Why U.S. Hyperscalers Fall Short on European Data Sovereignty

Posted on 27 October 2025

What is European Data Sovereignty?

“Data sovereignty” is a term you hear everywhere right now. With increasing regulatory and customer demands in Europe, major cloud providers are actively marketing “sovereign cloud solutions”. For those businesses who are concerned about the sovereignty of their data, it is essential to understand the concept of sovereign European cloud.

In this blog we look past the marketing fluff to understand what the principle of European data sovereignty actually entails.

Data residency vs. Data sovereignty

In discussions about data management, the term most people are familiar with is data residency, which simply refers to the physical, geographic location where the data is hosted. Data sovereignty, by contrast, focuses on the legal framework governing the data. It is the principle that data must remain subject to the laws and jurisdiction of the country where it is stored, protecting it against unlawful access by third-country governments.

The EU Commission has created A European Strategy for Data, which aims to create a single market for data while upholding European values, with EU data sovereignty as a central pillar. This strategy is implemented and enforced through a European legal framework which includes e.g. GDPR, Data Act, Cyber Resilience Act, and NIS2.

Together, the aforementioned regulations create a legal shield designed to protect and safeguard EU residents’ data, to block extraterritorial access by foreign governmental authorities, and to reduce the EU’s dependency on U.S. tech giants.

Therefore, to achieve true European data sovereignty, businesses must ensure that their cloud service provider is able to meet the following criteria:

  1. EU jurisdiction – The service provider is exclusively subject to EU jurisdiction. This means that the controlling parent entity must also be European.
  2. EU data residency – The service provider must offer data localization within the EU.
  3. EU values – The service provider upholds European values and is able to demonstrate compliance with the EU legal frameworks, including protection against third-country governmental access to data.

U.S. Cloud Providers’ Response

Recognizing the urgent demand in Europe, major U.S. cloud providers have launched dedicated “sovereign” cloud offerings directed at the European market.  

AWS announced its Digital Sovereignty Pledge as early as November 2022. As part of this pledge, AWS is launching the AWS European Sovereign Cloud, with its first region in Germany set to launch by the end of 2025, to help customers meet their data sovereignty requirements [1].

Similarly, on 16 June 2025, Microsoft announced its new Microsoft Sovereign Cloud solutions as part of strengthening its European digital commitments [2].

Google has also entered the race, offering its own set of Sovereign Cloud features such as the Google Cloud Data Boundary and Google Cloud Dedicated to meet the growing demand [3].

Despite different branding, these sovereign solutions created by U.S. cloud providers share a common blueprint built on four key pillars: 

  1. Data Residency: As the foundational safeguard, the providers commit to storing all customer data, including backups and metadata, exclusively within data centers located in the EU.
  2. EU-Only Access and Operations: As another layer of assurance, they assert that all access to data centers, technical support, and customer service for these regions are handled strictly by EU-based personnel.
  3. Encryption and Key Management: Technical measures such as encryption are presented as a guarantee of confidentiality. Customers are offered services like “Bring Your Own Key” (BYOK) or even “Hold Your Own Key” (HYOK), where customers exclusively manage the encryption keys. 
  4. Local Partnerships: To reinforce their commitment to EU jurisdiction, U.S. providers offer independently owned and operated environments with partner clouds. These entities are positioned as legally anchoring the data operations within the EU legal framework.

Why These Solutions Do Not Establish True Sovereignty

Jurisdictional Issue

The measures discussed above certainly provide a meaningful layer of protection, but are they enough to establish true European data sovereignty? All major U.S. cloud providers have European subsidiaries that sell and operate their European cloud solutions. These subsidiaries are, however, under the full control of their U.S. parent companies, which must comply with U.S. laws and authorities' orders. These laws and orders may extend to the European subsidiaries, which creates a major obstacle to achieving European data sovereignty: the effect of U.S. jurisdiction.

The carefully built European facade of the American hyperscalers is heavily undermined by the extraterritorial reach of U.S. jurisdiction, as demonstrated below. Therefore, all their promises – that the customer data is stored in Europe, managed by EU personnel, or hosted by a local partner or subsidiary – are insufficient to establish true European data sovereignty. The jurisdiction of the parent company is a decisive factor, and that opens a backdoor for governmental access by the U.S. authorities.

The U.S. CLOUD Act and FISA

The most significant legal act endangering European data sovereignty is the U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act, which obliges U.S. cloud providers to disclose any data pertaining to a customer within such provider's possession, custody, or control, regardless of whether the data is located within or outside of the United States and without prior notice to affected users [4]. This includes, for example, emails, server images, communication records or any other data that might be relevant to their cases. U.S. law enforcement agencies like the FBI, intelligence agencies like the NSA, prosecutors investigating crimes, and U.S. courts can all demand this data through legal orders.

Another problematic piece of legislation in the U.S. is the Foreign Intelligence Surveillance Act (FISA), which regulates the U.S. government's surveillance of foreign powers and agents of foreign powers within the U.S., providing a framework for electronic surveillance and other intelligence gathering activities related to national security. Section 702 of FISA authorizes the U.S. government to conduct warrantless surveillance using U.S.-based electronic communication services and to collect communications, such as emails and messages, of individuals reasonably believed to be located outside the U.S. Again, the location of the data does not provide any protection against these surveillance measures. U.S. cloud providers are required to hand over the data, even if it is stored in the EU.

The Collision with European Values

These laws are in fundamental conflict with EU law. For example, the GDPR and the Data Act prohibit disclosures of European data to third-country authorities, unless the disclosure is based on an international agreement binding on the EU Member State [5]. The purpose of these laws is to ensure that European data protection standards are not undermined by third-country laws.

The highest data protection authority in Europe, the European Data Protection Board (EDPB), has confirmed that European data cannot be lawfully disclosed to U.S. officials based on the CLOUD Act [6]. Consequently, U.S. cloud providers are left in a difficult position, as fulfilling the U.S. warrant would constitute a violation of GDPR, whereas refusal to comply could result in penalties under U.S. law.

This conflict between the marketing rhetoric of the U.S. cloud providers and legal reality has been openly acknowledged. During a recent hearing before the French Senate on June 10, 2025, Anton Carniaux, Director of Public and Legal Affairs for Microsoft France, admitted he cannot guarantee that the data of French citizens would never be transmitted to U.S. authorities [7].

Ultimately, the question is whether we can trust the American hyperscalers to protect their European clients' interests against U.S. authorities, and whether the U.S. government can be trusted to respect the fundamental rights of Europeans when wielding its investigative and surveillance powers. The risks seem high, as the current U.S. administration pressures U.S. tech giants for policy changes [8], imposes protectionist policies and tariffs against countries whose regulations target U.S. companies unfavourably [9], and openly threatens its closest allies [10].

Encryption as a Safeguard?

The U.S. cloud providers offer technical safeguards, such as customer-managed encryption keys, as a solution for data sovereignty concerns. Encryption does indeed provide a degree of protection by possibly limiting the ability of the foreign authorities to read the data. The U.S. cloud providers are, however, still obligated to hand over the raw data to the U.S. authorities, if required.

In this sense, customer-managed encryption can be considered a partial safeguard for sovereignty, provided of course that the encryption keys are stored outside the reach of U.S. authorities. Yet encryption also entails significant trade-offs, particularly in performance, and thus can be an impractical solution for companies seeking data sovereignty. 

Conclusion

The “sovereign” cloud offerings from U.S. providers (AWS, Microsoft, Google) fail to deliver true European data sovereignty. While they offer data residency and EU-only operations, this is undermined by the extraterritorial reach of U.S. laws like the CLOUD Act and FISA. 

These acts allow U.S. authorities to demand access to data, regardless of its European location or management, creating an unavoidable conflict with the EU laws. Ultimately, the lack of legal independence from the U.S. government means these solutions do not establish true sovereignty. Moreover, dependency on U.S. cloud providers comes with inherent political risks as demonstrated by the recent actions of the U.S. government.

Path to European Data Sovereignty

Not every business is actively seeking data sovereignty. AWS, Google and Microsoft offer a vast portfolio of products and technical security features, and for many use cases they remain a viable option. However, for businesses that are looking for true European data sovereignty, these hyperscalers can offer only a partial solution. 

The easiest way for businesses to achieve European data sovereignty, without compromising the benefits of cloud computing, is to choose a native European cloud service provider: one that is headquartered in Europe, guarantees data residency in the EU, and demonstrates compliance with European regulations. Choosing a European provider eliminates the risks arising from foreign cloud providers (e.g. CLOUD Act and FISA) and ensures transparent control of data, which are essential building blocks for a sovereign European cloud.

Building European Sovereign Cloud on UpCloud

Discover more on European Data Sovereignty or reach out to our team today to begin your sovereign cloud journey.


[1] Announcing initial services available in the AWS European Sovereign Cloud, backed by the full power of AWS. AWS Security Blog, last updated 25.7.2025.
[2] Judson Althoff – Executive Vice President and Chief Commercial: Announcing comprehensive sovereign solutions empowering European organizations. Official Microsoft Blog, 16.6.2025.
[3] Advancing sovereignty, choice, and security in the cloud for our customers. Google Cloud Blog, 21.5.2025.
[4] U.S. Clarifying Lawful Overseas Use of Data (CLOUD) § 2713.
[5] Article 48 of GDPR, Article 32 of Data Act.
[6] EDPB & EDPS Joint response on 10 July 2019.
[7] French Senate hearing 10.6.2025.
[8] Facebook and Instagram get rid of fact checkers. BBC News article, 7 January 2025.
[9] Trump threatens tariffs on countries that discriminate against US tech. The Guardian article, 26 August 2025.
[10] Trump says he doesn’t rule out using military force to control Greenland. The Guardian article, 4 May 2025.
