In February, Operation Epic Fury, the United States’ war against Iran, revealed that the cloud—the rented stack of data centers, compute, and software services—is a core part of operations, not a back-office IT service. During the campaign, peak daily usage of one Pentagon AI targeting system rose 4,425 percent. Cameron Stanley, the Pentagon’s chief digital and AI officer, summed up the lesson: “My biggest fear is really not the adversary at this point. My biggest fear is, can we keep up?”
For NATO, the answer is no. Allies are each making procurement decisions about cloud infrastructure for national civilian and defense purposes that will boost capacity—but they’re being pulled in opposite directions in harmful ways that will compound over the coming decades.
The first pressure, driven by politics, is the balkanization of cloud capacity. When the International Criminal Court’s lead prosecutor, Karim Khan, suddenly found himself locked out of his Microsoft email account in 2025 after U.S. sanctions targeted the court, allied governments awoke to a hard fact. The digital substrate on which their states, militaries, and economies run is not neutral plumbing. It is broadly American, and it can be turned off. French President Emmanuel Macron put the lesson plainly: “There is no such thing as happy vassalage.”
European capitals have been racing to address that vulnerability ever since, pouring money into “sovereign stacks” including national clouds, data residency requirements, and mandates that locals operate the infrastructure. That impulse is now hardening into blocwide policy with the release of the European Commission’s tech-sovereignty strategy which encourages homegrown alternatives across chips, cloud, and AI.
The second pressure, driven by operational considerations, is the concentration of cloud capacity. Operation Epic Fury highlights how cloud infrastructure has become central to what military theorists call the operational tail—the logistics, sustainment, and support that enable combat forces to fight. That tail now runs largely on three commercial providers: Amazon Web Services, Microsoft Azure, and Google Cloud—the “hyperscalers” whose data centers, networks, and compute platforms provide much of the digital infrastructure for both civilian and defense sectors.
Historically, the operational tail was a rear-area concern, comfortably behind the lines. It is now contested. Adversaries can reach into the tail through cyberattack, long-range strikes on data centers, anti-satellite weapons, and political pressure on the commercial providers that own most of the relevant infrastructure. Future conflicts – particularly an Article 5 event – will require enormous compute capacity that can be jointly accessed from anywhere within the alliance. None of that is currently possible.
Reducing exposure to U.S. leverage risks degrading coordination and fragmenting the alliance’s capability. A French defense workload that cannot move to a German cloud is no more interoperable than a French workload that cannot move off Microsoft Azure. A series of siloed sovereign stacks is the cloud equivalent of different shell-casing sizes—a major interoperability problem that, in a future conflict, leaves NATO unable to distribute innovations quickly or surge capacity to allies when it matters. Conversely, accepting the dependence of U.S.-dominated systems leaves the alliance with infrastructure that can be turned off by a single, and increasingly unreliable, sovereign actor.
NATO has been here before. In the decades after the alliance’s founding, NATO confronted what could have been a fatal coordination problem: every member fielding its own rifle calibers, fuel grades, communications protocols, friend-or-foe identification systems, and so forth. However superior their kit may have been, allied forces that could not interoperate could not fight together.
The solution was not to build a single U.S.-dominated NATO weapons industry; it was to standardize the interfaces among national industries. The alliance produced a body of agreements called Standardization Agreements, or STANAGs. Today there are hundreds of STANAGs, covering everything from 5.56 mm ammunition to fuel additives to identification, friend or foe protocols. Compliance with STANAGs became, in effect, the price of belonging.
There is no STANAG for the cloud. We need one.
Picture the cloud as a layered stack. At the bottom is core infrastructure: raw compute, networking, and the storage where data physically lives. Above that sits the platform layer: managed databases, container registries, analytics engines services that engineers use to build and run applications. At the top is the model and application layer: the AI systems, dashboards, and software that warfighters and analysts actually touch. Each layer locks in the layer above it: If you cannot move your data, you cannot move your platform; if you cannot move your platform, you cannot move your applications.
Fortunately, at one critical layer of the stack, the market has already converged. The key is to start with object storage, where Amazon’s S3, launched in 2006, has become the de facto global standard, supported by most major commercial providers, by every credible open-source implementation, and by most of the credible national-champion clouds across Europe and Asia. Cloudflare, DigitalOcean, IBM, MinIO, and a long list of others all offer S3-compatible storage. In effect, the alliance has an easy win in front of it: a de facto standard for storage that it just needs to turn into a de jure one.
This, in and of itself, would significantly boost interoperability within the alliance, but it should serve as a start, not an end point. Above object storage, at the platform layer, there are fewer de facto standards. But agreeing on common specifications for these platform services—so that an application built on one provider can move to another without being rebuilt—is no less essential than agreeing on them for storage.
The challenge is that the major providers have either built deliberately incompatible offerings or wrapped partial open standards in proprietary management systems that reintroduce the switching costs standards were meant to remove. Standardizing the interface layer is something NATO, with its collective buying power and political heft, is uniquely positioned to do.
That is precisely why NATO needs to first standardize around storage. Locking in S3 compatibility inside the alliance’s federated cloud procurement does three things at once. First, it captures an immediate operational and economic win—the ability to move workloads, fail over between clouds, and allow for genuine price competition at one of the highest-volume layers of the stack. Second, it builds the procurement muscle, the institutional precedent, and the coalition the alliance will need to fight the harder battles above. Third, it signals to the market that convergence is coming and so reshapes the providers’ incentive structure toward prioritizing and organizing themselves around standards on mature technologies.
This window of opportunity won’t stay open long. European allies risk fragmenting into multiple sovereign stacks. Germany’s recent procurement decisions are instructive. The country has increased its digital-sovereignty rhetoric: its coalition agreement frames digital sovereignty as “power, economic, and social policy”; its Sovereign Tech Fund channels public money into open-source infrastructure; and its Federal Office for Information Security sets some of the strictest cloud security requirements in Europe. The European Commission’s just published tech-sovereignty strategy focuses on capacity and not interoperability by creating a sovereignty test that measures control, not portability. More critically, it is silent about mandating the interface standards that would let workloads shift providers. This risks confounding any interoperability strategy NATO pursues.
Internally, NATO itself is in the midst of making consequential decisions about cloud. The Allied Software for Cloud and Edge Services, or ACE, a high-visibility project to build a federated, classified-capable cloud architecture for allied forces is in its early acquisition stages.
The next step would be to embed in those contracts, as a non-negotiable technical requirement, a single specification at the storage layer: Object storage must be compatible with the S3 interface. The technical work can run through the relevant NATO body—the Digital Policy Committee (formerly the Consultation, Command, and Control Board), through its capability panels—with the NATO Standardization Office providing the formal STANAG path. From there, the alliance climbs the stack in phases – making de jure standards de facto wherever possible. Any sponsoring ally could propose itself as custodian.
Member states—and now the EU Commission itself, with its push to boost players such as OVHcloud, SAP, and Mistral—may read a NATO interoperability requirement as a threat to those investments. It is the opposite. Standards expand the market for any provider competitive enough to clear them; they only threaten those that depend on lock-in. A French sovereign cloud that meets a NATO storage standard becomes purchasable by every other ally.
Another barrier is likely to come from the hyperscalers such as Amazon and Microsoft, who have spent two decades competing on proprietary capabilities and may, by reflex, resist any standardization. This is not insurmountable. The hyperscalers retain a structural advantage: the ability to scale capacity vertically into surge demand and horizontally across multiple continents. A NATO requirement does not ask the hyperscalers and model providers to surrender their commercial differentiation; it asks them to make the foundation interoperable, which is something they should rationally, but quietly, want.
A final set of objections may come from Washington, where successive administrations have been wary of European digital sovereignty. But this is not a digital sovereignty initiative. It is a multicloud interoperability initiative—and critically, it is the architecture the United States has already adopted for itself.
The Pentagon’s Joint Warfighting Cloud Capability, or JWCC, is a four-vendor multicloud contract awarded in December 2022 to Amazon, Google, Microsoft, and Oracle for precisely this reason: to prevent the kind of single-vendor lock-in that would expose U.S. warfighting infrastructure to a commercial outage, a corporate decision, or a political turn at any one provider.
Nor is it a one-off: The Pentagon is preparing an expanded successor, JWCC Next, that doubles down on this approach. Multicloud-by-design is not a European sovereignty grievance; it is the U.S. Department of Defense’s stated procurement philosophy.
Creating truly autonomous clouds is also simply unworkable for many NATO members. They are not realistic for Canada, for Norway, for Portugal, for the Baltic states, for any of NATO’s smaller southern-flank members because none has the capital to build globally available and hyperscaler-sized data centers, the engineering depth to operate them with sufficient reliability, or a domestic market large enough to amortize the cost.
A digital sovereignty doctrine that may possibly work for two or three of NATO’s largest members is a doctrine that fragments the alliance at the moment it can least afford fragmentation. The right ambition is to treat the bottom of the cloud stack like a utility—interoperable, substitutable, defense-grade—so that every member, large or small, can plug into and draw upon it on their own terms.
A standards-based approach delivers that, enabling allies of every size to have capacity and independence. It also works for partners outside the alliance—Australia, Japan, South Korea, India—who would benefit from an interface standard set by a credible defense-grade procurement body.
The question for NATO, then, is not, “Can we each build our own stack?” That question has a depressing answer for almost everyone in the room, and an unsatisfying one even for those who can attempt it. The question is, “Can we move our workloads?” That question has a workable answer—but only if the alliance acts inside the procurement window it has already opened.
