CLOUD Act: Europe pays for its own dependence
The US CLOUD Act grants American authorities access to data held by US providers—regardless of where servers physically sit. Every euro spent on these platforms funds innovation abroad while starving Europe's own. We're financing our strategic subordination. For European tech leaders, this isn't a compliance checkbox. It's an architectural choice, and the path to regulatory independence starts with infrastructure independence.
By Jurg van Vliet
Published Jun 5, 2025
A practical question for every European CTO: If a US court issues a subpoena tomorrow for your customer data, would your cloud provider be legally obligated to comply?
For most European companies running on AWS, Azure, or Google Cloud, the answer is unequivocally yes.
The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) requires US companies to provide data to US law enforcement, regardless of the data's physical storage location. A server farm in Frankfurt or Stockholm does not change this; what matters is which company controls the keys.
This legal reality was solidified by the precedent set during the Microsoft Ireland case. In 2013, Microsoft challenged an FBI warrant demanding emails stored on servers in Dublin. The case reached the US Supreme Court. While arguments were underway, Congress passed the CLOUD Act, explicitly amending the Stored Communications Act to mandate compliance with US law enforcement requests “regardless of whether such communication, record, or other information is located within or outside of the United States.” The Supreme Court declared the case moot, establishing a clear framework: jurisdiction follows the corporate entity, not the server location.
Beyond legal jurisdiction, there is a core economic consideration: where do the profits, and strategic power, flow?
When a European organisation pays AWS, Azure, or Google Cloud, those revenues ultimately fund US-headquartered corporations.
- AWS Europe (Frankfurt, Paris): Owned by Amazon.com, Inc., incorporated in Delaware, USA.
- Azure Europe: Owned by Microsoft Corporation, incorporated in Washington, USA.
- Google Cloud Europe: Owned by Google LLC, incorporated in Delaware, USA.
These corporations, even operating through European subsidiaries, remit profits back to their US parent companies. This creates a one-way transfer: the vast innovation capacity built from European expenditure flows back to corporate headquarters in Seattle, Redmond, or Mountain View. Investment decisions, core research priorities, and strategic direction for the global cloud market are made there, not in Europe.
In contrast, paying European providers like OVHcloud (French), Scaleway (French), or Hetzner (German) ensures that revenue remains within the European ecosystem. These companies reinvest in European data centers, support European engineering teams, and contribute to local innovation capacity.
This is a pragmatic economic choice: Are you building digital infrastructure for Europe, or paying a premium to reinforce a non-European strategic lead?
We have reviewed dozens of enterprise cloud agreements. They are sophisticated commercial contracts with detailed Service Level Agreements (SLAs) covering uptime and response times. However, no commercial contract can override the laws governing the provider's home jurisdiction.
An SLA can promise 99.99% availability. It cannot promise that your customer data will not be disclosed under a valid US legal order.
This creates an acute and uncomfortable situation for European organisations: you are contractually and legally obligated to protect customer data under GDPR, while your infrastructure provider is potentially obligated to disclose it under US law. These obligations are in direct conflict.
The Schrems II decision (2020) already invalidated Privacy Shield and confirmed that US surveillance law poses significant obstacles for EU-US data transfers. Organisations using US cloud providers must implement complex supplementary measures, standard contractual clauses, and transfer impact assessments to manage this risk.
For European-controlled infrastructure, these complications are largely eliminated. The provider and your organisation operate under the same legal and regulatory framework. Running on European infrastructure doesn't replace compliance; it simplifies it.
Choosing infrastructure that aligns with compliance requirements and strategic independence is good architecture.
European cloud providers operate under European jurisdiction, meaning data stored with them is subject to European law. This is the strategic choice for those concerned with GDPR, NIS2, and the forthcoming AI Act.
A Pragmatic Action Plan for European Tech Leadership:
- Identify Sensitive Workloads: Determine which data and applications have the strictest regulatory, contractual, or sovereignty requirements.
- Map Current Providers: Clearly document where each provider is incorporated and which national laws govern them.
- Plan Incrementally: Full migration is not always necessary or feasible. Start by moving the most sensitive and jurisdiction-critical workloads to European-controlled infrastructure.
Building on infrastructure you control is not a political statement or an act of nationalism. It is a necessary, fact-based step toward ensuring genuine digital sovereignty and meeting the legal and strategic mandates of a European enterprise.