Canadian Government Provides Next Steps to Sovereign Cloud
Is the Government of Canada headed towards true sovereign cloud?
Where are we at with Sovereign Cloud?
Since early 2025, the Government of Canada has increasingly looked to shore up and improve Canada’s digital sovereignty. The reasons for this are myriad, including many strong economic reasons to invest in Canadian capacity to develop data centre infrastructure to support Canada’s digital technology. However, the most influential reason is the significant turn the United States has taken towards authoritarianism, and Canada’s growing realization of how much its digital sovereignty is compromised by its reliance on United States cloud providers.
Initial explorations by the federal government noted big loopholes in policy and procurement that allow major hyperscalers and United States-based corporations to refer to themselves as sovereign cloud. This is problematic because United States law states that any data on a foreign server that a United States-based corporation has access to can be requested by the United States as part of a “criminal investigation,” and the country where that data is hosted will have no say in its transfer.
One of the primary problems is that there are four different definitions of a “Canadian company,” including “any company that is formed in Canada following the laws of either the Government of Canada or a provincial government. This includes government and private companies of any size.” As a result, a company incorporated in Canada but owned by an American corporation still counts as a Canadian company. The Canadian Shield Institute have done some great work on this topic.
Those opposed to Canadian sovereign cloud being wholly owned by Canadian firms refuse to acknowledge Canadian national security and sovereignty issues, particularly due to United States law. Their error is ignorance and naivety in believing that their sovereignty matters more than ours. Fortunately, the Government of Canada is invoking the national security exception, which is something common in most countries that can be triggered to exclude a procurement from trade agreement obligations. This means Canada can say trade agreement rules concerning data localization and inclusion in procurement don’t matter; sovereign cloud is a matter of national security.[1]
PSPC and SSC updated the request for information (RFI) on March 3, which provides new information on the program's direction and who will be allowed in. Before jumping into what’s new, let us figure out what PSPC and SSC first learned that may have contributed to this update.
What Have PSPC and SSC Learned?
PSPC released the first wave of its RFI on sovereign cloud capability last year. In addition to requiring that data is processed, transmitted, and stored exclusively within Canada, the RFI also included a minimum requirement that “at all times only under the control of service providers, up to and including their ultimate parent corporations, that are not subject to foreign laws that permit foreign governments to obtain access to Canada’s data without Canada’s prior written consent.” This RFI is intended to inform the development of a procurement vehicle for a sovereign cloud Infrastructure as a Service (IaaS) and a native Platform as a Service (PaaS).
In the update to the RFI, this has been changed to “Cloud services remain at all times under the control of service providers (including their ultimate parent corporations) that are not subject to foreign laws permitting foreign governments to access or compel actions affecting Canada’s data or services without Canada’s prior written consent.”
This difference in wording is very telling as PSPC and SSC figure out how to specifically frame and define the techno-legal constraints to ensure digital sovereignty.
The RFI examined a range of issues related to sovereign cloud, but the fact that this is the basic entry point for it is a very positive sign. After the first wave, PSPC released documents that elaborate upon what they are looking for and what they have learned so far.
The Carney Government is making a lot of policy and proclamations about Canadian digital sovereignty in cloud and AI, but it is doing so without understanding the extent to which Canadian industry can meet what it is calling for, or the obstacles it faces.
This RFI is intended to help with this, and as PSPC and SSC determine what is possible, it will seek more granularity to inform the government and eventual competitive process. Some highlights of what they’ve learned so far (keep in mind that this is all self-reporting):
40 suppliers participated, and 32 met the sovereign eligibility requirements
This is honestly more than I expected.
Sovereign cloud options do not match the “scalability” of hyperscalers.
This confirms what I have been saying. Canadian cloud providers exist, but they cannot match the scale of the giants.
Limited sovereign hardware and reliance on proprietary software
This is no surprise. I do not want to call Canadian cloud providers resellers, but Canada hasn’t had much domestic innovation or development of cloud capabilities and technology. That means relying on others’ intellectual property a lot.
However, the current landscape and investment in this space mean this will be a growing sector.
I provide some additional commentary on some RFI Q&A at the end.
What’s New in the Update?
However, the federal government appears poised to address this gap. On March 3, Public Services and Procurement Canada (PSPC) and Shared Services Canada (SSC) updated the Request for Information (RFI) - Sovereign Cloud Capability - Upcoming Competitive Processes with specific, targeted requests for information that should make proponents of Canadian sovereign cloud happy. I have covered a lot of information from last year here, so what’s new and so interesting about the update?
As I already noted above, they have slightly adjusted their definition concerning what counts as sovereign cloud: “Cloud services remain at all times under the control of service providers (including their ultimate parent corporations) that are not subject to foreign laws permitting foreign governments to access or compel actions affecting Canada’s data or services without Canada’s prior written consent.”
They have released details on the planned competitive process
Only Canadian small and medium businesses (SMBs) will be able to compete.
They use the Statistics Canada definition of SMBs:
A small business has 1 to 99 paid employees.
A medium-sized business has between 100 and 499 paid employees.
When talking about SMBs, they again want to emphasize that neither the corporation nor any parent corporation should be compelled by a foreign government to take any action without Canadian consent.
There are likely to be one-off competitive processes that “address specific [security or] sovereignty related challenges where Canadian firms can offer concrete solutions that materially enhance Canada’s sovereign cloud posture.”
This seems to indicate that there will potentially be contracts where SMBs cannot meet the needs. This may even mean that a United States-owned Canadian corporation could compete in these one-offs, but it is unclear what definition they are using for “Canadian firm” here. It likely means the narrow one they have developed for sovereign cloud, but for these one-off contracts it could be more permissive depending on the context.
We also have a very vague timeline, but we at least know the steps. We know they are undertaking an agile procurement process, which is much more collaborative and can at times be quicker, so this is reflected in their timeline. It appears they are aiming to have a draft solicitation as soon as possible, which will be developed through engagement with industry.
One thing to note is that PSPC may move towards an initial technical qualification as the process progresses, because they will need to discuss some security requirements at some point.
Takeaways
Shared Services Canada (SSC) is specifically “leveraging an adjusted definition specific to Sovereign Cloud Services procurement.”
This may run into some difficulty later in the procurement process as the government’s wants and needs for sovereign cloud may not align with a lot of existing policies. This is particularly reflected in many of the questions received about specifics related to qualifications and existing definitions and policies of PSPC and SSC.
SSC and PSPC are trying to determine what can be achieved with current capabilities that meet the specific guidelines they set out.
This may mean the results are not what we want to hear, but it will help the government determine what is feasible right now and what to invest in for the long term.
Because there is a major market gap for Canadian firms specializing in data centre infrastructure, this creates a potential obstacle to seeing a full-stack sovereign cloud that is Canadian, but this is a starting point.
Post-quantum cryptography will likely be required. They don’t have much more on this yet, but they at least acknowledge it’s likely a requirement.
Do not expect any sovereign cloud investment and competitive process to replace the hyperscalers. The information PSPC and SSC have received indicates significant market potential, but there remains a gap between the current potential of the Canadian sovereign cloud market and that of hyperscalers. This is likely contributing to the big focus on SMBs.
In other words, major cloud and data centre/infrastructure projects, like secret cloud, will still likely go to a hyperscaler.
Selected Q&A Commentary
One question raised during the initial RFI was why the national security exception was invoked and whether this could limit competition.
It all depends on how you view competition. As this is an RFI, it is not a competition yet, but the exception will affect the competition in the end. Canada wants a sovereign Canadian cloud so using a national security exception doesn’t limit competition if it is specifically looking for Canadian firms. For American corporations who do not want Canada to have digital sovereignty, this could be viewed as limiting competition because they aren’t involved. The problem here is that Canada doesn’t want their involvement, which is why the national security exception is being used. Americans do not seem to understand that they are the security problem we want to avoid.
There was a question about the involvement of American hyperscaler-owned Canadian corporations in the process, such as Microsoft Canada and AWS Canada.
The response was that the RFI is not a qualification process and is just about collecting market information. The question is largely wanting to speak to being qualified for the eventual IaaS and PaaS of sovereign cloud; many of them claim to sell sovereign cloud as well. However, the development of this specific procurement vehicle will mean American hyperscalers will not be able to say they provide sovereign cloud, because according to the RFI, they are leaning towards a very strict definition where
One question specifically asked about using “multiple services and technology layers” and the degree to which part or all of the components are affected by the United States CLOUD Act.
This is one of the best questions. We think of digital technology as a black box, all-inclusive, but when it comes to large data centres, cloud, servers, and everything in between, this can involve a vast range of supply chains spanning software and hardware. This is where a lot of Canadian service providers are likely to have some trouble because even if it is wholly owned by a Canadian firm, it could be using all United States products, such as software developed by an American hyperscaler.
One of the most important questions concerns what is meant by “subject to foreign laws.”
The core of this question is whether a Canadian company with operations in the United States would still be affected by the United States CLOUD Act, or really other laws for that matter.
SSC and PSPC are particularly looking for input on how a Canadian-owned company would address this. A major issue is that any major Canadian-owned corporation that operates at the data centre level and provides government cloud services is likely to be operating in the United States as well.
I am of the view that any sovereign cloud would have to either not operate in the United States or places with similar sovereignty-infringing laws, or explicitly state they will refuse all foreign requests/demands for Canadian-hosted data.
One question asked if a Canadian-hosted service is sufficient, insinuating it is outside the scope of the US CLOUD Act.
This is false and part of the ongoing strategy of misinformation from American hyperscalers. It is no longer sufficient for data to only be hosted in Canada. A United States-based corporation like Microsoft or AWS, which owns its Canadian subsidiaries, is still required to give data to the United States if the courts say so, even if the data is hosted in Canada.
This is the entire reason for seeking to develop sovereign Canadian cloud.
[1] The exception can be challenged if it wasn’t “properly invoked,” but I believe this is extremely rare.







I have commented to you before about my ignorance of cyber matters, but reading your article Thank You for bringing this Christmas gift in March!
If I could, I would ship some Crown Royal to you!