Cloud Blog: Engineering Deutsche Telekom’s sovereign data platform

Jul 15, 2025

—

Source URL: https://cloud.google.com/blog/topics/customers/engineering-deutsche-telekoms-sovereign-data-platform/
Source: Cloud Blog
Title: Engineering Deutsche Telekom’s sovereign data platform

Feedly Summary: Imagine transforming a sprawling, 20-year-old telecommunications data ecosystem, laden with sensitive customer information and bound by stringent European regulations, into a nimble, cloud-native powerhouse. That’s precisely the challenge Deutsche Telekom tackled head-on, explains Ashutosh Mishra. By using Google Cloud’s Sovereign Cloud offerings, they’ve built a groundbreaking “One Data Ecosystem."
When we decided to modernize our telecommunications data ecosystem at Deutsche Telekom, we faced a daunting task. Over 40 legacy systems, each an ecosystem (data warehouse or data lake), held terabytes of customer, network, and operational data. Each system had 5,000 to 10,000 users who had built their workflows around these isolated silos over decades of use.
The result? What I lovingly call a "spaghetti mess” of data distribution and an undetermined cost of value creation.
The technical challenge of building our One Data Ecosystem (ODE) was one thing — consolidating disparate systems always is. It’s the regulatory puzzle that made it genuinely interesting.
As a telecommunications company in Germany, we handle some of the most sensitive data imaginable: call data records (CDRs), network telemetry, and customer location data. Under GDPR and Germany’s Telecommunications and Telemedia Data Protection Act regulations, this data simply can not leave sovereign borders or risk exposure to foreign legal frameworks.
Here’s where it gets technically fascinating: Traditionally, regulated industries solve this by building expensive on-premises encryption and pseudonymization infrastructure. You process your sensitive data locally, strip it of identifying characteristics, and then send sanitized versions to the cloud for analytics.
This approach costs millions in dedicated hardware and creates a fundamental innovation bottleneck. We wanted something radically different: cloud-native processing of sensitive data, without compromise.

aside_block
), (‘btn_text’, ‘Get started for free’), (‘href’, ‘https://console.cloud.google.com/freetrial?redirectPath=/welcome’), (‘image’, None)])]>

Engineering sovereignty at cloud scale
The breakthrough came with Google Cloud’s approach to digital sovereignty and their Germany Data Boundary by T-Systems offering (formerly known as Sovereign Controls by T-Systems). The architecture is elegant in its simplicity: Deutsche Telekom maintains complete cryptographic control through external key management (EKM) while using cloud-native data services.
Here’s how the technical magic works. T-Systems manages our encryption keys entirely outside Google’s infrastructure. This creates sovereign protection against foreign legal frameworks, and ensures they are able to control access to their data and deny access for any reason.
Meanwhile, we use format-preserving encryption (FPE) algorithms that maintain data utility for analytics while ensuring privacy protection.
The core innovation is our custom pseudonymization layer, which comprises C++ modules with Java wrappers that handle real-time data transformation during ingestion. This eliminates the traditional need for separate preprocessing infrastructure while maintaining analytical value.
Choosing our data format was crucial. After extensive POCs, we settled on Apache Iceberg, and here’s why that matters for anyone building similar platforms: Iceberg solves the polyglot analytics problem beautifully. Our data scientists prefer working in Python notebooks, our engineers use Spark, and our business analysts work with SQL.
While traditional approaches force you to pick sides or maintain multiple data copies, Iceberg provides us with a single source of truth that speaks every language fluently.
The three-layer architecture we built around Iceberg is worth replicating: Raw data lands directly in Cloud Storage, flows through an Atomic layer for normalization and schema evolution, and then surfaces in an Analytic layer optimized for specific use cases. BigQuery, Spanner, BigTable, and Cloud SQL each serve their optimal workloads while sharing the same underlying Iceberg foundation.

Performance and scale in production
We are migrating from more than 40 legacy systems to reinvigorate our business demands. We have ingested over 200 source systems in just six months. However, the real validation came recently when one of our use cases, running live on the new platform, achieved a 22x performance improvement over its legacy predecessor.
That number represents the compound effect of eliminating data silos, reducing ETL complexity, and using cloud-native autoscaling. When you can process overnight analytics jobs in minutes instead of hours, you fundamentally change how business decisions get made.
What makes this platform genuinely scalable isn’t just the technical architecture; it’s the operational model. We’ve implemented a GitOps approach with policy-as-code onboarding through GitLab CI/CD pipelines, where infrastructure and governance policies are defined declaratively and deployed automatically. This means onboarding a new system takes hours instead of months, and compliance becomes automatic rather than manual.
Additionally, we’re already running agentic AI use cases on the public side of our platform. The unified data model we’ve built positions us perfectly for the next wave of AI innovation. As more AI services become available with sovereign controls, we’ll be ready to expand our deployment at scale.
The key insight: Build your data foundation with AI in mind, even if you can’t implement every AI capability immediately. Clean, unified, well-governed data is the prerequisite for everything that’s coming.
A blueprint for the future
This is one of the largest and most comprehensive data platforms built on Google Cloud’s Data Boundary — but it won’t be the last. The architectural patterns we’ve developed, external key management, format-preserving encryption, unified data formats, policy-as-code governance, are replicable across any regulated industry.
The business case is also compelling: Eliminate expensive on-premises preprocessing infrastructure while gaining cloud-scale analytics capabilities. The technical implementation is proven. What’s needed now is the willingness to engineer sovereignty, rather than simply accept traditional trade-offs.
For my fellow data architects in regulated industries, you don’t have to choose between innovation and compliance. With the right technical approach, you can achieve both and build platforms that position your organization for the AI-driven future that’s rapidly approaching.
The maturity and integration of Google Cloud’s data and AI capabilities, combined with our intensive collaboration between engineering teams, has made this transformation possible. We’re not just customers: We’re co-creating the future of sovereign cloud platforms.

AI Summary and Description: Yes

Summary: Deutsche Telekom’s transformation of its telecommunications data ecosystem illustrates a significant cloud-native evolution, emphasizing compliance with stringent European data regulations while enabling advanced analytical capabilities. This transition highlights the importance of digital sovereignty in deploying cloud services, utilizing innovative approaches like external key management and format-preserving encryption.

Detailed Description:
The case study of Deutsche Telekom’s modernization of its data infrastructure brings to light several crucial insights for professionals dealing with cloud computing, security, and compliance:

– **Challenge of Legacy Systems**: Deutsche Telekom transitioned from over 40 isolated legacy systems to a unified, cloud-native data ecosystem, termed One Data Ecosystem (ODE), which faced challenges not only in technical integration but also in regulatory compliance.

– **Data Sovereignty**: The company had to adhere to strict regulations, such as GDPR and Germany’s Telecommunications and Telemedia Data Protection Act, which necessitated that sensitive data, including call data records and customer information, remain within national borders.

– **Innovative Encryption Strategies**: Traditional methods of managing sensitive data through costly on-premises encryption infrastructures were deemed inadequate. Instead, Deutsche Telekom leveraged Google Cloud’s Sovereign Cloud offerings to utilize external key management for enhanced data protection, effectively safeguarding against foreign legal influences.

– **Format-Preserving Encryption (FPE)**: This technique was adopted to enable sensitive data processing while maintaining data utility for analytics, striking a balance between privacy and operational efficiency.

– **Custom Pseudonymization Layer**: A bespoke layer was introduced, utilizing C++ modules with Java wrappers, facilitating real-time data transformation and analytics without additional preprocessing overhead.

– **Unified Data Format with Apache Iceberg**: Choosing Apache Iceberg allowed for seamless integration across different analytics platforms, allowing various stakeholders (data scientists, engineers, and business analysts) to utilize a single source of truth effectively.

– **Three-Layer Architecture**: The architecture employed includes layers for raw data, normalization and schema evolution, and analytics, serving diverse workloads while optimizing data accessibility and governance.

– **Performance Improvements**: Early applications of the new platform showed a remarkable 22x improvement in performance, alleviating data silos and complexity in ETL processes.

– **GitOps and Automated Compliance**: The operational model introduced GitOps practices with policy-as-code governance, enabling rapid onboarding and compliance automation, thus reducing implementation time significantly.

– **AI Readiness**: The unified data model positions Deutsche Telekom for future AI capabilities, ensuring they can adapt as AI services evolve, reinforcing the core message that a well-governed data foundation is essential for advanced AI functionalities.

In summary, this transformation exemplifies a blueprint for regulated industries aiming to innovate while remaining compliant. The architectural patterns and methodologies detailed are replicable, suggesting a paradigm shift in how organizations can approach data sovereignty and compliance in the cloud era.

1 10 2 4 5 a access accessibility Act ads advanced advanced AI after agent agentic agentic AI AGI AI AI capabilities algorithm algorithms analytical capabilities analytics and apach Apache Apache Iceberg API app Application applications Arch architectural architectural patterns architecture art as at ated Auto automation autoscaling Bi BigQuery Bigtable board book building built business by Byte C capabilities capability case study challenge challenges CI CI/CD CIA Cloud cloud computing cloud platform cloud platforms cloud service cloud services Cloud SQL cloud storage cloud-native co code Col collaboration communication complexity compliance compliance automation Computing Console control controls core cost Costs creation cross Crypto cryptographic Customer customer information D data data access data accessibility data boundary data ecosystem data formats data infrastructure data lake data platform data processing Data Protection data regulations data scientist data scientists data service data silos data sovereignty data transformation data utility de decision decisions DeFi demand deployment Deutsche Telekom digital digital sovereignty drive driven e ecosystem effective efficiency encryption encryption keys end Engineer engineering engineering teams engineers EU Europe European European regulations exp External external key management face fine for framework frameworks free full function future g GDPR Gen German Germany git GitLab GitOps Go Google Google Cloud governance governance policies graph gs H hardware high Highlight HR http HTTPS Iceberg image implementation implicit in industry Influence information infrastructure infrastructures innovation innovative approach innovative approaches insights integration intensive inter io ite J Java job jobs Just k Key Key Management keys l Labor Lance land language large led legacy systems Legal Legal Framework legal frameworks Li local location data low M made Magic man management matt maturity mean media methodologies Mila ML Mode model Modern modernization multi my N nation native network network telemetry new next no non notebook o of off offs on onboarding one only operation operational data operational efficiency ops opt optimized organization organizations ory oS out over patterns per performance performance improvement performance improvements phi Pipeline pipelines platform platforms PoC policies policy Policy-as-Code Power practices pre premises preprocessing preserving privacy privacy protection pro problem process processes processing product production professionals protection ps pseudonymization public puzzle Py Python Q R rag rate RCE readiness ready real real-time real-time data record red regulated industries Regulation regulations regulatory regulatory compliance right Risk risk exposure Ro RoT s safe sam scalable Scale scaling schema scientists sec security sensitive data service services SHA sharing shift side Sig Sim simplicity single solid source sovereign cloud Sovereign Controls sovereignty Spanner Spark specific sql SSE SSO stakeholders STAR start storage strategies structures study system systems T Task team Teams tech technical implementation ted telecom telecommunications telemetry text the Time time data to Tor TP trade Transform transformation transition trial trie truth two UI under US use use cases user Users uth V val Valid Validation version WAN Ware Well Wi workflow workflows workload workloads x yt z