Cloud Capabilities and Obstacles to Adoption for NATO

Modern multi-domain operations demand scalable, resilient digital infrastructure – particularly for data storage and processing. To meet these needs, NATO allies – including the UK – are adopting cloud technologies across enterprise and operational environments. Cloud refers to a model of computing that enables scalable, on-demand access to pooled resources – storage, processing, and applications – often distributed across physical locations.

National militaries are actively pursuing cloud adoption for both enterprise and battlefield functions and NATO is working to cohere these efforts into an alliance-wide capability. At NATO’s cloud conference in January 2025, allies reiterated the importance of secure cloud-based solutions that can host sensitive data to support multi-domain operations, drive interoperability and strengthen situational awareness.

To inform decision-making within and across the alliance at a time of increasing defence budgets among NATO allies, it is pressing to take stock of some defence capabilities that cloud enables and consider complicating factors to its adoption.

Cloud-Enabled Capabilities

The transition to cloud computing has created opportunities to achieve operational advantage. Conflicts in Ukraine and Gaza have illustrated clear use-cases and demonstrated how digital capabilities can be integrated in campaigns. Against this backdrop, decision-makers in NATO alliance militaries increasingly view cloud adoption as an urgent operational priority.

Cloud adoption supports the integrity and continuity of critical services by distributing computing workloads across multiple devices and data centres. Distributed workloads are less easy to target and using a large network of computers creates more options for failover and redundancy – mitigating the risk that services are degraded or destroyed.

The DELTA combat system, Ukraine’s situational awareness and battlefield management platform, is hosted on the public cloud, in other words, servers which are not owned and operated by Ukraine’s military. By hosting DELTA in public cloud, the likelihood of service disruption is reduced: if a public cloud data centre – a civilian object – is taken offline, the service can use capacity in another facility. Ukraine has also opened the door to hosting DELTA on public cloud outside the country to further insulate the service. Were it hosted in foreign data centres, it would mitigate the risk of kinetic attack by Russia.

Cloud adoption enables access to diverse advanced capabilities – especially for countries without extensive sovereign capacities. In the current operational environment, cloud is the primary mechanism to unlock large-scale data processing and machine learning or AI use-cases.

Scalable compute is critical for DELTA. The platform demands huge compute resources to process data inputs – from sensors, personnel, satellites – and coordinate effects, for example targeting, fires sequencing, and UAV control. The authors understand that the necessary compute resource required to run the platform exceeds what is available in a single hyperscale region – while loosely defined, this is easily over 20,000 servers. By contrast Valtori, the IT arm of Finland’s government, run a private cloud with only around 12,000 servers.

The scale of cloud – especially commercial public cloud – is also critical to accessing AI use-cases. In the persecution of Israeli’s war on Gaza, the Israeli Defence Force (IDF) have used commercial cloud-hosted AI capabilities – storing over 13.6 petabytes between 7 October and July 2024 on a single provider’s servers. Unconfirmed reports by AP News include that the IDF has used public cloud hosted AI to transcribe, translate and process intelligence.

Cloud adoption affords strategic flexibility to achieve resilience where countries leverage delocalisation. Presently, European capitals are discussing how to achieve digital, data and cloud sovereignty. Countries including France and Germany have borne significant costs to develop territorialised ‘sovereign’ clouds – though few agree what sovereign means. Meanwhile some countries are challenging traditional ideas of territorial sovereignty to achieve resilience by delocalising their data.

In 2017, well before Ukraine demonstrated it could achieve resilience by migrating data onto foreign clouds, Estonia established a data embassy in Luxembourg. The data embassy is a facility that hosts backups of Estonian data and systems in case its people or government were forced into exile. It is not a cloud system, however it provides an insight into how some countries are now approaching delocalised cloud. When faced with an existential threat – invasion, climate change – a country can enhance resilience by mitigating the impact of the capture or loss of its territory. For countries that perceive no immediate existential threat the urgent impetus to delocalise data as a mitigation does not exist. But for those experiencing a more complex threat picture, the opportunity can be compelling.

Complicating Factors

Yet, alliance dynamics – political, procedural, legal, and technical – impede successful cloud deployment across NATO.

One complicating dynamic are national or pan-European pressures for critical cloud services to be ‘sovereign’. During a presentation, one UK MOD official identified nine distinct dimensions of sovereignty for just the UK, ranging from geographic data to personnel to sovereign capacity to use a service. Across NATO, there is little consensus on what constitutes ‘sovereign’ cloud. Some countries prioritise geographic data residency; others focus on sovereign operational, encryption control, or domestic legal jurisdiction. Divergent interpretations delay procurement, complicate interoperability, and drive fragmented investments.

Another complication or barrier to adopting cloud technologies in defence is national data legislation and regulation. Measures such as the EU’s GDPR are pervasive in Europe and place significant duties and constraints on national militaries. Legal requirements, for example, to ensure data – regardless of encryption – remains resident in a particular physical area can prevent access to compute resources based in another. For NATO militaries, heterogenous national legislative requirements are then exacerbated by a need to consider bilateral, multilateral, EU and alliance level frameworks – few of which are effectively aligned. This crowded environment hinders the ability of militaries to work across borders or on shared cloud platforms with classified data. The compliance burden is incredibly high: NATO has acknowledged this and is working to mitigate the impact of regulatory barriers by prioritising providers that use open standards, but more coherent regulatory alignment will likely be necessary.

A final complication for NATO is achieving technical interoperability for cloud. The use of common cloud service providers (CSPs) can reduce the complexity of interoperability solutions between countries, as these CSPs can engineer common methods of interoperability between their systems as well as with other major providers. Without – or often in addition to – hyperscale-engineered interoperability, more burdensome methods of interoperability are necessary, such as cross-domain solutions or interconnect fabrics. These methods are highly dependent upon the slow NATO processes for creating common standards, security procedures, and network management, in addition to having high cost and complexity.

NATO is attempting several programmes to build resilient interoperability structures across allied clouds. Using the Federated Mission Networking (FMN) framework, NATO has implemented a federated cloud strategy, where alliance countries maintain their separate clouds but share common standards. This strategy ensures flexibility to accommodate varied national cloud strategies while supporting a baseline of interoperability. The NATO Digital Backbone builds on the FMN specifications, combining the federated clouds with multiple service layers to create connectivity and data transport across domains and allies. The backbone would help cohere the digital systems of the 32-country alliance, but the ambitions of the initiative will take years to formalise. As part of this backbone, NATO is pursuing the first alliance-wide classified cloud capability, called ‘Allied Software for Cloud and Edge’, although acquisition is still in its initial stages.

Conclusion

Observing ongoing conflicts, NATO members and the wider alliance understand the importance of digital capabilities and many view cloud as a critical enabler. While cloud adoption is not a silver bullet to seamlessly deploy digital capabilities, it is part of the solution and is increasingly a necessary and pressing operational requirement.

Efforts by NATO to acknowledge and address complicating factors to clouds adoption should continue. To increase their chance of success, allies themselves must also take ownership of the issue at a national level. Alignment, interoperability and a common understanding of the urgency of the threat are critical to unlocking necessary transformational capabilities.

This commentary will be followed by full research papers in Autumn 2025 on cloud’s impact on national security and NATO interoperability.

© RUSI, 2025.

The views expressed in this Commentary are the authors', and do not represent those of RUSI or any other institution.

For terms of use, see Website Terms and Conditions of Use.

Have an idea for a Commentary you'd like to write for us? Send a short pitch to commentaries@rusi.org and we'll get back to you if it fits into our research interests. View full guidelines for contributors.