8 January 2026
Article Series – 2 of 18 Publications
The geopolitical changes of recent years highlight the need to enable armed forces for Multi-Domain Operations (MDO). The technical backbone for this is a cloud infrastructure that enables smooth, secure data processing in real time, handles large volumes of data with agility and exchanges it between sensors, weapon systems and command centres. Cloud (infra)structures in the defence industry place considerable demands on data governance – i.e. the legally compliant and responsible management of data – as well as digital sovereignty, i.e. control over cloud structures. In addition, MDOs are closely linked to the topics of cyber security and software-defined defence.
For government agencies – especially military and security authorities – the location of data processing is a critical factor. Sensitive military data must be stored and processed in national or (in the case of non-export-restricted information) EU-based data centres in order to prevent access by foreign jurisdictions.
This means that MDO-suitable cloud structures should be operated in dedicated data centres and technically prevent external access or data leaks.
Data locations are also a decisive criterion for cloud infrastructures because companies in the defence sector must strictly comply with export control regulations. Under export control law, making technical data electronically available to recipients abroad is considered an export, in addition to transferring it abroad. According to the Dual-Use Regulation (Regulation (EC) 428/2009), ‘export’ explicitly includes ‘the transfer of software or technology by electronic means [...] to a destination outside the EU’ and thus also addresses pure access to the technology, regardless of the physical location of the server.
If an arms manufacturer uploads design plans (dual-use technology or military equipment) to a cloud and employees or subcontractors outside Germany or the EU can access them, this is – depending on the specific case – an export transaction subject to authorisation. In this scenario, remote access by a company's own developer from a third country to the company server in Germany can also count as an export.
Protection of confidentiality is a top priority in military IT systems. In Germany, the German government's Secrecy Protection Manual (GHB) regulates the handling of classified information (VS) – including specifications for IT systems (Appendix 4 ‘VS-NfD Information Sheet’). Cloud solutions that process classified information must meet these strict requirements. Even unauthorised handling of information subject to the lowest VS classification level, VS-NfD, can result in criminal prosecution. Consequently, authorities require companies that handle VS data to self-accredit their IT systems: by 1 September 2025 at the latest, all affected companies had to prove to the client that their systems meet the requirements of the VS-NfD information sheet – above all, technical isolation and robust segmentation, as well as compliance with encryption standards.
In addition, organisational measures must be implemented, such as mandatory security checks of employees in accordance with the Security Check Act (SÜG).
Although limited, personal data can play a role in MDO. In principle, the requirements of the General Data Protection Regulation (GDPR) apply, although activities to safeguard national security or government actions in the event of defence are not covered by the GDPR. Routine data processing does not fall under this exception, meaning that data protection must be observed for certain aspects of cloud infrastructures in MDO scenarios.
If, for example, an external cloud provider is used for non-classified applications of the German Armed Forces (such as office services), data processing agreements must be concluded in accordance with Art. 28 GDPR. In addition, basic data protection requirements must be complied with, either directly or indirectly as industry best practices. The positive flip side: high protection standards for classified data usually automatically mean that personal data is also protected (e.g. because all transport routes are encrypted, all accesses are logged, etc.).
For multinational MDOs, such as those within the NATO framework, the challenges of secure cloud infrastructures increase even further. Different national confidentiality levels must be harmonised and secure data bridges created. Compliance with national standards is a prerequisite for meeting international requirements.
Companies that offer IT services or cloud solutions for the defence sector must therefore be able to comply with a considerable set of regulatory requirements and processes, ideally ‘by design’.
The basics include a functioning compliance management system for confidentiality and export control. This includes expanding the information security management system (ISMS) to include modules for classified data. Another key criterion is compliance with technical sovereignty. In addition to the location of the hosting, this includes the application of appropriate encryption standards and access exclusively by authorised personnel (with security checks if necessary). Interoperability also ensures compatibility with European cloud platforms (GAIA-X compatible or similar). The cloud should also technically ensure that export regulations are implemented ‘by design’ through forward-looking data governance, for example by blocking access for users from certain countries. Robust SLAs for data security and proof of supply chain risk management ensure the necessary cyber resilience for cloud infrastructures.