The article frames DNB's move as driven by concrete regulatory shifts — DORA's ICT concentration risk requirements, Schrems II fallout, and CLOUD Act/FISA 702 exposure. The argument is that contractual workarounds for US jurisdiction are no longer sufficient for European financial infrastructure.
The editorial argues that the regulatory math has fundamentally changed: DORA explicitly requires financial institutions to assess concentration risk and demonstrate resilience against legal compromise of any single third-party provider, making US hyperscaler dependency untenable for critical European financial functions.
The editorial acknowledges the headline absurdity of a central bank choosing 'the Lidl cloud' but argues the decision is less absurd than it sounds. STACKIT was built as Schwarz Group's internal cloud platform before being commercialized, operates exclusively from German/European data centers, and has no legal ties to US jurisdiction — precisely the properties a central bank needs.
The editorial explicitly states that the era of papering over jurisdictional concerns with contractual clauses and regional data residency configurations is ending for European financial infrastructure. DNB is framed not as an outlier but as joining 'a growing list of European institutions actively de-risking their dependency on US cloud providers,' suggesting a broader structural shift.
De Nederlandsche Bank (DNB), the central bank of the Netherlands and a key institution in the European Central Bank system, has announced it is leaving Amazon Web Services in favor of STACKIT — a cloud platform operated by Schwarz Group, the German retail conglomerate that owns Lidl and Kaufland. Yes, you read that correctly: a central bank is entrusting its infrastructure to a company best known for discount groceries.
The decision is less absurd than the headline suggests. Schwarz Group launched STACKIT as its internal cloud platform years ago and has since commercialized it as a European-sovereign alternative to the US hyperscalers. STACKIT operates exclusively from German and European data centers, with no legal ties to US jurisdiction — which means no exposure to the CLOUD Act or FISA 702 compelled-disclosure provisions. For a central bank handling monetary policy data, payment system infrastructure, and financial supervision records, that distinction is not academic.
DNB joins a growing list of European institutions actively de-risking their dependency on US cloud providers. The move reflects years of regulatory momentum in the EU, from Schrems II invalidating the Privacy Shield in 2020 to the more recent EU Data Act and Digital Operational Resilience Act (DORA), which imposes strict ICT risk management requirements on financial entities starting in 2025.
The regulatory math has changed. For most of the 2010s, choosing AWS, Azure, or GCP was a no-brainer — superior tooling, global scale, unmatched ecosystems. Compliance teams could paper over jurisdictional concerns with contractual clauses and regional data residency configurations. That era is ending for European financial infrastructure. DORA explicitly requires financial institutions to assess concentration risk in their ICT supply chains and demonstrate that critical functions can survive the failure — or legal compromise — of any single third-party provider. When your cloud vendor is subject to US government data requests that may conflict with EU law, the risk register gets uncomfortable fast.
STACKIT is not a toy. Schwarz Group is the fourth-largest retailer on the planet, with €154 billion in annual revenue. They built STACKIT to run their own logistics, supply chain, and point-of-sale systems across 13,000+ stores in 32 countries. That is a non-trivial operational footprint. The platform offers Kubernetes-based container orchestration, managed databases (PostgreSQL, MariaDB, Redis), object storage, and IaaS primitives. It's not going to match AWS's 200+ service catalog, but for workloads where sovereignty trumps breadth, the core compute and storage layers are production-grade.
The "grocery chain cloud" framing misses the point. The Hacker News commentary predictably fixated on the Lidl angle, but the real story is about supply chain diversification applied to infrastructure. European institutions are discovering what manufacturing figured out during COVID: single-source dependency on a geopolitically misaligned supplier is a strategic vulnerability, not an efficiency win. Schwarz Group's retail parentage is actually a strength here — they have the capital to sustain a cloud business that doesn't need to be profitable on its own, and they have zero incentive to monetize customer data or compete with their cloud tenants' businesses (unlike a certain bookstore-turned-cloud-provider).
This isn't just DNB. The German public sector has been moving toward STACKIT and similar European providers (OVHcloud, IONOS, Open Telekom Cloud) for several years. The Bundeswehr explored sovereign cloud options. German federal states have adopted open-source-first cloud policies. But a central bank — one embedded in the ECB system — is a different signal entirely. Central banks are the most conservative technology adopters on Earth. If DNB has decided the sovereignty risk outweighs the migration pain, that's a leading indicator for every regulated European enterprise.
If you're building software for European financial institutions, government agencies, or healthcare — start auditing your cloud dependencies now. The question is shifting from "can we configure AWS to be compliant?" to "can we demonstrate to regulators that our infrastructure choices don't create jurisdictional conflicts?" These are different questions with different answers.
Multi-cloud just became a compliance requirement, not an architecture preference. Teams that invested in Kubernetes, Terraform, and cloud-agnostic abstractions are going to find those bets paying off. Teams that went deep on proprietary AWS services (Lambda, DynamoDB, Step Functions) face a harder migration path. If you're deploying for regulated European customers, your architecture's portability is now a business-critical feature, not a nice-to-have.
Practically, this means evaluating whether your CI/CD pipelines, monitoring stacks, and data stores can run on providers like STACKIT, OVHcloud, or IONOS without a rewrite. For most teams running containerized workloads on managed Kubernetes, the answer is probably yes. For teams deeply coupled to a specific hyperscaler's managed services, budget six to twelve months for extraction.
The European sovereign cloud market is about to get very crowded and very well-funded. STACKIT, OVHcloud, and Deutsche Telekom's offerings will compete for a wave of mandated migrations. The hyperscalers won't sit idle — AWS already operates "sovereign" regions in Europe, and Microsoft has its EU Data Boundary initiative. But the DNB decision suggests that contractual promises from US companies are no longer sufficient for the most sensitive workloads. The question for the next two years isn't whether European sovereign cloud will grow — it's whether the European providers can scale their engineering talent and service catalogs fast enough to absorb the demand. For developers, the takeaway is simple: portable architectures win. Bet on standards, not services.
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.