Date: 7 Jul 2025

Author: PREO AG

On-Premise vs. Cloud


Germany, France, Italy – Guidelines and requirements for greater cloud security

The European security architecture has long been threatened by more than just the ongoing war in Ukraine. For several years now, geopolitical security experts have been talking about hybrid warfare being waged by the major autocracies, particularly Russia and China, against the countries of the Western world. A primary target here is the digital infrastructure of government institutions and public bodies, as well as companies in critical infrastructure sectors such as finance, health, energy supply and transport.


In this regard, advancing digitalisation is more of a curse than a blessing. The more digital our society becomes, the more vulnerable it is to a wide variety of attack scenarios targeting its hardware and software architecture. Sabotaged submarine cables in the Baltic Sea, successful cyber attacks on public administrations and hospitals, and major data leaks at cloud companies, such as Microsoft recently, are just a few examples from the past few months.


EU-wide and national regulations for greater security in cloud computing

In the European Union, companies and public institutions are subject to various regulatory requirements when using cloud services. As a general rule, the provisions of the EU-wide General Data Protection Regulation (GDPR) must be observed. In addition, national data protection laws, security regulations and industry-specific regulations vary from country to country. In many cases, these were tightened once again following the Schrems II ruling by the European Court of Justice in July 2020, which overturned the EU-US Privacy Shield, the basis for data transfers from Europe to the US. This is only logical, especially when it comes to securing sensitive data, because since then it has been the responsibility of the data exporter to check, before transferring data, for example to a large cloud provider, whether the rights of the data subjects in the third country enjoy the same level of protection as in the EU.


Against this backdrop, we took a look at the three largest EU countries, Germany, France and Italy, to see which regulations and requirements apply specifically to public authorities, public bodies and critical infrastructure companies and are intended to ensure greater data security and data sovereignty in cloud computing. We also show, using a practical example, why the Union of Municipalities of Romagna Forlivese (UCRF) in northern Italy opted for on-premise operation of used Microsoft licences instead of the cloud.



Country example 1: Germany

There are no bans on the use of cloud services in Germany, but there are clear legal and regulatory requirements. Nevertheless, even government institutions continue to underestimate the existing risks. According to the German Informatics Society (GI), at least six federal states are currently planning to introduce the Teams video conferencing system or the complete Microsoft 365 cloud office package into their administrations. According to IT experts, this jeopardises Germany's data sovereignty and the data protection of millions of citizens and companies due to increasing dependence on the Microsoft cloud. The risks lie primarily in security and the unpredictable development of licence costs. 


Companies in the critical infrastructure sector in particular, but also government institutions and public administrations, must therefore ensure that


  • their data is processed securely,
  • the cloud provider complies with the GDPR,
  • industry-specific requirements are taken into account,
  • corporate compliance requirements are met, and
  • national or European providers such as IONOS, T-Systems or Nextcloud are preferred wherever possible.



Financial sector: The responsible Federal Financial Supervisory Authority, BaFin for short, has laid down specific requirements for the use of cloud services for banks and insurance companies in its MaRisk and BAIT regulations (banking supervisory requirements for IT).


Healthcare: In addition to the provisions of the GDPR and the Federal Data Protection Act (BDSG), the use of cloud services is also subject to the Patient Data Protection Act (PDSG). Among other things, stakeholders must ensure that highly sensitive data is stored and processed either in Germany or the EU.



Country example 2: France

The regulations in France are quite similar to those in Germany. The provisions of the GDPR also apply in the second most populous EU country. These are also supplemented by national security and data protection laws and strong promotion of digital sovereignty. The most important aspects are:


In France, in addition to the GDPR, the national data protection regulations of the Loi Informatique et Libertés apply, which are monitored by the data protection authority CNIL (Commission Nationale de l'Informatique et des Libertés). The aim here is also to ensure maximum security in the storage and processing of personal data and its localisation. Sensitive sectors such as critical infrastructure, public authorities and government institutions are often only allowed to use cloud providers certified under the SecNumCloud scheme. In general, France promotes the use of national or European providers and prefers sovereign solutions. For example, the French government has established partnerships with cloud providers such as Orange and Capgemini to create a sovereign alternative to US providers such as Microsoft, AWS and Google.


Financial sector: The French banking supervisory authority Autorité de Contrôle Prudentiel et de Résolution (ACPR) has specific requirements for financial institutions regarding the use of cloud services, similar to those of BaFin in Germany.


Healthcare: The storage of health data is subject to particularly strict regulations, such as the Hébergeur de Données de Santé (HDS). Cloud providers that want to store or process health data require HDS certification. As a result, hospitals and insurance companies, for example, prefer to store and process their health data in their own on-premise data centres and largely refrain from using cloud solutions.



Country example 3: Italy

In Italy, the following regulations and restrictions apply to the use of cloud services:


  • In addition to the GDPR, the national data protection law Codice della Privacy sets high requirements for the processing of personal data.
  • Government institutions, authorities and public administrations must give preference to national or European cloud providers.
  • IT security standards: Cloud services for critical infrastructures are subject to strict security requirements.
  • Italy supports the use of sovereign European cloud services, such as the national cloud Polo Strategico Nazionale (PSN).



Italy has developed its own strategy with three categories specifically for the use of cloud services in government institutions and public administration:

  1. The use of the national cloud PSN, in which critical and highly sensitive data from public organisations must be stored, has clear priority.
  2. Cloud services from European providers can also be used, provided they comply with the GDPR and other national security standards.
  3. International cloud providers are permitted for less sensitive data, but only on the basis of strict national security and data protection requirements, which they do not meet in most cases.


Financial sector: The Italian central bank, Banca d'Italia, and the supervisory authority, CONSOB, have defined specific requirements for banks and financial service providers, particularly with regard to data localisation and the security standards of cloud services.


Healthcare: Similar to France and Germany, Italy has strict regulations for highly sensitive health data, such as data storage and processing within the EU.



Example Italy: Local government opts for used software instead of cloud solution

The Union of Municipalities of Romagna Forlivese (UCRF) was looking for a solution to meet its software licence requirements for a VMware cluster and plan for future needs without exceeding its limited budget. The UCRF opted for the legally compliant and audit-proof purchase of used software licences from PREO, which offer both significant financial advantages and the desired compliance and flexibility.

Particularly important: by purchasing used software for on-premises operation, around 50 percent of the licence costs were saved compared to the respective new version, which was of crucial importance, as Dr Riccardo Raffaelli, Head of Information Systems, confirms: ‘As in any public administration, the economic aspect is of crucial importance, as it is a matter of the correct and careful management of public funds. The solution of sustainably reducing licence costs by purchasing used software is an excellent option, especially for public administrations.’ Read the full customer case study here.

The Union of Municipalities of Romagna Forlivese (UCRF) was formed in 2014 through the merger of three associations: Unione Montana Acquacheta - Romagna Toscana, Comunità Montana dell'Appennino Forlivese and Associazione di Comuni della Pianura Forlivese. Today, the association comprises a total of 14 municipalities with over 67,000 inhabitants.

With PREO, you can rely on an experienced and reputable B2B provider.

PREO offers companies, organisations and public administrations a wide selection of used licences for on-premise operation or integration into hybrid cloud solutions at any time. These include, in particular, current and older programme versions of widely used standard software from market-leading manufacturers such as Microsoft or Adobe. Whatever your needs, with PREO, customers have all the advantages on their side and benefit from


  • significant savings on ongoing licence costs of up to 70 percent compared to the respective new version,
  • 100 percent legally compliant and audit-proof licence acquisition with maximum transparency in all processing steps, including complete documentation in the PREO licence portal ‘Easy Compliance’,
  • personal advice on all questions relating to licence transactions or the integration of used software licences into classic network structures or hybrid cloud models,
  • existing capacities for software licence management in large IT infrastructure projects with thousands of workstations and cross-border locations,
  • greater sustainability in the IT sector by promoting an active circular economy and reducing the company's carbon footprint (speaking of sustainability: PREO is the only reseller of used software listed with a current scorecard at EcoVadis, the world's largest provider of sustainability ratings), and
  • expertise from numerous reference projects that PREO has already successfully implemented for well-known companies from various industries and sectors.