Jan 15, 2026

What Digital Sovereignty Means and Why European Technology Independence Matters

AUTHOR

James A. Wondrasek

You’re hosting your data in Frankfurt. You’ve set up everything in AWS’s European data centres. Your data never leaves the EU. Sorted, right?

Not quite. There’s a jurisdictional catch. The CLOUD Act gives US authorities the power to access your data regardless of where it physically sits. The jurisdiction follows the provider’s legal home, not where their servers are.

Digital sovereignty is the framework for dealing with this. It’s built on three pillars: technical sovereignty (you control the infrastructure), data sovereignty (you control legal jurisdiction over your data), and operational sovereignty (you have strategic autonomy in your technology choices). This guide is part of our comprehensive European digital sovereignty movement resource, where we explore the strategic, regulatory, and practical dimensions of achieving technology independence.

The EuroStack initiative provides a seven-layer technology stack architecture for European independence. Gaia-X implements a federated data model with over 180 sectoral data spaces already up and running. The geopolitical drivers are real: over 80% infrastructure import dependency, regulatory conflicts between the CLOUD Act and GDPR Article 48 (addressed in our EU Data Act compliance requirements guide), and vendor lock-in risks.

So you need to understand sovereignty principles to assess your current exposure, evaluate European cloud provider alternatives, and implement hybrid architecture patterns that align with compliance requirements.

What is digital sovereignty and why does it matter for European tech companies?

Here’s the formal definition: digital sovereignty is “the ability of a nation, organisation or individual to control and govern their own digital assets, infrastructure and data independently, free from undue external influence or dependency”.

In practice, it covers three things: control over your data flows, control over your IT systems and software, and control over your operational decision-making processes. Strategically, it’s about independence from foreign technological, economic, and political influence.

This matters for European tech companies because the US CLOUD Act creates a compliance conflict with GDPR. If US authorities issue a disclosure order to your cloud provider, that provider faces a nasty choice: comply with US law or face GDPR penalties of up to €20 million or 4% of global revenue. You’re stuck in the middle of that conflict. For a comprehensive analysis of these CLOUD Act exposure risks and geopolitical threats, see our detailed risk assessment.

The dependency statistics paint the picture. Over 80% of Europe’s digital infrastructure is imported from US or Chinese providers. This creates system-wide vulnerability to foreign policy decisions and vendor leverage. When one provider controls your infrastructure, they have leverage over your pricing, your terms, and your operational flexibility.

The business risks break down into three categories:

Jurisdictional exposure – foreign governments can access your data through legal mechanisms that bypass your local data protection laws.

Vendor leverage – lock-in costs make switching providers prohibitively expensive, giving vendors power over pricing and terms.

Regulatory compliance costs – post-Schrems II, organisations must conduct Transfer Impact Assessments evaluating risks whenever they use US providers. That’s an ongoing compliance burden.

The sovereignty framework gives you an assessment methodology. You can quantify your exposure by workload type and work out which systems need migration priority. 84% of decision-makers now consider digital sovereignty a factor in vendor selection. That’s not a political preference—it’s a risk management calculation.

What are the three pillars of digital sovereignty?

The three-pillar framework breaks sovereignty into bits you can actually act on.

Technical Sovereignty means control over your digital infrastructure and software stack without foreign proprietary restrictions. This is about open-source tools for transparency, customisation, and reduced vendor lock-in. When you run Kubernetes, you can audit the code and avoid single-provider dependencies. When you run AWS ECS, you’re locked into Amazon’s proprietary implementation.

Data Sovereignty is legal control over your data, governed by the jurisdiction where it resides. This goes beyond just physical location. It includes data residency (controlling where your data physically sits) plus jurisdictional authority over who can access it and how it’s processed. GDPR Article 48 requires international agreements (MLAT process) for foreign data access requests. That protection matters.

Operational Sovereignty is the freedom to make independent operational decisions. This includes vendor choice, deployment methods, and data processing locations. Vendor lock-in threatens this through proprietary APIs and architectures that make switching prohibitively expensive. When you build on vendor-specific services, you lose the ability to negotiate or leave. Interoperable standards and open-source ecosystems give you strategic autonomy.

The three pillars interconnect. Technical sovereignty enables data sovereignty—if you control the infrastructure, you control where data sits and who can access it. Both support operational sovereignty—when you’re not locked in technically or jurisdictionally, you maintain strategic flexibility.

You can use this framework to assess your current position across each pillar. Where do you have control? Where are you exposed? That analysis tells you where to prioritise improvements.

Here’s a practical example. If you’re running everything on AWS using Lambda, DynamoDB, and API Gateway, you have zero technical sovereignty (proprietary services), questionable data sovereignty (US jurisdiction via CLOUD Act), and limited operational sovereignty (high switching costs). If you’re running Kubernetes on a European provider with PostgreSQL and open-source message queues, you’ve got technical sovereignty (portable stack), data sovereignty (EU jurisdiction), and operational sovereignty (low switching costs).

Understanding how the CLOUD Act undermines data sovereignty helps you assess your current exposure.

How does the CLOUD Act give US authorities access to European data?

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) is US federal law giving extraterritorial power to demand data from US-based providers regardless of where it’s stored.

Here’s how it works: jurisdiction follows the provider, not the server location. Your customer data sitting in AWS Frankfurt data centres remains subject to US legal authority because Amazon is a US company.

The CLOUD Act bypasses the Mutual Legal Assistance Treaty (MLAT) process that GDPR Article 48 requires for foreign government data access. US authorities can issue disclosure orders directly to US providers without international agreements or notification to European governments. The provider gets the order, complies, and your data goes to US authorities. The comity challenge provision theoretically allows providers to contest orders conflicting with foreign laws, but it’s rarely successful, discretionary, and complex.

This creates a compliance dilemma for your organisation. If the US issues a disclosure order, your cloud provider complies with US law. But that transfer might violate GDPR, exposing you to penalties. You didn’t make the decision, but you face the regulatory consequences.

The data residency marketing from US hyperscalers doesn’t fix this. AWS EU Data Boundary and Microsoft EU sovereign cloud offerings provide data residency (storage in EU data centres) but don’t change jurisdictional authority. The provider remains a US company subject to US law.

European cloud providers—Exoscale, OVHcloud, Deutsche Telekom—reduce this exposure through EU jurisdiction. They’re European companies subject to European law. US authorities could still request data through MLAT diplomatic channels, but that process gives European governments oversight and refusal ability.

Post-Schrems II, organisations must conduct Transfer Impact Assessments evaluating CLOUD Act risks when using US providers. The European Data Protection Board made clear that service providers subject to EU law cannot legally base data transfers to the US solely on CLOUD Act requests.

The risk varies by data type. If you’re processing health data, financial information, or personally identifiable information, your exposure is higher. If you’re running development environments with synthetic data, your risk is lower. The assessment needs to be workload-specific.

What is the difference between data sovereignty and data residency?

Data residency refers to the geographic location where data physically resides—specific data centres. Data sovereignty focuses on legal jurisdiction and control authority—who can access that data under what legal framework.

Residency addresses “where”. Sovereignty addresses “who controls”.

US hyperscalers market “EU Data Boundary” offerings that emphasise residency without sorting out jurisdictional control. The data sits in European data centres, but the provider remains subject to US law.

European cloud providers offer both: residency (EU data centres) and sovereignty (EU legal jurisdiction).

When you’re evaluating providers, assess the provider’s legal domicile and parent company nationality, not just data centre locations. A US company operating EU data centres remains subject to US law. A European company operating EU data centres gives you both residency and sovereignty.

You need both for genuine protection. Residency handles latency and compliance checkboxes. Sovereignty handles jurisdictional independence.

What is EuroStack and how does it address European technology independence?

EuroStack is an architectural framework for European technology independence. It’s a comprehensive seven-layer technology stack designed to achieve autonomy across the digital value chain. As we detail in our sovereignty landscape overview, EuroStack represents Europe’s most ambitious response to platform dependency.

The scope is ambitious: approximately €300 billion investment over one decade to reduce current dependency on US and Chinese technology. The initiative addresses Europe’s technological lag—70% of foundational AI models originate in the United States.

The seven layers define the complete stack:

Layer 1: Critical Resources – energy and raw materials for technology manufacturing

Layer 2: Chips – semiconductor manufacturing reducing dependency on Asian and US fabrication

Layer 3: Networks – pan-European connectivity infrastructure

Layer 4: IoT & Devices – trusted device systems

Layer 5: Cloud Infrastructure – secure platform services

Layer 6: Software – open-source application frameworks

Layer 7: Data and AI – AI models and federated data exchange

Gaia-X operates as a specific implementation of EuroStack’s data infrastructure layer. The relationship is hierarchical: EuroStack defines the overall architecture, Gaia-X implements the federated data model within that architecture.

Current adoption includes German state governments migrating infrastructure, the automotive sector implementing Catena-X, healthcare implementing GAIA-X Health, and the energy sector implementing EONA-X data spaces. These are production deployments, not pilot projects.

For technology leaders, EuroStack provides a roadmap showing which European capabilities will be production-ready when, helping you work out vendor lock-in risks and migration timing.

What is Gaia-X and how does its federated model work?

Gaia-X is a European federated secure data infrastructure project enabling data sharing while users retain control. The project has over 180 data spaces operational as of 2025.

The federated architecture is the key innovation. Rather than a centralised hyperscaler model where one provider controls everything, Gaia-X uses decentralised governance where multiple independent nodes interconnect via open standards.

Gaia-X is GDPR-compliant by design. Data sovereignty requirements are built into the architecture.

Sectoral data spaces provide industry-specific implementations:

Catena-X (automotive) enables secure data exchange between manufacturers and suppliers

GAIA-X Health (healthcare) provides patient data exchange while maintaining privacy

EONA-X (energy) coordinates grid data and renewable energy systems

Here’s how it works technically: participants maintain sovereignty over their data while enabling controlled sharing through federated access policies and encryption. You define who can access your data, under what conditions, for what purposes. The federation enforces those policies across nodes.

Open-source foundations and interoperable standards enable vendor independence. You’re not locked into a single provider’s proprietary APIs. If you don’t like one node operator, you can move to another while maintaining access to the federation.

Sectoral data spaces provide industry-specific collaboration infrastructure without surrendering control. Catena-X gives automotive companies supply chain data exchange capabilities. GAIA-X Health provides healthcare patient data interoperability without centralised control.

What are European cloud provider alternatives to AWS and Azure?

There are 10 major European cloud providers: OVHcloud, STACKIT, Cyso Cloud, Open Telekom Cloud, IONOS, Scaleway, UpCloud, Exoscale, ELASTX, and Nine. All offer both residency and sovereignty, reducing CLOUD Act exposure. For a detailed comparison of European cloud alternatives and platform independence options, see our comprehensive evaluation guide.

Since 2025, customers have actively asked to use European cloud providers. That’s a shift from theoretical concern to procurement criteria.

The major providers:

OVHcloud (France) – mature provider with 43 data centres across 9 countries. Full IaaS, managed Kubernetes, databases, and PaaS services.

STACKIT (Germany) – officially launched in 2024, hosts SAP RISE. Strong enterprise workload focus.

Open Telekom Cloud (Germany) – operated by Deutsche Telekom AG. Leverages Deutsche Telekom’s infrastructure.

Exoscale (Austria) – specialises in DBaaS including Kafka and OpenSearch.

Scaleway (France) – offers managed AI and serverless services.

Interest in “European alternatives” has risen 660% year over year. The portal european-alternatives.eu tracked 384 alternatives across 58 categories and saw 1,100% traffic growth in 2025. That’s mainstream procurement activity, not fringe interest.

Key things to evaluate: EU jurisdiction (confirm European legal domicile), native GDPR compliance, technical capabilities matching workload requirements, relevant certifications (Gaia-X Labels, ISO 27001, SOC 2), transparent pricing, and industry-specific sectoral data space integration.

Common services across providers include IaaS, managed Kubernetes, managed databases, PaaS services, and AI and serverless capabilities. The capability gap with US hyperscalers has narrowed. You’re not sacrificing functionality for sovereignty.

Genuine sovereign solutions meet five standards: EU jurisdiction, open-source transparency, strong encryption, enterprise identity integration, and sustainable vendor ecosystem. Use those as evaluation filters.

Many organisations implement hybrid strategies: European providers for sensitive data (customer PII, financial records), US hyperscalers for non-sensitive workloads (development environments, content delivery). That risk-based approach lets you optimise for sovereignty where it matters.

European providers have reached production-ready maturity. German state governments are migrating infrastructure. The automotive sector is implementing Catena-X on Gaia-X.

FAQ

Can the US government access my company’s data if stored in European data centres?

Yes, if your provider is a US company. The CLOUD Act jurisdiction follows the provider’s legal domicile, not server location. AWS Frankfurt data centres remain subject to US legal authority because Amazon is a US company. European cloud providers reduce this exposure through EU jurisdiction.

Should European tech companies worry about moving away from AWS?

The concern is legitimate but doesn’t require wholesale migration. High-risk workloads like PII and healthcare data have greater CLOUD Act exposure and require Transfer Impact Assessments. Many organisations implement hybrid strategies: European providers for sensitive data, US hyperscalers for non-sensitive workloads.

What does it mean when European politicians talk about digital sovereignty?

In practical terms, it means control over data flows, IT infrastructure, and operational decisions without foreign dependency. Focus on the operational aspects: technical sovereignty (infrastructure control), data sovereignty (jurisdictional authority), and operational sovereignty (vendor independence).

Is Microsoft Azure safe for European companies under GDPR?

Azure complies with GDPR data protection requirements but remains subject to CLOUD Act extraterritorial jurisdiction as a US company. Microsoft’s EU Data Boundary provides data residency but not data sovereignty. Post-Schrems II, organisations must conduct Transfer Impact Assessments evaluating CLOUD Act risks for Azure usage.

Why are European companies talking about leaving American cloud services?

Three drivers: CLOUD Act compliance conflict with GDPR creating regulatory exposure, vendor lock-in limiting operational sovereignty, and strategic dependency on foreign infrastructure. EuroStack and Gaia-X initiatives provide European alternatives through €300 billion investment in domestic capabilities.

How does EuroStack differ from Gaia-X?

EuroStack is a comprehensive seven-layer technology stack framework requiring €300 billion investment over a decade. Gaia-X is a specific federated data infrastructure initiative operating as one component within EuroStack’s data layer.

What European cloud providers are alternatives to AWS and Azure?

Major providers include Exoscale (Austria), OVHcloud (France), Deutsche Telekom (Germany), and Scaleway (France). All offer IaaS, managed Kubernetes, databases, and PaaS services comparable to hyperscaler offerings.

Do sovereign cloud offerings from AWS and Microsoft solve the jurisdiction problem?

No. AWS Sovereign Cloud and Microsoft EU Data Boundary provide data residency but don’t resolve jurisdictional authority. The providers remain US companies subject to CLOUD Act extraterritorial reach.

Can customer-managed encryption keys protect against CLOUD Act data access?

Customer-managed encryption provides additional technical control but doesn’t override legal jurisdiction. CLOUD Act disclosure orders could compel the provider to deliver encrypted data to US authorities. Encryption is valuable but not a substitute for jurisdictional sovereignty.

How long will EuroStack take to deliver production-ready alternatives?

The EuroStack roadmap spans approximately one decade (2025-2035) with phased delivery. Current maturity varies by layer: cloud infrastructure has production European providers today (OVHcloud, STACKIT, Exoscale). The chips layer requires multi-year investment. Data and AI capabilities are operational through Gaia-X sectoral data spaces.
