The Case for German Sovereign Cloud — Why STACKIT Exists
STACKIT is not a startup cloud provider trying to catch up with AWS on features. It is the cloud infrastructure built and operated by Schwarz Digits, the technology arm of the Schwarz Group, the German company behind Lidl and Kaufland.
The Schwarz Group operates in 32 countries, serves hundreds of millions of customers each year, and processes a volume of transactions that puts it among the largest IT operators in Europe. STACKIT was built to support that scale, under German law and on German soil. Opening it up to external customers came later. The engineering came first.
That background matters. A cloud platform built to support the internal infrastructure of one of Europe’s largest retailers is not a theoretical offering. It is a proven infrastructure with a real operating track record.
German Ownership, German Law
STACKIT is owned by the Schwarz Group, a German company with no US parent and no US controlling shareholders. It sits legally and operationally outside the reach of the CLOUD Act, the US law that allows federal authorities to compel American companies to hand over data, even when that data is stored outside the United States.
AWS, Microsoft Azure, and Google Cloud are all American companies. No matter where they physically store European data, they remain subject to US federal law. STACKIT does not.
This is not a marketing line. It is a legal point that can be verified by looking at the ownership structure. The Schwarz Group is privately held by the Schwarz family. There are no US institutional shareholders in a position to create CLOUD Act exposure.
SEAL-3 Certification
STACKIT achieved SEAL 3 certification under the EU Sovereignty Effectiveness Assurance Level framework. SEAL 3 is the point at which a cloud provider is regarded as legally and operationally protected from non-EU supply chain interference.
In April 2026, the EU Commission awarded a €180 million sovereign cloud contract to four SEAL 3 certified providers. STACKIT was one of them. That is the strongest external validation of STACKIT’s sovereignty position to date, and a clear signal that European institutions at the highest level view STACKIT as a trusted infrastructure provider.
ISO 27001 and BSI C5
STACKIT holds ISO 27001 certification, the international standard for information security management. This is a baseline requirement for cloud providers operating in regulated markets.
For European enterprise customers, the more significant certification is BSI C5. C5, or Cloud Computing Compliance Criteria Catalogue, is the cloud security standard set by the German Federal Office for Information Security. It is designed specifically for the German regulatory environment and is often required for public sector and financial services cloud procurement in Germany.
BSI C5 covers 17 areas of cloud security, including data protection, cryptography, supply chain security, and incident management. Holding C5 is a requirement for cloud procurement by German federal agencies and Länder governments.
For European businesses with German customers, partners, or regulatory obligations, a provider with C5 certification is much easier to defend in a compliance audit.
Data Centres: Germany and Austria
STACKIT operates only from data centres in Germany, including Bad Friedrichshall, the headquarters of Schwarz Digits, as well as additional sites in Germany and Austria. It does not operate data centres outside this footprint.
For businesses with explicit German or Austrian data residency requirements, whether contractual, regulatory, or policy-driven, this is a straightforward fit. Data stays within the DACH region.
OpenStack Foundation
STACKIT’s infrastructure is built on OpenStack, the open source cloud infrastructure platform. That means the underlying compute, networking, and storage layers are based on widely used and well-understood open source technology rather than proprietary systems.
For engineering teams, this has practical value. OpenStack APIs are documented, the tooling ecosystem is mature, and there is less dependency on a single vendor at the infrastructure layer. Moving to STACKIT does not mean moving to a black box platform.
Who STACKIT Is For
STACKIT is a particularly strong fit for businesses with German data residency requirements, financial services firms working through DORA compliance, organisations that have already been asked about BSI C5 in procurement or audit, and businesses that want a cloud provider whose ownership structure clearly sits outside US jurisdiction.
It is also a strong choice for businesses that simply want a robust, European-owned cloud platform with a genuine operating track record. The Schwarz Group is not a startup, and STACKIT is not an experiment.
Ready to Have a Conversation?
If you have read this series and recognised your organisation in it, the next step is simple. Get in touch. We will have a chat, ask a few questions, and give you an honest view of what is involved. No charge. No obligation.
Back to: Migrate from AWS to Stackit Series
