European sovereign cloud has moved from policy document to procurement reality. Six case studies from 2024–2026 show governments and enterprises actively executing migrations — some decisive, some hedged, all instructive.
The trigger is not GDPR, which has been on the books since 2018. The catalyst is the US CLOUD Act combined with everything that has shifted geopolitically since January 2025. Together they turned cloud vendor nationality from a compliance footnote into a boardroom risk.
Two archetypes have emerged from the evidence. Airbus is the decisive migrator: CLOUD Act immunity as a pass/fail requirement, €50M+ budget, RFP in market. Estonia is the cautious pragmatist: publicly committed to reducing US dependency, operationally migrating 25,000 workstations to Microsoft cloud. Every organisation reading this will recognise itself in one of those two.
Understanding what organisations ten to a thousand times your size actually did gives you a decision template. And it starts with treating cloud procurement as a jurisdictional risk decision, not a technology one.
Why are sovereign cloud decisions accelerating across Europe right now?
Here are the numbers. European sovereign cloud IaaS spend was approximately $6.9 billion in 2025, growing at 83% year-on-year — the fastest regional growth rate globally. Worldwide sovereign cloud spending hit $80 billion in 2026, up 35.6%. Europe is forecast to surpass North America in sovereign cloud spend by 2027. The tripling figure you keep seeing is real.
Three numbers explain the shift. 61% of CIOs and IT leaders in Western Europe say geopolitical factors will lead them to increase reliance on local cloud providers. Gartner has set 1% of GDP as the AI infrastructure investment threshold required for genuine digital sovereignty — and most EU member states are well below it. 44% of Western European CIOs have already started limiting their use of global cloud providers.
The CLOUD Act was signed in 2018. Its core provision: any US-headquartered company must disclose customer data to US law enforcement on demand, regardless of where servers are located, with gag orders preventing providers from notifying you. That legal reality has not changed. What changed in January 2025 was that European C-levels stopped treating it as theoretical. As Gartner’s Rene Buest put it: “The entire C-level is asking whether we can still rely on digital infrastructure from US-based service providers.”
The spend-tripling forecast is being driven by legal obligation, not ideology. GDPR Article 35 mandates a DPIA before deploying technology likely to create high risk for personal data. When you run one for US hyperscaler services, you keep getting the same answer: CLOUD Act exposure is an unacceptable risk. The Draghi Report provides the macro backdrop — of 64 critical technologies, Europe leads in none. And 64% of organisations in the WEF Global Cybersecurity Outlook 2026 cited geopolitical matters as their primary cyber risk driver. Forrester says no European enterprise will shift entirely from US hyperscalers in 2026. But the direction is not in question.
Why does Airbus need a sovereign European cloud, and what exactly is it demanding from providers?
Airbus’s requirement is CLOUD Act immunity. The provider must be outside US legal jurisdiction entirely. A Frankfurt datacentre owned by an American company remains subject to US federal law, which means data residency alone is not enough.
The tender launched in early January 2026. Value estimated above €50 million, term up to ten years. The scope covers the operational spine of a 130,000-person aerospace company: SAP S/4HANA ERP migration, manufacturing execution systems, CRM, and product lifecycle management including aircraft designs. CLOUD Act immunity is a stated pass/fail criterion — not a preference, not a weighting factor.
The person driving this is Catherine Jestin, Airbus EVP Digital and GAIA-X Chairwoman. Her dual role puts her at the intersection of enterprise demand and pan-European supply-side initiative. Her 80/20 framing — 80% certainty about direction, 20% uncertainty about which provider can actually deliver — is a pretty honest map of where most organisations are right now. Her position is direct: “I need a sovereign cloud because part of the information is extremely sensitive from a national and European perspective. We want to ensure this information remains under European control.”
Microsoft admitted in French court in July 2025 it could not guarantee data sovereignty under CLOUD Act legislation. The AWS European Sovereign Cloud GmbH is a 100% subsidiary of Amazon Inc. Jestin’s response: “I still don’t understand how it is possible [for AWS to claim CLOUD Act immunity].” The GAIA-X Level 3 requirement that Airbus actually needs (a provider headquartered in Europe) is the one AWS European Sovereign Cloud does not meet.
Airbus works with 10,000 suppliers globally and is building GAIA-X data spaces for federated supplier data exchange. Smaller companies in aerospace and defence will increasingly be pulled into sovereign infrastructure requirements as tier-2 and tier-3 suppliers. That is the supply chain effect to watch.
What this means at smaller scale. If Airbus with a €50M budget cannot yet identify a provider that unambiguously passes the CLOUD Act immunity test, your “sovereign” variant from a US hyperscaler almost certainly does not answer the question either. See also why even Airbus is still evaluating whether the AWS European Sovereign Cloud provides real protection.
How does Estonia’s approach to digital sovereignty illustrate the contradiction between policy goals and operational reality?
Estonia is publicly committed to reducing US dependency. It is also migrating 25,000 government workstations to Microsoft cloud — 8,500 already completed, plans to reach 15,000 over the next two years. This is not hypocrisy. It is an honest operational response to the contradiction every European organisation currently faces.
Ergo Tars, director of Riigi IT, has been plain about the logic: run Microsoft for routine workstations now; have an EU alternative ready as a parallel track — H2 2025 was the stated contingency-ready target. The dual-track is deliberate. Estonia’s higher-security defence, interior, and foreign ministries are not on Microsoft. Routine workstations go on Microsoft cloud. Around €400 of the €2,000 cost of each government workstation goes to Microsoft in licence fees. Tars notes that an open-source alternative would not save much once you factor in support, training, and user management.
Estonia’s resilience posture is shaped by its threat model. The 2007 cyberattacks that took down government websites and cashpoints were Russian in origin. Microsoft’s continuity and incident response capabilities address that threat more directly than any current EU-native alternative. Estonia also maintains a secure datacentre in Luxembourg as backup for key digital services — sovereign continuity within EU jurisdiction, a resilience measure, not a CLOUD Act solution.
What this means at smaller scale. Estonia’s model — Microsoft for routine, sovereign for high-sensitivity — is probably the realistic path for a smaller organisation that cannot yet source everything from EU-native providers. The key requirement is that the “contingency” track is actually being developed, not just talked about. The Estonia approach validates the hybrid as an honest interim state, not a failure of ambition.
What does France’s Visio rollout reveal about what operationalised cloud sovereignty actually looks like?
Where Estonia manages the contradiction by splitting workloads, France has taken the fuller step. France is the most operationally advanced EU member state on sovereignty — where other countries have frameworks, France has running production systems serving hundreds of thousands of users.
On 26 January 2026, France announced that by 2027, all public servants will switch from Teams, Zoom, Webex, and Google Meet to Visio — France’s homegrown sovereign video platform. No licence renewals after 2027. As of early 2026, the Defence Ministry, finance tax offices, and health insurance agencies are already using it.
Visio is developed by DINUM, France’s interministerial digital agency, and hosted by Outscale — Dassault-owned and SecNumCloud-certified — with AI transcription built on French AI. The scale proof point is CNRS: France’s national research centre is replacing 34,000 Zoom seats covering 120,000 associated researchers by March 2026.
SecNumCloud, administered by ANSSI, requires providers to be majority EU-owned, to keep all data and operations in EU jurisdiction, and to be immune to foreign law. AWS European Sovereign Cloud does not hold it — CLOUD Act exposure is the disqualifier. SecNumCloud certification is the pass/fail criterion for sensitive French government workloads.
NUBO, France’s OpenStack-based private cloud for the Ministry of Finance, sits a tier above SecNumCloud in sensitivity — different data classifications get different sovereignty levels. France estimates €1 million per year in savings for every 100,000 users who shift from commercial platforms.
What this means at smaller scale. France’s Visio solution involved 18+ months of development by a state agency. You are not building your own. The SecNumCloud certification that France’s Visio provider holds sets the standard — certified commercial alternatives exist and are in production at scale. Use SecNumCloud certification status as the practical sovereignty filter rather than building internal sovereign tooling.
What did migrating 30,000 civil servants off Microsoft actually involve in Schleswig-Holstein?
Germany’s most ambitious public-sector open-source migration started in March 2024. The target was approximately 30,000 civil servants. As of December 2025, approximately 24,000 workstations had been migrated and 40,000+ email accounts transitioned — the October 2025 milestone included moving more than 100 million emails from Microsoft Exchange to Open-Xchange and Thunderbird. SharePoint replacement with Nextcloud and desktop Linux rollout were still in progress at year end.
The composable open-source stack: Linux, LibreOffice, Nextcloud, Open-Xchange, Thunderbird, and Collabora — delivered by ZenDiS as the OpenDesk suite. ZenDiS is a government-backed organisation, not a commercial vendor; the stack has long-term support guaranteed. The Munich precedent (Linux in 2013, back to Windows in 2017) was the cautionary tale Schleswig-Holstein sought to avoid by grounding the effort in sovereignty rather than cost savings. Schwarz Gruppe has invested €11 billion in STACKIT, providing German sovereign cloud infrastructure at enterprise scale.
What this means at smaller scale. The Schleswig-Holstein migration required 18+ months, dedicated ZenDiS support, and political commitment at minister level. But the stack is composable. Each component is independently deployable — Nextcloud for file sharing, LibreOffice for office productivity — without committing to the full programme. The STACKIT and OVHcloud provider ecosystem is now enterprise-grade enough for production workloads.
How did a GDPR impact assessment force Austria’s Ministry of Economy onto Nextcloud — and what happened next?
Austria’s Federal Ministry for Economy, Energy and Tourism provides the clearest example of a DPIA operating as a forcing function. CISO Florian Zinnagl and CIO Martin Ollrom ran a GDPR Article 35 DPIA before selecting a cloud collaboration platform. The result: CLOUD Act exposure makes US hyperscaler adoption legally indefensible for personal data workloads.
The decision was compliance-driven, full stop. “It was never about saving money. It was about maintaining control over our own data and our own systems.” — Zinnagl. A three-month proof-of-concept on the ministry’s own servers confirmed Nextcloud could deliver what was needed. The full migration of 1,200 employees completed in four months. Seven months total from decision to full deployment.
Microsoft Teams has not been banned — its use is strictly limited to external communications with parties that still rely on it. No sensitive information may be discussed on Teams. Several other Austrian ministries ran DPIAs for their own cloud services, reached the same conclusion, and began similar migrations.
In early 2025, ICC chief prosecutor Karim Khan was temporarily locked out of his Microsoft Outlook email after a US executive order targeting ICC officials: a US-headquartered provider acting under US government compulsion, with no prior notification to the customer. ZenDiS delivered OpenDesk to the ICC in November 2025 as its sovereign alternative.
A procurement caution worth paying attention to: in November 2025, Kyndryl announced its intention to acquire Solvinity — a Dutch managed cloud provider holding sovereignty-sensitive contracts for the Dutch Ministry of Justice and Security. Government clients had specifically chosen Solvinity to reduce dependence on American firms. Selecting a European provider today does not guarantee long-term sovereignty. Change-of-control contractual protections are now a procurement requirement.
What this means at smaller scale. Running a DPIA for your current cloud services is a risk audit, not a commitment to migrate. Austria’s 3-month PoC + 4-month migration pattern scales down for smaller teams. If your DPIA returns the same answer Austria got, the migration question becomes a legal obligation rather than a preference. Build change-of-control protections into any European provider contract. What Nextcloud and OpenDesk actually delivered in Schleswig-Holstein and at the ICC is the practical reference for setting expectations.
Decisive migrator or cautious pragmatist — which approach makes sense for a smaller organisation?
Airbus set a pass/fail CLOUD Act immunity requirement, committed €50M+, accepted a multi-year programme horizon, and launched an RFP. Estonia is going all-in on Microsoft operationally while building an EU contingency in parallel. Neither is wrong — they reflect different risk profiles, resource levels, and threat models.
The decisive migrator model requires a clear legal trigger, a budget large enough to absorb migration risk, a multi-year commitment horizon, and organisational capacity to manage a programme at this scale. Most smaller organisations do not have all four. Apply it selectively to the workloads where you do have a clear legal trigger.
The cautious pragmatist model requires an honest assessment of what EU-native alternatives can and cannot deliver, a dual-track architecture, and a defined trigger for switching. Estonia named H2 2025 as the contingency-ready target — a specific milestone, not a vague future intention. That specificity matters.
For a smaller organisation, neither extreme is the right model. The decisive migrator approach at €50M scale is not available. The pure cautious pragmatist approach risks indefinite postponement. The practical synthesis: run a DPIA (Austria model) to identify which workloads carry legally unacceptable US cloud risk, migrate those first, and keep legacy workloads on existing providers while the EU-native ecosystem matures.
The market timing signal matters. Gartner forecasts Europe surpassing North America in sovereign cloud spend by 2027. The EU-native provider ecosystem — STACKIT with €11B invested, OVHcloud, Outscale — is gaining the enterprise scale that makes full migration more practical than it was twelve months ago. Organisations that begin their DPIA and hybrid architecture work now will be positioned to accelerate when the supply side catches up.
New workloads go sovereign-by-design. Existing sensitive workloads migrate on a defined schedule. Legacy workloads stay where they are until migration cost is justified by available alternatives. The European sovereign cloud decision framework is the tool for mapping your workloads to the appropriate track. See also OVHcloud and STACKIT, the EU-native providers used in these case studies, for the current state of the supply side.
FAQ
What is the US CLOUD Act and why does it affect data stored on European servers?
The CLOUD Act was signed into law on 23 March 2018. Its core provision: US-based service providers must comply with lawful requests for data from US law enforcement regardless of where that data is stored. Jurisdiction follows ownership, not geography. Orders come with gag orders prohibiting providers from notifying customers. EU-domiciled providers — OVHcloud, STACKIT, Outscale — are not subject to the CLOUD Act because they are not US-headquartered companies.
Why did Airbus specify CLOUD Act immunity rather than just data residency in its RFP?
Data residency — physical location in the EU — is insufficient. The CLOUD Act compels the US parent to produce data regardless of where it is stored. Microsoft admitted in French court in July 2025 it could not guarantee data sovereignty under the CLOUD Act. AWS European Sovereign Cloud GmbH is a 100% subsidiary of Amazon Inc. CLOUD Act immunity requires the provider to be EU-incorporated and EU-headquartered with no US parent subject to US federal law — eliminating AWS, Azure, and Google Cloud regardless of their European sovereign variants.
What is SecNumCloud and how does it differ from BSI C5?
SecNumCloud is France’s national security certification administered by ANSSI. It requires the provider to be majority EU-owned, to keep all data and operations in the EU, and to be immune to foreign law. AWS European Sovereign Cloud does not hold it. BSI C5 is Germany’s Federal Office for Information Security attestation. AWS, Azure, and GCP hold BSI C5, but this does not resolve CLOUD Act exposure. BSI C5 attests security controls. SecNumCloud requires operational insulation from non-EU jurisdiction. They are not the same thing.
How many civil servants has Schleswig-Holstein actually migrated and what tools are they using?
As of December 2025: approximately 24,000 workstations migrated (original target approximately 30,000); 40,000+ email accounts transitioned; migration began March 2024. Tools: Linux, LibreOffice, Nextcloud, Open-Xchange, Thunderbird, Collabora. Delivered by ZenDiS as the OpenDesk suite. The programme is ongoing.
What exactly happened to the ICC’s email and why did it switch to OpenDesk?
Karim Khan, ICC chief prosecutor, was temporarily locked out of his Microsoft Outlook email account following a Trump executive order targeting ICC officials. A US-headquartered provider cannot notify its customer before complying with a US government order. ZenDiS delivered OpenDesk to the ICC in November 2025 as a sovereign alternative. Microsoft has stated it did not cut services to the ICC as a whole, but the incident drove the procurement decision.
Is Austria’s Nextcloud approach realistic for a 100-person company?
Yes, with caveats. Austria’s 1,200-employee migration followed a 3-month PoC + 4-month migration pattern that scales downward — a 100-person company could complete the cycle faster. The constraints are operational, not technical: user training, integration with external services, and support planning. The hybrid boundary Austria drew — sovereign internally, Teams only for external calls — is the realistic operating model.
What is the Gartner 1%-of-GDP benchmark for AI infrastructure and what does it mean?
Gartner set 1% of GDP as the AI infrastructure investment threshold required for digital sovereignty — the infrastructure needed to develop and run sovereign AI models without dependence on US hyperscaler AI platforms. For the UK, 1% of GDP equates to approximately £30 billion. Most EU member states are well below this. The conceptual point: adequate investment for sovereignty is substantially higher than most organisations currently budget.
What is sovereignty washing and how do you identify it?
Sovereignty washing is marketing a US-owned cloud product as sovereign by placing datacentres in Europe without resolving the CLOUD Act exposure from the US parent. According to Gartner analyst Rene Buest, European users are not convinced that US hyperscaler “sovereign” services mitigate the risks currently concerning them. Red flags: US-incorporated ultimate parent company; “data residency” language without “jurisdictional independence” language; no SecNumCloud or equivalent certification. To verify: ask whether the provider is subject to any non-EU law and whether a GDPR Article 35 DPIA has been conducted.
What is the Solvinity/Kyndryl acquisition risk and why does it matter?
In November 2025, Kyndryl announced its intention to acquire Solvinity — a Dutch managed cloud provider managing sovereignty-sensitive contracts for the Dutch Ministry of Justice and Security. Kyndryl is a US IT services company spun out of IBM. The acquisition would transfer those contracts to a company subject to US extraterritorial law. Government clients had chosen Solvinity specifically to reduce dependence on American firms. Selecting a European provider today does not guarantee long-term sovereignty. Change-of-control contractual protections are now a procurement requirement.
Why is France considered the most operationally advanced EU country on cloud sovereignty?
France is the only EU member state with all four of the following: a functioning national certification standard (SecNumCloud) that explicitly excludes CLOUD Act-exposed providers; a state-built sovereign collaboration platform (Visio) in production at scale; a sovereign private cloud for sensitive data (NUBO); and a mandatory 2027 transition timeline. Germany has strong investment — STACKIT, ZenDiS, Schleswig-Holstein — but no equivalent national certification framework excluding US providers by law.
What is the European sovereign cloud spend forecast and when will it surpass North America?
Gartner forecasts worldwide sovereign cloud IaaS spending to hit $80 billion in 2026, up 35.6% from 2025. Europe’s spend was $6.9 billion in 2025, growing at 83% — the highest regional growth rate globally. Europe is forecast to surpass North America in sovereign cloud spend by 2027. Driving factors: GDPR DPIA obligations, Trump administration geopolitics, Draghi Report urgency, and a maturing EU-native provider ecosystem.
What is a data embassy and does it solve the sovereignty problem?
Estonia’s data embassy is a secure datacentre in Luxembourg as backup for key digital services — protection against physical or cyber attack. What it solves: continuity risk. What it does not solve: CLOUD Act exposure — if the data embassy uses a US-headquartered provider, the CLOUD Act still applies. It is a resilience solution, frequently misunderstood as a complete sovereignty solution.