Government & Public Sector Cloud Estate

The cloud shape public-sector CIOs and CISOs actually buy — sovereignty controls, confidential compute, customer-managed keys, and the continuous-compliance posture that meets the regulator wherever they look.

Compass
  • Business: persona, use case, outcome
  • Capability: what the org needs to do
  • Technology: the technology choices
Guided journey · Step 1 of 4

Regulatory Mapping & Compliance Anchoring

Map the regulatory regime first — GDPR, NIS2, DORA, SecNumCloud, IRAP, FedRAMP, regional sovereign requirements. The mapping shapes every downstream decision.

~ 10 weeks

Narrative intro

Public-sector cloud is shaped by sovereignty. The regulator's question is not 'is this secure?' but 'where does the data live, who can access it, and can you prove both?' This map walks the architectural and SKU choices that satisfy that scrutiny — Microsoft Cloud for Sovereignty as the architectural baseline, customer-managed HSM keys, Confidential Computing for the most sensitive workloads, and continuous compliance attestation as the ongoing discipline.

Key takeaways

  • Regulatory regime mapping precedes architecture — sovereignty posture shapes everything
  • Customer-managed keys in Managed HSM is the FIPS 140-3 Level 3 floor for regulated workloads
  • Partner-operated sovereign clouds (Bleu, Delos) are real options where local sovereignty is mandatory
  • Continuous attestation is the discipline — annual audits are no longer the posture

Programme shape

  • Estimated duration: 30-60 weeks
  • Estimated FTE: 1 FTE sovereignty lead + part-time security, compliance, and procurement partners
  • Spend tier: major
  • Risk level: high

Sovereignty controls are the constraint. The decision is which sovereignty posture the regulator requires — EU Data Boundary, partner-operated sovereign cloud (Bleu / Delos), or Azure Government — and that decision shapes everything downstream.
