In this episode, Andreas Prins joins Benjamin Wilms for a discussion on IT sovereignty and its role in business resilience. With geopolitical tensions and rising uncertainty, organizations need a strategy for future-proofing the continuity and control of their IT stacks. As AI technologies cause many executives to rethink their data privacy strategies, sovereignty will only become more important.
Benjamin Wilms: Hello and welcome back to my next podcast session. Today, I’ve got the pleasure to talk with Andreas from SUSE. We’ve known each other for a couple of years, and yeah, very nice to have you here. And maybe you can introduce yourself a little bit, what you’re doing at SUSE.
Andreas Prins: Yeah, absolutely. Happy to, uh, do it and also happy to be here and dive much deeper into a very exciting topic, which will be sovereignty. And I’m the global head of Sovereign Solutions here at SUSE. My role actually is to bring all the initiative that SUSE has from their product portfolio, their partner ecosystem together into a, a market motion go-to market where our customers, primarily Europe, middle East, and Africa, have a lot of sovereignty questions and actually need products and services that help them.
And I oversee that initiative in the broader SUSE a very small team from a personnel perspective, but a very broad reach and lots of collaboration with, uh, lots of colleagues in many, many different functions.
Benjamin Wilms: Nice. And yeah, before we, we, yeah jump into the topic, we were joking a little bit in the beginning that, I mean, it’s quite hard for me to pronounce it the right way, and maybe you can explain how it’s been pronounced correctly. So you told me IGN is okay, Soreen is okay. But maybe for the audience, you can explain like what is behind a potential buzzword and what is like the real meaning and how to pronounce it right.
Andreas Prins: Yeah, that’s absolutely, um, absolutely fine. What I understood from a colleague, who’s been in the press and in the media before, 70% of the world would say sovereignty, uh, so sovereign or sovereignty, and about 30% would say sovereignty, right? So primarily in the Netherlands, but also in Germany, but also a little bit in England.
Uh, I’ve noticed that people pronounce it that way. Um, but that’s just right how it sounds. But it’s much more important, I do think, is to truly understand what it actually is and what we see happening at our customers, right. Primarily due to the geographical tensions right between the continents, with presidents and countries, uh, being at war or economically dependent on each other.
All of a sudden people start to realize that their companies are heavily reliant on IT, right? And if this software is under a particular act like the Cloud Act, but also China and other regions have particular acts. And they might stop their software, then all of a sudden their business is at risk. So in Europe, the buzzword I would argue is sovereignty, but it ultimately boils down to business resilience, right?
How resilient is your business in foreign dependencies to your business? And yeah, since every company has become a software company, right? All of a sudden there’s a, there’s a big risk. And just to finish up, funny enough, if you take a look at other regions, they would use a different term that comes down to the same meaning.
So in the US with a lot of our American customers, we speak very often about data security, which is ultimately boiling down to the same risk assessment. Who owns the data, owns the company. You could argue, um, it’s in some regions about autonomy. So you see all different words that boil down to am I ultimately as a company owner able to operate my company without foreign influences, uh, and, and legislation driving these changes.
And I do think with software, that’s a very interesting way of, of looking at it, and it’s a very broad spectrum of what companies needs to do there.
Benjamin Wilms: And would you say it’s only for like small businesses or is it something that only your enterprises should take care of?
Andreas Prins: Uh, I do think it’s every company that should absolutely consider how they are dependent on software, but if you think about the bigger companies, right, let’s say the banking, the healthcare, but also the manufacturing, which are all big software plants, right? Producing physical goods or, or services.
Uh, they should definitely consider it and make a conscious decision. Think about an electricity grid provider, right, that is critical infrastructure or the harbors or the airports or the trains, right? They are critical infrastructure to a country. So when that stops, right? The entire economy or the country, or even worse, would stop, right?
So for big companies with critical infrastructure, it’s absolutely a topic to consider. As a small company, well, your business might be equally dependent on software, right? So you also need to make choices, seek for alternatives, but you might make different decisions there, right? Because it’s a lower risk.
To your company or it’s less mission critical, so there’s a kind of a, um, a regional or a country dependency, right, to mission critical infrastructure, hospitals, et cetera. And then there’s obviously the company that needs to make a decision themself on, Hey, how reliant do I wanna be on other companies or, or rules, but honestly speaking for a small company right, that doesn’t wanna spend lots of man hours on IT, right?
Their choices might be different, right? And they might most likely quicker pick a SaaS solution, right? To solve the problem of some bookkeeping or whatever, rather than a, a larger enterprise that has more room to, to make choices.
Benjamin Wilms: Yeah. And isn’t it like the combination of where your market is, like really where you are selling your end product and, like what type of infrastructure you need? Some, I mean, if you are just selling, for example, in the Netherlands or just in in Europe, do you really need like a multi region cloud provider application?
It’s, it’s really like this combination or is it else?
Andreas Prins: I do think there are many, there are many angles to the decision framework that you can make, right? So, um, one is, I, I would always suggest, and in conversations is make a, a ranking of your applications from a criticality perspective. Right. So if you’re an electricity grid provider, and it’s about the software, right, that operates the grid, right?
That’s absolutely a crown jewel. First, there’s, if you have just regular business operations, right, that that run only once a week or once a month somewhere, head down in the team, right? Very operational. You see already, right? That in that same company, you can make different decisions to say, Hey, the crown jewels, they need to run entirely independent, right?
In my own control versus the regular business applications. I can perfectly run that on a hyperscaler and we see that move, right? People becoming aware and they’re making different choices in the same company on where would they locate. Um, another interesting element, right, is if you are anyhow, a company that operates across, let’s say Europe and the US, which many of our companies are, right, and you have entities in both.
Well, the risk, right, of, of not being able to use Office 365 or G Suite is is significantly lower because you also have a legal entity on the other side of the ocean, right? So that’s also a way of looking at it. Um, and yeah, and also probably interesting, right, is how quickly can you pivot your, your architecture.
And what we see happening now is at hyperscalers is people would normally use the Kubernetes have from AWS, GCP, or Azure, and they’re now decoupling so they now say, Hey, I only use compute. I still stick to the hyperscaler, but I run, for example, Rancher Kubernetes Engine, a version from SUSE or K3s or others.
I run that on top. So that means that when I’m no longer allowed to use the hyperscaler, my workload is pretty portable and I can bring that over to another cloud. So lots of movements to reduce the risk and, and yeah, making decisions from an architectural perspective.
Benjamin Wilms: Hmm, that’s a good point. And especially like our, and our customer base, we can see like there are always some hiccups in, in the main cloud providers and after such a hiccup or an outage, they are, you are reconsidering their final decision. Was it, was it a good one at that point in time or should we now move to another cloud provider?
Nowadays they also realize, hey, we need to run on a multi-cloud strategy, which is exactly getting in that direction you mentioned, um. What I want to talk about now is, in my previous episodes, always there was like the term coming up sociotechnical system and is just, uh, to recap it, the sociotechnical system is really like the combination of the infrastructure, the processes, the applications, but also like the people, the, uh, teams, the organization itself.
You need to really provide your end service, your product for, for your, for a customer. And now the question is how to make sure that your organization is able to move as fast as needed if you are running on a multi-cloud strategy.
Andreas Prins: Yeah. Yeah, that’s, that’s a very tough question, right? Because it sounds easy on paper to move from one to the other, right? But we all know that there are so many dependencies, and I do think in particular, the hyperscalers did an amazing job, right? Not to just provide the infrastructure, but to provide all the outta the box services, right?
So our application architectures are heavily reliant on very specific services offered by one of the three hyperscalers. Moving away there means simply, right, refactoring sometimes your entire application, and because you need to go from an AWS specific database to universal database or message queue or anything like that, right?
So, um, easier said than done, right? But from a reliability perspective, that’s a huge migration because you know for sure how stable, and how it performs, right? When you make use of such an out of the box service and now you move to an infrastructure provider or an, and a local hosting provider, that only provides infrastructure and you need to build a reliable solution yourself, right?
So that’s, that’s not an easy, that’s not an easy pivot. So if you really need to move, I do think you really need to start re-architecting and we see that happening already with new developments as the people are taking sovereignty, like security and performance, right, and reliability into their decision making framework of how do you design a stack?
That’s one. Second, uh, interestingly enough, what we see is slowly, I would argue, the awareness of where are your people, right? Where’s the personnel located? Uh, and in particular, if you make use of third party services and you say, Hey, I wanna become more sovereign, do you make use of support engineers, for example, that are in your same jurisdictional region, right?
Because yeah, if something might happen then, then the move is harder. We see the move, right? Going to more local, uh, hosting providers. And if you take a look at the Europe, right, um, the Hetzners, the Ionos, the Nextclouds, the OVHcloud, right? They’re absolutely, absolutely growing. I recently, I saw some stats, right?
It’s significant, but it’s still a small portion, obviously relatively to, to what the others have to provide and the migration to me, right? The reliability of your business process, right, running on the new stack, that’s absolutely something that’s, that’s, that’s putting pressure on the shoulders of engineering teams and engineering leaders.
Benjamin Wilms: Maybe we can get in a little bit more like the infrastructure level, and what is like SUSE’s perspective on it.
Andreas Prins: Yeah. So many, many times, right? When you start a conversation, the conversation very often happens about the applications where your user interacts with, um, obviously I would argue, right? Because that’s, that’s most common. But what about the underlying stack, right? What about the middleware?
What about the, the Linux, right? The OS that is running on the cloud? Or what about the physical data center? Right? Who’s owning it? Where is it hosted? And some companies would go as far as, but what about the chips, right? The render and the software. In the kernel, right? So there’s, there’s a lot underneath that the tiny business application that, uh, that is important. Our take right is absolutely make it open source, right? As much as the stack as possible, right? Because open source right, gives the promise and the ability whenever, right, let’s say SUSE, uh, who can shut down, right? Which won’t happen, but imagine, right?
Or another company, if the software is open source, you can pick it up yourself. Ask another consultant to help out. And continue your business operations. So that is, that is in my mind and in our mind, one of the most important drivers to become more sovereign. But then when you think about sovereignty and open source, that’s not enough, I would argue, eh, because what we see happening is that regions ask that the software is built in that particular region, right?
So you not only need to think about, Hey, I have an open source Linux, SUSE Linux, for example, but can I, eh, have my own version? So we are thinking about, and we’ve launched a concept of reproducible build. Eh, so no matter where you build across the world at what given time, the outcome is always the same.
Benjamin Wilms: Is it really like the, the region you are building the software is important and not like the outcome of this build?
Andreas Prins: Yeah, because, yeah, so that is happening at the moment, right? It’s not widespread yet, but governments, defense, right? They start to ask these questions, right? Can I, can I build it here? Um, I do think what we’ll see towards the future is also third party verifiers, right? To say, Hey, what is built is indeed what we expect it to be built.
The other, I do think very important elements. What we see, uh, in, in our stack, uh, and in conversation with the customers is, can you actually prove what I download is indeed what I think I download, right? So where is it built? Who built it? How is it built? Uh, what is in there? What are all the libraries?
What are the vulnerabilities? What are all the license type? And we see the term software bill of materials, attestation. So, prove right that you can have a particular systematic approach of building software, and we think that that becomes more and more important.
So rather than pulling randomly from the internet and artifacts, right, pull them from a trustworthy source into your organization so you at least know right what you’re pulling into the organization, and then with all the as-code capabilities, policy as code, you can simply say, Hey, only these type of packages, they come into my CI/CD pipelines into production, et cetera.
Benjamin Wilms: Mm-hmm, and is this even more important with like, yeah, AI code generation, like if you use Claude code and it’s just pulling dependencies like hell.
Andreas Prins: I think, I think AI is just making the mix even worse. I don’t know why, but this morning I was reading an article on LinkedIn, right? Is most of these AI models are trained on stuff a little while ago, right? So two years ago. So imagine there’s a vulnerability that’s already fixed and patched and whatever, but had the model itself was trained on it, right? Does it then inject? I do think primarily the spaghetti, right, that is, generated. So if you like vibe coding like I do, because I cannot program a single line of code before you go to production, right? There always needs to be someone else, right?
To clean it, to structure it, and, and to verify it. So I definitely think that the usage of AI tools is bringing yet another complexity. Because portions of what is generated, hey, if you do it to people like me, you’re unknown to it. The other very interesting angle when it comes down to sovereignty, uh, and not a lot of people understand and realize, but we use Slack, we use G Suite, we use Salesforce, right?
And all these tools have their lovely AI assistants, but we’re leaking, if you like, a lot of data and knowledge from our company to these models, right. And I do think from a sovereignty perspective the world is only partially aware, um, at the potential risk there. I’m not pointing fingers here, right, but are you aware that this is running right and that lots of data is used to train and, and whatever.
Um, yeah. I think that’s another way of looking at sovereignty as such. If you think about how we do that at SUSE, and we also have assisted troubleshooting, right? So we have introduced Liz from, from our lizard, uh, an AI assistant in, uh, Rancher Manager, and you can run it on ChatGPT, you can run it on Gemini, but very important, you can also run it on your local models, right?
Because if you don’t want to have information leaked from your production environments. Oh, that’s the level, right, that you need to think about it from a, a resilience perspective.
Benjamin Wilms: Well, well explained really, uh, this, uh, answered a lot of my questions, so is there a link between, sovereignty and the Reliability of your system? So, is there really like, um, what is sovereignty providing me to be more reliable in my system?
Andreas Prins: So one aspect there I touched upon already is imagine you need to migrate. From, from one to another. Well then there’s big time reliability resilient involved, right? Can you guarantee what was running stable, smooth performance on the hyperscaler runs equal in your other data center. Right. And then I do think chaos engineering and all these type of testing are absolutely valuable to, uh, to get a good comparison and to model and to, um, to detail that out.
That’s one aspect. I think the other aspect that’s very interesting from a reliability perspective is if you imagine that, um, you would run a test, hey, where one component is taken out of your entire chain, right? Won’t happen right overnight. But how stable is your entire business stack from an application perspective?
And I haven’t seen it yet, right, that companies start to run these simulations. Uh, but I do think it would be interesting, uh, from a resilience perspective to, to make almost a business mapping, right? If this component would fail or would be taken out, Hey, how can I then still operate my business as a whole?
Then the third angle that I see happening, yeah, is I spoke about decoupling from a AWS, GCP, or Azure dedicated Kubernetes engine, right? Let’s, let’s keep it simple and small. What if you start to decouple, right? You still are at the hyperscaler, but you start to use, for example, Rancher Kubernetes Engine, right?
Or K3s. Well, do you then still have the same performance and the same reliability and stability as you would have using a dedicated hyperscaler version? So I see a lot of elements in the migration itself in becoming more resilient, more sovereign. Yeah. Where yeah, reliability is absolutely an aspect to, uh, to take into account. Like any big migration, I would argue.
Benjamin Wilms: So you touched on the, your topic of, of course, chaos engineering, which I love a lot. And, if I’m getting it right, you would use chaos engineering or like the, the method of running experiments more like as a quality inspector quality gauge to see like, okay, if I am now running on one dedicated cloud provider and now I would like to run on a multi-cloud strategy, I can run and create experiments that are verifying in the new system that everything is working as before.
Andreas Prins: Yeah. Yeah. Yeah.
Benjamin Wilms: What do you think, how prepared are companies to really know their risk in the system? Are they just taking it because they don’t know or zero?
Andreas Prins: I, I, I, personally, personally, I do think we are really at the beginning of the entire transformation and journey, right? So if I take a look at the conversations we are having with our customers, they are very early, early stage. So decisions are made, migrations are started, uh, but we’re not yet at the stage right, that entire stacks or multi-cloud strategies are implemented.
So I do think it starts at the boardroom level. Also primarily driven, uh, by, by new and upcoming legislation in Europe, the Cyber Resilience Act.
The awareness around the US Cloud Act, right? So boardroom level attention making decisions. I would argue many easy decisions are made first. I can come back to that in a minute.
And then the bigger, more architectural changes need to be made. And what, what, for example, what I see happening at SUSE is you could argue we have kind of three larger, well, we have more, but for simplicity, we have three larger product families. We have one around Linux. We have a very nice offering where we can manage your Red Hat Linux, right, for less cost.
So you stick to Red Hat Linux. But we take over as SUSE from a support perspective, we take over supporting that particular capability. Well, that’s almost risk free from an operational stability perspective for larger enterprises because you don’t need to migrate yet. SUSE Linux, if you would. Right?
It’s, it’s really easy, but we simply take over support. So operational risk, close to zero, um, habits, reducing the risk of being dependent on foreign entities. Absolutely. Spot on. And the next move that we see happening, right, is with the entire VMware, right? So companies want to move away from VMware for sovereignty reasons and for cost reasons.
Well, we have an alternative. SUSE virtualization. But that transformation is already a real transformation, uh, because you need to, uh, build other, other VMs, operate them at a slightly different platform, right? So that is a migration and it already brings more risk and stability uncertainties to the business.
But it’s still doable because a VM, you could argue, is a VM. Not highly, but right. The third element is now imagine you want to become more autonomous and you wanna build your cloud native stack entirely in your own data center, rather than being dependent on a hyperscaler, well, all of a sudden, you’re deeply tied into that hyperscaler ecosystem and now you need to build your entire cloud platform yourself with, with, with Rancher, with probably a layer of virtualization, with components on top. Well, you see, right? How that gets more and more difficult, um, and also how you’re introducing more stability risk as such.
Complexity. Yeah, obviously. So the move is there, but speaking about the last step, really transforming your landscape. Well, that’s a humongous engineering effort, right? And that’s where I do think the chaos engineering and the reliability testing, et cetera, is much more important than just moving over Red Hat Linux, right into a SUSE supported version as such.
Benjamin Wilms: Yeah. Do you really see like this is getting a priority and it’s been, pushed hard to get to that point or what I sometimes are, we are identify is like, oh, okay. Uh, it’s more like a, a check. We’ve done it. That’s a badge. Yeah. Move on.
Andreas Prins: I, I would argue, well, this is probably the biggest wave and transformation I’ve seen, right? And I do think about 10, 15 years ago with the whole Agile, DevOps, CI/CD transformation, that really transformed because people all of a sudden were collaborating, right, and we had pipelines from coding to production.
Pushing it to 40 minutes rather than 40 days. So I would say in my career, that was a very big movement. This one is, is even bigger. I absolutely, I absolutely see. So we started: is sovereignty a buzzword? I would argue. Absolutely, yes. But does it drive a lot of change and transformation in many IT teams and organizations?
Absolutely right. The number of times I’m involved in a call where the CTO or the CIO is at the table, that’s happening more than once a week at the moment. Right. So the move is on. Absolutely. Yeah.
Benjamin Wilms: And, who really owns that topic? Is it really like top down owned or is it like also that the team wants to push for this, way of, of doing.
Andreas Prins: It depends a little bit, many organizations, there’s absolutely a top down approach. Yeah, because there’s a top liability in the Cyber Resilience Act in DORA, right? The executives being personally liable for whatever is happening. So all of a sudden it’s a topic, it’s a boardroom topic because all of a sudden people become aware that they run on software, right?
And that’s not as reliable from a legislation perspective as ever dreamed about. No one could imagine, right? That, that these tensions are happening across the world, and then AI has, has added a level of complexity. So it’s definitely boardroom awareness, driving changes deeper down in the organization.
Funny enough, in some situations, Rancher, for example, was already used. I’ve heard numerous examples, but not picked as the platform standard. So people liked it, very community oriented, grassroots adoption, and now all of a sudden, right, it becomes the standard in the organization.
So that happens as well, but very often, right? It’s, it’s the other way around. From driven from a risk assessing what needs to change, what are my crown jewels, and where can we start changing the architecture and the the, the choices.
Benjamin Wilms: And to double down on this, and also getting into the, yeah, like, takeaways section of this episode is, so from the leaders, what takeaways you can mention and what should teams take in mind or how they should prepare themself, but also maybe push for the topic.
Andreas Prins: Yeah. Yeah. So for the leaders, what I do think what we really need to do as an industry is bring a little bit of structure in our thinking, right? So we, we speak a lot about sovereignty, and if you follow the Gartners and the Forresters as they say it, as technological, data, and operational sovereignty.
But it doesn’t tell you a lot. What the EU has done, October last year, they’ve launched the Cloud Sovereignty Framework, and in my mind, companies should really thoroughly assess their company as a whole on these eight objectives that are written down in this Cloud Sovereignty Framework, because that gives a very good structure in understanding how sovereign am I, according to these major eight categories, and then they have scoring levels and whatever.
So for leaders, I would say absolutely do this. Then one level below, what I would recommend is start to investigate, what are, what is kind of the ranking of your risk levels from an application? So what ones are crown jewels, mission critical, business critical, and regular applications, because that will determine if you need to change, right?
And if you wanna invest in becoming more sovereign is what are the applications that you should focus on on first? And then if you go to architects, or the combination of these senior leader and architects is, yeah, what are the quick wins, right? Can you bring over contracts from one to the other? Are there good European alternatives?
Say if you’re in Europe or South Africa or Middle East alternatives that you can that you can pick from, and I would suggest make a very nuanced approach. Right? It’s, it’s not that you as a company need to leave all your applications or move them all away from the hyperscaler, but probably a few, right?
So make, make different, uh, judgements and then from the engineering teams. Yeah. I would argue that really that depends on what you’ve done in that middle layer. Right. How did you assess the criticality of your applications? The risk involved, and then start, start changing, right? Like we do change already for ages in, um, in IT.
And think about, future projects and decisions. Yeah. Can you make them more autonomous, in your architecture, less dependent on, on other technologies? And then open source right is in my mind, absolutely a fundamental to pick from for these teams in, uh, in moving forward and building, building new applications.
Benjamin Wilms: One last question. How to say it? Uh, translation is needed in between like the engineering teams that want to do something regarding sovereignty and like when the leaders are jumping in, is there like a clash?
Andreas Prins: No, I, I haven’t seen, I haven’t seen a clash, right? The only clash that I see is that, if a leader might pick a technology that’s disliked by the engineering teams, right? There might be a clash in that sense, and you know that that happens sometimes. Um, once assessed the right way, Hey, where is your risk?
What applications? Right. If you combine that, then it’s almost obvious, the technology you need to choose to lower the risk for your particular application. So I don’t, from that aspect, I have, I haven’t seen any, any clashes as such going on, no, not yet.
Benjamin Wilms: Sounds very good, so before we’re closing this session, um, what is the best way if people want to interact with you, would like to reach out to you?
Andreas Prins: I would recommend follow me on LinkedIn. I’m very active there sharing lots of, I do think interesting sovereignty information. So if you wanna stay up to date, what’s happening, absolutely follow me and, happy to continue the conversation there.
Benjamin Wilms: Nice, and then, thank you very much. I learned a lot about this topic. I will try to yeah, improve, um, how to pronounce it correctly. And thank you very much for being a guest on my podcast.
Andreas Prins: Absolutely. Thank you. Thank you so much.