Navigating the Future of Data Sovereignty in EMEA | Immerse Stockholm 2026

Hi guys. Uh, so my name is Christian. I'm Dutch. I'm based in Brussels. I've been there for about 20 years. And um, I'm what you might colloially call a lobbyist, which sounds very scary, and I'm probably going to convince you it's not as scary as you thought it would be. Cloudflare has a team of people that um that interact with governments and regulators on a day-to-day basis. And for Europe, I'm the one who gets to lead that team. We have about six people, Berlin, London, other places. Um, I'm going to talk about something that has kept me unbelievably busy for the last 12 months and probably will keep me unbelievably busy for the next 12 months as well and maybe longer. Um, I'm going to talk about digital sovereignty. Now, just a step back. This has very little to do with it, but I want to set the scene a little bit. I had a very cushy job about five years ago in a law firm. I'd been there for 12 years. Life was fairly easy. And then I got a call and said, "Hey, have you heard about this company, CloudFare?" And uh you know, maybe maybe you want to set set up build their their team of of lobbyists in Brussels. So looked into it and then I came across this [snorts] um which is our project Galileo which is a project where we provide for those who don't know free cyber security services enterprise level to vulnerable groups on the internet. And I thought, hey, that's super cool stuff. Uh because it's still a very young company and still they're putting money towards that kind of thing. That's that's pretty unbelievable, right? Um I'm telling you this not to just give you a fuzzy feeling in your stomach and hopefully you do feel that a little bit. I definitely felt it. It's real. Uh it's something that's run out of the team that I'm part of. Um and it keeps growing and over the years uh huge amounts of vulnerable internet users have joined this program. We run it with a huge number of NOS's. global 33% of it is in Europe. Uh all very cool stuff. But why am I telling you this? So the nice thing about being in the position I'm in is I get to work with a very senior management in Cloudflare, including our founders, Matthew and Michelle, who are still around, which is also quite something that's that's quite special for a company of our 15 year years of age. And I got to look them in the eye and work with them on a number of sensitive topics. And they really mean it. They really are that idealistic about the internet and what it means for society. And that's pretty cool if you're the guy who has to interact with governments because governments are, you know, in the business of shaping societies. So that was pretty nice until about a year ago, people started saying, "Yeah, but you're an American company." Yeah, but I'm a European. I'm I'm based in Brussels. So where's the problem then, right? Why would that be why would that be would that be an issue for me? Um, and that's what I want to talk about now. Cloudfare is an American company and for those who you know haven't haven't come across it yet this is a topic that is on a huge amount of people's minds including governments and certainly also our customers the issue of digital sovereignty which you could summarize as maybe over reliance on American or foreign technology uh and I'll talk about that in a second and how do we think about that as cloudflare that's that's what I'm going to uh I'm going to talk about uh today so what is actually digital sovereignty you have to break it down a lot of people have like notions and ideas. There's there's a bunch of things. Ultimately, it's probably about reducing technological dependencies and this is no secret. Europe mostly relies on American tech. Uh and that's an issue for a lot of a lot of people and and we need to do something about that. Probably a good idea anyway. But it can also be about data privacy and control. Yeah. But wait a minute. Cloudflare is very pro privacy. We build it into our technologies to the level that I have to have very difficult conversations with law enforcement because we don't just hand over the data of our users for instance which in some countries you know other companies might do that uh or digital resilience you know it's about protecting infrastructure uh ensuring stability it can also be about competitiveness um Mario Draghi former uh central banker former prime minister of Italy wrote a report about two years ago about how are we going to make Europe more competitive and one of the central tenants of that was we need to become less reliant on foreign tech. we need to do much more with European companies which is a bit tricky if you work for an American company right so this is really all that's my universe these days finally growing European businesses so so what are the alternatives to US technology and and and how do we think about that as as an American company I think you fair question right so that's that's that's the the topic of what I want to talk about today now policy makers politicians people members of the European Parliament uh civil servants of the European Commission, national governments, the Swedish cyber ambassador, people like that I get to talk to, my team gets to talk to and uh and then we have to have conversation about what what do you guys do about this and how does that relate to a company like Cloudflare there's a whole bunch of things that they do and I want to run you through very briefly what that is on on the top left standard standards and certifications. So there are sovereign cloud criteria they already exist. Uh they're being developed even more. Uh the latest set is about two weeks old and it's a very interesting set if you haven't have a look at it from the German cyber security regulator, the BSI and yes we look at that and and we measure ourselves against that as well. There's also in in process EU cyber security certifications themselves. There is something called EUCS which is nearly final but has been stuck in political negotiations for a few years especially because the French government wanted to include a whole number of digital sovereignty related criteria including you have to have your headquarters in Europe you have to have a board that's made up entirely of Europeans things that we don't have as cloudfare right so how do you think about that [snorts] regulations and this stuff is still happening this one for those who haven't heard about kada kada you will hear about it it stands for cloud and AI development act. It is a piece of legislation that the European Commission will propose in two or three weeks and it's going to be big and it's going to be big for us as well. So, as you can imagine with my with my team, we we are in in pretty much weekly contact with the European Commission about what it does and what it says. They listen to us. They take that seriously, but at the same time, of course, they're aware we're an American company and you know, this was about protecting European Europeans, right? um it will have criteria for what constitutes sovereign. There will be an annex which lists actually what those criteria look like and they want to use that in public procurement across Europe. It's not going to be rules that have to be followed but there will be guidelines for governments. That's interesting, isn't it? Because then how does that relate to our technology and I'll get to that in a second as well. Then there is CSA 2 the the cyber security act which is about supply chains and uh in particular uh getting foreign technology out of European supply chains. I can tell you this one's already been proposed especially European telos are up in arms about it uh because if they are no no longer allowed to use Chinese technology in their uh tech stack things become more expensive. So they're really lobbying hard against it. Actually, your own telecommunications companies. I'm not in the in the room when that happens. I just noticed this stuff is controversial. You need to think that through, right? Um, a couple of other things, ecosystem funding, there there is dedicated capital for that. 28 28th regime, which is kind of the idea that we have 27 countries in Europe. Let's come up with one set of rules on top of that, a 28th regime which makes it easier to offer services and provide your technology across Europe, makes it easy to scale for maybe new European startups. Lock in multicloud. I'll talk about this more on the next slide, but policies around that. And then open source advocacy. The European Union has a plan to stimulate open source much more than they've done until now. So, how does that relate to Cloudflare? And that's what I'm going to talk about now. How do we think about that? So I want to take a step back. We are a cyber security company in addition to many other things and we feel very much without cyber security there cannot be sovereignty and that's an important thing to to note there. And one reason I in the beginning when I started talking about this wasn't really worried about it is there really is not or at least not yet a European alternative for a cyber security company that offers the kind of protections that we offer. That doesn't mean however that we can just lean back and take it easy. No, not at all. And that's exactly why I'm here to talk to you about this today. Um threats are borderless. We have a global network. It's been explained. Uh, one thing you need to deal with cyber threats is a network that actually recognizes those threats at threats at the edge, mitigates them at the edge, never even imports them within for instance the European borders. Important notion there as well. And then data localization. Now that's one thing that for instance uh the French government has been pushing quite hard including ANIE, the French cyber security regulator. They want data localized within for instance France or within the European Union or in another region. If you do that, you make the whole system weaker. Now, why am I telling you this? Let's say there will be a European Union alternative to Cloudflare. By nature, this will have to be a company that runs a global network and will run into the same conversations that we are running into. So, kind of difficult to square cyber security as we see it with sovereignty and keeping it all European or regional if you want. Had these conversations in Brussels. I can tell you we have having them in Canada. we're having them in Australia. These are global issues, right? So, we also need to come up with global solutions. This isn't a particularly European thing anyway. So, that's one thing that that we that we stress uh at Cloudflare. Then, what's the actual future? And this is this is really important. The vision that we're trying to put forward is this real sovereignty is the ability to choose the best technology for your needs as an individual uh company or organization. But for that you do need a multi- vendor ecosystem. If you think about it, one of the really big issues is that we're completely over reliant on a few very large hyperscalers and that this creates systemic risk. Always makes me think of two summers ago when we had the crowd strike incident and all the focus in the media was on crowd strike. But the actual problem was the amount of organizations that use Microsoft, wasn't it? that's why all those flights got delayed or cancelled actually. So that's what we're talking about with the European Commission as well and they're doing stuff about it in Brussels. Um there are policies that promote multicloud. Um what you should also do is look at redundancy. If you're foreign tech provider all of a sudden falls away, make sure that you have a plan B in place, you know, and and it's been talked about before as well. They're trying to lower barriers for small vendors. There will be policies around that as well. Great idea. We welcome that. We welcome competition. We think uh there should be you know the multi- vendor ecosystem and this this emphasis on interoperability and open standards which which I'll talk about in the next slide. But ultimately reducing hyperscaler over reliance is going to be an incredibly important thing. So we've noted with very significant interest that in the UK the competition regulator and now also in Brussels DG competition of the European Commission they've opened investigations into Microsoft and AWS to see are they actually playing fair or do they have mechanisms which make it very difficult for other companies to compete for those same customers and grow and become valid alternatives right uh and that's an important thing uh to note I think there's quite a lot that individual countries and companies can do and we all need to talk about what does a fair marketplace look like so that we can grow multiple companies and and the best technologies emerge for for people to use. So that's that's really something that that we're that we're focused on uh with with a lot of governments uh in many different places. [snorts] Finally, [clears throat] Cloudflare, how does this relate to all of us? On some level, I'm quite comfortable because by nature, by design, this company has been built with interoperability in mind. Our technology is interoperable and what you want is that multi- vendor approach that that multi cloud architecture and that's literally what we're offering our customers. We welcome that. We want to work with other vendors. So, open standards egress fees, we don't we don't charge those. It's a t a topic that they've tried to to deal with already in in European legislation. Uh in France, they're looking at all the detail of what is actually a fair price to charge customers if they want to take their data out of one cloud to maybe run it in an app on another cloud because every time you do that, you pay which is another reason to stay within whichever hyperscaler you're at. Um so no no no egress, zero egress and and Glavair has a has a whole history around it. You can find blogs by Matthew even going back seven, eight years where he he railed against this and and said these these are unfair costs and they lock you in. Um yeah so so interoperability working with any cloud privacy I've already talked about it. We build it into our technology. I think it's it's it's uh it's not something that people question but it is definitely part of the whole discussion around digital sovereignty. Anyway then this one control of data our customers have control of that have control of their data where is it where it's cached where it is inspected where it's decrypted uh we have a data localization suite and our engineers are working on uh an even more granular even more robust uh data controls for our customers which I expect we will probably be uh running over the the next year or two. Um, so genuinely a rearchitecture that makes it even stronger. And then finally, this is what I do with my with my with my team. We're in a dialogue with governments. I'm not saying I have all the answers to this, but I think we all need to be very clear about what the problem is and what the solutions are. And there's not one simple solution. And I don't think anybody has a final answer on what is sovereign. There isn't completely sovereign tech currently out there anyway. And as you can see, I take this issue very very seriously with my with my team and and we we have a lot of ongoing dialogues with governments with regulators about it and that's important but at the same time we we got to just keep talking and building because uh ultimately the challenge is real uh and we feel that we we are part of the solution here. So wanted to share that with you. So, it's a bit of a step back the the bigger ecosystem and the sort of concerns that we see as Cloudflare, but hopefully um was able to convince you that this is the sort of stuff that we are very thoughtful about as a company and uh and that we are trying to to find solutions for the future for. Thank you very much. [applause] All right, I don't see any questions to Christian. So maybe we flip to the next slide and see if we can uh if we can get some people in asking some questions while we're setting up for the next session. So we should really go to your first slide because that's where we have the the QR. So you have the QR. I'm not going to stand in front of it. If you have any questions, you can also raise your hand and I'll I'll come pick it up. But uh add it to the chat. This is an area where we usually get quite a lot of questions, right, Christian? Yeah. Yeah. [clears throat] Let's give it a [cough] People are typing. That's exciting. We should have Valerie typing. I was really impressed by the pace of her typing. It was almost like she's an engineer in disguise. Okay. FISA 702 [laughter] [sighs] Cloud Act. There is um this is not a new issue at all. It's actually been an issue that's been on many people's minds for uh for quite a long long time. We um we have a history of fighting um let's say legally doubtful orders by government to hand over information. In fact um and this is a matter of public record uh we even when we were five or six years old as a company we started a a lawsuit against the FBI and we won. Uh it's part of that uh is the reason I I I joined this company because it's so serious about this kind of thing. Um of course we're subject to the rules of the the countries that we operate in. We follow those rules that that goes without saying. But at the same time we engage on what those rules should be and how how they are applied as well. I think if that uh if that brings one conclusion to mind is you know if if there's one company that could be trusted to deal with that with integrity, it is Cloudflare for sure. Cool. I have another one actually. Thank you for that. So, and this is a long one, so I'm going to see if I can shorten it down a little. So, data localization weakens cyber security is only true if localization means isolation. The stronger question is whether today's global centralization also creates cyber security and sovereignty risk through dependency, concentration, and limited jurisdictional control. And there's the question is like how do we preserve global scale security while ensuring accountable control over critical data keys and access decisions. Yeah, that's exactly the problem I was getting at. I don't think we have a final one simple. There's certainly not a simple answer or one answer, but it's something that we are continuously thinking about uh at Cloudflare. Uh I started with the scale. I talked about the network. I talked about the the global threats that we're looking at. we're operating in all these individual jurisdictions where governments, customers may have individual uh uh uh requirements. So I think it's about control and being clear about what those controls are. It's about giving that control to customers, making sure they are the ones that can make those choices. So that's one thing that we do. Uh second, one of the principles of Cloudflare, transparency. We do that in as much transparency as we possibly can. Uh, and three, I think, yeah, we we I think are always open to be tested and open to be criticized to to become even better than we are already. And this is certainly one area where that's why we have those dialogues with customers, with governments to uh to keep finding better solutions. Again, I'm not saying we have the final answer, but nobody does. I am saying we're taking this very [music] seriously. Perfect. Thanks a lot, Christian. It was a great session.