Amazon, Microsoft, and Google have recently started promoting their "sovereign cloud." This concept aims to allow customers to host and process their data exclusively within Europe. However, the current political situation could jeopardize this initiative. Companies are therefore well-advised to rethink their cloud strategy in a timely manner.
There is also an illusion of the sovereign cloud: European companies face strategic challenges from the US CLOUD Act and growing risks in transatlantic data protection.
(Image: AI-generated)
The European Commission has tied the classification of the USA as a "safe third country" for data exchange under this framework agreement to certain conditions. These conditions include effective data protection oversight and binding legal guarantees, as provided by Executive Order (EO) 14086. In January 2025, US President Donald Trump dismissed three members of the Privacy and Civil Liberties Oversight Board (PCLOB), responsible for data protection oversight. "The transatlantic data protection agreement has since been hanging by the thin thread of a single presidential order," commented Dr. Stefan Volck, CPO of Vistameet at Connect4Video, a German cloud video conferencing provider.
Among CIOs in Europe, he says, there is growing fear that the US President might take the next step and revoke EO 14086. If Trump annuls "Executive Order 14086," the Transatlantic Data Privacy Framework between the European Union and the United States would permanently lose its legal basis. Volck adds: "If this scenario unfolds, companies would no longer be adequately protected in data transfers between the European and US legal jurisdictions—as was already established after the end of the 'Privacy Shield' agreement in 2020." For European companies whose digital infrastructure is anchored in the tool ecosystems of Microsoft, Google, and Amazon, substantial risks would arise.
Narrative of the So-Called Sovereign Cloud Does Not Hold Up
The Big Tech companies Microsoft, Google, and Amazon, which supply the majority of the European cloud market, have already responded by announcing sovereign cloud offerings. Volck explains: "Microsoft, provider of the widely-used Office 365 suite, promises a data boundary (EU Data Boundary) for a 'sovereign cloud' and a 'Data Guardian,' as well as multibillion-dollar investments in European data centers. The narrative seems plausible: if corporate data from Bucharest to Lisbon does not leave the European legal jurisdiction, it should remain beyond the reach of the U.S."
But this narrative does not hold up: The Clarifying Lawful Overseas Use of Data (CLOUD) Act grants U.S. authorities extensive access to European customer data, including extraterritorially. The law also obligates legally independent subsidiaries of major cloud providers to release data. Advanced technical security concepts like "bring your own key" do not offer sufficient protection in this regard.
"That Microsoft has already blocked the account of the Chief Prosecutor of the International Criminal Court in the course of U.S. sanctions is an alarm signal and demonstrates that American interests can arbitrarily override European data security in individual cases," adds Volck.
The potential termination of data protection security guarantees by the American government, according to Volck, poses a strategic risk for European companies. Therefore, they should critically evaluate the use of American tech tools in their digital infrastructure. These developments particularly affect German companies. "Many of them are currently working intensively to integrate AI workflows and cloud services into their business processes," says Volck. For responsible IT planning, this situation results in three important fields of action:
Make data flows transparent: First, it is advisable to systematically review all international data transfers. In particular, data flows to third countries—primarily the USA—should be identified based on the record of processing activities in accordance with Article 30 of the General Data Protection Regulation (GDPR). Indirect access options via data interfaces, support requests, or connected software services within the meaning of Articles 44 ff. GDPR can also be included.
Considering alternative legal instruments: CIOs should also consider alternative transfer mechanisms such as standard contractual clauses under Article 46(2)(c) of the GDPR. However, these require a so-called Transfer Impact Assessment (TIA), which examines whether the clauses could actually be enforced in the third country.
Develop and test an exit strategy: CIOs should already prepare an exit plan for a scenario in which the transatlantic data protection agreement is revoked— regardless of whether Washington or Brussels is responsible. Alternative solutions, particularly for real-time workloads such as video conferencing, contact center integrations, or automated chat assistants that process conversation data in fractions of a second, should be tested during current normal operations before they replace existing tools and workflows.
Digital Sovereignty is No Longer Solely Within the IT Department
How complex such exit processes are depends on many factors such as the size of the company, internal use cases, and digital infrastructure. According to Volck, one thing is clear: building digital sovereignty within a company is no longer solely the responsibility of the IT department. It has become a central issue of corporate due diligence.
In light of the changing political climate, many companies have already begun preparing to switch to European cloud providers, transition to local data processing, or, for example, limit or suspend certain processing activities. European cloud providers are currently experiencing significantly increased demand, driven by substantial security concerns and "Go-European" initiatives.
It remains to be seen whether these initiatives will, in the long term, lead to a local cloud industry capable of meeting the rapidly growing demand for legally secure and reliable digital infrastructure. Such a scenario would likely only be realistic if the EU and its member states create the necessary political framework to comprehensively support local providers.
In conclusion, Volck advises: "Here and now, it is crucial for companies to move digital sovereignty out of the realm of abstract strategy papers and establish it as a fixed parameter in business decision-making. Those who prepare thoroughly today will avoid the shock of having to recalibrate the legal foundations for operations, compliance, and competitiveness overnight tomorrow."
Naturally, we always handle your personal data responsibly. Any personal data we receive from you is processed in accordance with applicable data protection legislation. For detailed information please see our privacy policy.
Consent to the use of data for promotional purposes
I hereby consent to Vogel Communications Group GmbH & Co. KG, Max-Planck-Str. 7-9, 97082 Würzburg including any affiliated companies according to §§ 15 et seq. AktG (hereafter: Vogel Communications Group) using my e-mail address to send editorial newsletters. A list of all affiliated companies can be found here
Newsletter content may include all products and services of any companies mentioned above, including for example specialist journals and books, events and fairs as well as event-related products and services, print and digital media offers and services such as additional (editorial) newsletters, raffles, lead campaigns, market research both online and offline, specialist webportals and e-learning offers. In case my personal telephone number has also been collected, it may be used for offers of aforementioned products, for services of the companies mentioned above, and market research purposes.
Additionally, my consent also includes the processing of my email address and telephone number for data matching for marketing purposes with select advertising partners such as LinkedIn, Google, and Meta. For this, Vogel Communications Group may transmit said data in hashed form to the advertising partners who then use said data to determine whether I am also a member of the mentioned advertising partner portals. Vogel Communications Group uses this feature for the purposes of re-targeting (up-selling, cross-selling, and customer loyalty), generating so-called look-alike audiences for acquisition of new customers, and as basis for exclusion for on-going advertising campaigns. Further information can be found in section “data matching for marketing purposes”.
In case I access protected data on Internet portals of Vogel Communications Group including any affiliated companies according to §§ 15 et seq. AktG, I need to provide further data in order to register for the access to such content. In return for this free access to editorial content, my data may be used in accordance with this consent for the purposes stated here. This does not apply to data matching for marketing purposes.
Right of revocation
I understand that I can revoke my consent at will. My revocation does not change the lawfulness of data processing that was conducted based on my consent leading up to my revocation. One option to declare my revocation is to use the contact form found at https://contact.vogel.de. In case I no longer wish to receive certain newsletters, I have subscribed to, I can also click on the unsubscribe link included at the end of a newsletter. Further information regarding my right of revocation and the implementation of it as well as the consequences of my revocation can be found in the data protection declaration, section editorial newsletter.
:quality(80)/p7i.vogel.de/wcms/af/1e/af1ec4fca4636f521f780ba0ae009c8e/bild3-werkst-c3-bcck-20und-20werkzeug-5204x2928v1v1.jpeg "The main area of application for the new axial gear cutting machine is the production of rotor shafts for electric vehicles. (Image:Profiroll Technologies)")
:quality(80)/p7i.vogel.de/wcms/d1/ab/d1ab452217529e5c29a81add9aca7c22/0128871322v1.jpeg "Only one year to go: the new EU Machinery Regulation makes cybersecurity mandatory. Companies should act now. (Picture: ©Pisit - stock.adobe.com)")
:quality(80)/p7i.vogel.de/wcms/88/53/8853f7df2fe47a3d2c6f1879f6ac38e6/newsimage417073-1500x843v1v1.jpeg "Measuring setup for friction stir welding: Modular acoustic measuring system with flexibly positioned microphones for recording tool wear and process deviations in real time. (Image:Fraunhofer IDMT)")
:quality(80)/p7i.vogel.de/wcms/28/75/28751a17e2bcca46e53a1e7b8a84c433/schmersal-tiepner-029-6749x3796v1v1.jpeg "Tiepner's compact system produces ID cards made of laminated plastic, which are used as customer cards, ID cards or cheque cards, among other things. Left in the picture: Christian Höltge, Managing Director of Tiepner GmbH. (Image:Tiepner GmbH)")
:quality(80)/p7i.vogel.de/wcms/cd/fe/cdfe212a3b3206e2ff09dcdf71c11240/0129219561v1.jpeg "Extended S-series: The new Cobot models from Omron lift up to 30 kilograms and are now also protected against dust and water thanks to protection class IP65. (Image:Omron)")
:quality(80)/p7i.vogel.de/wcms/c3/6d/c36d161e7709095fd1de4cb9de27d927/0129133682v1.jpeg "Nanjing is Siemens' largest research and production center for CNC systems, drives and electric motors outside Germany. (Image:Siemens)")
:quality(80)/p7i.vogel.de/wcms/70/dc/70dc2fbc09e6958a72c63bd15e986e14/0129206156v1.jpeg "The global shoe machine manufacturer Desma relies on automation and has been revolutionizing shoe production—together with ABB Robotics for over 40 years. (Image:ABB Robotics)")
:quality(80)/p7i.vogel.de/wcms/60/fd/60fd12ddfe1fb623568736f27d1cfe61/0128606899v1.jpeg "The future of supply chains: AI and dashboards to ensure optimal OTIF values (Picture: ©immimagery - stock.adobe.com)")
:quality(80)/p7i.vogel.de/wcms/39/38/393873c2ed943bb715a6419d94049b63/geralt-entrepreneur-1340649-1280-1280x720v1v1.jpeg "Visual Components presents its forecast for production simulation in 2026. (Image:Pixabay)")
:quality(80)/p7i.vogel.de/wcms/60/4e/604e2a1ce26f177c5f28c2bff94c2f7d/der-20rotor-20mit-20aktiv-20verwindbaren-20rotorbl-c3-a4ttern-20im-20windkanal-1920x1079v1v1.jpeg "The rotor with actively twistable rotor blades in the wind tunnel: The open measuring section and sound-absorbing wall and model fuselage cladding enable high-quality acoustic measurements. (Image:DLR)")
:quality(80)/p7i.vogel.de/wcms/a8/9a/a89aef1cba3843fa06a1ec1f07cf659b/adobestock-95634179--c2-a9-20crazyforanimeart-20-e2-80-93-20stock-adobe-com-4762x2678v1v1.jpeg "Copied from the octopus: Researchers have developed a film-like thin-film platform that can dynamically change not only its color but also its surface structure. (Image:AdobeStock_95634179_ CrazyForAnimeArt)")
:quality(80)/p7i.vogel.de/wcms/2b/fb/2bfbb9fa26274cb8f6e8979c24a3d08e/0129243542v1.jpeg "In some cases, the new additively manufactured lightweight bearings only reach
11 percent of the weight of comparable steel bearings. (Image:Rosswag Engineering)")
:quality(80)/p7i.vogel.de/wcms/25/11/25111828d56b46dc0dc3b717ac2dfcfa/0129276081v1.jpeg "According to media reports, Ford is negotiating with Geely about cooperation in production and technology. (Image:Ford)")
:quality(80)/p7i.vogel.de/wcms/b7/2d/b72dfd1458e86652491018914478cb00/0129259253v1.jpeg "The green belt of VW Palmela - including two geothermal fields and a new paint shop. (Image:VW Group)")
:quality(80)/p7i.vogel.de/wcms/cb/76/cb76d0c686e8dbc8b0e0b6961e3849c7/0129249515v1.jpeg "The Chinese Ministry of Industry and Information Technology has developed binding standards for retractable vehicle door handles. (Image:BYD)")
:quality(80)/p7i.vogel.de/wcms/42/0a/420a796e6b9d9e3bf27d89d4fe425d84/0129264331v1.jpeg "Polestar presented the new Model 5 live. (Image:Polestar)")
:quality(80)/p7i.vogel.de/wcms/6f/8f/6f8ff5bf9b81829ef22736bc790cecca/0129224894v1.jpeg "View of the quantum optics laboratory at the University of Stuttgart: here, researchers are experimenting with new photon sources for quantum computing and quantum networks. (Image:Barz Group, University of Stuttgart)")
:quality(80)/p7i.vogel.de/wcms/52/3a/523ac3157ae4b4f596c7241c89127061/0129260553v1.jpeg "This artistic illustration shows a thermal analog calculator that performs calculations using excess heat and is embedded in a microelectronic system. (Image:Jose-Luis Olivares, MIT)")
:quality(80)/p7i.vogel.de/wcms/d1/f4/d1f4508c6b79ec2f0432b34a6fa33a98/0114966184v1.jpeg "The Infineon headquarters Campeon in Neubiberg, Munich. (Image:Infineon)")
:quality(80)/p7i.vogel.de/wcms/fa/d3/fad3872cf3f110f43411f2dce9e8f23a/0129265762v1.jpeg "Siemens Energy has discovered the USA as a prosperous growth market for network technology and gas turbines! In order to be able to meet demand at some point, the company is already digging deeper into its pockets ... (Image:Siemens Energy)")
:fill(fff,0)/images.vogel.de/vogelonline/companyimg/76800/76895/65.jpg "FAULHABER_120mm.jpg ()")
:fill(fff,0)/p7i.vogel.de/companies/68/a4/68a47beec75ce/logo-cmyk-de.jpeg "logo-cmyk-de (https://www.datatec.eu/)"){kind=logo}
:fill(fff,0)/p7i.vogel.de/companies/67/eb/67eba621ef6ea/logo2.png "logo2 (Wuxi InfiMotion)"){kind=logo}
:quality(80):fill(efefef,0)/p7i.vogel.de/wcms/67/ad/67adf92d254d2/elatec-wp-smart-factory.png "Elatec WP Smart Factory")
:quality(80)/p7i.vogel.de/wcms/db/c5/dbc51514a84cb27ed1f674576bc5f62b/0125811019v1.jpeg "At Microsoft, U.S. access to European cloud data is possible despite local hosting and EU data boundaries. (Image:AI-generated)")
:quality(80)/p7i.vogel.de/wcms/a6/60/a66045fd9b394d6ba9ed79c45ad3bfa9/0125836302v1.jpeg "Europe's cloud providers offer secure and flexible solutions that comply with strict data protection regulations. (Image: ©Zohaibzahid - stock.adobe.com)")