In 2025, the ICC’s chief prosecutor was locked out of his Outlook email after US sanctions targeted his organisation. Adobe cut off Venezuelan customers overnight. Microsoft temporarily blocked the Indian energy firm Nayara Energy. These weren’t GDPR fines or compliance warnings. They were operational disruptions caused by US government actions — and there was no European legal remedy available.
For European tech companies in 2026, cloud procurement is a legal risk question. Which government’s courts have authority over your provider? That’s what you need to be asking.
European sovereign cloud spend is forecast to triple to $23 billion by 2027 (Gartner). 61% of Western European CIOs plan to shift more workloads to local providers. Gartner’s benchmark sets the target at a minimum of 1% of GDP in AI infrastructure by 2029.
Airbus EVP Digital Catherine Jestin put it plainly: “We learned about aeronautics by working under licence of US products… I see that also as a way for Europe to really understand and build skills.” In December 2025, Airbus backed that view with a EUR 50 million sovereign cloud tender.
Here’s what this hub covers:
- What the US CLOUD Act actually does to data stored in Europe
- How to read European sovereign cloud certifications — SecNumCloud, BSI C5, GAIA-X Level 3
- Is the AWS European Sovereign Cloud actually sovereign — a technical and legal analysis
- What European governments and Airbus are actually doing about cloud sovereignty
- The European sovereign cloud provider landscape in 2026
- What Nextcloud, OpenDesk and LibreOffice actually replace for a European tech company
What is European digital sovereignty, and why is it suddenly urgent?
European digital sovereignty is about staying in control of your data, applications, and infrastructure under local law. That means deciding where data is stored, who can be compelled to access it, and which jurisdiction governs disputes. Three things matter: data location, access rights, and governing law. It became urgent in 2025–2026 because the risks that were theoretical under GDPR are now operational — US executive actions and sanctions disrupted real organisations, with no European legal recourse available.
US hyperscalers control approximately 70% of the EU cloud market. European providers’ share has dropped from 29% in 2017 to around 15%. Around 80% of EU corporate spending on software and cloud goes to US vendors.
Accenture identified a clear “second wave” of digital sovereignty interest in the past 12–18 months, driven by US executive actions and sanctions power rather than GDPR compliance theory. Martin Ollrom, CIO of Austria’s Ministry of Economy, said it plainly: “It’s not only technically possible to deactivate our services, because of the political situation it’s becoming more and more likely.”
The risk has moved from a compliance planning exercise to an operational one. Service disruptions happened. More are possible.
For the full legal mechanics: What the US CLOUD Act Actually Does to Data Stored in Europe.
What does the US CLOUD Act actually do to data sitting in a Frankfurt datacenter?
The short answer: it requires US-headquartered cloud providers to hand over your data to US law enforcement on demand — regardless of where that data physically sits. A US federal subpoena served to AWS, Microsoft, or Google compels disclosure of data in Frankfurt, Dublin, or Amsterdam. The provider cannot legally refuse. A German server address in your contract does not change this.
The CLOUD Act applies to any US company with “possession, custody, or control” of data — and that covers every US parent over its foreign subsidiaries. To make things worse, complying with a CLOUD Act order may conflict with your GDPR obligations. Standard Contractual Clauses cannot override US federal law.
Microsoft France’s public affairs director said as much under oath before the French Senate in June 2025: “No, I cannot guarantee French data won’t be seized by US authorities.”
Full analysis and case studies: what the CLOUD Act actually does to data stored in Europe.
How do European sovereignty certifications — SecNumCloud, BSI C5, GAIA-X — help buyers tell real from fake?
They vary enormously in what they actually require. Some certifications are designed to exclude CLOUD Act exposure. Others just measure operational security practices. A few are more or less meaningless as sovereignty signals. Knowing which question each one answers is the most important procurement skill you can develop.
SecNumCloud (France, ANSSI) requires EU-majority ownership, all data and operations in the EU, and explicit immunity from foreign legal orders. Providers holding this: OVHcloud, Outscale, Clever Cloud.
BSI C5 (Germany) attests to security controls — mandatory for German federal agencies from 2020. It does not require EU-only ownership. AWS ESC holds BSI C5 while remaining fully CLOUD Act-exposed.
GAIA-X admits AWS, Microsoft, and Google as full members. CISPE has described this as a “Trojan horse” diluting the framework’s sovereignty signal. GAIA-X membership is an interoperability signal, not a sovereignty one.
CISPE Verifiably Sovereign (April 2026) introduced two badges: a Sovereign badge (EU-owned, EU-governed, immune to foreign legal interference) and a Resilient badge (portability, encryption, exit options). This is the most useful new signal for evaluating sovereignty washing.
Full comparison and decision matrix: SecNumCloud, BSI C5 and GAIA-X Level 3 — Reading European Sovereign Cloud Certifications.
Is the AWS European Sovereign Cloud actually sovereign, or is this sovereignty washing?
Sovereignty washing is when you adopt sovereignty language — “EU Data Boundary,” “European Sovereign Cloud” — without addressing the underlying CLOUD Act legal exposure. AWS European Sovereign Cloud GmbH is German-registered, holds BSI C5, and stores data in Germany. It is also a 100% subsidiary of Amazon Inc., which means a US federal subpoena directed at the parent can compel disclosure. The sovereignty claim holds for data residency. It does not hold for jurisdictional immunity. Those are two different things.
Gartner’s René Buest was direct about it: “The AWS European Sovereign Cloud GmbH is a 100 percent subsidiary of Amazon Inc. There are still dependencies… They don’t give up control.”
Microsoft 365’s EU Data Boundary keeps Microsoft 365 data within the EU for storage and processing. It does not change Microsoft Corporation’s exposure to CLOUD Act orders. Google’s “Guardrail Sovereign” models reduce but do not eliminate exposure.
There are three things that determine genuine sovereignty: data location, which legal system governs it, and who can legally compel access. EU-native providers — 100% EU-owned, no US parent — satisfy all three. Hyperscaler sovereign variants typically satisfy only the first.
Full corporate structure analysis and a ten-question vendor checklist: Is the AWS European Sovereign Cloud Actually Sovereign — A Technical and Legal Analysis. For the certification layer: SecNumCloud, BSI C5 and GAIA-X Level 3.
What are European governments and Airbus actually doing, and what does that imply at smaller scale?
They’re making operational risk decisions, not ideology experiments. Airbus issued a EUR 50 million sovereign cloud tender in December 2025 — its largest single procurement action of this kind — explicitly citing US dependency risk and CLOUD Act exposure for defence-adjacent data. Austria’s Ministry of Economy migrated 1,200 staff to Nextcloud after their DPIA flagged the CLOUD Act as unacceptable. The ICC adopted OpenDesk after Karim Khan was locked out of Outlook following Trump sanctions. These decisions were driven by actual disruption, not precaution.
Austria’s Ministry of Economy completed the migration in four months. CISO Florian Zinnagl: “It was never about saving money. It was about maintaining control over our own data.”
The ICC adopted OpenDesk (ZenDiS) after Chief Prosecutor Karim Khan was locked out of his Outlook email following US sanctions — an unplanned migration triggered by a geopolitical event.
Schleswig-Holstein completed migration of 40,000 email accounts to Open-Xchange and Thunderbird, with 24,000 employees on LibreOffice and Nextcloud as of November 2025.
The Solvinity/Kyndryl case is worth noting as the counterpoint. In November 2025, US firm Kyndryl acquired Dutch provider Solvinity — an “unpleasant surprise” for government clients who had chosen Solvinity specifically to reduce US dependency. A European provider today can become a US-parent subsidiary tomorrow. Build that into your evaluation.
Full case studies: what European governments and Airbus are actually doing about cloud sovereignty.
Which European cloud providers genuinely exist outside US legal jurisdiction?
The ones you want are in the Full EU Isolation tier — 100% EU-owned, EU-operated, governed exclusively by EU law. They’re the only category with genuine jurisdictional immunity. The main ones operating at scale in 2026 are Hetzner, OVHcloud, Scaleway, T-Systems Open Telekom Cloud, STACKIT, and Outscale. “EU-based” just means servers in Europe — that’s necessary but not sufficient. The relevant question is the corporate ownership chain, not where the servers sit.
Hetzner (Germany): 100% EU-owned; zero CLOUD Act exposure. A Callista benchmark from February 2026 shows 14.3x value-per-compute-unit vs AWS.
OVHcloud (France): France’s largest EU-native provider; holds SecNumCloud, BSI C5, ISO 27001. Due diligence note: an Ontario court order in 2024 compelled OVHcloud’s Canadian subsidiary to hand over data stored in France — verify the full entity tree before signing.
Scaleway (France, Iliad Group): 100% EU-owned; GPU infrastructure for AI workloads.
T-Systems Open Telekom Cloud (Deutsche Telekom): BSI C5 certified; mandatory for German federal workloads. Note: this is distinct from Delos Cloud (Google technology under T-Systems management) — a different exposure category entirely.
STACKIT (Schwarz Gruppe/Lidl): BSI C5; EUR 11 billion investment; Full EU Isolation.
Outscale (Dassault, France): SecNumCloud certified; runs Mistral AI’s sovereign deployment.
Hetzner’s compute advantage, combined with the compliance overhead of hyperscaler dependence, makes EU-native more cost-competitive than it was two years ago.
Full provider matrix, acquisition risk, and capability gaps: the European sovereign cloud provider landscape in 2026.
What does the open-source route — Nextcloud, OpenDesk, LibreOffice — actually replace?
Nextcloud replaces Google Workspace or Microsoft 365 for file storage, collaboration, and calendar and contacts — with no US parent company and full EU legal governance. OpenDesk replaces the same stack with an office-suite and video-conferencing layer. LibreOffice replaces Microsoft Office for desktop productivity. These are application-layer sovereignty tools, not infrastructure substitutes. The question you need to answer first: does your use case require infrastructure sovereignty, application sovereignty, or both?
Nextcloud GmbH (Stuttgart): German company, no US parent, no CLOUD Act exposure. Deployed across European government and enterprise environments. CIO Martin Ollrom said it simply: “Microsoft is way more expensive than Nextcloud.”
OpenDesk (ZenDiS): The German government-backed reference suite — office editing, collaboration via Nextcloud, video. Germany, France, Italy, and the Netherlands established the European Digital Infrastructure Consortium for Digital Commons in July 2025 to scale it jointly.
LibreOffice: Desktop office replacement, deployed at scale by several German state governments. Denmark’s Ministry of Digitalization is phasing out Office 365 in its favour.
There’s a real gap in AI co-pilot features. Microsoft Copilot and Google Gemini have deep integration with their suites; open-source equivalents aren’t comparable. If your organisation has heavily adopted AI-assisted features, migration timelines will be longer. Hosting open-source applications also requires operational skills — it’s not a straight licence-cost comparison.
Full capability comparison, migration realities, cost model, and AI feature gap: what Nextcloud, OpenDesk and LibreOffice actually replace for a European tech company.
How should a cloud procurement decision account for jurisdictional risk in 2026?
The clearest starting point is workload classification by sovereignty sensitivity — separate your data and workloads by what the consequences would be if a foreign government accessed them. Regulated data and IP-adjacent workloads require EU-native or open-source alternatives. Lower-sensitivity workloads can stay on hyperscaler infrastructure. Most European organisations in 2026 will land on a hybrid model — 57% per Accenture — not a full migration. That’s probably where you’ll land too, and that’s fine.
Classify workloads by sensitivity. High (regulated data — EU-native only); medium (business-sensitive — EU-native preferred); low (non-sensitive — hyperscaler is fine). Gartner’s René Buest: “It’s not really about the migration. It’s more about the new workloads that are being developed right now.”
Verify corporate structure, not data centre location. Who is the ultimate parent? Under what jurisdiction? Can the provider legally refuse a US court order?
Evaluate certifications by what they measure. BSI C5 and ISO 27001 address security controls. SecNumCloud and CISPE Verifiably Sovereign’s Sovereign badge address jurisdictional immunity. These are different things.
Build in acquisition risk protection. Require contractual portability terms and tested exit plans. The Solvinity case showed why.
Account for the regulatory floor rising. DORA (in force January 2025) requires audit rights and exit strategies. EUCS will formalise sovereignty tiers EU-wide when finalised.
The clearest way to present this to your executive team is as a business continuity question: which of your systems run on US infrastructure, and what’s your recovery plan if access is suspended?
For provider selection: The European Sovereign Cloud Provider Landscape in 2026 and What Nextcloud, OpenDesk and LibreOffice Actually Replace. For the legal mechanics: What the US CLOUD Act Actually Does to Data Stored in Europe.
European Digital Sovereignty Library
Understanding the Legal and Regulatory Landscape
What the US CLOUD Act Actually Does to Data Stored in Europe: How US federal law reaches Frankfurt servers, why SCCs are insufficient, and the gag order problem. Start here.
SecNumCloud, BSI C5 and GAIA-X Level 3 — Reading European Sovereign Cloud Certifications: What each certification requires, which signal sovereignty vs security, and a decision matrix for regulated industries.
Evaluating Vendors and Sovereignty Claims
Is the AWS European Sovereign Cloud Actually Sovereign — A Technical and Legal Analysis: Corporate structure audit of AWS ESC GmbH, sovereignty washing defined and applied, ten-question vendor checklist.
The European Sovereign Cloud Provider Landscape in 2026 — Who Exists and What They Offer: Provider comparison matrix, acquisition risk assessment, and EU-native provider profiles.
Real-World Deployments and Alternatives
What European Governments and Airbus Are Actually Doing About Cloud Sovereignty: Case studies from Airbus, Austria, France, Germany, and the ICC.
What Nextcloud, OpenDesk and LibreOffice Actually Replace for a European Tech Company: Capability comparison, migration realities, cost model, and AI features gap for the open-source sovereign stack.
FAQ
Does storing my data in an EU data centre mean it’s protected from the US government?
No. The CLOUD Act requires US-headquartered providers to hand over data regardless of where it is stored. A Frankfurt data centre operated by a US subsidiary provides no jurisdictional immunity — the relevant question is which country’s law governs the provider’s parent company, not where the servers are.
See: What the US CLOUD Act Actually Does to Data Stored in Europe
Can AWS or Microsoft guarantee my European data is safe from US authorities?
No — and Microsoft has said so on the record. Anton Carniaux, Microsoft France’s Director of Public and Legal Affairs, testified under oath before the French Senate in June 2025: “No, I cannot guarantee French data won’t be seized by US authorities.” AWS ESC GmbH is a 100% subsidiary of Amazon Inc. — BSI C5 certification doesn’t change that.
See: Is the AWS European Sovereign Cloud Actually Sovereign
What is GAIA-X, and does it actually guarantee cloud sovereignty?
No. AWS, Microsoft, and Google are full GAIA-X members alongside European providers. CISPE has described US hyperscaler membership as a “Trojan horse” diluting the framework. GAIA-X membership is an interoperability signal, not a sovereignty signal.
See: SecNumCloud, BSI C5 and GAIA-X Level 3
Is Hetzner actually more private than AWS if I’m in Europe?
From a jurisdictional perspective, yes. Hetzner is German-owned, governed exclusively by EU law, and cannot be served a US federal subpoena. AWS operates German servers through a US corporate chain subject to US federal law. Different entities, different legal exposure.
See: The European Sovereign Cloud Provider Landscape in 2026
What does DORA mean for cloud provider selection in financial services?
DORA (Digital Operational Resilience Act), in force since January 2025, requires financial services entities to have audit rights, contractual exit strategies, and incident notification from all cloud providers. AWS, Azure, and Google were designated Critical Third-Party Providers under DORA in November 2025, meaning they’re subject to direct EU supervisory oversight. DORA doesn’t require EU-native cloud providers, but it significantly raises the documentation and contractual complexity of relying on US hyperscalers for critical financial workloads.
See: SecNumCloud, BSI C5 and GAIA-X Level 3
Why is Airbus leaving US cloud providers?
Airbus issued a EUR 50 million tender in December 2025 citing CLOUD Act exposure for defence-adjacent data. Catherine Jestin framed it as the same logic Airbus applied to aeronautics — learn from US partners under licence, then build independence. The business case is simple: low probability, catastrophic business impact.
See: What European Governments and Airbus Are Actually Doing About Cloud Sovereignty
How should I explain cloud sovereignty risk to my board or executive team?
Frame it as operational business continuity risk, not regulatory compliance. The strongest examples are concrete service disruptions: the ICC losing access to Microsoft Outlook after US sanctions, Adobe cutting off Venezuelan users overnight, Microsoft blocking Nayara Energy. These aren’t GDPR fines — they’re your organisation losing access to a core system with zero notice and no European legal recourse. Then quantify the exposure: which of your systems run on US infrastructure? What is the recovery cost if access is revoked?
See: How European Cloud Procurement Became a Jurisdictional Risk Decision (this article)