2025-06-11

The Sovereignty Illusion: Why AWS's European Cloud Cannot Escape US Jurisdiction

Why U.S. cloud providers can't offer true data sovereignty in Europe—legal jurisdiction overrides technical solutions.

When Heise, one of Germany’s most reputable technology publications, recently detailed Amazon’s elaborate plans for a “sovereign” European cloud, readers could be forgiven for believing that US hyperscalers had finally solved the fundamental conflict between American surveillance laws and European data protection. The article’s technical focus on independent billing systems, EU-only staff, and physical separation from US infrastructure paints a compelling picture of jurisdictional independence.
This narrative is not just misleading—it’s dangerously so. As European businesses and government agencies make critical decisions about their digital infrastructure, articles that emphasize technical architecture while minimizing legal reality create a false sense of security. The truth remains stark and unchangeable: no amount of technical sophistication, organizational restructuring, or operational independence can transform a US corporation into a genuinely sovereign European entity.
This analysis aims to cut through the carefully crafted messaging and technical smokescreens to expose why data sovereignty under US hyperscalers remains impossible—not improbable, not challenging, but fundamentally impossible under current legal frameworks. When Amazon claims its European Sovereign Cloud will be “physically and logically separate,” they’re answering the wrong question. The issue was never about physical separation; it’s about legal jurisdiction. And on that crucial point, US law is unambiguous: American companies must comply with US government data requests regardless of where that data resides.

The Fundamental Conflict That No Architecture Can Solve

The core issue isn’t technical—it’s jurisdictional. US companies remain subject to American law wherever they operate, creating an insurmountable barrier for genuine European data sovereignty. Despite billion-euro investments and elaborate technical architectures, this legal reality persists unchanged.

AWS’s €7.8 Billion Sovereign Cloud Faces Immediate Legal Skepticism

Amazon Web Services announced its European Sovereign Cloud in late 2023, promising a “physically and logically separate” infrastructure staffed exclusively by EU residents and launching in Germany by end-2025. The €7.8 billion investment through 2040 includes independent billing systems, a European Security Operations Center, and a German parent company structure. Yet legal experts immediately identified the fatal flaw: AWS remains a US corporation subject to American jurisdiction.
French MP Philippe Latombe crystallized the opposition, stating that “AWS cloud cannot be sovereign because it is subject to the US FISA and Cloud Act” - laws mandating US companies cooperate with American security agencies globally. Jean-Sebastien Mariez, founding partner of French tech law firm Momentum Avocats, emphasized that “the location of data was hereafter irrelevant in the applicability of US laws.” This creates what Frank Karlitschek, CEO of Germany-based Nextcloud, calls “false sovereignty” - elaborate technical measures that cannot overcome fundamental jurisdictional conflicts.
The German government’s endorsement through its Federal Office for Information Security (BSI) has created friction with France’s more stringent SecNumCloud certification requirements, highlighting European disagreement on acceptable sovereignty levels for US-controlled entities. This divergence reflects deeper tensions about digital independence versus pragmatic accommodation of American tech dominance.

US Legal Frameworks Systematically Override European Sovereignty

The 2018 CLOUD Act codified what privacy advocates had long warned about: US authorities can compel American companies to provide data “regardless of whether such communication, record, or other information is located within or outside of the United States.” This explicit extraterritorial reach directly violates GDPR Article 48, which stipulates that foreign court orders requesting data transfers are only acceptable if grounded in international agreements. FISA Section 702 compounds the sovereignty violation by enabling mass collection of foreign communications without individualized warrants. The European Court of Justice’s Schrems II decision specifically cited Section 702 as incompatible with EU fundamental rights, finding it “does not limit the collection of personal data to what is strictly necessary and proportional.” Europeans lack “rights actionable in court against US authorities,” violating Article 47 of the EU Charter.
Legal precedents reinforce this extraterritorial overreach. The Microsoft Ireland case (2013-2018) saw US authorities demand emails stored in Dublin, leading directly to the CLOUD Act’s passage. The Google Pennsylvania case established that data location becomes irrelevant when US courts determine jurisdiction by where authorities review information, not where it’s stored. National Security Letters provide another mechanism for accessing European data without judicial oversight, with documented histories of extensive violations and minimal accountability.

Failed Sovereign Cloud Attempts Reveal Structural Impossibility

Microsoft’s Deutschland Cloud (2015-2018) represents the most ambitious attempt at US company sovereignty in Europe. Despite T-Systems acting as exclusive data trustee under German law, with Microsoft having no direct access without consent, the model collapsed within three years. The service cost 40-60% more than standard Azure and offered severely limited functionality due to its complete isolation from global Azure services. The critical insight isn’t just that it failed commercially, but why it had to be so isolated in the first place. Any meaningful integration with Microsoft’s global infrastructure would have immediately created pathways for US legal jurisdiction. The extreme technical separation required to maintain even theoretical sovereignty made the product essentially a different, inferior service. Microsoft’s official abandonment acknowledged that “the isolation of Microsoft Cloud Germany imposes limits on its ability to address the flexibility and consistency customers desire.” Most significantly, this model was never tested against its core promise: What would have happened if US authorities had invoked the CLOUD Act against Microsoft Corporation? The service died before this critical question could be answered. The Deutschland Cloud’s failure demonstrates that achieving both true integration with US hyperscaler capabilities AND genuine sovereignty appears to be mutually exclusive—you can have isolation or functionality, but not both.
Google’s sovereign cloud partnerships with T-Systems and others continue in limited capacity but face similar challenges. The dual control mechanisms create operational friction, significant cost premiums persist, and the service portfolio remains restricted compared to global offerings. Market response has been lukewarm, with few major customer announcements despite years of development. Oracle and IBM’s sovereign cloud attempts show similar patterns of limited adoption and unresolved jurisdictional conflicts.

EU Regulations Demand Sovereignty That US Companies Cannot Provide

Current EU regulations establish increasingly stringent sovereignty requirements that fundamentally conflict with US corporate structures. GDPR Article 44 prohibits transfers undermining EU data protection, while Article 48 specifically addresses foreign government access. The European Data Protection Board mandates Transfer Risk Assessments for all non-adequacy transfers, requiring controllers to assess whether foreign laws like FISA and the CLOUD Act undermine safeguards.
The NIS2 Directive, which applies in full from October 2024, expands sovereignty requirements to cloud providers serving critical infrastructure. Risk management must address supply chain security, including jurisdiction analysis of third-party suppliers. The European Cyber Resilience Act, which entered into force in December 2024, adds security-by-design obligations throughout product lifecycles, with enhanced requirements for critical digital infrastructure.
ENISA’s draft EU Cloud Services Certification Scheme crystallizes sovereignty expectations. The highest security level requires cloud provider headquarters within the EU, all data processing in Europe unless customers explicitly consent otherwise, and technical measures preventing unauthorized foreign government access. These requirements effectively exclude US-owned providers from serving Europe’s most sensitive workloads.

Legal Experts Unanimously Reject US Sovereignty Claims

Max Schrems, the Austrian privacy activist whose cases invalidated two transatlantic data frameworks, states bluntly: “We would need changes in US surveillance law to make this work – and we simply don’t have it.” Legal scholars consistently emphasize that ownership trumps technical measures - US companies remain under American jurisdiction regardless of architectural sophistication or operational arrangements.
The expert consensus identifies the fundamental impossibility: compliance with both US and EU law creates irreconcilable conflicts. US authorities claim jurisdiction based solely on corporate nationality, while EU law prohibits exactly such extraterritorial assertions. No technical sovereignty can prevent legal compliance when parent companies face American enforcement actions. Experts particularly warn about AI training data creating new sovereignty vulnerabilities. Models trained on European data but controlled by US entities embed continental knowledge under foreign jurisdiction. Even anonymized training data reveals sensitive societal patterns through AI analysis, creating permanent dependencies that technical measures cannot address.

What Technical Teams Should Understand About Legal Limitations

Technical decision-makers often approach sovereignty as an engineering challenge, believing that sufficient encryption, architecture complexity, or operational controls can overcome jurisdictional issues. This fundamental misunderstanding leads to dangerous assumptions in system design and risk assessment.
Encryption Cannot Prevent Legal Compulsion

While end-to-end encryption protects data in transit and at rest, US companies must still comply with lawful access demands. The CLOUD Act explicitly requires providers to deliver data in their “possession, custody, or control” in readable form. If AWS holds your encryption keys—even in hardware security modules in Frankfurt—they must use those keys when compelled. Bring Your Own Key (BYOK) only shifts the problem: providers typically require key escrow for service functionality, recreating the access pathway.

Technical Isolation Provides No Legal Protection

Air-gapped networks, dedicated infrastructure, and region-locked services all operate under the same corporate ownership. When US authorities issue orders to Amazon.com, Inc., every subsidiary, technical silo, and “sovereign” region falls under that jurisdiction. The legal entity structure, not the network topology, determines compliance obligations.

Confidential Computing and Secure Enclaves Remain Vulnerable

Technologies like AWS Nitro Enclaves or Azure Confidential Computing protect against some threat vectors but cannot prevent the infrastructure owner from being legally compelled to modify the environment. Updates, patches, and hypervisor-level access create persistent control points that legal orders can exploit.

Zero-Knowledge Architectures Require Trust in Implementation

Even systems designed for zero-knowledge operation depend on the integrity of the implementing code. US companies under sealed orders could be compelled to introduce targeted vulnerabilities while being legally prohibited from disclosing these modifications. The provider’s nationality, not their technical architecture, determines susceptibility to such orders.
For CIOs and architects, the message is clear: treat US provider sovereignty claims as marketing, not technical specifications. When conducting risk assessments, assume that any data accessible to US companies—regardless of encryption, location, or technical controls—is potentially accessible to US authorities. Design systems accordingly, with truly sensitive data remaining exclusively within European-controlled infrastructure.
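The risk assumption above, written as a policy-as-code check over a constructed asset inventory (an added illustration, not code from the article or from any provider). The asset fields, verdict labels and sample names are assumptions; the rules encode the section's points that region is irrelevant, that BYOK with escrow leaves the provider able to decrypt, and that customer-only keys on US-controlled infrastructure still warrant review.

```python
"""Policy-as-code sketch of the risk assumption in the section above (added example).
Field names, verdict labels and the inventory below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: str      # "public", "internal" or "sensitive"
    provider_parent: str  # jurisdiction of the provider's ultimate parent, e.g. "US" or "EU"
    region: str           # where the data physically resides (deliberately NOT used in the verdict)
    key_custody: str      # "provider", "byok_escrow" or "customer_only"


def plaintext_reachable_by_provider(a: Asset) -> bool:
    # Provider-managed keys and BYOK with escrow both leave the provider able to decrypt;
    # only keys it never receives keep plaintext out of its "possession, custody, or control".
    return a.key_custody in ("provider", "byok_escrow")


def assess(a: Asset) -> tuple:
    """Return (verdict, reason). Region is ignored on purpose: jurisdiction follows ownership."""
    if a.provider_parent != "US":
        return "OK", "provider under non-US jurisdiction"
    if plaintext_reachable_by_provider(a):
        if a.sensitivity == "sensitive":
            return "BLOCK", f"sensitive data decryptable by US-parented provider ({a.key_custody})"
        return "WARN", f"plaintext reachable by US-parented provider ({a.key_custody})"
    # Customer-only keys: the provider sees ciphertext, but still controls the software stack.
    return "REVIEW", "ciphertext only, but stack integrity remains under US control"


def assess_inventory(assets):
    return {a.name: assess(a) for a in assets}


# Constructed sample inventory (illustrative names and values)
INVENTORY = [
    Asset("patient-records", "sensitive", "US", "eu-central-1", "provider"),
    Asset("hr-archive", "sensitive", "US", "eu-central-1", "byok_escrow"),
    Asset("backups", "internal", "US", "eu-west-3", "customer_only"),
    Asset("marketing-site", "public", "US", "eu-west-1", "provider"),
    Asset("tax-ledger", "sensitive", "EU", "de-fra", "provider"),
]

if __name__ == "__main__":
    for name, (verdict, reason) in assess_inventory(INVENTORY).items():
        print(f"{verdict:7} {name}: {reason}")
```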

European Alternatives Offer Genuine but Limited Sovereignty

True data sovereignty requires European ownership and control throughout the technology stack. OVHcloud, with custom servers manufactured in-house and SecNumCloud certification, commits that “no access to customer data is granted, unless the customer requests it.” IONOS operates exclusively within the EU with explicit exclusion of non-European authority access. Scaleway and other European providers offer genuine jurisdictional independence but lack the scale and service breadth of American hyperscalers.
Technical sovereignty measures like Bring Your Own Key Management, confidential computing, and zero-trust architectures provide partial protections but cannot overcome ownership-based jurisdiction. The GAIA-X federated cloud initiative aimed to create interoperable European infrastructure, but US company participation potentially compromises its sovereignty goals. Common European Data Spaces offer sector-specific frameworks under EU control but require massive investment to match American capabilities.
Policy experts recommend combining European ownership with advanced encryption, exclusive EU jurisdiction over infrastructure, and operational independence through EU-based staff. Yet the economic reality remains stark: US companies control 72% of the European cloud market, and the cost of technological independence often proves prohibitive.

Conclusion

The evidence conclusively demonstrates that US cloud providers cannot deliver true data sovereignty in Europe despite elaborate technical architectures and massive investments. The CLOUD Act, FISA, and fundamental principles of American legal jurisdiction create insurmountable conflicts with European sovereignty requirements. Failed attempts by Microsoft and Google, despite sophisticated trustee models and local partnerships, prove that technical measures cannot override corporate nationality.
As EU regulations tighten and geopolitical tensions intensify, the fiction of US company sovereignty becomes increasingly untenable. European organizations requiring genuine data sovereignty must ultimately choose between American technological advantages and jurisdictional independence. The current transatlantic data governance regime structurally subordinates EU law to US extraterritorial assertions, making meaningful sovereignty impossible without either complete technological independence or fundamental restructuring of global data governance.
The path forward requires acknowledging this reality: in the realm of data sovereignty, ownership determines destiny. No amount of technical sophistication can transform a US corporation into a European sovereign entity when American law explicitly claims global jurisdiction over its corporate citizens.