New revelations about US cloud providers are confronting Europe with an uncomfortable truth. The continent has never had true digital sovereignty, and the path to achieving it is steep and politically fraught.
In early July 2025, IT-Business published an analysis based on its own research and quotes from policy documents, which made it clear that US hyperscalers such as AWS, Microsoft, Google, and Salesforce are required to hand over data to the US government, even when that data is physically stored in Europe. The companies openly confirm that they must comply with the extraterritorial application of the US CLOUD Act. This has once again made it clear that the location of data is less important than legal control over the infrastructure on which that data runs.
This control is not limited to stored information alone, but also extends to the services themselves. Control over access to communication services such as email, collaboration tools, and identity management enables companies not only to provide data, but also to block or restrict access when political or legal pressure is exerted. This places organizations worldwide in a position of dependency, even when the functionality of those services appears to fall outside the jurisdiction of the United States.
Email blockade at the International Criminal Court
An incident in May this year showed how far the influence of US legislation can reach. Microsoft blocked access to the email of Karim Khan, chief prosecutor of the International Criminal Court in The Hague, on its own initiative after the US government imposed sanctions on him and the ICC. The block was imposed without judicial review and raised questions worldwide about the independence of digital infrastructure provided by US companies. For the Netherlands, which is both an ICT pioneer and host to international legal institutions, this exposes a fundamental area of tension.
At the heart of this issue lies the legal asymmetry between the European General Data Protection Regulation (GDPR) and the US CLOUD Act. Whereas the GDPR stipulates that personal data may only be transferred to third countries on the basis of international treaties or legal cooperation, the CLOUD Act obliges US companies to grant worldwide access to customer data when ordered to do so. European data centers that are technically fully compliant with GDPR standards may therefore still be subject to foreign interference.
The false sense of security created by the physical storage of data in European data centers of US companies deserves critical consideration. Many organizations assume that geographical storage within the EU automatically means that data is protected by European law. In reality, the physical location is of little significance when legal control is in the hands of a foreign entity. After all, the CLOUD Act focuses on the nationality and legal status of the provider, not on the place of storage. This means that data in Frankfurt or Amsterdam may be accessible to US authorities without the customer’s knowledge. Relying on European data centers as being GDPR-compliant and geopolitically neutral by definition is therefore misplaced.
Procurement rules form a barrier
The problem extends beyond storage or service. Dependence on US companies also plays a role in public procurement. European procurement rules often do not exclude foreign companies such as Microsoft or Amazon, even if they have a branch in Europe. This means that US providers compete for strategic digital infrastructure, while Europe wants to position itself as autonomous. The Dutch government recently highlighted this challenge and called for an EU-wide policy that combats digital dependency and offers opportunities for European providers without contravening international agreements on open procurement.
At the same time, there is growing political support for including “Buy European” elements in future procurement directives, including from European commissioners, who believe that critical sectors such as cloud infrastructure should give priority to European providers. However, this approach conflicts with existing international obligations against discrimination against foreign companies.
In this area of tension, digital autonomy quickly feels like symbolic politics. Critics, including think tanks such as the European Centre for International Political Economy (ECIPE) and the Center for Data Innovation, warn that EU initiatives such as GAIA-X or European cloud labels will remain largely symbolic as long as they do not stimulate actual market power or allow room for technological competition.
At the same time, radical proposals, such as banning American providers from European infrastructure projects, entail substantial costs and pose risks to interoperability and innovation, as was also highlighted in consultations on the EU cloud certification standard (EUCS). Various media outlets, including Politico and the Financial Times, also point out that the European debate on cloud sovereignty sometimes resembles policy rhetoric rather than practical market repositioning.