Digital sovereignty in the tension between DORA, NIS2 and cloud providers

The AWS European Sovereign Cloud promises instant data sovereignty. But the reality is different: 72% of companies struggle with legacy systems that cannot simply be moved to sovereign clouds. DORA and NIS2 are increasing the pressure. A reality check for decision-makers.

On 15 January 2026, the AWS European Sovereign Cloud launched in Brandenburg. The promise: data sovereignty for regulated industries – entirely within the EU, under EU law, operated by EU personnel. Similar initiatives such as Gaia-X or national cloud strategies suggest that choosing the right cloud will solve the sovereignty problem.

The reality is very different. According to a study by Computerwoche/CIO/CSO, 72% of companies in Germany are facing the challenge of modernising business-critical legacy systems.¹  A Slalom study shows that 61% continue to use outdated platforms for the majority of their business applications. ²  Even more drastic: 76–100% of critical applications are affected in 11% of companies.

What does this mean in practice? A bank can operate its new customer portal in a sovereign cloud, but its core banking system runs on 20-year-old COBOL. An insurance company modernises its front end, but claims processing is tied to proprietary legacy databases. A public authority digitises citizen services, but the specialist procedures run on old applications that no one wants to touch anymore. The question is not, “Where to in the cloud?” The question is, “What do I do with the 60% of my IT landscape that cannot be easily migrated?”

Digital sovereignty is not a cloud problem. It is an architecture, migration and operational problem in hybrid IT landscapes. The real challenges lie elsewhere:

62% of companies classify parts of their business-critical applications as so outdated that they no longer meet today’s requirements.³  40% of outdated systems are in-house developments¹ , grown over decades, interlinked with dozens of other systems, documented by employees who have long since retired. A real-world example: An insurance company operates its claims processing on a 25-year-old in-house development. The system is connected to SAP (on-premises), Salesforce (cloud), various specialised procedures and external service providers. DORA requires annual resilience tests. The question is not: “Which cloud is sovereign?” The question is: “How do I effectively test the resilience of a system that no one fully understands anymore?”

DORA has been in force since 17 January 2025, and NIS2 should be transposed into national law by October 2024, but the German NIS2 Implementation Act (NIS2UmsuCG) was not passed until 2025. The requirements are specific:⁴

The problem: These requirements apply to IT landscapes in which, according to a Stripe study, developers spend 17 hours per week solely on maintaining legacy code. 40% of the IT budget goes towards maintaining technical debt, not innovation or compliance.

How can an organisation that can barely maintain the operability of its legacy systems also carry out DORA-compliant resilience tests?

According to Gartner^, 90% of companies operate hybrid infrastructures – a mixture of on-premises, private cloud, public cloud, legacy systems and modern microservices. This is not a temporary phase, but a long-term reality.
The challenges are enormous:

Studies show that 67% of cloud migration projects exceed their budget and 43% take longer than planned.⁹  The reason is rarely the cloud itself, but rather the complexity of migrating from long-evolved, tightly coupled legacy systems.

On 15 January 2026, AWS officially launched the European Sovereign Cloud (ESC) in Brandenburg. AWS positions it as a self-sufficient cloud for Europe with strict separation from all other AWS regions. The promises sound tempting.

The ESC is physically and logically separated from all other AWS regions. It has its own Identity & Access Management (IAM), separate billing systems and its own Route 53 infrastructure with EU TLDs. It is operated by AWS European Sovereign Cloud GmbH, a wholly owned subsidiary of Amazon.com Inc. based in Germany.
It is managed by Stéphane Israël and Stefan Hoechbauer, both EU citizens. An advisory board consisting exclusively of EU citizens – including two independent representatives – is intended to ensure additional governance control. AWS promises that operations will gradually be taken over exclusively by EU citizens residing in the EU. During a transition phase, mixed teams of EU citizens and EU residents are currently still working, but exclusively within the EU.

AWS promises complete separation from other AWS regions, its own identity and access management, and operation exclusively by EU personnel under EU law. The service portfolio is impressive. Around 90 services at launch: Compute (EC2, Lambda), Storage (S3, EBS), Databases (Aurora, RDS, Neptune), Containers (EKS, ECS), AI/ML (SageMaker, Bedrock). An investment of €7.8 billion by 2040 underscores the seriousness of the undertaking.

ESC is technically impressive, but it does not solve the core problem:

It does not address the legacy reality. A 20-year-old COBOL system cannot simply be migrated to AWS ESC. A proprietary in-house development with hundreds of dependencies is not a cloud workload. An established SAP landscape cannot be moved overnight.

It creates new complexity. ESC is deliberately isolated; there is no networking with other AWS regions. This means:

It does not completely solve the US legal problem. AWS European Sovereign Cloud GmbH is a wholly owned subsidiary of Amazon.com Inc. This means it is potentially subject to the US CLOUD Act and FISA 702, even though AWS promises to review every request and inform customers¹². The legal grey area remains. It ignores the complexity of migration. Anyone who believes that sovereignty means “pushing the system into the ESC” overlooks the following:

ESC can be useful for new workloads with high compliance requirements:

ESC is overkill for:

ESC is not a solution for:

The uncomfortable truth: even the most sophisticated cloud won’t help those who can’t modernise their 20-year-old core systems.

Digital sovereignty does not come from choosing a provider. It comes from architectural expertise, migration capability and operational excellence.

The first step is honesty. 41% of companies admit that they are unable to get rid of their legacy systems despite pressure to modernise. The reason is often that no one knows exactly what the system does, who it is connected to, and what will happen if it is touched.
A realistic assessment means:

Not every system needs a sovereign cloud. But every critical system needs a well-thought-out strategy.

The reality of the next 10-15 years is hybrid. Legacy systems run in parallel with cloud workloads. On-premises infrastructure coexists with sovereign clouds and standard public clouds.
The crucial questions are:

This requires more than cloud expertise. It requires architectural excellence in complex, mature IT landscapes. Someone who not only understands the cloud but also understands legacy systems. Someone who not only advises, but also develops, modernises and operates.

According to Lünendonk, 76% of companies expect that at least 20% of their business-critical core applications will need to be modernised in the next 5 years.³ The question is: How?

Big bang migrations fail. 68% of companies report that legacy systems hamper their effectiveness – main reasons: maintenance costs (44%), expenses (37%), isolation due to non-integrated systems (37%).¹²

Gradual modernisation works:

This requires people who can do both: understand legacy systems AND build modern architectures.

DORA and NIS2 require strict third-party risk management. This means:

The cloud provider (whether AWS ESC, Azure, GCP, OVHcloud) is just one of many suppliers. Legacy system maintenance, managed services, software development, middleware operation – all are third parties that must be managed in compliance with DORA.

The question is: Who can manage this end-to-end? Who understands legacy, cloud, operations AND compliance?

The AWS European Sovereign Cloud is not a game changer for Europe. It is a symptom – a symptom of the need for digital sovereignty. But it does not solve the real problem.

The real problem is that most companies in regulated industries operate hybrid IT landscapes with massive legacy components. 72% are facing modernisation of business-critical systems. 61% use outdated platforms for the majority of their applications. 40% of the IT budget goes towards technical debt.

Digital sovereignty does not mean, “I choose the right cloud.”
Digital sovereignty means: “I can modernise, operate and migrate my systems, and I have options.” Anyone who takes this seriously needs:

This is not a cloud migration project. This is strategic IT transformation. And you don’t get that with a provider decision. You get that with someone who can develop, modernise AND operate – from a single provider. 2026 will be the real test: DORA supervision will begin its first full audit cycles, and supervisory authorities will be able to impose sanctions for the first time. NIS2 transition periods will expire. At the same time, new solutions such as AWS ESC will go live. Those who act strategically now instead of just reacting will gain a competitive advantage. Those who rely exclusively on cloud providers risk creating new dependencies.

In force for the financial sector since 17 January 2025.
Key requirements:

KRITIS extension, implementation by October 2024.
Affects, among other things:

Key requirements:

Date of access to online sources: 12 February 2026