Contents
Part I: The strategic imperative: Beyond the cost of control
1.1 Deconstructing the cloud: a basic course for managers
1.2 The golden cage: analyzing the true cost of hyperscaler dependency
1.3 Europe's third way: the Gaia-X vision for a federated future
Part II: The open source cloud stack: Valid alternatives for the modern organization
2.1 Laying the foundation: Open Infrastructure-as-a-Service (IaaS)
2.1.1 OpenStack: The community-driven giant
2.1.2 Apache CloudStack: The turnkey IaaS solution
2.2 Accelerating innovation: Open Platform-as-a-Service (PaaS) and the container revolution
2.2.1 The Kubernetes ecosystem & Red Hat OpenShift
2.2.2 Cloud Foundry: An example for application-oriented platforms
2.3 Enabling collaboration: The sovereign Office & SaaS suite
2.3.1 Nextcloud Hub: The flagship of European digital sovereignty
2.4 The power of fork: A Lesson from OpenTofu
Part III: The migration journey: A strategic guide for decision makers
3.1 Planning the transition: key challenges and strategic considerations
3.2 The support ecosystem: debunking the myth of “being alone”
3.3 A question of profitability: the true total cost of ownership (TCO)
Part IV: The future is open: Trends, recommendations and the way forward
4.1 Emerging horizons: Sovereign AI, sustainable computing and the edge
4.2 Strategic recommendations for a sovereign digital future
Part I: The strategic imperative: Beyond the cost of control
The decision to use a cloud platform is one of the most far-reaching decisions for modern organizations. It is no longer a purely technical matter that can be delegated to the IT department. Rather, it is a fundamental business and strategic policy decision that will determine an organization's ability to innovate, financial planning and digital sovereignty for years to come. The initial euphoria of the “cloud first” mantra, which was often synonymous with the rapid adoption of the three major hyperscalers - Amazon Web Services (AWS), Microsoft Azure and Google Cloud - is increasingly giving way to a more strategic and critical view.
Growing dissatisfaction with public cloud solutions, the emergence of entire disciplines such as FinOps to control escalating costs and strategic initiatives such as the European Gaia-X project point to a maturing of the market. The question is no longer “Are we in the cloud?”, but “Are we using the right cloud for the right application under the right conditions?”. This report serves as a guide for business, government and education leaders to answer this question in an informed way. It highlights the strategic risks of over-reliance on proprietary hyperscalers and presents robust, future-proof open source alternatives that pave the way to greater control, flexibility and digital empowerment.
1.1 Deconstructing the cloud: a basic course for managers
To understand the strategic implications of different cloud models, it is essential to know the basic service layers. These models differ primarily in the degree of control that an organization retains and the scope of services that are assumed by the provider.
- Infrastructure-as-a-Service (IaaS): This is the most basic layer of cloud computing. You can think of it as renting raw digital real estate: servers, storage and network resources. The provider supplies the physical infrastructure, while the organization retains full control over the operating system, middleware and applications. This model offers maximum flexibility and control. Well-known proprietary examples are Amazon EC2 and Google Compute Engine. The open source world offers powerful alternatives such as OpenStack and Apache CloudStack.
- Platform-as-a-Service (PaaS): At the next level, PaaS provides a development and deployment environment as a service. It can be seen as a kind of “light version” of IaaS. The provider manages the entire underlying infrastructure, including servers, operating systems and databases. The organization can therefore concentrate fully on developing and operating its own applications without having to worry about maintaining the platform. This model is ideal for optimizing workflows and quickly developing tailor-made applications. Examples of this are Heroku or the open source platform Red Hat OpenShift.
- Software-as-a-Service (SaaS): This is the best-known form of cloud computing. These are software applications, such as Gmail or Salesforce, that are fully managed by the provider and provided and used via the internet. The user only consumes the service, without any administrative effort for the underlying infrastructure or the software itself. This model offers the highest level of convenience and the lowest initial costs, but also the lowest level of control and customizability.
The choice between these models is a fundamental trade-off between control and convenience. This trade-off is the common thread that runs through all strategic cloud decisions.

1.2 The golden cage: analyzing the true cost of hyperscaler dependency
The temptation of hyperscalers is undeniable: an almost infinite range of services available at the touch of a button. But this convenience comes at a strategic price that goes far beyond the monthly bill. Excessive dependence on a single proprietary provider creates a “golden cage” that can severely limit an organization's strategic ability to act.
- Vendor lock-in: This is the greatest strategic risk. Vendor lock-in describes a situation in which a customer becomes so dependent on the products and services of one provider that switching to another provider is only possible at disproportionately high cost - be it financial, technical or legal. This dependency often develops insidiously through the use of proprietary APIs, specialized services and deeply integrated configurations that are not based on open standards. Once an organization is trapped in this ecosystem, the provider can raise prices or change terms and conditions without the customer having a realistic fallback option. The recent license changes to established tools such as Terraform by vendor HashiCorp are a cautionary example of this danger.
- Erosion of data sovereignty: Data sovereignty is the ability of an organization or state to control its own data in accordance with its own legal and political framework. The use of cloud services whose providers are subject to access by foreign authorities (such as the US CLOUD Act) is in direct contradiction to this goal and the strict requirements of European regulations such as the General Data Protection Regulation (GDPR). Complete control over who can access data and under what circumstances is not guaranteed beyond doubt in a non-European public cloud.
- Non-transparent and unpredictable costs: Although the “pay-as-you-go” model of public clouds promises usage-based billing, in practice it often leads to complex and unpredictable costs. Expenses can escalate quickly, especially as usage increases. The “scale by credit card” approach is reaching its limits, and entire branches of industry such as “FinOps” have emerged to manage these cost explosions.
- The innovation bottleneck: Proprietary ecosystems, as rich as they may be, can slow down innovation. They force developers to work within the boundaries set by the provider and make interoperability with services from other providers more difficult. Genuine, disruptive innovation often arises at the interfaces between different technologies. In a closed “walled garden”, these interfaces are artificially limited.
1.3 Europe's third way: the Gaia-X vision for a federated future
In direct response to the strategic challenges posed by the dominance of hyperscalers, Germany and France have launched the Gaia-X initiative. It is crucial to understand that Gaia-X is not a product and does not aim to build a “European AWS”. Rather, it is a political and economic strategy that aims to redefine the rules of the digital market.
- Gaia-X is not a cloud provider, but a set of rules: The core objective of Gaia-X is to create a federated, open data infrastructure based on European values such as data protection, transparency and sovereignty. The aim is to develop common standards, tools and governance mechanisms that enable different providers to network their services in a trustworthy ecosystem. The use of open technologies and open source principles is a key technical requirement.
- A framework for trust and fair competition: Instead of creating a monolith, Gaia-X promotes diversity. Through a unified trust framework and a transparent labeling system, users can make informed decisions. For example, a service can receive a label that guarantees that it is fully under European control and immune to non-European access. This creates a fair marketplace in which providers compete not only on price, but on demonstrable quality and sovereignty characteristics. These labels are the market-based instrument for enforcing the political values of Gaia-X.
- From vision to reality: Gaia-X is not just a declaration of intent. The initiative is strongly supported by European politicians and has already led to concrete, funded lighthouse projects. These include projects such as OpenGPT-X to build large, sovereign AI language models and HEALTH-X dataLOFT to create a secure data space for the healthcare sector. These projects show that the principles of Gaia-X are actively being put into practice. The strategic decision to use the open source platform Nextcloud as a collaboration solution for the Gaia-X ecosystem underlines the central role of open source in realizing this vision.
The emergence of Gaia-X must be understood for what it is: a geopolitical and economic answer to the question of how Europe can participate in the global data economy without giving up control of its most valuable resource of the 21st century. It creates the framework in which the open source solutions presented below can develop their full strategic impact.
Part II: The open source cloud stack: Valid alternatives for the modern organization
The open source idea - transparency, collaborative development and independence from individual providers - offers a direct answer to the strategic risks of the hyperscaler model. In recent years, a mature and robust ecosystem of open source cloud technologies has emerged, suitable for use in demanding enterprise, government and research environments. These solutions are no longer experimental niche products, but the foundation of many of the world's largest digital infrastructures.
A crucial aspect to consider when evaluating these solutions is their governance model. It is not just a technical but a strategic question whether a project is managed by a single company or by a neutral, non-profit foundation such as the Apache Software Foundation or the Linux Foundation. The latter offers a strong safeguard against sudden license changes or commercial capture, as the example of Terraform and its fork OpenTofu has impressively shown. Choosing a solution supported by a foundation is therefore a conscious decision to minimize risk.
2.1 Laying the foundation: Open Infrastructure-as-a-Service (IaaS)
Open source IaaS platforms provide a powerful basis for organizations seeking maximum control over their cloud infrastructure. They enable organizations to set up a private or sovereign cloud on their own or rented hardware and replicate the core functionalities of hyperscalers. Two projects dominate this area: OpenStack and Apache CloudStack.
2.1.1 OpenStack: The community-driven giant
OpenStack is not so much a single product as a modular cloud operating system. It consists of a collection of dozens of interconnected services that together form a comprehensive IaaS platform. The core components include:
- Nova: The compute service, responsible for provisioning and managing virtual machines (VMs).
- Neutron: The networking service that enables complex virtual network topologies.
- Cinder: The block storage service that provides persistent storage for VMs.
- Glance: The image service for managing VM images.
- Keystone: The identity service that controls authentication and authorization.
This modular architecture gives OpenStack immense flexibility and power. Organizations can use exactly the components they need and tailor their cloud environment precisely to their requirements.
- Governance and ecosystem: OpenStack is managed by the Open Infrastructure Foundation (formerly OpenStack Foundation), an independent non-profit organization. The code is contributed by thousands of developers and hundreds of companies worldwide, including industry giants such as Red Hat and Canonical (Ubuntu). This decentralized governance model ensures that the project remains neutral and cannot be dominated by the interests of a single company.
- Use cases and users: The strength of OpenStack lies in its scalability and adaptability. It is the preferred choice for organizations with extremely high scalability, security and control requirements. Prominent examples are:
  - Research and science: NASA (one of the co-founders), CERN and numerous universities such as Cambridge and Melbourne use OpenStack for massive scientific computing and data analysis.
  - Telecommunications: Major telecommunications providers such as China Mobile, T-Mobile and Verizon rely on OpenStack as the basis for their Network Function Virtualization (NFV) infrastructures.
  - Governments and public authorities: Because of its transparency and security, OpenStack is used by government and military organizations, including the French Home Office, the UK Civil Service and the US Army Cyber School.
OpenStack is the solution for organizations that want to build a highly adaptable, scalable and controllable cloud infrastructure and are willing to invest in the necessary expertise.
2.1.2 Apache CloudStack: The turnkey IaaS solution
While OpenStack focuses on maximum modularity, Apache CloudStack takes a different approach: simplicity and rapid commissioning. CloudStack is a turnkey IaaS platform that bundles all the necessary components in an integrated solution. This significantly reduces the complexity and time required to deploy a cloud, making it an attractive option for organizations that do not have highly specialized infrastructure teams.
- Key differentiators: A standout feature of CloudStack is its hypervisor agnosticism. It natively supports a wide range of virtualization technologies, including VMware vSphere, KVM, XenServer and Hyper-V. This is a key advantage for organizations already running an existing VMware infrastructure and looking for a smooth transition to an open source cloud management layer. Telecommunications giant AT&T chose CloudStack for this reason, among others, to continue supporting its existing VMware workloads while building a bridge to a modern, KVM-based platform.
- Governance and architecture: CloudStack is a top-level project of the Apache Software Foundation (ASF), one of the most respected organizations in the open source world. This guarantees strict, community-based governance and protects the project from being controlled by a single company. Its architecture is hierarchical (zones, pods, clusters), which enables high scalability from a single management interface.
Apache CloudStack is the ideal choice for organizations looking for a robust, scalable and easy-to-manage IaaS platform that integrates seamlessly with existing infrastructures and provides a fast path to their own private or public cloud.

2.2 Accelerating innovation: Open Platform-as-a-Service (PaaS) and the container revolution
While IaaS lays the foundation, the PaaS layer is the engine for modern application development. One technology has become the undisputed standard here in recent years: containers, orchestrated by Kubernetes. Open source completely dominates this area.
2.2.1 The Kubernetes ecosystem & Red Hat OpenShift
It is important to understand that Kubernetes itself is not the finished platform. It is the incredibly powerful but also complex engine for container orchestration. Kubernetes automates the deployment, scaling and management of containerized applications and is the de facto standard in the cloud-native world.
For most organizations, however, operating “raw” Kubernetes is a huge challenge. This is where enterprise PaaS solutions come in. Red Hat OpenShift is the leading platform. OpenShift is not an alternative to Kubernetes, but an enterprise-grade Kubernetes distribution. You can think of it like this: If Kubernetes is the engine, then OpenShift is the complete, street-legal car with chassis, safety systems, dashboard and navigation system. OpenShift enhances Kubernetes with crucial features that are essential for enterprise use:
- Increased security: Strict security policies and contexts are enabled by default.
- Integrated developer tools: Comprehensive tools for the entire application development lifecycle (CI/CD pipelines, IDE integration).
- Simplified management: A central console and automated lifecycle management for the entire cluster, from the operating system to the application.
- Commercial support: As a Red Hat (part of IBM) product, it provides the comprehensive support that large organizations need.
OpenShift takes the complexity of Kubernetes and wraps it in a stable, secure and supported platform that allows developers to focus on writing code.
2.2.2 Cloud Foundry: An example for application-oriented platforms
Cloud Foundry, originally developed by VMware and now managed by the Cloud Foundry Foundation, represents a different philosophy in the PaaS sector. Its core promise is maximum abstraction of the infrastructure. The developer interacts with the platform via a simple command and the platform takes care of everything else - from packing the application into a container to deployment and scaling.
The fundamental difference to Kubernetes lies in the focus: Cloud Foundry is application-oriented, Kubernetes is container-oriented. This often makes Cloud Foundry easier and faster for developers to use, but also less flexible. While Cloud Foundry played an important role in the early days of the PaaS movement, the dominance of Kubernetes has reduced its relevance. The platform is showing signs of ageing and support is dwindling. The challenge for many organizations today is having to manage a separate Cloud Foundry platform alongside their growing Kubernetes environments, leading to inefficiencies. It remains a valid solution for specific use cases, but for new projects, the Kubernetes ecosystem is usually the more future-proof choice.
2.3 Enabling collaboration: The sovereign Office & SaaS suite
The move away from proprietary hyperscalers does not have to end with the infrastructure. There are also powerful open source alternatives in the area of Software-as-a-Service (SaaS) applications that shape everyday working life. These enable organizations to regain control over their most sensitive communication and collaboration data.
2.3.1 Nextcloud Hub: The flagship of European digital sovereignty
Nextcloud Hub is more than just cloud storage. It is a fully functional, self-hosted collaboration platform and a direct competitor to Microsoft 365 and Google Workspace. The range of functions includes:
- Nextcloud Files: Secure synchronization and sharing of files.
- Nextcloud Talk: Integrated, end-to-end encrypted video and audio conferencing and chat.
- Nextcloud Groupware: Calendar, contacts and email management.
- Nextcloud Office: Collaborative editing of documents in real time through integration of office suites such as Collabora Online or OnlyOffice.
History and governance: The history of Nextcloud is indicative of the values of the open source movement. It was created in 2016 as a fork of the ownCloud project. The founder, Frank Karlitschek, and many core developers left ownCloud out of dissatisfaction with the increasing commercialization and created Nextcloud with a renewed focus on the community, transparency and user needs. This history underscores the commitment to true openness.
Broad adoption in the public sector: The best proof of Nextcloud's maturity and trustworthiness is its massive adoption in the European public sector. It is the technology behind the German federal administration's “Bundescloud”. The governments of France, Sweden and the Netherlands use it for secure data exchange. The German state of Schleswig-Holstein has migrated its 40,000 administrative employees from Microsoft SharePoint to Nextcloud. This broad adoption by government agencies, which have the highest requirements for security and data protection, is a strong seal of approval.
Compliance and Gaia-X integration: Nextcloud was designed from the ground up for compliance with strict regulations such as GDPR and HIPAA (in healthcare). Its selection as the official collaboration platform for the Gaia-X initiative cements its status as a cornerstone of the European digital sovereignty strategy. For any European organization looking for a sovereign alternative to the US SaaS giants, Nextcloud is the first and foremost option.
2.4 The power of fork: A Lesson from OpenTofu
A recent event in the world of cloud infrastructure dramatically demonstrated the most fundamental strategic advantage of true open source software: its resilience to control by a single vendor.
The story: For years, HashiCorp's Terraform tool was the undisputed standard for "Infrastructure as Code" (IaC) - a method of defining and managing cloud infrastructure through code. It was available under an open source license (MPL) and was used and extended by a huge community and countless companies. In August 2023, however, HashiCorp surprisingly changed the license to a more restrictive "Business Source License" (BSL). This license is no longer open source in the true sense of the word and restricts use by competitors. This step created massive legal uncertainty and dependency for all those who had built their systems on Terraform.
The community's response: The answer came promptly. A coalition of industry leaders and the open source community took the last truly open version of the Terraform code (version 1.5.6) and forked the project. They created a “fork” called OpenTofu.
The strategic lesson: OpenTofu was designed as a “drop-in replacement” for Terraform. This means that users can switch with minimal effort - essentially by replacing a single program file (terraform becomes tofu). The decisive step, however, was to place the project under the neutral administration of the Linux Foundation, with the aim of making it part of the Cloud Native Computing Foundation (CNCF). This guarantees that OpenTofu will forever remain true open source software whose future is determined by the community and not by the commercial interests of a single company.
The emergence of OpenTofu is perfect proof that with true open source software, an organization's investment in technology and knowledge is protected. The community can defend against vendor lock-in and ensure the continued existence of critical tools. This is a form of risk mitigation that proprietary software, by definition, can never provide.
Part III: The migration journey: A strategic guide for decision makers
Deciding on an open source cloud strategy is the first step. Implementing it requires careful planning and a realistic understanding of the challenges and opportunities involved. This section of the report moves from the ‘what’ to the ‘how’, providing leaders with a guide to make the transition successful and debunk common myths.
3.1 Planning the transition: key challenges and strategic considerations
An open and honest look at the potential hurdles is the best prerequisite for a successful migration. Managers should not be put off by the complexity, but should see these hurdles as manageable challenges that require a clear strategy.
- The skills gap is real: Implementing and operating a private cloud platform such as OpenStack is a complex undertaking. It requires specific technical expertise in networking, storage, virtualization and automation that is not readily available in many organizations. This is not an insurmountable obstacle, but requires strategic workforce planning. Organizations must decide whether to build these skills internally through training and recruitment, bring in external consultants or rely on a managed service partner to take over operations.
- Migration is a project, not a push of a button: Moving workloads from an existing platform (be it a public cloud or a traditional VMware environment) to an open source cloud is a project that requires careful planning. It starts with a thorough inventory of existing applications, their dependencies, network configurations and security requirements. The different types of migration and their impact on business operations must be taken into account. A “cold migration” (application is shut down, copied and started at the new location) is technically simpler, but causes significant downtime. A “live migration” (migration during ongoing operations) minimizes downtime, but is technically far more complex and requires a corresponding infrastructure.
- Start small, scale wisely: Attempting a “big bang” migration, where all systems are converted at once, is extremely risky and doomed to failure. The best practice is to take a step-by-step approach. Organizations should start with less critical but still representative applications. Such a pilot project serves to gain valuable experience, adapt internal processes, validate the performance of the new platform and achieve rapid success. This creates acceptance within the company and significantly de-risks the subsequent migration of business-critical systems.
3.2 The support ecosystem: debunking the myth of “being alone”
One of the biggest fears that managers often associate with open source is the perceived lack of professional support. The idea of being on your own in the event of a critical system failure and having to look for help in community forums is a major obstacle. However, this idea is a myth that fails to recognize the reality of the modern open source market.
- The risk of unsupported open source: It is important to clearly state the risk. The use of open source software based solely on community support is actually not advisable for business-critical systems. Support is unstructured, not guaranteed to be available and there is no legal liability.
- The reality of the commercial ecosystem: For all large and established open source cloud projects, there is a global and highly competitive ecosystem of companies offering professional, commercial, enterprise-level support. So the choice is not “support vs. no support”, but “support from a monopolist (as with proprietary software) vs. support from a competitive market of specialists”.
For OpenStack, global corporations such as Red Hat and Canonical (the company behind Ubuntu) offer comprehensive support contracts, consulting services, training and certified distributions. There are also a large number of specialized consulting companies such as Appnovation that help with implementation and maintenance.
For Apache CloudStack, the company ShapeBlue, the world's leading CloudStack integrator, offers 24/7/365 support with strict service level agreements (SLAs). This support includes not only fixing issues, but also developing code patches to resolve bugs at the deepest level. The existence of regular European user conferences in cities such as Frankfurt and Vienna also demonstrates a vibrant and well-connected user and vendor community right on the ground.
The key insight for managers is that the problem is not a lack of support. The problem is developing a clear strategy for sourcing the necessary skills and selecting the right support partner. Instead of being trapped in a dependency on a single vendor, organizations can choose the partner in an open ecosystem that offers the best service and value for money.
3.3 A question of profitability: the true total cost of ownership (TCO)
A sound financial analysis is crucial. However, the comparison of the total cost of ownership (TCO) between a public cloud and a self-operated open source cloud must go beyond a simple comparison of license fees.
- Beyond the “free” software: Although open source software is free of license fees, the operation of a private cloud infrastructure is not. The costs include the purchase and maintenance of hardware (server, network, storage), the expenses for electricity and cooling in the data center and - often the largest item - the personnel costs for qualified specialists who operate and maintain the platform.
- The turning point of scaling: The question is not whether a private cloud is cheaper, but when. Analyses show that a private cloud based on OpenStack tends to become more cost-efficient than comparable public cloud use once a certain scale is exceeded. One study cites a threshold of around 400 managed virtual machines. For large, stable and predictable workloads, the fixed costs of a private cloud can be significantly lower than the variable, often escalating usage-based costs of a public cloud. A real-life case study shows a company that was able to reduce its public cloud costs by more than 50% by switching to a private cloud based on OpenStack.
- The strategic costs of lock-in: A purely technical TCO calculation is incomplete. A strategic TCO analysis must also quantify the financial risks and hidden costs of dependence on a proprietary provider. These include high data export fees (egress fees), forced upgrades to more expensive product tiers and unpredictable price increases such as those seen after Broadcom's acquisition of VMware. Freedom from these constraints is a significant, if difficult to quantify, economic advantage of the open source approach. A slightly higher initial investment in an open platform can be seen as valuable insurance against far greater, unpredictable strategic costs in the future.
Part IV: The future is open: Trends, recommendations and the way forward
Choosing an open source cloud strategy is not a backward-looking decision to merely replicate existing systems. It is a forward-looking decision that enables an organization to not only participate in the next wave of technological innovation, but to actively shape it. The principles of openness, control and adaptability that are at the heart of open source are precisely the qualities needed to meet the technological challenges ahead.
4.1 Emerging horizons: Sovereign AI, sustainable computing and the edge
The technology landscape is evolving rapidly. Three emerging trends will shape the digital agenda in the coming years, and in all three, open source is not just an option, but a key enabler.
- Sovereign AI: The debate on digital sovereignty is already shifting from pure data and infrastructure control to control over artificial intelligence. Sovereign AI refers to the ability of a nation or organization to develop, train and operate AI systems within its own value system and regulatory framework. This is impossible without complete control over the underlying infrastructure and the models themselves. An organization that entrusts its data and computing power to a hyperscaler will inevitably be dependent on its models, APIs and terms and conditions for AI as well. Open source AI models and open cloud platforms are key here. They allow organizations to train and refine cutting-edge models on their own controlled infrastructure with their own sensitive data - free from proprietary restrictions and in compliance with local laws such as the EU AI Act. Initiatives such as the German project OpenGPT-X, which builds on the principles of Gaia-X, are a concrete example of this approach. The decision in favor of an open cloud infrastructure today is the prerequisite for having any strategic options at all in the AI-driven economy of tomorrow.
- Sustainable and efficient computing: In view of rising energy costs and a growing awareness of the ecological footprint of IT, the focus is shifting to efficiency and sustainability. The trend is moving away from monolithic, resource-hungry systems towards lean, purpose-built architectures. Open source is ideally suited to this, as it enables the development of highly optimized and minimal systems that only contain the components that are really needed and therefore consume less computing power and energy. This serves both cost reduction and an organization's sustainability goals.
- The edge: Data processing is increasingly moving to the edge of the network (“edge computing”), i.e. closer to where data is generated and needed - be it in factories, hospitals, vehicles or IoT devices. These distributed environments require lightweight, secure and interoperable platforms. Open source solutions that are not tied to a centralized data centre model are predestined for this heterogeneous and decentralized future of IT infrastructure.
4.2 Strategic recommendations for a sovereign digital future
Clear, actionable recommendations can be derived from this analysis for managers who want to make their organization fit for the future and regain control of their digital future:
- Mandate for a strategic review: Commission an internal or external review of your current cloud dependencies. The analysis must go beyond pure costs and explicitly assess the strategic risks of vendor lock-in, data outflow and lack of sovereignty. The result should be a clear risk matrix that serves as a basis for future decisions.
- Initiate a pilot project: Avoid a “big bang” migration. Instead, choose a non-business-critical but relevant use case and start a clearly defined pilot project on an open source platform such as OpenStack or Apache CloudStack. Involve an experienced commercial partner for this first project. Use the pilot project to build internal skills, validate the technology and demonstrate a quick, measurable success that serves as a blueprint for further steps.
- Invest in open source expertise: Treat expertise in the field of open source not as a cost factor, but as strategic company capital. Develop a concrete plan for the further training and certification of your existing employees (e.g. through recognized OpenStack certifications) as well as for the targeted recruitment of experts. Strong internal competence is the best insurance against dependencies - both on proprietary vendors and on external service providers.
- Actively engage with the Gaia-X framework: For European organizations in particular, it is advisable to align their own digital strategy with the principles of Gaia-X. Use the Gaia-X labeling system as a guide for the procurement of future cloud services. Demand transparency, portability and compliance with sovereignty standards from all providers - both proprietary and open source-based.
- Prioritize governance: When selecting open source solutions, consider the governance model as a key strategic criterion. Give clear preference to projects governed by neutral, multi-stakeholder foundations such as the Apache Software Foundation, the Linux Foundation or the Open Infrastructure Foundation. The history of OpenTofu has impressively shown that this is the most effective way to minimize the risk of capture by a single company and ensure the long-term openness of the technology.
The path to a sovereign cloud is not an easy one, but it is a strategically necessary one. It leads from reactive cost optimization to proactive shaping of one's own digital capabilities. Open source is no longer just a tactical option for reducing costs, but the key enabler for strategic agility, resilience and long-term innovative strength in an increasingly complex digital world.