Data sovereignty, cloud and security [Q&A]

As more and more information is stored in the cloud, often with hyperscale providers, the issue of data sovereignty -- where the information resides and who can access it -- becomes increasingly crucial.

We spoke to Sergej Epp, CISO at Sysdig, and previously CISO at Palo Alto Networks, to explore the theme of data sovereignty, cloud and security.

BN: How important is sovereignty in Europe, and how will that include approaches around cloud like security?

SE: In just two years, I've watched data sovereignty go from policy rhetoric to business-critical -- and the geopolitical shifts are impossible to ignore. For many governments, sovereignty now means embracing open source, not just using EU-based datacenters or ticking compliance boxes. Denmark is ditching Microsoft by fall 2025, and the Netherlands has built an entire 'Open Unless' policy. This isn't a theory anymore.

Open source is crucial for comprehensive, transparent security, and it actually equips you to inspect what's happening in your cloud environment. Increasingly, governments expect that security layer itself to be transparent -- not just some black box they have to trust blindly.

Consider national security: would you outsource it to another nation or rely on defense technologies that you can't control? The answer is likely no. These questions of sovereignty and transparency are exactly why we're seeing increasing interest from European defense and government sectors, especially in recent months. 

Across the world, people rely on open source tools like Falco, which is the open source standard for real-time cloud threat detection. It gives you real visibility into what's running in production, with code you can actually audit and trust. And Falco isn’t just being used by large cloud platforms, banks, and tech companies, but by governments and critical infrastructure across the EU.

BN: What challenges do companies face in planning ahead, and what will force their hands? How important is open source in this regard?

SE: I've been reading about Etteln recently, a tiny German village that just beat Hong Kong to become the world's most digital community. Every house and farm is connected with fiber-optic, they have a virtual town hall, and all residents have access to the village’s digital services. Their secret? Building on open foundations that they could actually understand and control.

Here's what I see forcing every company's hand today: AI regulations demanding explainability, the EU Data Act requiring portability by 2027, and runtime security becoming a mandate for regulations like NIS2. When your infrastructure choices determine compliance, transparency and control must be built into your digital foundation.

What’s important to note is that you don't need to go completely open source to attain sovereignty. In fact, most organizations run mixed environments. The key is having visibility into what's actually executing, regardless of what's built on top of it.

The argument is not about open versus proprietary anymore. It's about having transparent foundations you can audit and trust. Whether you're running commercial solutions or open tools, you need that runtime visibility layer underneath everything else.

BN: How will this affect long-term trends around industries, particularly those that are critical national infrastructure?

SE: AI is rewriting the entire software stack, and I see that as Europe's biggest opportunity in decades. When everything gets rebuilt from scratch, it upends the status quo. This is Europe's ‘iPhone moment’ for digital infrastructure and software.

The challenge is that, although Europe has world-class AI and cyber talent, most of these people work for European companies. Critical infrastructure needs experts, not consultants. We can take a page out of the US’s book here, with ‘revolving door careers’ where top talent moves between government, defense contractors, and the private sector. Better salaries, more equity, and real impact.

There is only one other missing piece: real customers, not just funding. The US cyber sector exploded because the Pentagon bought cutting-edge technology from startups. In an AI-disrupted world, startups don't just need money, they need smart customers and fast feedback loops. European defense and infrastructure should consider being beta customers for security startups if they want to protect themselves at the breakneck pace of innovation.

My take? The countries that control their infrastructure software stack will stay sovereign. Those who don't will rent their sovereignty from others.

BN: How will this also move into the physical world too, with concerns around defense and resilience?

SE: Today’s weapon systems are basically just data centers with armor. Drones, tanks, F-35s -- they're all running containerized applications and processing massive amounts of data in real-time. When your tank is a computer, cybersecurity becomes a battlefield advantage.

Here's the scary part: you build a tank to last 40 years, but software gets updated every 40 days. How do you maintain control over something that long? You must be able to see what's actually executing inside those containers on their weapons systems. Open source tools, and platforms built on open source standards, equip you to do just that.

We're seeing this everywhere -- autonomous systems, battlefield AI, and smart munitions all running on containers. When defense meets digital control, runtime security isn't just about data anymore.

Image credit: Teerasan/depositphotos.com

© 1998-2025 BetaNews, Inc. All Rights Reserved.