DigitalTransformationTalk: Turning digital sovereignty policy into practice

Speaker A: Foreign. Good morning, good afternoon, good evening, wherever you are, whatever your time zone. Welcome. This is Digital Transformation Talk, and I am your host, Kevin Crane. Welcome to the show. Today we will be talking about turning digital sovereignty into practice. Now, to be clear, digital sovereignty refers to the concept that digital data is subject to the laws and regulations of the country or region where it is collected, stored, or processed. In other words, data is owned and controlled under the framework of that jurisdiction, and organizations must comply with the local requirements for privacy, security and access. But here's the thing. Digital sovereignty is no longer a, uh, political debate. It is becoming a core engineering challenge for tech leaders. With regulations tightening and geopolitical risk rising, control over data is now a strategic imperative. In fact, a recent study found that 84% of companies now view data sovereignty as a central component of their strategy. So in our conversation today, we'll dig into three critical areas to consider. First, we'll look at how infrastructure and vendor decisions must evolve, identifying where traditional cloud strategies can fall short under sovereignty pressures, and what to do about it. We'll also look at new governance, compliance, and resiliency models for data control, exploring what engineering teams need to build to implement sovereignty in practice. And we'll look at putting it all into action, developing a roadmap that aligns infrastructure and data control and compliance and resilience goals. We're gonna dig in in just a second, but first, I wanna say thank you to everybody attending today, and that includes the folks that are joining us live on LinkedIn. And hello to everyone joining us today on Zoom. Thank you all for joining us during today's discussion. We'd like to hear from you, too. So we'd like to encourage everyone attending today to participate. So join in with your comments in the chat section. If you have a question along the way, just jump on in. I will attempt to get some of your questions and comments into the flow of the show. All right, we have a lot of ground to cover and a great panel of guests to do it with, so let's get going with our first guest, Andreas Prince, Global Head of Sovereign Solutions at suse. Andreas, are you with us?

Speaker B: Absolutely, and good to see.

Speaker A: Hello, Andreas, where are you calling in from today?

Speaker B: I'm calling in from the Netherlands. Gray winter weather here.

Speaker A: Wonderful wintry weather. Well, thank you so much for joining us. It's great to have you with us, Andreas. Also joining us is Francisco Romero, Head of Sovereign Cloud at Vivicta. Francisco, where are you calling in from today?

Speaker C: Hello, Kevin. Nice to be here. I'm calling from Finland, like Andreas, it's still cloudy and rainy winter day here.

Speaker A: Ah, uh, wonderful. Thank you, Francisco, for joining us. And also with us today is Robert Erickson, vice president of customer and partner success at evrock. Robert, welcome aboard. Where are you calling in from today?

Speaker D: Hi Kevin. I'm calling in from a little bit sunnier place. I'm sitting in our office down in the south of France, so.

Speaker A: Very good. All right, well, wonderful. Gentlemen, it is great to have you with us today. Look, I'd like to start our discussion, uh, out today by pointing our attention to an article published recently by Data Center Dynamics. It talks about NATO's communication and information agency and how they have struck a deal with Google Cloud to deploy Google's distributed cloud in its air gapped form. This is a version isolated from the public Internet. This move will support NATO's joint analysis, training and education center, bolstering its data sovereignty and resilience and secure AI and cloud capabilities. I'm wondering what the panel thinks about this article. Um, I'd like to start with you Andreas, if I could. What are your thoughts about the article and does it miss anything important that we should be considering?

Speaker B: Well, first and foremost, it wasn't for me kind of an unexpected move, but I do think a really interesting move at the same time. Unexpected that a company like Natto is still picking a hyperscaler. But I do think that that is a kind of a good and a nuanced trend that we see happening in the market. So people becoming aware of digital sovereignty and uh, because they are aware, they start to make very conscious decisions. And I can imagine that they have really good agreements with GCP in place on how they shape up the sovereignty, the autonomy. Um, so unexpected. But at the same time I do think a very, very interesting move that uh, that happened there.

Speaker A: Now Francisco, tell us a little bit more about this idea of its air gapped form. Uh, this is isolated from the public Internet. Tell us a little bit more about how that works and what are your thoughts on the article?

Speaker C: I think that, you know, it's interesting because, you know, from the Europe we have, we are used to think about the European Union, sovereignty of things and that's kind of Europe and so on. NATO of course, a bit different because it's not just Europe, right. There is also US is also part of that and even other countries. So the cost of sovereignty there is a bit different than the one we are used to from the European un. But I do understand the choice of Google Cloud because we even were working sometimes with Google to kind of investigate the possibilities of deploying the same solution as our sovereign cloud offering. And it does make sense. Google itself is really built a lot on security. So it's just about the sovereignty part which is a bit missing. As when hosted in an M. American owned proprietary stuff, then it's you know, questionable. But from the security technical standpoint, security wise, Google is very solid. So I can understand the choice there.

Speaker A: Now Robert, what are your thoughts on the article? Now some folks might argue that this is really not sovereign. I'm no expert. You tell me, what are your thoughts?

Speaker D: Yeah, my guess, it didn't come to me. That's such a big surprise that they go with the likes. They're well known brands and names in this space. Uh, I would have hoped to have thought a little bit further than that. Of course as Francesco uh, mentioned here, it's uh, us a big player in NATO, I mean by far the biggest one of all the nations in there. I would have personally hoped they were thinking a little bit wider and that Europe had pushed a little bit more around their own solutions in that space at least to kind of hedge the exposure from one place to another from that perspective. But I do understand it from a, uh, they are ahead from a technology perspective. But I think we do have some great offerings in Europe, uh, that should be considered. But having said that, it's not like everything goes in the way of those names that were mentioned. I think we're going to see a lot more common and I think NATO knows better than putting all the eggs in one basket there. But I generally hope that we see a little bit more focus to a uh, more spread dynamic in that instance. And I think that's where the European countries need to step up and show we're not going to rely on the Americans for all the protections in the broader sense, which I think historically been the thing, uh, we need to move in there more still be a great partner in that space, but also take much more ownership, uh, on several fronts, not just the technology side of things.

Speaker A: All right, well the article is from Data Center Dynamics. It's here in the webinar chat featured. Everybody take a look at the article and let us know what you think. As well we'd like to understand uh, what you think about the article. Does it resonate with you? Do you have uh, anything that the article ah, misses that we should be considering? All right, well gentlemen, um, we've got a great session ahead of us today, so I'd like to jump into our first discussion point and that is what data sovereignty means for your engineering teams and platforms. Engineering leaders are increasingly prioritizing sovereignty in their infrastructure. According to IDC, nearly 70% of organizations say digital sovereignty is important. It's strengthening things like customer and partner and government trust. Andreas, I'm wondering how are engineering teams rethinking platform design to meet digital sovereignty requirements?

Speaker B: Yeah, so when I, about half a year, a year ago started to focus on the topic of sovereignty, I saw a lot of resemblance with the big agile and cloud transformations that we've had in large corporates. Right. So large bank insurance companies making with their teams the jump from monoliths to microservices and they really had to rethink and re architecture application patterns etc. And then from a people in the process more the agile way of working DevOps etc. Really have to rethink how teams collaborate and the responsibilities etc. And how I experience digital sovereignty at this moment is that yet again they need to rethink how they make architectural choices. Right. Do you go for a hyperscaler? Do you want to get alternatives? Do you go to a hyperscaler but still only use a kind of compute and decouple from a cloud native layer for example. So the interesting element that we're in when we speak to customers is that teams are no longer just executing features but they are really considering hey, what are the choices I need to make, what are the technologies I need to pick before I implement anything that is moving to production. That's one and that's easier when there's new developments going on. Um, but also like in the, in the, in the transformation there, the first few years to cloud native also real RE architecture has to happen and I do think that is really where teams struggle because what is the business value in the short term if you're not adding new features but you're just ah, moving with your teams to a more sovereign solution. So I really see a kind of a, yeah a challenge for large enterprises in how they prioritize this type of work.

Speaker A: And Andreas, which technical challenges do you see most often when companies try to implement sovereignty aligned infrastructures and how do we balance control and flexibility?

Speaker B: Well the, the biggest, in my mind the biggest challenge obviously when it comes down to implementation, right, it's lots of man hours. But the biggest challenge is understanding what, where am I as a company most vulnerable? Um, right from a software or from a people perspective or from a support perspective or a lifecycle management of my applications and truly understanding the full spectrum of sovereignty that I do think is still where many companies are at. And you first need to do that assessment to understand what are the areas that I need to transform first to reduce my risk before we move to um, execution. So I see a lot of teams struggling there. Then I do think from a technical perspective where the challenges is really decoupling um, from a lot of the services that you use from a hyperscaler, for example towards a tier 2 or still on an hyperscaler, but decoupled from the specific aws, GCP or Azure type of, type of service. And that's just a lot of work to uh, get that done.

Speaker A: Francisco, from your perspective, how does digital sovereignty impact the way your engineering teams build and maintain cloud platforms?

Speaker C: Yeah, so we always think that sovereignty is always relative to the domain you are talking about. So we have been talking about EU level of sovereignty, but also in Vivicta we have been for many years working on the country level of sovereignty. Right. And when we talk about those domain levels it means that everything for us, it means that everything you need for delivering the capacity services or cloud services, it needs to be within the domain. Right? So if the domain is Europe, means that every tools, people, especially working there, uh, data, uh, needs to be within that domain. But it's also very important the provider. Right. And there is so much about um, the provider kind of um, framework which is relevant to sovereignty because you may have all the data for example in the eu, all the people working there in the eu, but once again if you want to warranty the data sovereignty which is in the end of the day is not so much the infra but it's the data that you want to secure the sovereignty. Uh, if the company running the service for you is outside your framework, domain framework, legislation wise, regulation wise, then that's where you have the risk. Uh, are you having full control or not? And um, so from our part we can guarantee being who we are in all the company owned by European stakeholders. So we can guarantee that from a stakeholders ownership point of view we can deliver on sovereign value. Um, but of course uh, it's always about the like, uh, Andre is the level of risk that organizations are willing to take. Right. Um, and in the end of the day what we see is the hybrid setup. So it's kind of very hard for organizations to give away the wealth of service of the public cloud, the big hypervisors, American providers, et cetera because there's so much there. But then they need a plan B. They need, okay, that's okay, we can use those but maybe the production data, uh, you know, the citizens data, uh, you know, the kind of the healthcare data, maybe that you don't want to have on the public cloud, but you want to have an alternative. And, um, that's with the flexibility angle you were talking about, Kevin. So that's the challenge. But that's exactly why we are here, if I may say, as a reinterrator, to help the customers to build the right level of sovereignty for their workloads, to have the right data, the right cloud, and pretty much helping them with their very hard task of being compliant with everything they have ahead of them. So, uh, it's a balancing act. Uh, but the ecosystem, there are tools in the ecosystem, both in public and private cloud, that help the customers. This is about managing, defining your risk management principles, and then having the right help from the right providers to help you mitigate and build the right solutions.

Speaker A: There you mentioned balance. And I always like to ask about this whole idea of balancing. What are some of the top considerations, Francisco, for balancing performance, scalability, regulatory compliance.

Speaker C: Yeah, so very, uh, clear example is we have a lot of customers that have this hybrid application lifecycle management, which means that they do the application development in, uh, native public cloud, for example, but there is only like, uh, mockup data, uh, fake data, synthetic data, but then the actual production workloads with the real production data, with the real sensitive data, then they host that one, for example, in our data centers or in a real sovereign European provider where they can warranty that. The legislation that applies that is just the European legislation. So that's a very clear balancing act. Then the trick, of course, how do you make sure that the data flow and the integration between public and private cloud or sovereign cloud work and are, uh, automation and scalable and so on. But that's a, uh, very common balancing act. Uh, another use case is disaster recovery. You may want to have your primary site in public cloud, but then you build this disaster recovery for your critical workloads elsewhere. So again, risk management there.

Speaker B: Interesting.

Speaker A: Robert.

Speaker B: Excuse me.

Speaker A: Go right ahead.

Speaker B: Just to hook in there. Interestingly enough, I heard, um, uh, a customer story that would do this doctor Pattern, right? So they would say, hey, let's go for the hyperscaler, uh, which is my primary, and then a local data, uh, provider, data center provider as my backup. Uh, and they pick that choice due to the fact that the Netherlands. Right. Could be flooded. Right. So the hyperscaler. Right. But now they flip that around. They said no. My primary concern from a sovereignty perspective lies on security. And I Treat the sovereignty risk bigger. Therefore I go for my primary route for a more local oriented data center, M as a backup I go for the hyperscaler. Right. So really depending on the angle you take, you can pick one route um, or the other.

Speaker C: And I think that just to add on that, I think the price discussion is all coming in because I think that we have the hype of let's go all public cloud in and um, many are realizing that that might not be cheaper necessarily because the competition in the private space is so fierce that you know, it's getting really financially wise, very sensible to move there too. So it's a, you know, the risk includes also the financial risk there. So. But I agree with saying.

Speaker A: All right now Robert, how do engineering teams integrate sovereignty requirements into the development of life cycle, uh, into the development lifecycle without slowing innovation?

Speaker D: Yeah, I mean it's a tricky question from that perspective. Of course you want to maintain that part of it, but you can do that from different aspects I guess. Uh, you can have some environments where you can allow for more kind of innovation, elaborate and just test out new ideas. But as you kind of move closer to real production, ah, data, uh, or production environments to run things, you need to start consider other aspect of it. I mean we have heard both Andreas and Francisco talk a lot about the security aspect. So of course it needs to be worked in. And if you're looking on what is changing then with the engineering teams, it's the whole lifecycle management and how do you actually approach it. You need to think about who are the people involved perhaps. I mean it's a people aspect, it's a process. So what tooling do we use and so on and so forth. And it becomes also much more important to fully understand the whole software stack that you are building. Because as you know many engineers being using open source components and so on and so forth in certain environments that may be less critical. But you really need to focus on how you harden the system as you do that. And that is where we see the biggest shift as in uh, how you actually then go and uh, build uh, and before then of course doing the extensive testing before you're deploying into those types of environments that require you to be much tighter with those things. Certain industries definitely have starting to ramp up that, uh, and you see a much, much greater understanding of the importance of that. For example within the public sector or within the defense sector. There you really see people start caring much, much more about it. Who are the people involved in from building the software all the way to then uh, deploying and operating it in the production environment, so to say. So going back to your question is how much of this is then impacting the ability to innovate? As I said, you need to strike a good balance. Uh, but if you get the right type of uh, I guess culture and ways of working, uh, Andreas touched a little bit on this, this transformational way of thinking from uh, how do we go about doing it? When that gets embedded in the organization, you're not going to lose so much of it because a lot of this is process and tooling that you can automate into the way you do it. So you don't lose as much agility as you perhaps think when you, when you're moving into this space. You need to really architect it in from the beginning. You can't really bolt it on afterwards, I would say.

Speaker A: Now Robert, what about existing platforms? Are there differences in our approach or strategies that we should consider when working with existing platforms? What lessons have you learned about operationalizing sovereignty requirements on existing platforms?

Speaker D: Yeah, I think this is where it gets a bit more tricky because historically often you just bought software packages off the shelf. I mean you may not have been too concerned on the internal workings of it, uh, and those things that is starting to become a lot more important. And it was, if you think about uh, the openness of the platform, um, what standards are used. Is it a proprietary software? Uh, I think some of the traditional software packages have less flexibility into it because of course, I guess historically it's been a smart approach to try and paint people into a certain solution because that gives you the stickiness. I think that's where things are shifting. People expect much more open platforms, ecosystems, uh, to work, uh, together. And that's when it then becomes much trickier to take care all the platforms and applications that perhaps were not built with that openness in mind. So if you look on the audibility and uh, transparency of how the internal workings work, you may not get to that as easily with existing platforms. And that really makes it harder to build that uh, sovereignty into an existing platform. Uh, but it just boils down to making sure you fully understand how those platforms work and find ways to isolate the challenges that may still exist within them.

Speaker C: If I may. Speaking of that, Robert, exactly is like it depends on what kind of platform you're talking about because very often you will have a fairly old architecture platform that might not work anymore in the cloud ecosystem or might not enable the cloud work way of working as you would like to. So then it might not be. So it's not just about the sovereignty, but that's the actual platform enable the way of working that. Also Andreas was talking about, those are very important considerations when you're thinking about uh, do you want to do that on really old platform or do you just try to build something new with modern technologies and solutions that will also deliver sovereignty. So it's uh, a. It's not simple.

Speaker B: Yeah. And no, it's, it's definitely not simple. And not to scare people away, uh, here in panel conversation, but if you think about. Right. People always try to think in black and white, but the world, when it comes down to it, isn't that simple. Right. So you could argue, as some people would say, hey, proprietary is uh, is wrong and open source is right. Well even if you would just pull a random open source library from the Internet, the main question is who's supporting it? What are the licenses being used in there? How many vulnerabilities are in there? Imagine a critical vulnerability is detected. Will it be patched very quickly? Right. So open source at first glance from a sovereignty perspective looks really good. But if it's an old project that no one is maintaining, is your organization then all of a sudden maintaining that or should you come to proprietary software choices? Uh, right. That are supported from jurisdictional region. You see, it's, I mean, although. Right. I'm a big fan and believer of open source. That's not the answer because also where does your support come from? Right. Or are you running on an unsupported open source project? If not, are then the people in Europe? Does that matter for your organization? Right. So there are many, many of these questions that need to be answered. Don't. Where, Kevin, where you started? Where is my data stored? Right. That's a very important perspective. But there are many other perspectives when it comes down to uh, sovereignty.

Speaker D: But that is a super important point there, Andreas, that you touched on. I think it's been always pivot like Open source is the answers to everything here. But the points that you pull out are super important. But what we need to think about more is probably the openness and transparency of those platforms or components. So that's really where you're going to do it. Do you understand what it is that you're building your uh, solution on top, if that is there. And of course the important bit, do I have the support for that from uh, the people that build it or maintained it? It's the dependencies. Do I understand my dependencies and do I understand the platform and Some of the concept behind open source, with transparency open, basically you can inspect it as much as you want, which may be perhaps in the old days was quite, uh, opaque. It's easy with those. But of course it comes with its own challenges. So, uh, it's finding that balance that is the hard bit when you're building for sovereignty.

Speaker C: Yes.

Speaker A: All right, gentlemen, I want to move on to our next discussion point. We are here today with Robert Erickson from evrock, Francisco Romero from Vimvicta, and Andreas Prince from suse. Uh, and gentlemen, we have a comment coming in from Emil. Thank you, Emil, for your comment here today. And Emil says regarding the article, uh, that we opened with, uh, being digital sovereign is not black and white. There are a lot of nuances around this. See the European digital sovereign, uh, framework for reference. Now, Andreas, I know you mentioned this in our, when we were talking before the show. Andreas, uh, what are your comments? A little bit. Can you give us a perspective with respect to the digital sovereign? Ah, framework.

Speaker B: Yeah, absolutely. So, um, I do feel that many companies, they struggle with articulating how sovereign and on what aspect they need to be sovereign. And the EU acknowledged that. And they've written only six page document, which I do think for the EU is very limited but very clear. And what they do is they articulate eight objectives when it comes down to sovereignty, and then four or five measurement levels on how sovereign you are. And then you can make a matrix and articulate your level of sovereignty, but more important, where you want to, uh, evolve. And when it comes down, it's not so black and white. The framework, the objectives, they range from strategy, jurisdictional, technological, environmental, supply chain. Right. So it's a very wide set of elements that a company needs to consider when it comes down to making choices, uh, for their application and their entire application stack, including infrastructure. Um, and I do think many companies could very well say, hey, uh, environmental matters most to me, or the supply chain matters most to me, or where my operational support comes from matters most to me. And that's where the nuance, I do think where Emil M. Is speaking about really comes from. And the framework is extremely helpful to quickly assess and understand, uh, where you are and where you want to bring your landscape from a sovereignty perspective.

Speaker A: All right, very good. Now I'd like to move us on to discussion point two, because I think it's a very important discussion point and I want to find the time to get to it. And that is how vendor choice, cloud strategy and infrastructure decisions impact digital sovereignty. Uh, according to GARTNER, More than 61% of CIOs and IT leaders in Western Europe say geo political pressures are pushing them toward local or regional cloud providers. This is showing that infrastructure decisions are now deeply entwined with sovereignty concerns. Um, Andreas, how should companies evaluate vendors and cloud providers to ensure compliance with digital sovereignty requirements?

Speaker B: Well, some people would argue I'm a vendor so I have no rights to speak about it. Ah, when I take a look at uh, our customers, what we see happening is vendor lock in is certainly a hot topic. So a lot of our customers, they definitely don't want to be linked to a single vendor. Um, but most of them want to be linked to two vendors. And I've heard a story on a, um, more of a defense industry type of business and they want to have four uh, choices in parallel. Obviously number one and two had the best solution for the job, um, but also alternative, um, at hand to when needed be able to switch. Um, so when we combine the previous topic at that sovereignty framework and then the vendors you pick, I do think that that is a very nice way of also looking at strategic choices you need to make. Uh, is for example the infrastructure of your uttermost importance. Well then definitely go for a party like evrog, because then you are dedicated on European soil with European, uh, people with technology, et cetera, et cetera. But if it's a bit more nuanced, well you could pick a local provider and a hyperscaler depending on your business. So we spoke about the mission criticality, Francisco spoke a little bit about that. And then applying that to all your different type of workloads I do think would give a very nuanced uh, vendor strategy. I can say that open source is absolutely, uh, back in the top decision, uh, criteria, uh, from where it's ever been in the last 10, 15 years. It's absolutely a driver to uh, make decisions at this moment.

Speaker A: Well gentlemen, we have another question coming in from Myla and Maila. Thank you for your contribution today. With global regulatory demands changing so quickly, how can companies build a tech stack that stays compliant without RE architecture? I'll open it up to the entire group.

Speaker D: Gentlemen.

Speaker A: Uh, do you have a comment for Maila?

Speaker C: Definitely, yeah. I mean if we go back to the specific of the sovereignty, actually in my mind that's one of the challenges that there isn't really a clear regulatory framework yet. There are recommendations here and there, but you know, the only, um, let's say the most detailed set of requirements to evaluate sovereign cloud that I've come across came from VMware think about that. So that was the most concrete set of requirements for defined sovereign cloud. Of course they were very much driven because they saw the business opportunity there and they were one of the first ones talking about sovereign cloud. Uh, so if you think about what are the regulatory framework we are talking about, it's you know, European Union doesn't yet have a very well defined. There is this uh, like Andrea said, this sort of framework recommendation but it's not really a regulation body so you really need to um, what are the regulations we are talking about and for sovereignty there isn't really a specific one, it's more like a perception. Uh, just to give you an example how unclear things are. Recently the Ministry of uh, Interior affairs in Finland, I think it was, they chose to go with Amazon for hosting the Finnish elections data because it was 5 million cheaper than private cloud options. So there wasn't anything that prevented them from putting, putting the Finnish kind of elections data into a public cloud American company. So that tells you that the regulation is very kind of, uh, but I understand the question and it's not simple. Uh, but there are other which are more relevant maybe for infrastructure like CIS needs to. Those are more concrete regulations that do impact the infrastructure and they have requirements, uh, they require of course constant life cycle management and sometimes it's a big investment and you can talk about several million to keep your uh, infrastructure compliant with that.

Speaker B: Yeah. So just to comment, I do think um, digital sovereignty or data sovereignty or autonomy or resilience. Right. Depending on the label you put on it, I would almost argue is a business consideration. Right. When it comes down to the public sector obviously. Right. A country might have a say uh, in business resilience for their public sector or the mission critical infrastructure when it comes down to regulatory requirements. You mentioned that there's PCI, DSS, there's the Cyber, there's Dora, there's NIST2. Right. So there's a lot of regulatory um, uh initiatives and laws already um, about to be implemented or implemented in the countries or in Europe, um, in particular and they absolutely describe for example how you need to do risk management. So you can learn a lot on how to do secure supply chain etc and that will contribute to your sovereignty. What we see happening um, in some of our early conversations as soon as the framework was launched is that customers uh, including public sector were calling out the framework in particular. So we are expecting that it will become more and more part of the procurement process uh, and that companies are aware of the risk factor and would Articulate hey, this is what I would like to see. And therefore these vendors are in and these vendors are out because they don't match how we think about the resilience and the risk of resilience now.

Speaker A: Robert. Uh, Andreas. I'm sorry, go right ahead. Robert, I interrupted you.

Speaker D: Yeah, no, I was going to say if we go back to Milad's question around us in Canada moving incredibly fast at the moment. But if you look on the underlying needs for many of the organizations where sovereignty is super important, it doesn't move as fast. If you can through see through the hype, uh, you can establish frameworks, processes, way of working, uh, work with open standards and those type of things to future proof your architecture for regulatory change. That I think is a key point to make here and you should really design whatever you build for uh, replaceability so make sure it's a modular and replaceable components within there. So if certain vendors fall in or out of the categories that we're talking about, uh, making sure that then there is an option for moving for something different because things will change but the underlying needs are not changing as fast as perhaps the tech are doing. So I think that's a key point. It may feel like it's hard to keep up but if you take a step back it's kind of same fundamentals around. How do you move data between things? How do you share data? Uh, are you ensuring the data is in the right place? Is use technologies, different technologies that help you do that in different ways? Uh, I guess that would be my kind of build on that question that was raised.

Speaker A: Well Robert, you're driving us right to where I wanted to go next, which is our discussion point three which is building a future proof tech stack that meets changing global requirements. Robert, how do you help clients ensure that their platforms can quickly adapt to new or changing sovereignty rules?

Speaker D: I think we touched on probably some of those concepts already. First of all you need to understand the dependencies that you do have uh, and therefore you build for that also what are the critical components on it. You don't need to implement all of those things. Uh ah, for everything you do. Certain systems, certain applications may be less uh sensitive but you focus on the one that really matters. That's where you need then to build with, with those principles in mind around replaceability, uh m make sure that you don't do maybe prioritize feature richness because some of that may be proprietary features that sits within the tooling. Make sure that there are ways a uh, pass away from the tools that you choose, do you have that replaceability and optionality as you move forward? That's really a way to make sure that the platform is future proof. So always look for options. And I think historically people have done that within regulatory industries. I just think it's a few more criteria coming into the play. I mean, personally background in financial services. I mean, we were required to evidence that we could move from one cloud provider to another. Uh, in those instances, you probably pick two hyperscalers in the U.S. uh, nowadays, maybe you would ask yourself, is that enough? Or do you need to think differently because there are other risks, uh, that you need to mitigate with those things. And all of this needs to be coming back to how do you actually build your applications and the architecture that you're having? If you wonder why the lights go on and off here, it's like we have some electricity problems in the building. Uh, I don't know. I'm lucky that the WI fi is holding up and my laptop is on battery, but it's just coming on and off.

Speaker A: Well, hang in there, Robert. If we lose you, we'll know why. So we hope that it's all a good sign. Um, now, Francisco, I want to get to you in a moment here, but Andreas, we're talking about. I'm curious, what elements of a tech stack do you feel are most crucial to consider and to future proof against evolving regulations?

Speaker B: Yeah, so, um, there are two elements in my mind where you should look at. So one is, um, where Robert already, uh, called out is the portability. Imagine you want to move from one to the other. What is then the decoupling layer? And that's really an enterprise architect type of conversation. What is the decoupling layer that allows you to host your business application? One cloud or one provider versus the other provider? And very often when we speak about the cloud native stack, that very well might be your kubernetes layer. So do you pick then, um, a hyperscaler specific option at gke, for example, or eks, Right. Which is really tied into the ecosystem there, or do you decouple and go for a vanilla Kubernetes RK2K3S lightweight distribution? Because if you do so right, then it doesn't matter if you port it towards a European cloud provider, because it will still work. So think about decoupling and where that can, where that can happen. That would be, in my mind, the first one. The other one, which I do think is extremely important when you think about control, is that you need to understand how the supply chain looks like and how it's created. Um, we've seen from the pandemic with the physical supply chains how uh at risk we are as Europe uh, but the whole world comes to a still stand when nothing is happening. And similar applies to software. So understanding how your software is created, who assigned it, what is in there, what are the libraries used, the licenses, the vulnerabilities is really important. And if you cannot prove that in your tech stack I do think you should really focus on these areas to see if you can make change first. Um because yeah with the supply chain attack for example your immediate, your entire app uh stack is and your business application is at risk. So decoupling and supply chain uh would be two for me strategic areas to consider um, really investigating deeply and making changes where needed.

Speaker A: Now Francisco, I'm curious about the types of financial investments I should be prioritizing. How should organizations prioritize their investments in infrastructure to remain agile under shifting regulatory demands.

Speaker C: So I think that the first place where I would start investing is in a very good state of the art data governance. Because in my mind the whole starts from making sure that you know exactly the requirement for your data. Many, many times I talk to customers they are worried about the infra layer but then they if you okay, so what workloads data you, you need to put in what uh, against what data classification requirements. Very often the answer is very vague. So I think that it's important to develop the culture. Okay, let's start by having a good data governance that is describes very well what data uh my organization needs for the critical functions needs to be sovereign or not and you need to use the criteria that you get the requirements you need to follow and so on. Those are, you know, if you are in the financial system you have some, if you are in the public sector you have another ones. But that would be my first place of invest. Make sure you do have that in control because that will make sure that you know where what you need to react to in case something changes. Uh so that would be my point number one. Once you have established okay this is the data that I need to have more care about then diversify your strategy of storage don't have it's I think what Andreas was saying and Robert so don't have all the eggs in one basket, right? So you have a working primary site. But the most important thing if you want to react fast to possible changes in the ecosystem, uh legislation, geopolitical, et cetera, uh don't wait until that happens to have another Place where your data is safe, but you know, you have a active site backup site and then you can uh, move from one to the other and they will respond to different requirements. And of course the third one is like Andreas and was talking about the application architecture. Nowadays you want flexibility, do containers. That's it. You need to in the containers kubernetes. If you want flexibility, portability. If you are still on the virtual machine monolithic application, you have a big problem for the mobility. So start thinking about rearchitecting your applications to work containers and kubernetes. Yes.

Speaker A: Now gentlemen, we're almost out of time, but before I move forward, um, I'm wondering what are some of the common pitfalls or what's one common pitfall engineering team should avoid? Robert, is there a pitfall we should be on the top of our list?

Speaker D: Uh, I mean the one I would probably call out there is not fall for the kind of the tech hype. Everything new is not the best. Always. Yeah. Try and take a step back and make sure that, that you assess the technologies that you're planning to use, make sure they are mature and from a sovereign perspective. And the things that Andreas touched on, I mean you can find tons of fancy open source things that three kids have dreamt up in a basement. As in you need to understand those things before you jump on the bandwagon. So the pitfall there is make sure you understand what you get into. Kind of be solid step and think it through. Uh, understand the dependencies that falls with the decisions you make. So take a step back before you make a big call on architecture, application or things that you're planning to change would be my takeaway on that.

Speaker A: And uh, Francisco, um, what's one pitfall that we should avoid?

Speaker C: Uh, I think, uh, having everything in one place. That's in my mind the number one, uh, do a resilient architecture where you have duality of things. Don't have a single point of failure, especially in your data architecture. The rest you can restore, but the data needs to be sound and safe.

Speaker A: And Andreas, what are your thoughts on what, What's a pitfall engineering teams should avoid when building a future proof tech stack?

Speaker B: We didn't speak about AI yet, uh, in this webinar, amazingly so.

Speaker D: Yes.

Speaker B: Let me introduce it from a sovereignty perspective here. I do think we're underestimating the risk of all of our development stack. Right. So the tools we use day to day, from Office 365 to G Suite to Copilot, ChatGPT, whatever we use um, because it's not only the data, right, that we're leaking to other areas, but these tools are getting so smart in sniffing so much data, uh, on our processes, right? So they're not only stealing, but they're not only understanding our data, but they're also understanding how our process, our organization is actually operated. So I would say double concerns, right? I'm a big fan of AI. Everyone who knows me, uh, will definitely agree there. But, uh, we should be very, very careful when it comes down to, uh, digital sovereignty and the use of AI and then primarily in all the tools that we use in our development stacks, uh, in creating our business applications.

Speaker A: All right, everyone, we are here. This is Digital Transformation Talk. We're here with Andreas Prince, Global, head of Sovereign Solutions at suse, Francisco Romero, head of Sovereign Cloud at Vivicta, and Robert Erickson, Vice President of customer and Partner success at evrock. Gentlemen, it's been great speaking with you today. I'm wondering if each of you could please provide us with one quick action item that our viewers can use to take advantage of your ideas and advice today. Robert, do you have an action item for us?

Speaker D: Yeah, I think from an action perspective is to make sure you do kind of map out your dependencies and really understand what does this mean for you. I think that may not have been done enough. So you figure out what are the critical areas that you really need to focus your time investment, uh, and all of those good things in, uh, because it's not going to go across the whole organization should make sure that you then focus on the right areas. That would probably be my first one. Make sure you understand where you stand internally and where to focus that energy.

Speaker A: Very good. That is Robert Erickson from evrock. Thank you, Robert, for being with us. Francisco, do you have an action item for us today?

Speaker C: I think in the present context, with so many things change, I think it's very important that, uh, technological leaders revise their, uh, business continuity plans. I think that's, um, very important to make sure what kind of contingency situations you are prepared for and how. And you know, if you are confident of what you have, fine. If not, think about options.

Speaker A: Very good. That is Francisco Romero from Vivicta. Thank you, Francisco, for being with us today. Andres, how about you? Do you have an action item for us?

Speaker B: Well, I had the exact same as Robert, so. Ah, thanks for sharing that. But let me give another advice. Um, I would advise board members or executives to make it a board room conversation because it is such a big wake up call. I would say in the entire industry that it's about time to make it also a top priority for a company. If it's not yet being discussed there. Your business resilience. Absolutely. Start doing that because this might be a time to make fundamental, um, changes to, uh, your architecture and how you operate your business, that is.

Speaker A: Andreas Prinz, global head of sovereign solutions at SUSE Andres Francisco. Robert, it's been great speaking with you today. Thank you so much for your perspectives and advice. Really spot on. I hope we get a chance to talk again soon. And to everyone joining us today, thank you, too. We want to thank Emil and Myla for their contributions today. You have won yourself a highly functional and highly fashionable, uh, AI Talk coffee mug. So, uh, we will be in touch with that, uh, here shortly. So thank you for that. And are you looking for some more great sessions? Well, everyone, you can join us, ah, for our sister show, AI Talk on December 2nd. We've got a great panel of guests scheduled discussing the topic of data as the missing link between AI and digital transformation. That should be another great session. And if you'd like to find me, you can do so on LinkedIn. I'm happy to connect there. You can check me out. I'm Kevin Crane, and you can check out my weekly audio podcast, the Digital Transformation Podcast. But for now, that'll do it for this episode of Digital Transformation Talk. And until next time, I am Kevin Crane saying thanks for watching.