Wero's Cloud Sovereignty Struggle: Can a European Payment Service Really Quit AWS?

The dream of European digital sovereignty is hitting a wall of technical and financial reality. Wero, a pan-European payment service backed by a consortium of major banks including Deutsche Bank, BNP Paribas, and ING, has publicly committed to reducing its dependence on US cloud providers like Amazon Web Services (AWS). However, recent reports reveal that the service's initial infrastructure remains heavily tied to AWS, raising questions about the feasibility of true cloud independence in the financial sector.

Wero was launched with a clear mission: to create a European alternative to US-dominated payment systems like Visa and PayPal. As part of this mission, the consortium promised to build the service on European cloud infrastructure to ensure data sovereignty and compliance with the General Data Protection Regulation (GDPR). Yet, the reality is more complex. According to sources close to the project, Wero's core payment processing and data storage systems currently run on AWS, with only peripheral services hosted on European providers like OVHcloud and Deutsche Telekom's T-Systems.

This reliance on AWS is not for lack of trying. The consortium has reportedly explored migrating to European alternatives, but several factors have hindered progress. First, AWS offers a mature ecosystem of services—from compute and storage to machine learning and analytics—that are difficult to replicate with European providers. Second, the cost of migration is substantial, both in terms of financial investment and operational risk. Third, the performance and scalability requirements of a real-time payment system demand infrastructure that European cloud providers are still developing.

The situation highlights a broader challenge for European digital sovereignty. While policymakers in Brussels have pushed for 'cloud repatriation' as a strategic goal, the technical and economic realities make it difficult for even well-funded initiatives like Wero to break free from US hyperscalers. The dominance of AWS, Microsoft Azure, and Google Cloud is not just a matter of market share; it is embedded in the architecture of modern digital services.

For cybersecurity professionals, the Wero case offers several lessons. First, vendor lock-in is not just a procurement issue—it is a security and compliance risk. When a financial service relies on a single cloud provider, it becomes vulnerable to changes in the provider's security policies, pricing, and even geopolitical pressures. Second, the encryption and data residency requirements of GDPR can be met even with US providers, but only if the contract includes strict data localization clauses and regular audits. Third, a multi-cloud strategy, while more complex and expensive, can reduce the risk of lock-in and provide greater resilience.

The broader context of cloud market dynamics adds another layer of complexity. Microsoft's cloud division continues to accelerate its growth, driven by AI and enterprise adoption, while Alphabet's Google Cloud is also expanding rapidly, albeit from a smaller base. This growth reinforces the dominance of US providers, making it harder for European alternatives to gain traction. The recent earnings reports from both companies show that cloud revenue is a key driver of their overall performance, giving them the resources to invest in new features and lower prices.

Wero's struggle is not unique. Other European initiatives, such as Gaia-X and the European Cloud Initiative, have also faced challenges in creating a truly independent cloud ecosystem. The gap between ambition and reality is wide, and bridging it will require not just political will but also significant investment in European cloud infrastructure and skills.

Despite these challenges, Wero's public commitment to reducing AWS dependence is a step in the right direction. The consortium has announced a phased migration plan that will move critical workloads to European providers over the next three to five years. This plan includes building a hybrid cloud architecture that combines AWS for certain functions with European providers for others, allowing for a gradual transition without disrupting service.

For the cybersecurity community, the key takeaway is that cloud sovereignty is not an all-or-nothing proposition. It is a journey that requires careful planning, risk assessment, and continuous monitoring. Organizations should evaluate their cloud dependencies, implement encryption and access controls that work across providers, and negotiate contracts that allow for portability. The Wero case shows that even with strong political backing and financial resources, achieving true cloud independence is a long and difficult process. But it is a goal worth pursuing, not just for sovereignty but for security and resilience.