The editorial argues that the structural problem is jurisdictional: no US-headquartered company can guarantee the US government won't compel data access under the CLOUD Act, regardless of where servers physically sit. AWS's 'European Sovereign Cloud' still has Amazon.com Inc. as its parent entity, making legal exposure inescapable.
Reports that DNB's decision was driven by jurisdiction rather than price or features. The central bank determined that hosting critical financial infrastructure on a US-owned cloud platform created unacceptable regulatory and legal exposure under tightening EU frameworks like DORA.
The editorial emphasizes that Schwarz Digits has been building STACKIT since 2020, originally to serve Schwarz Group's own massive retail operations across 13,900+ stores in 32 countries. This real-world scale gives STACKIT operational credibility that purpose-built sovereign cloud startups often lack.
Points to the EU's Digital Operational Resilience Act (DORA), which entered full application in January 2025, as imposing strict requirements on how financial institutions manage ICT third-party risk — including data residency and who can be legally compelled to access it. DNB's move is framed as an early, high-profile response to this regulatory pressure.
Reports the decision in the context of European financial regulators tightening requirements around operational resilience and data sovereignty, with the ECB's oversight framework creating a compliance environment that favors European-headquartered providers.
De Nederlandsche Bank (DNB), the central bank of the Netherlands, has chosen STACKIT as its cloud provider — ditching Amazon Web Services in the process. STACKIT is the cloud computing division of Schwarz Digits, the technology arm of Schwarz Group. If that name doesn't ring a bell, the brands will: Schwarz Group is the parent company of Lidl and Kaufland, Europe's largest grocery retailer by revenue.
Yes, a European central bank is now running on infrastructure built by a supermarket conglomerate. The decision wasn't about price or features — it was about jurisdiction. DNB determined that hosting critical financial infrastructure on a cloud platform owned by a US-headquartered company created unacceptable regulatory and legal exposure.
The move comes as European financial regulators tighten requirements around operational resilience and data sovereignty. The ECB's oversight framework and the EU's Digital Operational Resilience Act (DORA), which entered full application in January 2025, impose strict requirements on how financial institutions manage ICT third-party risk — including where data lives and who can be compelled to hand it over.
This is not a story about Lidl getting into tech. Schwarz Digits has been building STACKIT since 2020, initially to serve Schwarz Group's own massive retail operations — 13,900+ stores across 32 countries generate serious compute and data demands. The division has since opened STACKIT to external customers, positioning it as a European-sovereign alternative to AWS, Azure, and GCP.
The structural argument is simple: no US-headquartered company can guarantee that the US government won't compel data access under the CLOUD Act, regardless of where the servers physically sit. AWS's "European Sovereign Cloud," announced in 2024, operates EU-based data centers with EU-resident staff, but the parent entity remains Amazon.com Inc., a US corporation. Microsoft's EU Data Boundary and Google's sovereign cloud offerings face the same fundamental limitation.
For a central bank, this isn't theoretical. Central banks handle monetary policy data, financial stability assessments, supervisory information about commercial banks, and payment system infrastructure. A US government subpoena reaching any of that data — even theoretically — is a risk that European regulators have decided they can no longer wave away.
Schwarz Group, by contrast, is a German family-owned company with no US parent, no US stock listing, and no US legal obligations that would override German and EU data protection law. STACKIT's entire value proposition is that its corporate structure makes certain legal attack vectors impossible, not just unlikely.
The timing matters too. DORA requires financial entities to maintain a register of all ICT third-party arrangements and assess concentration risk. If your central bank, your commercial banks, and your payment processors all run on AWS eu-west-1, a single regulatory action, outage, or geopolitical event creates systemic risk. European regulators are increasingly treating hyperscaler concentration as a financial stability issue.
Let's be honest about the trade-offs. STACKIT is not AWS. It doesn't have 200+ services, 30+ regions, or two decades of operational maturity. Developers accustomed to the depth of AWS's service catalog will find STACKIT's offering narrower — compute, storage, Kubernetes, databases, and a growing but modest set of managed services.
But that framing misses the point. DNB isn't choosing STACKIT because it's technically superior to AWS — it's choosing STACKIT because AWS cannot solve the jurisdiction problem no matter how many data centers it builds in Frankfurt. The technical gap is real but narrowing, and for many central banking workloads — which skew toward traditional enterprise computing rather than cutting-edge ML pipelines — STACKIT's current capabilities are sufficient.
Schwarz Group's scale also matters here. This is a company with €167 billion in annual revenue, not a scrappy startup. They have the capital to invest in cloud infrastructure for the long term, and their own internal consumption provides a floor of demand that most European cloud providers lack. When your biggest customer is also your parent company, you don't face the cold-start problem that killed previous European cloud initiatives.
The Hacker News discussion around this story surfaced predictable reactions — amusement at the "Lidl cloud" framing, skepticism about feature parity, and genuine interest from European developers tired of navigating sovereignty compliance on US platforms. Several commenters noted that STACKIT's Kubernetes offering (based on Gardener, originally developed by SAP) is genuinely solid.
If you're building software for European financial institutions, regulated healthcare, or government clients, the implications are concrete:
Cloud provider jurisdiction is becoming a hard requirement. Not "where are the servers" but "where is the parent company incorporated and what legal obligations does that create." Expect RFPs and procurement frameworks to include corporate jurisdiction as a pass/fail criterion, not a scored factor. If your architecture assumes AWS or Azure, you may need a credible multi-cloud or migration story.
The European cloud market is fragmenting by design. STACKIT joins OVHcloud, Scaleway, IONOS, and the GAIA-X-adjacent offerings in a growing tier of European-sovereign providers. None individually matches AWS's breadth, but the regulatory environment is deliberately creating demand for them. If you're an infrastructure team at a European bank or insurer, start evaluating at least one EU-sovereign provider now — DORA's concentration risk rules will eventually force the conversation anyway.
Don't mistake this for protectionism working. This is a jurisdiction-driven procurement decision, not a "buy European" sentiment play. DNB would happily stay on AWS if Amazon could legally guarantee immunity from US government data requests. They can't, so DNB moved. That's a rational technical decision with legal inputs, and it will repeat across every European institution where data sensitivity meets regulatory scrutiny.
The grocery-chain-runs-a-cloud-now jokes write themselves, but the underlying trend is serious. European digital sovereignty has spent years as a policy aspiration with minimal procurement impact. DNB's decision suggests the gap between policy rhetoric and actual buying decisions is closing. Watch for ECB guidance on cloud concentration risk in the second half of 2026 — if it comes with teeth, STACKIT and its European peers will have a pipeline that US hyperscalers genuinely cannot compete for, no matter how many sovereign cloud products they launch.
> will sign a major contract tomorrowOk so nothing has actually happened. These migrations are difficult and expensive, and often fail. It will be interesting to see an update in 5 years on how this went.
Here’s the service:https://stackit.com/en
Wait... Lidl has a cloud service now?
Makes sense. I never worked with this particular provider, but I must say that for many (many) use cases, Europe has very capable providers, and the big US players are not necessarily the best choices.
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
Years ago I was making the case that instead of digging ourselves into the Amazon eco-system with S3 storage, EC2 instances, DynamoDB and various other Amazon specific cloud products... we should just host virtual machines and have everything in there using open source products.People looked at me l