Knowledge Base
In-depth architecture patterns, implementation guides, and operational constraints for cloud-native systems.
OVHcloud, Scaleway, Hetzner, IONOS, STACKIT, T Cloud Public, 3DS Outscale, Cegedim.cloud, Aruba. EU-native pure-play providers mapped by compliance tier, service breadth, and procurement fit.
The national frameworks, cross-cutting baselines, and regulatory overlays add up to dozens of acronyms. This article is the decision tree that maps 'I am [type of organisation] doing [type of workload] in [geography]' to 'these are the frameworks that actually apply to you'.
A SOC 2 report, a C5 attestation, an ENS audit certificate, an ACN qualification dossier — what to look for, what to ignore, what to ask follow-up questions about. The practitioner skill that turns compliance documents into actual signal.
The EU AI Act applies progressively from 2025 through 2027. For cloud providers, two roles matter: provider of general-purpose AI models, and infrastructure for customer-deployed AI systems. For customers, deployer obligations apply at scale. This article walks through what AI Act actually requires of cloud providers, where it intersects with GDPR and NIS2, and what to plan for.
EUCS has been the most-anticipated and least-delivered EU cloud regulation for half a decade. This article tracks what state EUCS is in as of mid-2026, who's blocking what, what the ANSSI/BSI March 2026 joint statement means, and what realistic adoption scenarios look like. A dated reference article — designed to be re-read against current events.
Provider-managed keys, BYOK, HYOK, External Key Stores. Every cloud sovereignty conversation eventually arrives at key custody. This article walks through the patterns, the hyperscaler implementations (AWS XKS, Azure CMK, Google EKM), the operational trade-offs, and why customer-held keys are the most practical sovereignty answer short of full sovereign cloud.
Norway is in the EEA. Most EU cloud regulation reaches Norway via EEA incorporation, including GDPR (directly applicable) and NIS2/DORA (in progress). On top, NSM's Grunnprinsipper guide ICT security, Sikkerhetsloven governs classified information, and Finanstilsynet supervises financial-sector cloud. This article maps how the Norwegian regime relates to the EU base.
Switzerland is not in the EU and not in the EEA, but is deeply bilateral with both. The cloud framework is composed: FINMA Circular 2018/3 for financial services, the revised nFADP for data protection (GDPR-aligned with lower penalties), and sector-specific regulation for healthcare, defence, and classified information. For Slovak organisations with Swiss customers — and Swiss organisations consuming EU cloud — the regime is adjacent but procedurally distinct.
The UK left the EU but kept GDPR (as UK GDPR), kept ISO standards, and did not adopt EUCS. NCSC's 14 Cloud Security Principles are the operative UK government cloud guidance, with Cyber Essentials and Cyber Essentials Plus as the certification scheme. For EU CSPs serving UK customers (and UK CSPs serving EU customers), the regime is adjacent but distinct.
Microsoft EU Data Boundary, AWS European Sovereign Cloud, Google Workspace EU Data Boundary. Three different commitments, three different scopes, three different things being promised. This article unpacks what each actually covers, what each excludes, and how to read the technical small print.
Hyperscaler joint ventures, EU-native operators, partner sovereign clouds, and dedicated sovereign regions. The European sovereign cloud market in 2026 has more options than three years ago, but the variety hides real differences in what each product actually delivers. This article maps the landscape.
PiTuKri is officially guidance, not statutory. In practice, it is the gate for handling Finnish classified information in the cloud. The Finnish NIS2 transposition (Act 124/2025) has been in force since April 2025; the replacement criteria library is in public consultation and scheduled for finalisation in autumn 2026 — until then, a real gap between the new risk-based law and the 2020 cloud framework exists.
Poland regulates cloud through the National Cybersecurity System (KSC). The NIS2-aligned amendment (informally 'KSC2') entered into force on 3 April 2026 with a pending Constitutional Court review. The parallel National Cybersecurity Certification System (KSCC) was adopted in June 2025 and is operationalising.
Czechia has no dedicated cloud qualification framework. Cloud security is regulated horizontally through the new Cybersecurity Act (264/2025 Sb.), effective 1 November 2025, with a full implementing-decree stack already in force (408, 409, 410/2025 Sb. and others). NÚKIB supervises; CSPs are assessed as supply-chain participants.
BIO2 v1.3 is the Dutch government's security baseline since 5 March 2026, superseding BIO v1.04zv. The Cyberbeveiligingswet — the Dutch NIS2 transposition — was approved by the Tweede Kamer on 15 April 2026 and is in Senate review. The cloud profile is operated by hyperscalers via independent attestation.
ENS is not a cloud-specific framework — it covers every public-sector information system. But its cloud profile (PCE) and three-tier model make it one of the more workable EU regimes for hyperscalers.
Italy's qualification framework is the most formally structured in the EU — statutory timelines, four levels, mandatory public catalogue, and a state-controlled Polo Strategico Nazionale for the strictest workloads.
If you did not choose a source of truth, the live cloud chose for you. IaC repo, cloud APIs, Backstage, CMDB — pick deliberately and document the choice.
Status pages are public communication, not monitoring. The green dot lags reality by 30+ minutes. Service Health helps. Build your own observability first.
No enterprise cloud contract has a billing-level hard cap. Budgets alert. OCI quotas enforce resource ceilings. What is real and what you actually wire up.
Support tiers sell response time. What you buy is triage access and relationship quality. When premium support earns its cost and when it doesn't.
Reservations save 30–72% only if utilisation stays high. The discount you committed to keeps billing after the workload changes. Here is the math vendors skip.
Azure RBAC and OCI IAM look similar until inheritance, deny semantics, and role catalogues diverge. Get the model wrong and least privilege is fiction.
Documentation rots. CCoEs drift to meetings. The fix is treating docs as a maintained product and the CCoE as an enabling team with a real charter.
Most cloud training is free if you know where to look. Certification names expire in 18–24 months. The durable approach: learn by role track, not by exam code.
The service model pyramid tells you nothing operational. What the provider manages, what stays on you, and where lock-in lives — connector, not runtime.
The most useful and most overengineered concept in cloud adoption. What to take from reference architectures, what to skip, and the real cost of retrofitting.
Names are permanent — embedded in IaC, DNS, and certificates. A bad convention is debt you pay forever. The schema that survives Azure and OCI at real scale.
Region choice locks in data residency, resilience, and service availability for years. The portal calls it a dropdown. It is an architectural decision.
Most orgs skip sandboxes or build them too locked-down to use. Either way, engineers find production. How to build one that gets used without eating budget.
Services launch in one US region and stay there a year. Sovereign clouds miss capabilities. 'Available' often means 'with a ticket.' Verify before committing.
The shared responsibility chart is tidy on a slide. In production it falls apart. Managed never means hands-off. What stays on you — every service, every time.
Without enforcement, tagging is fiction. Most orgs believe coverage is higher than reality. The schema, enforcement model, and gotchas on Azure and OCI.
Organisational, billing, and governance boundaries collapse differently across Azure and OCI. Get the mental model wrong on day one and spend years undoing it.
IPAM tracks allocations. An address plan decides what to allocate and what to reserve. Most orgs skip the plan and pay for it in months of remediation later.
Hub-and-spoke, Virtual WAN, OCI DRG v2 — three topologies, overlapping trade-offs. Decision framework and the non-transitive peering gotcha nobody warns about.
Circuit bandwidth is not end-to-end application throughput. Redundancy is rarely as redundant as it looks. What actually survives production.
IP space looks infinite until two VNets try to peer with overlapping ranges. By then the fix is renumbering and weeks of work. IPAM costs nothing on day one.
Governance as a wiki page is fiction. Governance is what the platform enforces. EPAC, Security Zones, quotas, Cloud Guard — the gaps and how to combine them.
DORA Article 30 specifies the contractual content every financial entity must obtain from its cloud providers. The list is long, the substance is operational, and most pre-DORA cloud contracts do not meet it. This article walks through each clause, what it means in practice, and what financial entities and cloud providers actually negotiate.
The Slovak government cloud catalogue is mandatory for the public sector and tied to the national cybersecurity audit framework. As of mid-2026, it is also operationally out of step with the NIS2-era risk-based regime — the methodology still classifies by U1–U4 while the underlying law has moved to risk analysis.
The Critical Third-Party Provider regime is the most consequential innovation in DORA. For the first time in EU law, the European Supervisory Authorities can directly supervise cloud providers — not via their financial-services customers, but as named regulated entities. This article walks through how CTPP designation actually works, what direct supervision means operationally, and what hyperscalers do to prepare.
Single qualification level, 350+ requirements, hard caps on non-EU ownership, immunity from extraterritorial law. SecNumCloud is the framework that defined the modern EU sovereignty debate.
The Digital Operational Resilience Act has been in force since January 2025 and applies to every financial entity in the EU. This article is the overview — what DORA is, its five pillars, and how it fits with national frameworks. For the CTPP regime and contractual content, see the dedicated deep-dive articles.
The Cloud Security Alliance STAR Registry is the closest thing the cloud industry has to a global trust register. Three assurance levels, the CCM as the underlying control matrix, and integration with most major national frameworks. Useful as a navigation layer when comparing CSPs across heterogeneous compliance regimes.
C5 is not a certification, it is an attestation — and that distinction matters. The framework most adopted by hyperscalers, the de facto reference for EUCS Substantial, and the one that pairs cleanly with SOC 2. C5:2026 was published in March 2026, with C5:2020 remaining operative until audit periods beginning on or after 1 June 2027.
NIS2 doesn't just regulate operators directly — it regulates their supply chains, including cloud providers. This article unpacks what NIS2 supply-chain obligations actually look like for cloud customers and what evidence cloud providers must produce, with the per-country variation that matters in practice.
GDPR Article 28 is the operative article for every controller-processor cloud relationship. The EU Cloud Code of Conduct is the most pragmatic instrument for demonstrating Article 28 compliance at scale. This article walks through what Article 28 actually requires and what the CoC actually demonstrates.
SOC 2 is the most commonly referenced cloud security attestation in procurement. It is also the one most often misread — Type 1 confused with Type 2, scope confused with depth, exception language misunderstood. This article walks through what a SOC 2 report actually contains and how to read it for real signal.
Every national cloud security framework in Europe — KsVC, BSI C5, ENS, ACN, SecNumCloud, PiTuKri, BIO2 — references some combination of ISO 27001, 27017, 27018, and 27701. Knowing what each standard actually covers (and where each stops) is the prerequisite for working effectively with any of them.
Every EU member state grades cloud security differently, and the 'European' scheme that was supposed to harmonise them has been stuck for two years. Here is the actual map — who leads, who drifts, and what a multicloud operator has to navigate.
A practical introduction to modern BPM engines. What they solve, how they differ, and how to choose between Camunda, Activiti and Kogito for your organisation.
The standardised foundation for Azure adoption at scale. Architecture, design areas, platform vs. application zones, and the right IaC deployment approach.
Production-grade GitOps with Argo CD across multiple Kubernetes clusters. Progressive delivery, drift detection, and the Azure vs OCI platform choice.
No articles match the selected filters.