As ransomware, regulation, and geopolitical instability strain traditional cloud systems, Finland’s SpaceTime is rethinking infrastructure from first principles—designed not only to scale, but to survive.
While most apps using cloud platforms are busy serving personalized ads, optimizing dating swipes, or reminding you to hydrate and buy more toilet paper, SpaceTime is focused on something more urgent: protecting the data we actually can’t afford to lose.
The Cloud Illusion Is Cracking
For over a decade, cloud computing was considered bulletproof. Amazon Web Services, Microsoft Azure, and Google Cloud marketed a near-religious faith in scalability, uptime, and global availability. But that confidence is no longer warranted.
When Tietoevry, a cornerstone of Nordic IT, was hit by a ransomware attack earlier this year, it wasn’t just websites that went down. Hospitals diverted patients, banks froze operations, and entire public sector workflows were paralyzed. In Sweden, municipalities were forced to communicate offline using paper memos. In the U.S., the Change Healthcare breach disrupted medical payments for weeks, showing that “cloud resilience” still translates to “someone else’s problem… until it becomes yours.”
The lesson is uncomfortable: cloud convenience has outpaced cloud safety.
The irony? These outages happened in cloud-connected environments sold as unbreakable—right up until they broke, spectacularly. For all the breathless promises of infinite uptime and disaster-proof design, cloud infrastructure still depends on the same old magic trick: someone else’s servers, someone else’s problem, until it becomes everyone’s problem.
Even hyperscalers are not immune to catastrophic failures. In May 2024, Google Cloud accidentally deleted the entire account of UniSuper, a $125 billion Australian pension fund. The incident stemmed from a provisioning error on Google’s end, wiping out both live services and backups. It took two weeks to restore access. Fortunately, UniSuper had invested heavily in data protection and maintained third-party disaster recovery systems—without them, the company likely would have ceased to exist. For millions of retirees, one of the world’s largest cloud platforms had nearly erased their financial infrastructure.
This incident underscores that scale does not equate to safety, and even the biggest names in tech are susceptible to errors that carry existential consequences.
Cloud Sovereignty: The Infrastructure Bet Geopolitics Just Made Inevitable
The sovereign cloud market is projected to grow from $3.2 billion in 2023 to $21.5 billion by 2030, expanding at a 31.5% CAGR, making it one of the fastest-growing infrastructure categories globally. Growth is being fueled by stringent data localization laws, cyberattacks targeting national infrastructure, regulatory fragmentation, and increasing demand from governments and critical sectors, including healthcare, energy, and defense. High-growth regions, including Europe, the Middle East, and the Asia-Pacific, are where digital sovereignty is becoming a top policy priority.
But SpaceTime isn’t just riding a market wave. It’s building for a systemic shift, where digital infrastructure has become national infrastructure, and resilience now outweighs scalability. While mainstream cloud providers like AWS, Azure, and Google Cloud generate over $500 billion in annual revenue, their size is irrelevant to Spacetime’s mission. In today’s fractured, high-risk environment, sovereign infrastructure may not be bigger, but it is more important.
The Sovereign Cloud Arms Race
Across Europe and beyond, sovereign cloud and infrastructure offerings are proliferating, especially in sectors where data sensitivity is existential. In healthcare, Corti has launched what it calls Europe’s first sovereign AI infrastructure, placing data centers in Switzerland to meet regulatory pressures across Europe and the Middle East. Startups like Allonia in Germany and Owkin in France are building privacy-preserving AI systems for highly regulated use cases.
However, many of these companies focus on adapting applications to sovereign environments, not rebuilding infrastructure from scratch. Corti, for instance, emphasizes localization but lacks public documentation of global security certifications, such as ISO/IEC 27001/27022 or HIPAA. Switzerland, while strong on privacy, is actively revising its surveillance laws, raising concerns about potential backdoors in encrypted services.
By contrast, SpaceTime physical facilities have been audited for Katakri TI-3 military certification as well as sustainability certifications such as: ISO 27001, ISO 9001, ISO 14001, ISO 45001 and PCI DSS. Additionally, the company is actively certifying its operations under ISO 27001/22. Its approach is not to conform infrastructure to regulation, but to build it in a way that makes compromise and compliance an inherent property.
Where Others Retrofit, SpaceTime Reinvents
Even sovereign cloud efforts from telecom giants—such as Bleu (a partnership between Microsoft and Orange), T-Systems’ partnership with Google Cloud, or the GAIA-X consortium—often retrofit existing U.S.-based hyperscaler infrastructure to meet European compliance requirements. SpaceTime is different: its systems are sovereign by design, not adaptation. Its infrastructure is immutable, jurisdictionally locked, and physically decentralized—built to survive attack, not just satisfy a checklist.
This design-first posture makes SpaceTime stand apart in a market defined by rising compliance pressure and digital fragmentation. Where others offer a sovereign wrapper, SpaceTime delivers a sovereign core..
SpaceTime: The Fortress Builder
SpaceTime’s origins can be traced back more than 25 years, when Finnish technologists Antti Pennanen, Joonas Mäkinen, and Jyri Sillanpää—then founders of earlier ventures—first began experimenting with ideas that would later evolve into SpaceTime.
Many startups today chase buzzy topics or narratives they believe VCs will back with capital, but SpaceTime is solving a problem that its founders encountered themselves, first-hand, when building their previous businesses.
When building an animation studio in the early 2000s, Pennanen, SpaceTime’s CEO, encountered the issue of data storage. Quite literally.
“When passing work to the next team in the creative process, we found it was easier to take hard drives on a plane and then deliver them in person rather than using the internet,” he recalls. “That was insane to me even then.”
With close friends he knows from Finland’s startup nucleus, Pennanen began investigating how to tap the internet’s undoubted potential for storing and transporting data, without needing his own flight tickets. This was crystallized in 2021 with the formal launch of SpaceTime.
The collective had achieved 10 years of uninterrupted uptime with a group of Linux-based servers they’d set up for their own ventures, and saw the potential to commercialize their knowledge into a business, but with the conviction that the entire cloud paradigm must be rethought.
As a systems architect, Pennanen helped design secure telecom infrastructure for the Finnish government to protect some of its most sensitive data. He grew up in a geopolitical context where cyber disruption wasn’t hypothetical, it was expected. Finland’s proximity to Russia—and its long-standing hybrid defense doctrine—infused him with a systemic awareness of fragility.
“If you don’t own your own data, you can’t defend it,” he tells Forbes.
The importance and purity of the mission have helped assemble an impressive executive team for a young startup. Members include Taneli Tikka, a serial entrepreneur and high-profile angel investor in Finland, with a bench of advisors that includes Harri Holopainen, who previously sold a business to Nvidia.
Pennanen’s background is more war-room than boardroom. He’s not a serial founder chasing unicorn valuations. He’s the guy you call when your infrastructure catches fire and you don’t want a TED Talk, you want a disaster recovery plan and activation to be implemented immediately.
Based in Helsinki, SpaceTime isn’t trying to replace AWS. It’s building an immune system for digital civilization—one that prioritizes fault tolerance, jurisdictional sovereignty, and immutability over flexibility, scale, or developer convenience.
At the core of that system is a federated protocol designed not for centralization, but for collaboration. “We’re building a protocol for many,” says Pennanen. “It’s not a walled garden. It’s an open, sovereign framework where European players—national clouds, regional data centers, even startups—can plug in, contribute, and co-defend.”
That collaborative architecture, he argues, is what gives SpaceTime its long-term advantage: a system resilient not just to outages, but to cyberattacks, legal overreach, and systemic collapse.
“We’re not trying to become the next global cloud,” Pennanen says. “We’re building the resilient sovereign layer—the one that endures cyberwar, disruption, and digital blackout.”
The sentiment is echoed by one of SpaceTime’s major partner, Finland-based Nexetic, which sells digital backup services to over 4,000 customers.
“We partner with SpaceTime because of their reliable, secure, and domestically hosted capacity from the Ulvila Datacenter. This collaboration ensures that our state-of-the-art Microsoft 365 and Entra ID backup services are delivered with full data residency in Finland, high scalability, and top-tier data security,” Nexetic CEO Henry Liukko-Sipi tells Forbes.
“SpaceTime’s infrastructure enables us to meet the evolving needs of our customers while maintaining maximum performance, availability, and trust,” he adds.
Why Cloud Infrastructure Must Serve and Defend
In a stark example of centralized infrastructure vulnerability, Iran shut down nationwide internet access last month in response to escalating cyberattacks. The blackout incapacitated banks, mobile networks, and e-government services, crippling the country’s core systems.
At the same time, Nobitex, Iran’s largest cryptocurrency exchange, was breached. The platform was compromised despite hosting its data locally, and funds were drained in a coordinated exploit.
The takeaway: storing data locally isn’t enough. If systems aren’t architected for resilience, even sovereign infrastructure can fail. This is the frontier of modern infrastructure risk: not just uptime, but recoverability under targeted attack. In a world where infrastructure is a strategic asset, companies and countries are recognizing the need for regional redundancy, legal independence, and cyber-immune architecture.
SpaceTime was built for this moment.
“If your infrastructure can’t survive cyberwar,” says Pennanen, “it’s already obsolete.”
Europe’s Digital Awakening
European regulators are responding faster than their American counterparts. The NIS2 directive, a sweeping EU regulation aimed at strengthening cybersecurity across critical infrastructure sectors, dramatically expands obligations for risk management, incident reporting, and supply chain security, covering industries from energy and finance to healthcare and transportation. Meanwhile, the EU Data Act introduces strict localization rules for industrial data.
The legal backdrop is just as volatile. The CLOUD Act allows U.S. authorities to access data on American-owned cloud platforms, regardless of where the data is stored. Meanwhile, the Schrems II ruling invalidated the EU–U.S. Privacy Shield, creating uncertainty for companies relying on transatlantic data flows.
Even the hyperscalers are retreating to sovereign models:
- Microsoft’s EU Data Boundary promises in-region processing and storage for all customer data.
- AWS’s European Sovereign Cloud will be hosted in Germany and managed by EU personnel.
But as SpaceTime is quick to point out: these are still adaptations of U.S. companies to European law, not European infrastructure born for it.
SpaceTime was architected with these constraints in mind from day one. Its systems are sovereign by default, with zero foreign legal exposure and immutable infrastructure built into its core.
That’s essential not only because of the CLOUD Act, but as the evolution of European data laws creates almost a bifurcation between the two regions, leaving companies in the middle. While he is coy on the details of SpaceTime’s roadmap, Pennanen has a broader vision for how the company can enable European companies to control their data with increased granularity and ownership.
“We are building the protocol to unite Europe,” he declares.”We want to give European companies the opportunity to bring their data back home.”
“Europe’s sovereign cloud market is approaching a critical juncture,” wrote IDC analyst Rahiel Nasir in a December 2025 research report. “2025 looks set to become a pivotal year as new sovereign cloud offerings are launched and existing ones start to gain momentum.”
Demand is clearly growing. The report found that 84% of European organizations that are using cloud technologies were either currently using or planning to use sovereign cloud solutions.
SpaceTime Isn’t The Backup Plan—It’s The Survival Plan
SpaceTime doesn’t optimize for mass-market use or infinite scale—it’s engineered for durability in the most critical environments. Instead, it offers something different: durability. Its infrastructure is as suited to disaster insurance or nuclear redundancy as it is to typical cloud services. Since it is fully compatible with current cloud storage APIs from any provider, switching to SpaceTime from a cloud provider is a straightforward process.
The architecture is anchored on three principles:
- Immutable storage: Attackers, insiders, or administrators cannot delete or alter data.
- Decentralized architecture: Eliminates single points of failure by default.
- No foreign control: Data is physically and legally bound to its jurisdiction, immune to extraterritorial interference.
In mission-critical sectors, recoverability matters more than raw power or size. SpaceTime is positioning itself not as the dominant cloud provider, but as the contingency infrastructure trusted when the dominant cloud fails. These principles are particularly critical for hospitals, utilities, government services, and AI model training centers, where data loss costs are existential.
“Think of us as the place you keep the crown jewels,” Pennanen says. “You don’t need to access them every second. But when everything else fails, they’re still there—and intact.”
The company recently closed a seed round from deeptech investors focused on cybersecurity and critical infrastructure. Interestingly, even after receiving seed investment, the founders still own more than 90% of the company. Pennanen said there are current discussions to raise a new round of funding from investors that share the same mission of providing European data sovereignty.
“When a highly experienced team with a proven track record builds and successfully operates a 70 petabyte infrastructure serving demanding enterprise customers, wise investors take notice,” said Vitaly Kleban from Cyber Fund, which is a SpaceTime investor.
Cloud Sovereignty: The Case for Untouchable Data
Ransomware attacks are evolving from disruption to destruction. Groups like Cl0p and BlackCat now target backup systems explicitly—corrupting or encrypting recovery points to increase payout leverage. In 2023 alone, the average ransomware payment surged past $1.5 million, according to Chainalysis.
SpaceTime’s immutable model cuts off this leverage completely. Once data is written, it cannot be modified, even by administrators. This design flips the ransomware game on its head: there is no access point for extortion.
It also inoculates against internal threats, like rogue employees or misconfigurations, one of the most common causes of cloud data loss. By removing mutation rights, SpaceTime ensures that what’s stored stays stored.
This is not a convenience play. It’s a survivability guarantee.
“If attackers can modify your backups,” says Pennanen, “you don’t have backups.”
The Cloud Is Splintering—SpaceTime Was Built for It
We are entering the post-monoculture era of cloud computing. Pennanen said, “We are going back to the core of the essence of the purpose of the internet back in the day. It was BUILT for this purpose exactly. It’s nothing new, but hyperscalers destroyed that decentralised principle by taking over 80% of the internet’s compute over.”
The dream of “one cloud to rule them all” has been replaced by a more practical truth: maybe we don’t want our AI models, missile guidance systems, and grocery delivery APIs all running on the same stack. Instead, we’re entering a fractured landscape of specialized clouds: by
- Defense clouds with sovereign controls
- AI clouds with regulatory ringfencing
- Critical sector clouds with resilience baked in
This fragmentation isn’t failure—it’s evolution. Gartner predicts that by 2026, more than 60% of organizations will utilize at least three cloud providers, each selected for different risk and compliance requirements.
SpaceTime is positioned not as a competitor, but as a complement—a final layer beneath the stack, architected for one job: not to serve everyone, but to save the mission-critical C-suite for whom infrastructure resilience has become a priority.
SpaceTime’s Playbook: Resilience Without Compromise
SpaceTime isn’t in the business of storing cat videos, powering dating apps, or ensuring your influencer campaign launches on time. Its focus is narrower—and far more critical: to remain intact while the rest of the internet enthusiastically dismantles itself. Unlike Big Tech, it doesn’t chase scale for scale’s sake. But that doesn’t mean it can’t scale. SpaceTime is engineered to scale on its own terms—around resilience, immutability, and sovereign control.
Its approach is not reactive, but foundational—a reimagining of infrastructure that assumes compromise and failure, yet survives anyway.
In an age of ransomware-as-a-service, hostile AI, fragmented geopolitics, and infrastructure weaponization, SpaceTime’s pitch is not just timely. It’s essential:
Security. Sovereignty. Survival.
“We’re not building another cloud,” says Pennanen. “We’re building the thing that survives when everything else fails.”
