The digital basis of European defense is significantly less European than the security policy claim suggests. According to the Horváth study “Aerospace & Defense”, 72 percent of cloud usage by defense technology companies is via US providers such as Microsoft, Amazon and Google. European providers together only account for 13 percent. For an industry in which current situation, production, logistics and development data have long since become a strategic advantage, this is more than just an IT question.
The study is based on personal in-depth interviews with more than 60 CxOs from defense companies in Germany and Europe. Their finding: Almost every second defense manager surveyed sees the lack of a sovereign cloud as the biggest bottleneck in operational capacities. At the same time, NATO’s critical infrastructure is exposed to ongoing cyberattacks.
Cloud as a strategic dependency
The focus of the debate is not just the location of data centers. The provider structure, legal framework, operating model and access options are crucial. The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) requires US companies to release data upon request from American authorities – even if this data is on servers outside the United States.
This creates a structural risk: European defense data can be processed in European data centers and still be subject to US law if the provider is an American company. The market concentration among a few large US cloud providers further exacerbates this dependency.
“Whoever controls the cloud also controls the outcome of a conflict,” explains defense expert Ralf Gaydoul. However, Europe doesn’t just need more investment in its own infrastructure. First, the countries of the European Union (EU) would have to jointly define what a sovereign cloud should achieve. Without a common understanding of digital sovereignty, every investment will remain piecemeal.
AI needs controllable data spaces
The dependency becomes particularly visible when using artificial intelligence (AI). According to the study, 82 percent of executives surveyed consider AI to be the most disruptive force in the defense sector. Their use changes leadership, control, situation assessment and logistics faster than many classic procurement programs.
The industry is already experimenting widely: 95 percent of the companies surveyed have started AI projects. However, many initiatives are still in early phases. Two obstacles are particularly slowing down scaling: security concerns when handling sensitive data and fragmented data landscapes. However, AI systems are only as powerful as the database they can access. When data is distributed across proprietary platforms, legally vulnerable cloud structures or difficult to integrate silos, the operational benefit remains limited.
Added to this is the technological change in hardware. By 2030, 90 percent of new military hardware will be connected via networked systems. This increases data volume, dependencies and attack surfaces at the same time. Gaydoul sums up the problem: “AI will only become a military advantage if Europe sovereignly controls the database for it. Therefore, the real challenge is not the AI, but the architecture of a sovereign cloud behind it.”
Sovereignty as an operational requirement
The study does not describe an abstract fundamental debate, but rather a practical architectural problem. Defense capability increasingly depends on whether data can be securely processed, shared, analyzed and kept available in an emergency. Cloud platforms become the basis for situation reports, simulations, supply chains, maintenance, deployment planning and AI-supported decision support.
This results in a clear need for action for Europe: sovereign cloud structures must be legally, technically and organizationally defined. These include controllable operating models, European legal areas, clear access restrictions, portable data architectures, strong encryption and fallback options in the event of geopolitical conflicts.
The central message of the Horváth study is therefore: Europe’s defense cannot treat digital sovereignty as a side issue. Anyone who will network military systems, scale AI and protect critical infrastructure in the future will also have to control the cloud on which these capabilities are based.
