DMEA 2026 - Rethinking image management with Telepaxx - make an appointment now

DE
DE
Free consultation
  • By Miriam Friedmann

Sovereign cloud in hospitals: how to strike a balance between data sovereignty and technological reality

IT managers in hospitals and healthcare facilities are under enormous pressure. The growing relevance of digital patient records and increasing networking require high-performance, scalable IT systems that can be used flexibly on different end devices. It has long been clear that cloud technologies can address these challenges. In view of the GDPR, the requirements of medical device law and NIS-2, one term has recently become increasingly prominent in the public debate: the sovereign cloud.

This article sheds light on what a sovereign cloud is, shows why technological isolation is neither realistic nor desirable and provides arguments on how a modern cloud strategy combines compliance and innovation. 

Demand for data sovereignty in healthcare

The demand for data sovereignty is absolutely justified in the healthcare sector, as this is where the most sensitive patient data is processed. This data should never be exposed to the risk of unauthorized access by American authorities, for example. In many discussions, however, “sovereignty” is currently narrowed down to the demand for purely German or European solutions and a rejection of global technology standards - particularly from the USA. 

Such established technologies offer a number of advantages: Immediate, reliable availability and low-cost tariffs are just two specific examples. Before categorically turning away from globally established cloud infrastructure providers, it should therefore first be clarified what exactly data sovereignty means - in general, but also for an individual medical institution - and how it can be achieved.

In general, digital sovereignty in Europe is essentially understood as the ability and possibility of the European Union, its member states, companies and citizens to act independently, autonomously and securely in the digital world. The aim is to reduce dependence on non-European - particularly US and Chinese - technology companies and systems in strategically important areas and to enforce Europe's own values and standards such as data protection and ethical principles in the digital transformation.

The concept is not a demand for complete digital self-sufficiency or isolationism (protectionism), as the digital world is globally networked. Rather, it is about avoiding one-sided, strategic dependencies and being able to survive as an equal player and rule-setter in global digital competition.

Reading tip

Digital sovereignty

Digital sovereignty is the ability and possibility of the European Union, its Member States, its companies and its citizens to act autonomously, independently and securely in the digital world.

What is a Sovereign Cloud (and what isn't)?

The term “sovereign cloud” describes a cloud model that guarantees users comprehensive technical and legal control over their data and its processing. In contrast to a purely geographical view (“The data center is located in Germany”), it is therefore about a holistic chain of control.

A Sovereign Cloud solution is characterized by three core pillars that are relevant for IT managers in healthcare facilities:

  • Legal sovereignty: Data processing must be subject to European or German law. This includes the choice of the operating location, the place of jurisdiction and the applicable contract law. The processor must ensure that access requests from third countries (e.g. through the US CLOUD Act) can be legally defended against or prevented in the first place through technical measures such as encryption.
  • Technical sovereignty: Technical sovereignty: This ensures that the customer - or a processor controlled by the customer - controls the technical access mechanisms. Essential criteria here are the use of multi-client capable encryption (ideal for archiving patient data) and transparent disclosure of the architecture and security concepts.
  • Operational sovereignty: This refers to independence in operations. The IT manager must be certain that processes are carried out by qualified personnel under strict control and in accordance with German security standards (e.g. BSI C5 criteria). It should also be ensured that data can always be accessed via recognized interfaces and standards.

In short, a sovereign cloud solution is a legally binding, secure control concept for sensitive medical data.

Conclusion for hospital IT managers

Data sovereignty means control of the data level, not the elimination of any foreign technology components. Global technologies should and can be used in such a way that data security and control by the European cloud operator is demonstrably guaranteed. The focus is on contractual sovereignty, encryption architecture and access control to neutralize the potential influence of foreign legislation.

The TMD Cloud as a sovereign cloud solution for medical data

As a German SaaS provider with decades of expertise in the management of sensitive medical data, Telepaxx understands the particular challenges of hospital IT and medical specialists. The TMD Cloud was explicitly designed in response to the demand for true data sovereignty, with a focus on compliance and scalability.


Why the TMD Cloud is a sovereign cloud solution:

  1. Legal exclusivity: Telepaxx acts as a processor (AV) with the TMD Cloud exclusively under German law and jurisdiction. Our contracts meet all requirements of the GDPR and national and European law. Our cloud platform is operated entirely in certified German data centers.
  2. CLOUD Act compliance: As a German company, Telepaxx is not subject to the US CLOUD Act. In addition, data processed on behalf of healthcare facilities is stored in encrypted form in data centers in Germany. This provides reliable protection against unauthorized access to personally identifiable data.
  3. Control at the data and access level: The cloud architecture, which has been specially optimized for medical image data, guarantees that patient data is encrypted not only during transmission but also when stored (archiving). Control of the keys and access mechanisms remains the responsibility and prerogative of the German contractual partner and is subject to clear, auditable processes.
  4. Certification: With the TMD Cloud, Telepaxx attaches great importance to maximum transparency of operating and security processes, evidenced by regular, independent audits and compliance with relevant standards (e.g. C5 testament, ISO 27001 certification).
Telepaxx Medical Data Tobias Anger Managing Director

"With the TMD Cloud, we also consciously rely on technologies from established American hyperscalers because they offer a high degree of reliability and at the same time enable a high speed of innovation. At the same time, however, we go our own way where we consider it appropriate due to the legal regulations in force here and in the interests of our customers."

Tobias Anger, Managing Director Telepaxx Medical Data GmbH

How the TMD Cloud uses hyperscalers to your advantage

When developing the TMD Cloud, Telepaxx also deliberately uses Amazon Web Services (AWS) as a hyperscaler in the backend. Two examples:

  1. Storing and archiving:Telepaxx uses so-called S3 Object Stores to store and archive data previously encrypted by Telepaxx in the image archive . In the S3 Object Stores, image data can be stored in different storage classes and easily moved between them - in accordance with the corresponding specifications (lifecycle rules). This allows (cost-) optimized data storage without the need for additional program logic.
  2. Faster data processing: To quickly process the ever-increasing amounts of data, we use functions such as message queues (SQS) and serverless functions (Lambdas) in the backend. These can be used directly as a mature service and would require more effort to program and configure yourself with other cloud providers.

However, Telepaxx is also deliberately going its own way with other aspects of the TMD Cloud, independently of American hyperscalers, such as:

  • Data encryption: The encryption mechanisms for the data to be stored are developed by Telepaxx itself.
  • Databases containing personal metadata: For databases containing personal metadata, Telepaxx has developed a sophisticated multi-cloud concept that stores this data and the keys exclusively in data centers belonging to national German cloud providers.

For IT managers, choosing the TMD Cloud means less legal and technical hassle: they use a state-of-the-art, scalable archiving solution, while the data protection sovereignty of patient data is ensured by Telepaxx as a specialized German partner.

Confident cloud concepts: control, not isolation

There is no single definition or approach to a sovereign cloud for IT in German healthcare facilities. What is clear is that a sovereign cloud solution must strike the necessary balance between compliance with the strictest data protection regulations and the use of powerful, future-proof technologies. After all, sovereignty means control, not isolation.

IT managers can actively shape confident cloud concepts by choosing a cloud partner that not only anchors the storage location but, above all, the legal and technical control level reliably in the European legal area.

The TMD Cloud from Telepaxx is designed precisely for this purpose: maximum performance and scalability for medical data, secured by the complete sovereignty of a German specialist in DICOM data management.

Learn more about the use of the TMD Cloud and its various mechanisms for ensuring data sovereignty and data protection.

Arrange meeting

Other articles that may interest you

C5 certification: Why it is indispensable for hospitals

C5 certification: why it is essential for hospitals

Miriam Friedmann 31 March 2025

A C5 certificate is mandatory for cloud solutions in the healthcare sector. This article describes what it says, what it does for hospitals and how it differs from the ISO 27001 standard.