Data sovereignty is about the legal ability to control how data can be shared and used. Sounds simple, but how it’s applied can vary significantly. What does it mean from the perspectives of the European Union (EU) and VMware following the firm’s acquisition by Broadcom?
For the latter, there’s been intense market scrutiny on Hock Tan, Broadcom CEO and president, and his leadership team’s progress with their acquisition goals for VMware’s portfolio. Before the acquisition, VMware was not only vocal in its commitment to delivering products to bolster data and cloud sovereignty, but it also had an established product portfolio strategy aligned to EU sovereignty principles and reference architecture.
I recently spoke with Carme Artigas Brugal, co-chair of the United Nations artificial intelligence (AI) advisory body, who until last year was state secretary for digitalisation and AI for the Spanish government; she also coordinated the task force responsible for negotiating the EU’s AI Act. Artigas provided insights about the foundations of the EU’s position on data and cloud sovereignty.
What’s happened since the acquisition?
In the months after its purchase of VMware closed in November 2023, Broadcom has faced questions as Tan set out to implement the investment strategy that was the driving force for the deal, including completing VMware’s transition to a subscription licensing model and drastically simplifying its product portfolio and go-to-market approach.
As Tan noted in an email marking the first 100 days after the acquisition, Broadcom has made good on its pursuit of simplifying VMware’s product portfolio and ensuring consistency in its deployment and engagement. The portfolio is now a standardised, interoperable implementation of the VMware Cloud Foundation technology stack, configured for like-for-like deployments targeting on-premises set-ups and any of the various combinations of private, public, hybrid and multicloud operations.
Clear go-to-market channels for the core products have been established and delivered in what the company believes to be a competitively priced subscription pack. However, the subscription licensing, coupled with a restructured partner programme requiring some relationships to be reclassified, has sparked some concerns in VMware’s ecosystem. Watchful rivals are understandably seeking to exploit these developments and challenge Broadcom’s commitments to delivering data and cloud sovereignty.
The European Union and data sovereignty
According to Artigas, the EU sees data as a strategic raw material for the digital economy, and so it has sought to protect that resource. Elaborating, she said that “the EU, in principle, started developing GDPR, which was the General Data Protection Regulation that applies in the whole European Union, to protect personal data, but it also wants to protect industrial data.”
Recent key data protection laws in the region embody the principles and goals outlined in the EU’s strategy for data, which aims to create “a single market for data that will ensure Europe’s global competitiveness and data sovereignty.”
The EU strategy recognises that besides being a resource for economic growth, competitiveness, innovation and job creation, data has the capacity to drive progress in society through improved healthcare, safer and cleaner transport, more cost-effective public services, energy efficiency and improved sustainability.
The EU strategy also seeks to further the region’s leadership in the global data economy by providing an environment where high-value publicly held data sets from across the EU can be widely and freely available to all companies in member countries, along with a framework that supports industry-specific data-sharing and collaboration.
The strategy is reflected in the current network of EU data protection laws and support vehicles that are designed to ensure that more data becomes available for use in the economy, and keep companies and individuals who generate the data firmly in control. As Artigas explained, “data sovereignty refers to the principle that digital data is subject to the laws and governance structures within the context of the European Union. So, data generated within the EU must be governed by EU laws.”
- Common European Data Spaces, a growing vehicle that embodies the single market framework for data through the creation of interconnected common data spaces for strategic sectors such as health, agriculture, manufacturing, energy, mobility, financial, public administration, skills and media.
Combined, the EU strategy and laws serve to protect the rights and interests of European citizens, foster shared industrial and technological development, and establish that digital data generated or stored in the EU must be governed by EU laws, ensuring EU data is localised, processed and backed up in the EU according to these rules.
The EU and cloud sovereignty
For the EU to achieve data sovereignty as laid out in its strategy, cloud sovereignty is perhaps the single most important arrow in its quiver.
As Artigas explained, “Cloud sovereignty doesn’t mean that we don’t want any cloud provider from outside Europe, as that would be insane. It would not be practical and it would not be competitive. What we say is that within our club we define the rules.” Effective sovereign clouds, whether private, public or hybrid, have the necessary safeguards and protections, even if the cloud provider isn’t based in Europe. As a result, EU data in the cloud must be localised, processed and backed up within Europe according to EU data regulations like GDPR and the Data Act.
This translates to local datacentres and infrastructure for storage, processing and backups. It also relies on technology like “confidential computing” to provide data privacy even during processing, and the use of encryption techniques that split encryption keys between local and foreign providers to maintain residency control and protection.
This approach looks for cloud providers operating in the EU to align with initiatives that establish standards for federated cloud environments, to ensure interoperability between various platforms and respect for EU sovereignty rules. Equally important is qualified support for the EU Cloud Services Scheme (EUCS), a standard that evaluates the technical security controls of a cloud provider.
Establishing European data sovereignty may be viewed by some as a defensive move to ward off foreign governments seeking legal incursions into systems holding European data held by businesses in their jurisdiction. The reality is a more progressive stance for establishing “infrastructures of trust” through standards, certifications and agreements that facilitate global data flows and protect European data.
Ultimately, this approach looks to engender trusted international partnerships that embrace equivalent data protection standards to the EU for secure and safe data transfers. This may help to dispel claims of hijacking intellectual property developed elsewhere and to focus on safeguarding the intellectual property potential held within European data to drive industrial competitive progress in Europe.
Returning to Broadcom, in December 2022, Tan wrote an article which set out his intentions for VMware customers to be able “to exercise their own sovereign choices when storing and managing data.” Recognising a governmental focus on the economic and geopolitical power of data to drive growth, innovation and global competitiveness, VMware made a renewed commitment to its portfolio as “a key enabler in the adoption of sovereign clouds.” This added weight to the continuation of VMware’s data and cloud sovereignty support, but also the future development of tools and solutions.
Reassurance for VMware’s European ecosystem
Reviewing both the EU’s strategic approach for data and cloud sovereignty and Broadcom’s stated commitment to delivering a robust yet simple product portfolio, there are good reasons for EU-based customers, partners and others to feel reassured and optimistic.
Secondly, in a recent blog post, Broadcom vice president Ahmar Mohammad highlighted how the firm is providing European cloud suppliers with a single interface for a smooth cloud experience that facilitates hybrid cloud environments by allowing customers to transfer cloud licences. This creates flexible deployment options for customers and reduces supplier lock-in — a key concern for regulators.
The sovereign cloud offerings also address safeguards for data and metadata in a sovereign cloud jurisdiction, consistent with local and national requirements. This means that any Europe-based cloud service provider using Broadcom’s products to manage, store and process data and metadata in a local, sovereign platform automatically aligns with the GDPR and regional security standards.
Opportunity is within reach to deliver more in Europe
The principles in the EU data strategy ensure that the benefits are equally available to all organisations complying with all EU data regulations. This raises the competitive prospects for Broadcom, because rivals from other jurisdictions that respect EU sovereignty rules, support local infrastructure, make demonstrable commitments to the European market and policy goals, and comply with standards can claim equal advantages. This is a position well understood by the likes of Microsoft, Google and Intel.
There’s already considerable content from Broadcom that demonstrates both its understanding of the scope of opportunities and its commitment to the ethos of EU data and cloud sovereignty. The company must now show that it can enable commercial advantage and innovation in support of data spaces being created for different industries throughout the EU.
These spaces allow data protected by European rules to be shared and used to spur innovation, with examples including France’s agrifood data space targeting the agricultural and food sectors and Germany’s car industry data space. A unifying standard technology stack such as VMware Cloud Foundation will help to achieve consistency in data sharing.
Bola Rotibi is chief of enterprise research at CCS Insight.