U.S. CLOUD Act and Why Corporate Structure Matters for Data Sovereignty

Posted on 22 January 2026

European companies are increasingly seeking European data sovereignty. As part of this discussion one of the main concerns is the Lawful Overseas Use of Data (CLOUD) Act, which obliges U.S. cloud providers to disclose any data pertaining to a customer within such provider’s possession, custody, or control, regardless of whether the data is located within or outside of the United States. 

A common question arising from this provision is whether a European cloud provider with a U.S. subsidiary could be mandated to disclose data stored in Europe to U.S. authorities.

The scope of application of the CLOUD Act

The CLOUD Act establishes two distinct and cumulative requirements that must be met for a company to be subject to an information disclosure order:

  1. The company must be subject to U.S. jurisdiction (U.S. incorporated entity); and
  2. The information or data being requested must be in the “possession, custody, or control” of the company.

While the CLOUD Act has an extraterritorial effect, its jurisdictional scope does not automatically extend to all non-U.S. companies. Key requirement is the level of control that the U.S. based company exercises over the foreign entity. 

Does a U.S. subsidiary compromise European data sovereignty?

In the scenario of a European provider with a U.S. subsidiary, the requirement of control over data is the key factor. The subsidiary, while subject to U.S. law, can only be compelled to disclose data that is within its control. Control can be either technical or organizational.

In a relationship between a subsidiary and a parent company, it is clear that the parent company has control over its subsidiary based on ownership and the right to appoint directors of the subsidiary. The subsidiary, on the other hand, cannot exercise control over the parent company based on ownership. The only way a subsidiary could have this kind of control is through the parent company’s bylaws or contractual arrangements. In the absence of such arrangements, the U.S. subsidiary has no control over the data stored by its parent company outside the U.S, and thus cannot be compelled to disclose it under the CLOUD Act. 

Therefore, the mere fact that a European cloud provider has a subsidiary in the U.S. does not, by itself, compromise the principle of European data sovereignty. To determine whether a U.S. subsidiary poses a risk for data sovereignty requires a careful, case-specific analysis of the situation. 

How UpCloud’s corporate structure protects European data

UpCloud’s corporate structure is designed to enforce the legal and technical separation between the European parent company and its foreign subsidiaries, thereby safeguarding European data from unlawful third-country governmental access. 

  • Our U.S. subsidiary operates only U.S. data centers and is the sole entity in UpCloud group that is subject to the U.S. jurisdiction.
  • All customer account information, regardless of the selected data center, is held by the European parent company, UpCloud Oy, incorporated in and subject to the laws of Finland.
  • The U.S. subsidiary has no control over the customer account information, nor can it access any production hardware located outside the U.S.
  • All our European data centers are operated by the European parent company, UpCloud Oy, under the relevant Finnish and EU member state laws.

UpCloud can therefore reject any information request received from foreign governmental authorities and will always direct the requester to contact the relevant Finnish authorities for mutual legal assistance, to validate the request in accordance with the Finnish law. 

Further details regarding jurisdiction and about our measures to prevent international governmental access can be found here.

Summer promotion!

Start your free 30-day trial today and discover why thousands of businesses trust UpCloud

  • $500 free credits
  • Risk-free trial
  • Optimized performance
  • Scalable infrastructure
  • Top-tier security
  • Global availability

Sign up

See also

Blog post about UpCloud's actions regarding the COVID-19 pandemic.

COVID-19: UpCloud actions regarding the Coronavirus pandemic

We at UpCloud have been closely following the global developments around the COVID-19 pandemic and want to reassure our users of continued operational security. We’ve […]

Janne Ruostemaa

Editor-in-Chief

UI elements with a shield icon and text saying "99.999% Uptime SLA".

Introducing the five 9’s – New and improved service level

At UpCloud, we are proud to announce an exciting update to our service levels. Starting May 1st, 2025, UpCloud services will offer a 99.999% service […]

Janne Ruostemaa

Editor-in-Chief

UpCloud graphic on achieving peak performance in cloud-based game development, showing connected infrastructure and a high-performance indicator.

Achieving peak performance in cloud-based game development

In the fast-paced world of gaming, where every millisecond counts, optimising your cloud infrastructure is crucial. Amid economic challenges, gaming companies strive to cut costs […]

Fiona Horan

Enterprise Marketing Specialist

Back to top