Why 'European Cloud' means (almost) nothing if your cloud provider is American

By Alec

There is a distinction that matters enormously to European organisations right now, and it is one that billions of euros in cloud marketing has worked hard to obscure: the difference between where your data lives and who controls it.

When hyperscalers tell you that your data is stored in Frankfurt or Amsterdam, they are telling the truth, but almost nothing useful. Because the question that determines your legal exposure is not where the servers sit. It is which country's laws govern the company operating those servers.

If that company is American, the answer creates a problem your privacy officer cannot contract their way out of.


The legal conflict that no amount of infrastructure solves

The U.S. Clarifying Lawful Overseas Use of Data Act, known as the CLOUD Act and signed into law in March 2018, compels any U.S.-incorporated company to produce data stored anywhere in the world when served with a valid U.S. government demand. There is no carve-out for data stored in EU data centres. There is no exception for GDPR. The obligation is absolute and extraterritorial.

This creates a direct and unresolved collision with European law. GDPR Article 48 states that foreign court orders cannot be automatically recognised or enforced within the EU without a formal international agreement. No such CLOUD Act agreement exists between the United States and the European Union. Washington has signed bilateral agreements with the United Kingdom (in force since October 2022) and Australia (January 2024), but EU organisations have no treaty framework to fall back on, leaving them with only the competing obligations of two irreconcilable legal systems. A February 2026 white paper by CMS Law examines this conflict in detail and reaches the same conclusion: the tension is structural, not incidental.

Ulrich Ahle, CEO of Gaia-X, put it plainly at the Porto Summit in November 2025: "The highest level of sovereignty for European end customers can only be provided by providers having their headquarters in Europe. Services from U.S. providers, even when operated in Europe, data stored in Europe, are still under American legislation, under the Cloud Act."


Why the 'sovereign cloud' offerings from hyperscalers fall short

AWS launched its European Sovereign Cloud in January 2026, backed by a €7.8 billion investment and structured as an EU-incorporated subsidiary under German law, staffed exclusively by EU nationals. Microsoft has its EU Data Boundary. Google has announced an air-gapped dedicated cloud for European clients, developed in partnership with Thales in France.

These are genuine attempts to address the problem, and it would be unfair to dismiss them entirely. But several structural issues remain.

The first is corporate ownership. An EU-incorporated subsidiary is still 100% owned by its American parent. When U.S. legal obligations apply to that parent, including the FISA Section 702 surveillance authorities reauthorised in April 2024 with a significantly expanded definition of "electronic communication service provider", whether the subsidiary is truly insulated remains untested.

Thierry Carrez, Executive Director of the OpenInfra Foundation, assessed the situation accurately: "U.S. hyperscalers are trying to find a mix of technical solutions and legal engineering to isolate their EU products from potential demands from the U.S. government. This is a positive development, but whether that mix will prove sufficient is unsure and untested."

The second is the fragility of the EU-US Data Privacy Framework. The DPF, adopted in July 2023 as the third attempt to legitimise data flows after Schrems I and Schrems II, survived its first legal challenge at the EU General Court in September 2025. But an appeal was filed at the Court of Justice of the European Union on 31 October 2025, and NOYB, the organisation behind both previous invalidations, has signalled further challenges. More fundamentally, the DPF rests on Executive Order 14086, which is revocable by presidential action at any time. Following the gutting of the Privacy and Civil Liberties Oversight Board (three of five members removed in early 2025, leaving it without a quorum), the oversight mechanism the DPF depends on is currently non-functional.

The EDPB's first DPF review report, published in November 2024, flagged concerns about U.S. intelligence agencies acquiring personal data through data brokers, a channel that technical data localisation measures cannot address.

What enforcement looks like in practice

This is not a theoretical compliance concern. GDPR enforcement against U.S. technology companies has accelerated significantly: over 2,800 fines totalling more than €6.2 billion have been issued since 2018, with more than 60% of that total imposed since January 2023.

The fines most relevant to the CLOUD Act question involve unlawful data transfers rather than internal security failures. Meta received a €1.2 billion fine from the Irish Data Protection Commission in May 2023, the largest GDPR penalty to date, specifically for illegal EU-US data transfers. In January 2024, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) fined Uber €290 million for improper transfers of EU driver data to U.S. servers, citing insufficient safeguards.

That Dutch DPA action matters to European organisations working with U.S. cloud providers. The same authority that fined Uber for inadequate transfer safeguards will apply the same framework to any organisation that relies on a U.S. provider and claims that its data "stays in Europe" without first examining whether the controller is truly outside U.S. jurisdiction.

We have written previously about how Dutch government policy has responded to these risks, and the halt on public-sector cloud migrations to U.S. providers is a direct consequence of exactly this legal analysis.

The regulatory momentum is accelerating, not slowing

Two years ago, it was possible to characterise digital sovereignty concerns as precautionary. Today, the legislative and geopolitical context has removed that interpretation.

The European Parliament's 2025 report on technological sovereignty found that the EU relies on non-EU countries for over 80% of its digital products and services. A December 2025 analysis in The Register, drawing on industry research, estimated that roughly 90% of Europe's digital infrastructure is controlled by non-European companies, with U.S. hyperscalers holding approximately 70% of the European cloud market. Sovereign cloud investment in Europe is projected to reach $80 billion in 2026, representing 83% growth year-on-year, a figure that reflects the scale of migration now underway.

The legislative picture reinforces this. The EU Data Act, applicable since September 2025, introduces mandatory cloud switching provisions: providers must remove all barriers to switching, exit fees are being phased out entirely by January 2027, and Chapter VII creates explicit safeguards against unlawful third-country government access to data held in the EU. For organisations currently locked into hyperscaler ecosystems, the Data Act gives them new legal tools to exit. For organisations evaluating providers now, it makes the lock-in calculus significantly less forgiving of proprietary architectures.

The Commission's planned Cloud and AI Development Act aims to triple EU data centre capacity within seven years. France's SecNumCloud scheme already prohibits non-EU providers from government procurement. Germany's state of Schleswig-Holstein has migrated 30,000 civil servants from Microsoft to open-source alternatives. And in late October 2025, the International Criminal Court replaced Microsoft Office with OpenDesk, directly following a Trump-era sanctions action that temporarily locked the ICC's chief prosecutor out of his Microsoft Outlook account.

What genuine sovereignty requires

The distinction between data residency and data sovereignty is worth making precise, because it clarifies what to look for in a provider.

Data residency is a property of infrastructure: your data is physically stored within a defined geographic boundary. All major cloud providers, including U.S. hyperscalers, offer data residency in Europe. It is a necessary condition for GDPR compliance, but not a sufficient one.

Data sovereignty is a property of jurisdiction: the legal framework governing the organisation that controls your data is exclusively European. No foreign law can compel disclosure without going through EU legal channels. The controller's ownership, incorporation, and operational obligations are all European.

Achieving genuine data sovereignty requires a provider that:

  • Is owned and headquartered in Europe, with no U.S. parent company structure that creates CLOUD Act exposure

  • Operates on open-source, open-standards infrastructure that does not create proprietary lock-in

  • Can demonstrate independent verification of its sovereignty claims through recognised certification frameworks

  • Extends sovereignty across the full infrastructure stack, covering not just compute but also DNS, email, databases, and identity management

The last point matters more than it might initially appear. Organisations that migrate their workloads to a European cloud provider while continuing to use U.S.-based transactional email services, DNS providers, or identity platforms have not achieved sovereignty; they have moved one dependency while leaving others in place. As we explored in our piece on where your transactional emails actually live, the attack surface for data sovereignty is broader than the cloud hosting bill.
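A practical way to find the dependencies the last point warns about is to read them out of your own DNS zone: MX records name who receives your mail, SPF "include:" and "redirect=" terms name every third party authorised to send as you, and NS records name who answers for the domain at all. The script below is an added example (not Cyso Cloud's code or part of the original post): it walks a constructed, hand-written zone for the fictional domain example.eu, follows SPF includes recursively with a loop guard, and classifies each operator against a hypothetical jurisdiction table that stands in for whatever vetted provider list your review uses.

```python
"""Inventory the external operators a domain's DNS zone delegates to.

Added example, not the project's own code. All domains, records and the
jurisdiction table below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed zone data for the fictional domain example.eu, keyed by
# (owner, record type). Nothing here is resolved from the network.
CONSTRUCTED_ZONE: dict[tuple[str, str], list[str]] = {
    ("example.eu", "NS"): ["ns1.eu-dns-provider.example.", "ns2.eu-dns-provider.example."],
    ("example.eu", "MX"): ["10 mx1.eu-mail.example.", "20 mx.third-country-mail.example."],
    ("example.eu", "TXT"): [
        "v=spf1 mx include:_spf.eu-mail.example include:spf.third-country-sender.example -all"
    ],
    ("_spf.eu-mail.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    ("spf.third-country-sender.example", "TXT"): [
        "v=spf1 include:relay.third-country-sender.example ~all"
    ],
    ("relay.third-country-sender.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
}

# Hypothetical operator -> jurisdiction table; replace with your vetted list.
HYPOTHETICAL_PROVIDER_JURISDICTION: dict[str, str] = {
    "eu-dns-provider.example": "EU",
    "eu-mail.example": "EU",
    "third-country-mail.example": "non-EU",
    "third-country-sender.example": "non-EU",
}

# Matches include:/redirect= terms, with an optional SPF qualifier prefix.
_SPF_REF = re.compile(r"[+\-~?]?(?:include:|redirect=)(\S+)")


@dataclass(frozen=True)
class Dependency:
    role: str          # "NS", "MX" or "SPF"
    target: str        # host or domain named in the record
    operator: str      # registrable domain of that target
    jurisdiction: str  # value from the provider table, or "unknown"


def registrable_domain(name: str) -> str:
    """Last two labels of a name: a simplification of public-suffix rules
    that is adequate for the constructed data used here."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def spf_record(owner: str, zone: dict) -> str | None:
    """Return the owner's v=spf1 TXT record, if it publishes one."""
    for txt in zone.get((owner, "TXT"), []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def spf_referenced_domains(owner: str, zone: dict, seen: set[str] | None = None) -> set[str]:
    """Follow include: and redirect= terms recursively and return every domain
    the policy pulls in. `seen` stops include loops from recursing forever;
    RFC 7208 additionally caps DNS-querying terms at 10 per evaluation."""
    seen = set() if seen is None else seen
    if owner in seen:
        return set()
    seen.add(owner)
    record = spf_record(owner, zone)
    if record is None:
        return set()
    referenced: set[str] = set()
    for term in record.split()[1:]:
        match = _SPF_REF.fullmatch(term)
        if match:
            target = match.group(1).lower()
            referenced.add(target)
            referenced |= spf_referenced_domains(target, zone, seen)
    return referenced


def inventory(domain: str, zone: dict, table: dict) -> list[Dependency]:
    """List every NS, MX and SPF dependency of `domain` with its classification."""
    deps: list[Dependency] = []
    for ns in zone.get((domain, "NS"), []):
        op = registrable_domain(ns)
        deps.append(Dependency("NS", ns.rstrip("."), op, table.get(op, "unknown")))
    for mx in zone.get((domain, "MX"), []):
        host = mx.split()[-1]  # drop the preference value
        op = registrable_domain(host)
        deps.append(Dependency("MX", host.rstrip("."), op, table.get(op, "unknown")))
    for ref in sorted(spf_referenced_domains(domain, zone)):
        op = registrable_domain(ref)
        deps.append(Dependency("SPF", ref, op, table.get(op, "unknown")))
    return deps


def operators_outside(domain: str, zone: dict, table: dict, inside: str = "EU") -> list[str]:
    """Distinct operators not classified as `inside`: the dependencies a
    sovereignty review has to justify, replace, or document as "unknown"."""
    return sorted({d.operator for d in inventory(domain, zone, table) if d.jurisdiction != inside})


if __name__ == "__main__":
    for dep in inventory("example.eu", CONSTRUCTED_ZONE, HYPOTHETICAL_PROVIDER_JURISDICTION):
        print(f"{dep.role:<4} {dep.target:<40} {dep.operator:<30} {dep.jurisdiction}")
    print("outside EU:", operators_outside("example.eu", CONSTRUCTED_ZONE, HYPOTHETICAL_PROVIDER_JURISDICTION))
```

Run against a real zone, the same walk would be fed by live NS, MX and TXT lookups for your domain, and "unknown" operators deserve as much attention as "non-EU" ones: an SPF include you cannot attribute to a known operator is exactly the hidden dependency the text describes.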

How Cyso Cloud approaches this

Cyso Cloud is 100% Dutch-owned, with no external foreign investors and no U.S. parent company. Our infrastructure is built on OpenStack, following the "4 Opens" principles of Open Development, Open Standards, Open Source, and Open Collaboration, which means your workloads are portable and you are never dependent on proprietary tooling to move them. There are no egress fees.

Our platform runs across TIER 3 data centres in Amsterdam and Frankfurt, with three availability zones per region. We hold ISO 27001 and NEN 7510 certification, the latter being the Dutch information security standard for healthcare, a requirement that reflects the scrutiny our infrastructure has undergone for the most sensitive categories of regulated data.

In 2025, we became a CNCF-certified Kubernetes Service Provider (KCSP), one of a small number of European providers to hold this certification. Our managed Kubernetes service is production-grade with a 99.9% SLA. Across our full services portfolio, including DNS, transactional email, object storage, cloud databases, and identity and access management, every component is operated on European infrastructure, under European law.

We have also been independently verified. In December 2025, Cyso Cloud was recognised across three major European cloud verification platforms: European.cloud, European Alternatives, and Dutch Alternatives, each of which applies its own due diligence criteria for European ownership and operational independence. These are not self-certifications.


Ready to move?

Ask your current cloud provider one question: can you guarantee, in writing, that our data will never be disclosed to U.S. authorities?

If the answer is anything other than a clear yes, it is worth having a conversation. Cyso Cloud is 100% Dutch-owned, with no U.S. parent company and no legal exposure to the CLOUD Act. Get in touch, and we will walk you through what a move looks like for your workloads.
