sound.

As the data controller, you are legally responsible for how data is stored and processed. You cannot outsource this responsibility to a vendor.

Therefore, choose a cloud partner that can demonstrably demonstrate that it is not a legal entity of a country with extraterritorial claims (such as the US or China), and ensure that this is also contractually stipulated in a DPA and associated processing agreement.

Most tenders use technical and financial criteria as starting points, but data sovereignty is either neglected or considered an abstract concept. Sovereignty should be a strategic assessment criterion.

Include in your program of requirements:

Formulate data sovereignty as a hard, no-knock requirement and substantiate it legally. Involve your procurement lawyer, DPO, and CISO early in the process.

The public sector has long been accustomed to relying on large, established vendors. But in the cloud and data domain, visibility and control are more important than scale.

A cloud partner who dodges these questions or dismisses them with "our security is best-in-class" doesn't fully understand the public context. Therefore, don't judge cloud providers by their branding or market share, but by their ability to offer openness, collaborate, and respect the public values ​​of transparency, autonomy, and accountability.

The NIS2 may have been postponed, but in the short term, municipalities will likely be required to comply with the NIS2 directive, which requires the European Union to impose stricter information security, incident reporting and risk management on critical and important entities.

In combination with existing frameworks such as the Baseline Information Security for Government (BIO), this means that municipalities must structurally recalibrate their cloud strategy:

Many generic cloud solutions offer insufficient guarantees on these points and are also legally difficult to audit. Have your cloud architecture assessed against NIS2/BIO requirements, including logging, escalation procedures, chain of custody, and compliance.

Digital autonomy isn't an IT project, but a strategic choice. The right cloud partner understands this and is able to offer technical solutions that align with public goals, such as reliability, accessibility, transparency, and control. Choosing a partner who shares these values ​​allows you to collaborate on solutions that combine security, innovation, and administrative legitimacy.

Assess suppliers based on their ability to adapt to public ambitions. This means not only considering technological specifications, but also their vision of responsibility, sustainability, and control.

The luxury of free cloud use is over. When it comes to digital responsibility, municipalities are increasingly in the spotlight. Citizens expect transparency, regulators demand compliance. And technology is developing faster than ever.

Controlling data isn't an IT issue, but a management task. It's about knowing where your information is located, understanding who has access to it, and being able to explain why you make certain choices. A sovereign cloud strategy provides the foundation for this. It's a prerequisite for maintaining security, autonomy, and accountability in the digital domain.

In our whitepaper, we demonstrate how a sovereign cloud enables organizations to effectively manage data security and comply with complex regulations.

Download the white paper and discover how your municipality can shape digital autonomy.