Something else we tend to take for granted is where our data is stored, and by whom. And yet the topic is rapidly growing in importance and causing companies to move away, or at least diversify, from the world’s largest cloud service providers.

Are startups too dependent on non-European vendors?

Amazon, Microsoft, and Google are all US-based companies and, accordingly, operate under US legislation. For some European startups and organisations, this hitherto-ignored reality is now a growing cause for concern.

Even in tech circles, it’s a little-known fact that, under the CLOUD Act, the US government can access cloud data held by US companies anywhere in the world. And that's a majority of global cloud data, given that AWS, Microsoft Azure and Google Cloud Platform hold 62% of cloud revenue worldwide.

This is cause for concern among European startups, companies, and citizens, as it effectively undermines data protection efforts set forth in the GDPR.

So, an increasing number of companies, including startups, are looking to move their data to providers who are only subject to European legislation, as the continent’s strict data protection standards mean companies’ most sensitive data is fully protected.

Still, Europe is only now waking up to this reality, and in doing so has come face-to-face with a disturbing disbalance – the EU market share of European cloud providers (CSPs) sits at a low — and decreasing — 13%. This means that 87% of the data stored in Europe could be subject to extra-territorial laws.

Is this a big concern for startups? At the end of the day, their principal cloud requirements are agility and global availability, opting for globally distributed providers that help them best achieve it. And once startups’ cloud needs are fulfilled, they can get back to focusing on their key concerns: product, people and profit (or funding…).

But does that mean they don't care about sovereignty? Not necessarily. A recent EY survey of French startups for France Digitale saw 65% of respondents say they feel over-dependent on GAFAM. Indeed, sometimes—and increasingly often—having the most stringent obligations in regard to privacy, data protection, ownership, and control takes centre stage.

This is the case with, for example, startups such as Golem.ai or Familink, that process highly sensitive public and private data, and for whom data sovereignty is of paramount importance. The latter, for example, which makes intelligent photo frames so that elderly users can enjoy family pictures, decided to repatriate its clients' data storage to France following pressure from its European users to cut ties with their former American providers. Proving the impetus to “go sovereign” can often come from a startup’s clients first and foremost.

What can startups do?

Fully migrating to an EU-based cloud service provider is one of the options for startups looking to protect their and their clients’ data. While it’s no minor endeavour, it’s becoming increasingly accessible thanks to containerisation and the standardised cloud solutions that come with it. Plus, migration projects often lead to the reevaluation of existing infrastructure, optimization, and fat trimming, which may result in a significantly lower monthly bill, as it did for Familink, who cut its cloud bill in half, whilst keeping the same server performance level.

Still, there’s a prevalent myth that keeps many startups from even considering Europe as an option – that the European cloud service offering is years behind the US. Today, this is patently false. Numerous European CSPs have stepped up significantly in recent years and offer US-level cloud services. For instance, Scaleway’s Hive provides hyper-scaler equivalent service for S3 object storage, 100% deployed in Europe.

It’s no longer a choice between performance and sovereignty, as you can have both. Especially when 80% of cloud needs are covered by 20% of the services currently available.

But that doesn’t mean you should put all your eggs in one basket. On the contrary. Another option for startups looking to protect their and their clients’ data is the multi cloud, namely hosting data across different CSPs. Despite adding a layer of complexity, the multi cloud answers acute industry risk-management issues such as security, data regionalisation, cost, lock-in, and geopolitics. It is, quite simply, the future of the industry, with about 90% of enterprises already enacting a multi-cloud strategy in some shape or form.

“Today or in the future, startups need to be able to use sovereign cloud resources, in order to protect their data and technologies, and to answer their clients’ needs, country by country and sector by sector”, says Gilbert Cabillic, CEO of ScaleDynamics, whose Container-as-a-Service (CaaS) platform allows startups to use and switch cloud resources, and “adjust according to their needs in terms of sovereignty”, at any given time, including in a multi-cloud configuration.

It’s not just about the data

In terms of sovereignty, today’s geopolitical context is of particular relevance. The widespread deleterious effects of accidental cloud service outages (e.g. AWS’ 2021 outages) should be heeded as a warning sign about over-reliance on a handful of providers. Doubly so, given that the big three are all US-based, as it begs the question – what would happen if an outage were sustained due to geographical factors or, worse still, intentional?

Trump’s ‘America first’, and other protectionist economic policies have already affected the tech sector, as, for example, Huawei’s Android license was revoked overnight. When the chips are down, there is little doubt that US interests will be prioritised. The Ukraine conflict has also underlined the risk of “splinternets”; no sooner had Russia invaded its neighbour last February than it limited its citizens’ access to Facebook and Twitter. How? With its 2019 Sovereign Internet Law. As such, ongoing geopolitical turmoil is a risk all European companies should take into account.

“Startup management is all about making choices and sovereignty is the ability to choose freely, without external influences. Without data sovereignty, startups are limited in their agility and the way they can produce value. For startups, data sovereignty is a long-term investment, very much like intellectual property, or building a capable team”, says Nathan Richard, Founder & President of Memento Cloud. “The startup ecosystem is like quicksand. Change is permanent, and startups must adapt quickly. In the long run, lacking data sovereignty is like playing with a half-empty hand of cards. What happens, for example, if being locked in with a specific provider prevents you from complying with important regulation?”

Food for thought

At the end of the day, we’re talking about risk management. Cloud services are a foundational technological layer, and the reality is that a technical or political short-circuit in the US, or indeed in China, could paralyse Europe, or intrude on the rights of its citizens.

Today, European cloud providers can meet the vast majority of cloud needs at the same, if not higher, level as their US counterparts, while offering other sovereignty-related advantages.

Startups, too, can participate in rebalancing the equation, and indeed, they must. The future growth and stability of European tech depends on it.

 

Scaleway will cover the majority of 100 European startups’ initial cloud costs, as part of a new program called “The Next 100 Startups Shaping Europe’s Future”. For more information and to apply, click here.

Pascal Condamine is VP Startups at Scaleway and is responsible for managing the Startup Team, which  selects, onboard and accompanies startups into the company's Early Stage and Growth Stage programs, as well as “The Next 100 Startups Shaping Europe’s Future” program.