KPN and Schwarz Digits have announced a strategic partnership to build a sovereign cloud infrastructure specifically for the Dutch market, with services expected to go live by mid-2027. The announcement, made on May 28, 2026, marks a significant step in the Netherlands' push for digital autonomy, as the new platform will combine KPN's local data center footprint with STACKIT's proven sovereign cloud technology. For Dutch enterprises, government agencies, and public sector organizations, this means a future where sensitive data never leaves the country, governed entirely by Dutch and European regulations.

The move comes at a time when cloud sovereignty has evolved from a niche concern to a boardroom priority. After years of reliance on hyperscale providers, European organizations are reevaluating their cloud strategies in light of geopolitical tensions, fragmented data protection laws, and the reality that data stored with non-European providers can be subject to extraterritorial surveillance. KPN and STACKIT are betting that their joint offering will capture a substantial slice of the Dutch market by offering something the big three cloud providers cannot: ironclad guarantees of data residency, encryption key sovereignty, and exclusion of foreign jurisdiction.

The Partnership Blueprint

KPN, the Netherlands' largest telecommunications company, brings deep domestic infrastructure and a trusted brand to the table. The sovereign cloud will run in KPN's existing Dutch data centers, which are already certified to stringent national and European standards. These facilities are connected via KPN's backbone network, ensuring low-latency access for users across the country. By leveraging its own real estate and connectivity, KPN avoids dependencies on third-party colocation providers, closing one more potential data leakage vector.

On the software and services side, STACKIT—the cloud brand of Schwarz Digits, part of the Schwarz Group (known for retail giants Lidl and Kaufland)—provides a mature, battle-tested platform. STACKIT has already been operating a sovereign cloud in Germany, proving its ability to run mission-critical workloads for enterprises with strict compliance requirements. The cloud platform is built on open-source components and runs entirely on European soil, with no backdoors for foreign intelligence access. Its infrastructure is designed so that even operational personnel from Schwarz Digits do not have uncontrolled access to customer data, a crucial differentiator from standard public cloud models.

“Dutch organizations have been waiting for a viable sovereign alternative that doesn't sacrifice functionality for compliance,” said a joint statement from the companies. “By combining KPN’s infrastructure and trust with STACKIT’s technology, we’re creating a platform where data stays in the Netherlands, under Dutch law, at all times.”

Technical Pillars of the Sovereign Cloud

The STACKIT platform, to be deployed in KPN data centers, offers a full stack of IaaS and PaaS services comparable to mainstream clouds. Expect virtual machines, managed Kubernetes, object storage, databases, and a suite of developer tools. Critically, all services are engineered with sovereignty as a foundational principle, not an afterthought. Key technical differentiators include:

  • Data Residency and Jurisdiction: Customer data is stored exclusively in Dutch data centers, with clear contractual guarantees that no data moves across borders without explicit consent. Legal disputes are handled under Dutch and EU law only.
  • Encryption Sovereignty: Customers manage their own encryption keys via external key management systems, ensuring that even platform operators cannot decrypt stored data. This satisfies the “hold your own key” (HYOK) model demanded by Dutch financial institutions and healthcare providers.
  • Zero-Trust Architecture: The platform implements rigorous access controls. Administrative access is time-bound, fully logged, and requires multi-party authorization. No single operator can reach customer data.
  • Gaia-X Compatibility: STACKIT has aligned its APIs and standards with the Gaia-X framework, a European initiative to create a federated, trustworthy data infrastructure. This future-proofs the KPN-STACKIT cloud for upcoming EU regulations and interoperability mandates.

Why Sovereignty Matters: The Regulatory Backdrop

The Dutch government has been particularly vocal about cloud sovereignty. In recent years, several parliamentary motions urged the public sector to avoid hyperscalers for sensitive workloads unless sufficient safeguards are in place. The National Cyber Security Centre (NCSC) has issued guidelines recommending a risk-based approach to cloud adoption, emphasizing the dangers of extraterritorial legislation like the US CLOUD Act. For Dutch municipalities storing citizen data, the risk of US authorities accessing that data through a parent company’s legal obligations is unacceptable.

Moreover, the Schrems II ruling by the Court of Justice of the European Union invalidated the EU-US Privacy Shield, leaving organizations scrambling for alternatives. While a new Data Privacy Framework has since been agreed upon, many Dutch legal experts remain skeptical about its long-term viability. A sovereign cloud, provided by entities entirely under EU jurisdiction, sidesteps these transatlantic legal gymnastics entirely.

KPN’s deep relationships with the Dutch government give the new venture a clear path to certification for sensitive workloads. The company is already a primary IT provider for many public bodies, and this cloud can slide into existing framework agreements with minimal friction.

The Competitive Landscape

KPN and STACKIT are not entering an empty market. Other European sovereign cloud projects are already in motion, including:

  • Microsoft Cloud for Sovereignty: Microsoft offers a dedicated version of Azure with enhanced residency and encryption features, but many critics point out that it still relies on the same underlying Azure infrastructure, which is ultimately controlled by a US corporation subject to US law.
  • Google Sovereign Controls: Similarly, Google’s solution layers additional controls onto its global GCP platform, but fails to fully address fears of hidden data flows or external law enforcement access.
  • OVHcloud: The French provider operates data centers across Europe and markets itself as a sovereign alternative, though its scale and service portfolio are more limited than the hyperscalers’.
  • Deutsche Telekom / T-Systems: In Germany, Deutsche Telekom partners with Google to offer a sovereign cloud, but this still ties into Google’s technology stack.

What sets the KPN-STACKIT partnership apart is its bottom-up sovereignty. Neither parent company is beholden to foreign parent companies or intelligence agencies. The platform is purpose-built for European compliance, not retrofitted to meet it. For Dutch organizations that have been burned by changing international policies or that simply want to minimize risk, this independence is compelling.

What Dutch Enterprises Can Expect

For the Dutch market, the availability of a truly sovereign cloud is likely to accelerate digital transformation projects that were previously stalled due to compliance fears. Healthcare institutions can finally move electronic patient records to the cloud without violating national data protection laws. Municipalities can build citizen-facing apps on a platform that guarantees data stays within Dutch borders. Financial services firms can leverage cloud elasticity while satisfying rigid regulatory requirements.

KPN is expected to offer direct migration assistance, leveraging its existing professional services arm. Many Dutch organizations already rely on KPN for connectivity and managed services, so adding sovereign cloud to the portfolio creates a one-stop-shop for IT needs. Early adopters are likely to include government agencies with clear mandates to adopt sovereign infrastructure, followed by enterprises in regulated industries.

Developers and IT managers will find familiar tooling on the STACKIT platform. The use of standard APIs means that many applications can be migrated with minimal refactoring. STACKIT also maintains a marketplace with pre-configured software stacks, further easing onboarding. While the global hyperscalers may still have an edge in raw scalability or the sheer breadth of managed services, the vast majority of workload requirements will be comfortably met by the KPN-STACKIT cloud.

Challenges and Uncertainties

Despite the promise, the road to a successful sovereign cloud launch is not without obstacles. Building and operating a full-scale cloud platform is capital-intensive, and gaining market share against entrenched hyperscalers will require aggressive pricing and a compelling feature roadmap. STACKIT, while successful in Germany, is not yet a household name globally. KPN will need to lead with trust and proven reliability, stressing the unique compliance advantages.

Another challenge lies in the very definition of sovereignty. While the platform will legally be under Dutch jurisdiction, some critics may point out that the hardware itself often comes from non-European suppliers. KPN has stated that it is working with vendors to minimize supply-chain risks, but complete hardware independence remains an industry-wide challenge. Additionally, if customers use non-sovereign SaaS applications on top of the infrastructure, they could inadvertently leak data out of the jurisdiction. Education and careful architecture will be essential.

Furthermore, the mid-2027 timeline means that potential customers must plan for a wait. In the interim, some may opt for short-term solutions or continue with their current providers. KPN can mitigate this by offering early adopter programs and clear roadmap visibility.

The Bigger Picture: A Blueprint for Other European Nations

The KPN-STACKIT deal may serve as a model for other countries seeking to bolster their digital sovereignty. The combination of a national telecom incumbent with a sovereign cloud technology provider creates a partnership that is both legally and commercially sustainable. France, Spain, and the Nordics, all with strong telecom operators and a similar appetite for sovereignty, could watch this project closely. If successful, it could catalyze a wave of localized cloud offerings that collectively erode the dominance of US-based hyperscalers in Europe.

For Microsoft and its Azure cloud, the rise of sovereign alternatives presents a strategic challenge. Windows-based ecosystems are deeply integrated with Azure services, particularly for hybrid deployments using Azure Stack HCI. KPN may eventually offer hybrid solutions that tie into on-premises Windows environments, but for many enterprises, the shift to a sovereign cloud could mean rethinking their Microsoft licensing and management strategies. Microsoft’s own sovereign cloud initiatives will need to keep pace, or risk losing a crucial segment of the European market.

Conclusion

KPN and STACKIT are setting out to build more than just a new cloud region; they are crafting a digital fortress that aligns with the Netherlands' strict privacy values and the EU's push for technological autonomy. With a go-live target of mid-2027, the sovereign Dutch cloud promises to deliver the utility of hyperscale platforms without the jurisdictional baggage. As organizations increasingly prioritize control over convenience, this partnership could reshape the Dutch cloud landscape and offer a replicable blueprint for digital sovereignty across the continent. For Windows-focused IT leaders, the message is clear: the days of one-size-fits-all cloud are numbered. Start evaluating how a sovereign platform might fit into your long-term architecture now.