Transatlantic Cloud Risks for European Companies

Over the past few weeks, several friends and colleagues have asked me for advice on managing the risks of hosting software and data in American cloud services. This prompted me to look into the transatlantic cloud risks facing European companies. I have since researched the topic and compiled this report. My aim is not to present matters in black and white. As a firm believer in open and fair international trade, I stress that this document should not be read as a political endorsement of—or opposition to—any country or company.

Instead, this report highlights the principal risks and challenges likely to prove most significant. Cloud providers and policymakers on both sides of the Atlantic may well intervene before these issues become irreparable. Nonetheless, I am convinced that we cannot afford to wait; we must prepare for the worst and reduce our reliance on any single provider or jurisdiction, so that we remain resilient, whatever the outcome. If this report serves even as a modest guide for companies navigating these volatile times, I will consider it a success. References appear at the end of each section, accompanied by full source details. Then I will be happy. References are provided at the end of each section, pointing to a complete list of sources with full information, which is also provided at the end of the report.

Executive Summary

This report examines the increasing legal, political, and strategic risks faced by European businesses, particularly in the UK and Scandinavia, when they rely on US cloud services, such as Amazon Web Services, Google Cloud, and Microsoft Azure. It is framed by:

• The EU–US Data Privacy Framework (DPF)
• US surveillance laws such as the CLOUD Act
• Recent political developments, notably the January 2025 removal of several members from the US Privacy and Civil Liberties Oversight Board (PCLOB)

Key Findings

1. DPF’s Fragile Basis
   • The DPF facilitates data transfer across the Atlantic, but its effectiveness depends on executive orders and oversight bodies that can shift with the political landscape.
   • President Trump’s dismissal of PCLOB members in early 2025 dealt a severe blow to the scheme’s credibility.
2. Clash with EU Law
   • US laws, such as the CLOUD Act and FISA 702, directly conflict with the GDPR, NIS2, and DORA.
   • They allow US authorities to access data held by US firms, even if it’s stored in EU data centres, putting compliance at risk.
3. Stronger EU Enforcement
   • The Irish Data Protection Commission fined Meta €1.2 billion for unlawful data transfers, demonstrating that regulators are prepared to enforce the GDPR strictly.
   • Legal challenges to the DPF persist and could yet lead to its overturning.
4. Europe’s Strategic Response
   • Governments and companies in Europe are investing in sovereign-cloud options.
   • More firms are utilising EU-based providers, such as OVHcloud, Hetzner, UpCloud and Elastx, as well as initiatives like GAIA-X.
5. Analyst Advice & Best Practice
   • Analysts (Gartner, Forrester, IDC) recommend hybrid or multi-cloud setups, improving data portability, and using encryption and localisation for sensitive workloads.
   • The EU Data Act and CISPE’s Cloud Switching initiative support these strategies.

Recommendations for European Companies

• Carry out Transfer Impact Assessments (TIAs)
• Build in contractual and technical safeguards
• Explore EU-based cloud providers
• Adopt multi-cloud architectures and end-to-end encryption
• Conclusion

US cloud services offer many benefits, but their legal and political vulnerabilities may create very real compliance and operational risks for European organisations. A well-planned, sovereignty-aware cloud strategy is now essential for any business operating in or serving the EU.

Legal and Political Background

EU-U.S. Data Privacy Framework Status

The EU-U.S. Data Privacy Framework (DPF, also known as TADPF) was adopted in July 2023 as a new adequacy arrangement following the invalidation of the Privacy Shield. It aims to ensure EU personal data transferred to certified US companies is protected at a level “essentially equivalent” to EU standards.

However, the DPF’s stability is already in question. In January 2025, US President Donald Trump removed all Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB), leaving it without a quorum.

The PCLOB is a key oversight body for US intelligence agencies and was integral to the DPF’s privacy safeguards and redress mechanisms. Its hobbling “renders the board impotent as an oversight body and thereby threatens the EU-U.S. Data Privacy Framework”, raising the risk that the EU’s adequacy decision could be struck down by the Court of Justice of the European Union (CJEU), as happened to Safe Harbour and Privacy Shield.

Indeed, the DPF’s foundations were already fragile. Trump’s actions to paralyse the PCLOB could contribute to the framework’s collapse when reviewed by the CJEU.

EU institutions have taken note: the European Commission’s October 2024 review stressed that it would “closely monitor” PCLOB appointments and reports, and the European Parliament had earlier passed a resolution in May 2023, warning that the DPF “fails to create essential equivalence in the level of protection required by EU law.”

In short, the DPF is in force. Still, its political underpinnings are shakier than ever, given US developments and ongoing legal challenges. A privacy advocacy group, NOYB, and others filed cases in 2023, alleging that “the fundamental problem with FISA 702 was not addressed,” which could lead to yet another invalidation. ^{[13][24][33][57]}

Limitations vs. EU Regulations

Even if the DPF remains standing, it is narrowly focused on personal data transfer rules. It does not override broader EU regulatory requirements.

European laws, such as the GDPR, NIS2, and DORA, impose strict obligations that fall beyond the scope of the DPF. Neither NIS2 nor DORA is covered in the DPF, and additional measures may be required to protect sensitive data in the cloud. The GDPR governs any processing of EU personal data (including security and individuals’ rights), and its cross-border transfer rules (Articles 44–49 GDPR) still apply if the DPF is struck down.

The Network and Information Security Directive 2 (NIS2), effective October 2024, focuses on cybersecurity and operational resilience for essential services, with requirements like risk management, supply chain
security, and breach reporting. Digital Operational Resilience Act (DORA), effective early 2025 for the financial sector, imposes stringent ICT risk management and oversight of third-party providers, ensuring banks and financial institutions can withstand ICT disruptions.

These sectoral laws require companies to address risks such as data breaches, outages, or supplier failure, including the legal risks associated with data access, regardless of any existing privacy framework.

For example, DORA and NIS2 effectively compel companies to consider data sovereignty and cloud concentration risks; they “complement and coexist with GDPR,” meaning compliance with the GDPR alone does not satisfy the full spectrum of EU requirements.

In practice, even if a data transfer to a US cloud is legal under the DPF, a European bank or critical infrastructure provider may still face compliance issues under DORA/NIS2 if that transfer creates security or continuity risks (for instance, if a sudden legal change renders data inaccessible or compromises it).

Moreover, the DPF is an executive agreement, based on a US Executive Order and an EU Commission decision, rather than a treaty or law; therefore, it is inherently fragile – a change in US administration or policy could unravel without congressional approval.

EU policymakers are well aware of these limits, which is why “in the last decade, there has been a flurry of sovereignty-linked regulation” (GDPR, NIS2, DORA, Data Act, etc.) to shore up protections ​independently of transatlantic deals.^{[3][13][20][33][43][69]}

US Surveillance Laws and Extraterritorial Reach

A core legal concern is that U.S. law can compel access to data held by U.S.-based cloud providers, regardless of the location of the data. The prime example is the Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018, which explicitly authorises US law enforcement to demand data from US tech companies “even if that data is stored outside the US.”

In other words, a company like Microsoft, Amazon, or Google can be served a warrant or subpoena for data in its EU data centres, and US courts assume jurisdiction. This creates a direct conflict with EU data protection laws – as one industry analysis put it, “the GDPR bars transfers of EU citizens’ data to regions with weaker privacy laws, yet the United States’ CLOUD Act compels disclosure of data regardless of its location”.

The question of which law prevails remains unresolved: compliance with a US order could violate the GDPR, risking substantial fines. In contrast, refusal could violate US law. Although, to the best of the author’s knowledge, there is no objective public evidence to date of US agencies seizing personal data from EU servers (companies tend to resist, and such proceedings are typically secret), the risk is not theoretical.

The infamous Microsoft Ireland case, which occurred from 2016 to 2018, highlighted this conflict: US authorities sought emails stored in Dublin, and Microsoft fought the subpoena – the dispute only ended when the CLOUD Act was passed, granting the US government apparent authority.

Under the CLOUD Act, US providers can challenge a data demand if it conflicts with foreign law and involves a non-U.S. person. Still, they must persuade a US judge, and the law grants the government broad leeway.

The Foreign Intelligence Surveillance Act (FISA) Section 702, the law enabling NSA mass surveillance of foreign communications, remains in force and was not changed by the DPF. FISA 702 allows US intelligence to collect data on non-Americans outside the US without individualised warrants.

This was a central issue in the Schrems II ruling (CJEU 2020), which struck down Privacy Shield due to a lack of proportionality and inadequate redress for EU citizens. The new DPF relies on US Executive Order 14086 to impose some safeguards on intelligence agencies. Still, suppose those safeguards are not considered iron-clad (especially with the PCLOB oversight weakened). In that case, the CJEU may again find that the US surveillance laws make EU–US data transfers unlawful.

In short, American cloud giants operate under US laws that Europe cannot ignore: as a tech publication bluntly summarised, “US courts could compel companies under US jurisdiction to disclose data, potentially overriding EU privacy protections in practice”. This extraterritorial reach means that storing data in an EU region of a US cloud alone does not guarantee EU-level privacy or secrecy – a reality now shaping European risk assessments.
^{[3][55][57][62][69]}

Key Risks and Privacy Concerns

Stability and Adequacy of the DPF

European regulators and privacy experts have voiced deep scepticism about the DPF’s durability. EU civil society and the European Parliament were highly critical of the adequacy decision granted by the commission. The Parliament’s 2023 resolution urged renegotiation of the deal, arguing that it “fails to create essential equivalence” in terms of protection.

National privacy regulators, too, have been wary – the European Data Protection Board acknowledged improvements in early 2023. Still, it noted that “some issues of concern previously raised regarding [Privacy Shield] remain valid.”.

A fundamental concern is that the DPF, like its predecessors, still relies on US executive assurances rather than statutory change. Max Schrems (whose complaints led to Schrems I & II) has indicated that the DPF will likely be
challenged; indeed, NOYB and others filed suits in late 2023 because US surveillance law (FISA 702) still permits bulk data collection, and the new redress mechanism is not truly independent.

These cases are expected to wind their way up to the Court of Justice of the European Union (CJEU). While a final verdict may be a year or more away, companies risk a “Schrems III” scenario where the DPF is invalidated, plunging transatlantic data flows back into legal limbo. The recent turmoil at the PCLOB heightens this risk. Europe saw the PCLOB as a linchpin of oversight under the DPF; with it crippled, the European Commission loses a “key oversight tool for which it bargained”, and the CJEU may view the US commitment as shallow. Since the Trump Administration has fired watchdog officials, privacy advocates claim that the US government undermines the agreed-upon safeguards and fail to implement Executive Order 14086 properly, and as a result, the entire framework’s credibility will erode.

In practical terms, this creates business uncertainty: companies relying on the DPF to legitimise EU->US data transfers could suddenly find that mechanism invalid, as happened overnight in 2020 with Privacy Shield. They would then need to scramble to adopt Standard Contractual Clauses or other measures, which themselves face compliance hurdles (regulators, such as the Irish DPC, have already cast doubt upon, as noted below).

The “long-term sustainability” of the DPF is thus a significant concern; many experts view it as a stopgap that may not survive judicial scrutiny, given that the underlying US laws (such as FISA) remain unchanged. ^[13][57]

Regulatory and Enforcement Actions

European regulators have not waited for transatlantic politics to resolve. They have begun enforcing GDPR restrictions on cloud transfers in specific cases, demonstrating the real risks associated with insufficient data protection.

The record €1.2 billion penalty against Meta (Facebook) in May 2023 was a landmark example. Ireland’s Data Protection Commission found Meta’s continued transfers of EU user data to the US (after Privacy Shield’s invalidation, using SCCs) violated GDPR because “the transferred data did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the [CJEU]”.

In other words, Meta failed the “Schrems II” test – the DPC ruled that standard contractual clauses were not enough given US surveillance risks and ordered Facebook to suspend EU→US data flows. This enforcement, the largest GDPR fine to date, underscores that EU regulators are prepared to halt data exports and levy huge penalties if companies can’t guarantee EU-level protection overseas. It foreshadows what could happen to many businesses if the DPF is invalidated or if SCCs are deemed insufficient: any company reliant on US clouds to handle personal data might face legal orders to localise or delete that data.

Separately, European Data Protection Authorities have also cracked down on specific U.S.-based services. For instance, several DPAs (in Austria, France, Italy, etc.) ruled that using Google Analytics on EU websites was unlawful because it entails sending personal user info to Google in the US without adequate safeguards. Such cases illustrate a growing compliance risk for EU companies: using popular US cloud tools (such as analytics and Saas) can suddenly be declared non-compliant, forcing swift contract changes or technology swaps.

The prevailing concern among regulators is that any data accessible under US law cannot be safely stored in the “cloud” without robust supplementary protections, such as encryption (discussed later). Until US surveillance laws meet EU standards or stronger safeguards are implemented, EU authorities will continue to view reliance on US providers as a legal risk that warrants close monitoring. ^[66][69]

Privacy Advocacy and Expert Commentary

Some European privacy advocates have openly questioned whether transatlantic data deals will be upheld. Notably, Marietje Schaake, a former MEP and international policy expert, highlighted a geopolitical dimension: “There is a huge desire in Europe to de-risk or reduce over-reliance on American technology companies because there is a fear that they could be used against European interests”

In March 2025, this statement was issued after the new US administration adopted a tough line on Europe. It isn’t just about privacy laws – it’s about Europe’s digital independence and trust. If EU leaders believe Washington might use its big tech companies for spying or to apply economic pressure, they’ll push back.

Privacy advocacy groups, such as NOYB and EDRi, similarly argue that without reform of US spying powers, any “adequacy” is built on sand. They point out that the DPF’s redress mechanism, the newly created Data Protection Review Court in the US, is untested and not truly independent, as the US Attorney General appoints its members; thus, EU individuals still lack an adequate remedy in US courts.

Another often-cited concern is the “persistent problem of FISA 702.” As long as bulk data collection is legally permissible in the US, European data will remain at risk, according to privacy groups.

Consumer organisations in Europe have also chimed in, worrying about cloud concentration. For example, BEUC (European Consumer Organisation) has warned that consumers’ data might be exposed if foreign authorities can access it without a proper judicial process. These voices collectively pressure EU institutions to adopt a firm stance. We have already seen this pressure result in action: the European Parliament’s resolution against the DPF and the EDPB’s tough stances were partly driven by civil society input.

The long-term risk is that transatlantic data-sharing becomes a political football. If the DPF collapses, it could lead to strained economic relations and uncertainty for thousands of businesses.

As the Centre for Democracy & Technology noted, the PCLOB firings “severely undermine” the Commission’s ability to ensure the US is living up to its privacy promises, rendering the DPF a futile safeguard.

The expert consensus in the EU suggests that the current framework may fail unless the US provides stronger legal guarantees. This casts a shadow of risk over any European company that entrusts personal data to a US cloud. ^{[7][13][19][57]}

Legal Cases of Data Access

While direct cases of US authorities seizing EU-stored corporate data under the CLOUD Act are not often publicised (due to the secrecy of investigations), the threat is evidenced by preventative guidance from European officials. For example, the Dutch government’s cybersecurity agency (NCSC) issued a memo in 2022 advising European businesses to minimise the exposure of data to US jurisdiction whenever possible. It warned that “theoretical risks of compelled disclosure to US authorities cannot be ignored”. It outlined scenarios in which EU data could be subject to the CLOUD Act, such as when an EU company is a subsidiary of a US parent or when it utilises a U.S.-based cloud service.

The memo bluntly stated that to avoid the reach of the CLOUD Act altogether, an EU entity must use a non-US provider with no US parent company and ensure the US provider has no “possession, custody, or control” over the EU data.

This kind of official guidance underscores that any data under the orbit of a US company is at risk of disclosure, a view increasingly shared by European regulators. Indeed, Deloitte observes that if a company complies with a US data demand, it may violate the GDPR and face penalties.

A related scenario is government surveillance: Under FISA 702, US intelligence could target a cloud server in Europe if a US provider has access, all without informing the data owner. Although specific instances are classified, the Snowden revelations showed that providers like Google and Microsoft were compelled to give backdoor access to data streams. It is widely believed that cloud providers still receive such orders (e.g., National Security Letters) for data on foreign servers, but they are prohibited from disclosing it.

The absence of transparency (US companies cannot easily reveal how often this happens) further fuels European mistrust. We also observe transatlantic tension in law enforcement access: the US and EU are discussing a potential E-Evidence/CLOUD Act agreement to streamline cross-border data requests; however, until this is implemented, unilateral US orders could conflict with EU law.

In short, this isn’t a distant or hypothetical threat – it’s happening now. European businesses should assume that US authorities can access data held by American cloud providers and plan for it. This risk extends to business continuity: if an EU firm’s critical data were seized or surveilled by a foreign power, that could disrupt operations and breach customer trust.

It also presents litigation risks – individuals or regulators could sue a company for failing to safeguard EU data if such access were to occur. Thus, even in the absence of a headline’ test case” of CLOUD Act vs GDPR, the prevailing risk is the chilling effect and the precautionary principle: many organisations feel they cannot comfortably use US clouds for sensitive data due to the looming possibility of secret access or a sudden legal crackdown.

Transatlantic Business Continuity Risks: All these factors lead to a broader strategic risk: What if transatlantic data flows are cut off or heavily restricted? Many European companies – and indeed US companies operating in Europe – depend on seamless data exchange with the U.S. Cloud-based services, from CRM and HR platforms to global e-commerce infrastructure, often involve personal data moving back and forth. Suppose the DPF is invalidated, as many anticipate. In that case, those companies might have to suspend certain data transfers immediately or face fines under the GDPR. This is not speculative: recall that Facebook was ordered to suspend EU-to-US transfers and given only 5 months to comply.

If a similar order were to apply to cloud services broadly, companies not prepared with EU-local alternatives could see parts of their IT stack become illegal almost overnight. The risk of a legal “cliff edge” has prompted businesses to push for political solutions. Still, contingency planning is crucial given the unpredictable US policy moves (e.g., the PCLOB incident) and court rulings.

Additionally, there’s the risk of a protectionist turn. Data could be weaponised if geopolitical relations worsen (as in the present scenario of rising tariffs and disputes in 2025). The Trump administration’s apparent hostility toward EU privacy concerns (e.g., firing oversight officials and dismissing European criticism) may lead the EU to more aggressively assert digital sovereignty, even if that means temporarily disrupting transatlantic data flows.

For companies, the nightmare scenario is a collapse of data adequacy frameworks without an immediate replacement, forcing them into costly and complex compliance measures for every US data transaction or even requiring data repatriation to the EU. Such instability poses a serious business continuity risk, as it could impact cloud-based supply chains, transatlantic customer data processing, and the viability of US cloud contracts for European clients.

Hence, prudent organisations treat these legal and political risks as part of their overall risk register, not just as abstract legal issues. ^[62][66][69]

Strategic Responses by European Companies and Governments

Due to these risks, European businesses—especially those in the Nordics and highly regulated fields such as finance—have begun to adjust their cloud strategies. A clear trend since late 2024 is an increased
interest in reducing dependency on US “hyperscalers” (AWS, Microsoft Azure, Google Cloud) in favour of European-based cloud solutions or a more diversified approach. In early 2025, Wired reported “early signs that some European companies and governments are moving away from using American cloud services…citing privacy concerns and uncertainty over US policy.”​ dev.ua.

Two European cloud providers – Exoscale (Switzerland) and Elastx (Sweden) – noted a surge of inquiries from organisations looking to “abandon US cloud providers” in the weeks following the new US administration’s actions.

The CEOs of those companies confirmed that demand from across Europe has spiked. “Especially customers from Denmark… have been very clear that they want to move away from American companies because of the US administration,” said Exoscale’s CEO, referring to heightened Danish concerns in light of Trump’s rhetoric about Greenland.

Elastx’s CEO echoed that sentiment, calling it a big concern that “from a European perspective, the US is maybe not on the same team with us anymore.

This drives organisations to seek European alternatives. These anecdotes illustrate a larger pattern: clients, particularly in Northern Europe, actively request cloud options that ensure data remains under EU jurisdiction.
^[19]

Company Examples – Moving to European Clouds

We see concrete examples of companies executing cloud reversals, also known as “repatriation” of data. The founder of a small Austrian tech firm, SkunkWerks, shared that since the start of 2025, he has migrated several servers and databases from American providers to European services, motivated by principle (“privacy is a right, not a privilege”) and pragmatism (avoiding support for policies he disagrees with).

A German healthcare software provider, Medicusdata, which serves hospitals in Europe, stated that while it has always kept patient data in Europe for compliance purposes, clients have recently begun demanding data residency. The company now relies solely on European cloud providers and has migrated its services to a Swiss provider.

In the UK and Scandinavia, this trend is noticeable. According to an Investment Monitor report, “a growing number of companies are switching away from American cloud providers, as worries about data sovereignty become more pertinent for their customers and themselves”. This includes UK businesses, despite the UK not being in the EU; the geopolitical climate, as well as the UK’s data adequacy deals, also make them cautious.

The UK’s financial services and public sectors have been exploring European cloud options to ensure compliance with the UK GDPR and prepare for potential divergences with US policy. ^[19][53]

Public Sector and Government Initiatives

In 2025, the Dutch parliament made a decision supported across party lines to reduce dependency on US tech companies and switch to European cloud providers.Around the same time, over 100 European organisations signed an open letter calling on the EU to become “more technologically independent,” warning that the status quo, dominated by foreign technology, poses “risks to security and reliability.”

Such pressure drives European administrations to invest in local or sovereign cloud solutions. France and Germany have been leaders in this arena: France launched a “Cloud de Confiance” (Trusted Cloud) initiative requiring that cloud services for the public sector be operated by companies under French/EU law (leading to partnerships like “Bleu” – a joint venture with Microsoft Azure technology but under French control).

Germany’s telecom giant T-Systems has partnered with Google Cloud to offer a “German sovereign cloud,” where T-Systems manages the keys and access, thereby insulating the service from US intervention. In Sweden and Norway, public agencies have closely followed guidance from their data protection authorities to avoid using US cloud services for any sensitive personal data. For instance, Sweden’s education authorities warned schools in 2022–23 against using U.S.-based cloud tools, such as certain Google services, after rulings that they could violate the GDPR. These moves have only intensified with the new uncertainties: “digital sovereignty” is now a strategic objective in many national digitalisation plans. ^[19][37]

European Cloud Providers and Solutions

The changing landscape has expanded the number of European cloud providers, including OVHcloud, Scaleway, Hetzner, UpCloud, City Network, Elastx, and Exoscale, among others. Although collectively, they still hold a minority share of the European cloud market, they leverage sovereignty as a selling point. OVHcloud (France) and Deutsche Telekom’s infrastructure arm have marketed themselves as GDPR-compliant by design, immune to extraterritorial laws.

For example, OVHcloud and other EU providers joined CISPE (Cloud Infrastructure Providers in Europe) to emphasise data protection commitments and lobby for fair competition with the US giants. According to Wired, companies like Exoscale and Elastx have seen clients “starting to do so” – i.e. actively switching over in the first quarter of 2025.

Some high-profile cases: The French Ministry of Health’s Health Data Hub decided to move off Microsoft Azure to a European-hosted solution after pressure from the CNIL (the French Data Protection Authority), which was concerned about US access. The German state of Hesse migrated its school systems from Microsoft Office 365 to a local cloud service for similar reasons.

In Denmark, certain municipalities and even private companies have begun mandating EU-only cloud options in RFPs (requests for proposals) for new IT projects. This trend is also driven by increasing prices for cloud services and increasing lock-in. Scandinavian companies, in particular, have been early adopters of privacy-focused cloud services – for instance, Finland’s UpCloud and Sweden’s Elastx report that fintech and healthcare startups, which handle a lot of personal data, prefer them over AWS and Azure to avoid legal complexity. ^{[9][18][19][38][63]}

“Sovereign Cloud” Offerings by US Providers

Interestingly, the US hyperscalers have responded to European strategic demands by launching Europe-specific cloud environments. Amazon Web Services announced a “European Sovereign Cloud” initiative in late 2024, starting with a dedicated region in Germany that is physically and operationally separate, run by AWS’s European personnel, and keeps all data and metadata within EU borders.

Microsoft has rolled out its EU Data Boundary for Azure, Office 365, and Dynamics, aiming to ensure by 2025 that all customer data of EU clients remains within an EU or EFTA data centre. Microsoft and Google are also partnering with European firms. Google Cloud collaborates with T-Systems in Germany to offer a “Germany Sovereign Cloud,” where data residency is guaranteed in-country, and the local partner holds encryption keys rather than Google.

Even Oracle has launched an EU Sovereign Cloud region, and IBM offers EU-only cloud zones. These moves are acknowledgements by US providers that they must alleviate European fears by localising data storage and limiting administrative access. However, European regulators and experts note that these setups have limitations. Because the parent companies remain under US jurisdiction, there is concern that even a so-called sovereign EU cloud operated by a US firm might not resist a CLOUD Act demand.

AWS, Microsoft, and Google argue that using EU legal entities and strictly EU-based staff for these special clouds can create a buffer against US orders. Yet, as Blocks & Files noted, they “are subject to US jurisdiction under the CLOUD Act, potentially compromising [GAIA-X’s] goals” of data sovereignty.

Indeed, one French cloud provider, Scaleway, quit the GAIA-X initiative in 2021 to protest US big tech involvement, doubting that true sovereignty could be achieved with them at the table.

Still, for European companies that cannot entirely drop US platforms, using these “EU sovereign” offerings is a risk mitigation – it likely reduces casual data transfers. It enforces stricter EU law processes, even if it may not withstand an extreme legal conflict. ^[3]

Multi-Cloud and Hybrid Strategies

A practical strategy gaining traction is adopting a multi-cloud or hybrid cloud architecture. Instead of putting all eggs in one provider’s basket (especially if that provider is foreign), companies distribute workloads across multiple clouds – some from US vendors, some from European vendors, and perhaps private or on-premises clouds for the most sensitive data.

This approach offers flexibility and leverage: if legal conditions change or a provider becomes problematic, workloads can be shifted to the other cloud environments. For instance, banks in Scandinavia use hybrid cloud setups,
keeping customer account databases on a private or EU-based cloud while using US cloud services for less sensitive analytics or web content, and linking them through secure APIS.

Some organisations have negotiated contractual exit clauses or contingency provisions in their cloud contracts. The International Association of Privacy Professionals (IAPP) recommends that companies put “springing SCCs” – essentially backup standard contractual clauses that automatically kick in if the DPF adequacy is invalidated.

This contingency planning is part of a broader playbook: companies should prioritise their data transfers and have fallback measures in place (such as quickly transferring data to an EU cloud or invoking pre-signed data processing addendums).

Many firms in Europe are indeed rehearsing these scenarios. For example, a large Nordic insurance company might maintain a global presence on AWS. Still, in parallel, it keeps an updated clone of critical data in a European cloud environment. If transatlantic transfers are halted, services can be seamlessly cut over to the European zone with minimal downtime.

This is essentially building resilience against legal shock. Surveys indicate that multi-cloud adoption is now standard – over 90% of businesses globally use two or more public cloud providers, and Europe is no exception. European companies give themselves options and bargaining power by avoiding lock-in to a single US vendor. It also helps address another risk: vendor lock-in and dependency can be costly, even aside from jurisdiction issues, so multi-cloud strategies support sovereignty and operational resilience. ^[33][52]

European Cloud Alliances – GAIA-X and Beyond

On a collaborative level, Europe launched GAIA-X in 2019 as a flagship project to foster a federated, interoperable data infrastructure across European providers. GAIA-X’s goal is to make it easier for European businesses to use home-grown cloud services that meet common standards for security and transparency. It’s not a cloud itself but a framework and ecosystem. In theory, GAIA-X could enable a company to seamlessly integrate services from multiple European clouds, thereby reducing the appeal of the integrated US hyperscalers.

Progress has been slower than hoped, and as noted, the involvement of US firms in GAIA-X raised questions. Still, GAIA-X symbolises Europe’s intent to achieve cloud sovereignty, ensuring that “European data remains under European control.”

EU countries have also formed the European Alliance for Industrial Data, Edge, and Cloud, pooling investments to develop next-gen cloud capacities under EU rule. At the national level, initiatives such as France’s “SecNumCloud” label—a cybersecurity certification for cloud providers that, at the highest level, requires immunity from non-EU jurisdictions—and Germany’s secure cloud projects are creating trusted zones for sensitive data.

The EU is also advancing frameworks, such as EUCS (EU Cloud Security Certification Scheme), to certify cloud services at different security levels. Initially, drafts included strict sovereignty requirements, including EU ownership and control at the highest level. However, this has been hotly debated and amended. The mere discussion of such requirements has likely nudged some companies to consider EU-owned providers to “future-proof” their compliance.

Lastly, some European firms are doubling down on on-premises or private clouds for specific data. While “cloud-first” remains the mantra for innovation, we now hear “cloud-smart” strategies, such as a Swedish manufacturing company deciding that its crown jewels (sensitive R&D data) will stay in a self-managed data centre or a Europe-only private cloud. At the same time, other workloads go to a public cloud.

This way, if legal conditions worsen, the most critical data is not at risk of foreign access. So, if the legal climate shifts, your most vital information stays out of reach. We sort and segment data based on its sensitivity—only personal customer details and trade secrets remain on EU soil under EU control.

In short, organisations and governments across Europe—especially in the UK and the Nordics—are taking both practical and policy steps to manage US cloud risks. Organisations are moving to European clouds, avoiding vendor lock-in and combining hybrid and multi-cloud environments as well as ensuring strong legal safeguards (e.g. SCC in place as a backup). Using US cloud services must be done carefully to stay compliant and keep things running smoothly, even in a worst-case scenario. ^[3][44]

Industry and Analyst Perspectives on Mitigation Strategies

The evolving situation has attracted significant attention from various pundits. Analyst firms such as Gartner, Forrester, and IDC have been tracking the rise of cloud sovereignty as a major trend in Europe.

According to Deloitte’s 2024 predictions, “the national focus on cloud sovereignty will intensify in all developed markets”, and specifically, government spending on sovereign cloud solutions was forecast to grow sharply (they
projected government-targeted cloud services to reach $41 billion in 2024, up 16%.

Market data support this: IDC predicts global spending on sovereign cloud services will soar to $258 billion by 2027 (from approximately $80 billion in 2022), indicating an explosive demand for solutions that maintain data under specific jurisdictional controls.

The European market primarily drives such growth. Forrester Research’s forecasts for 2025 explicitly state that Europe will “invest in Sovereign Cloud”, anticipating a boom in European cloud initiatives and a shift in enterprise behaviour (Forrester analysts noted that Europeans are feeling “grouchy” about the economic outlook and tech dependence, which translates into increased support for local cloud alternatives).

In practical terms, major consulting firms advise clients to adopt multi-cloud and hybrid cloud solutions for improved performance and cost efficiency, as well as risk mitigation in the event of sovereignty issues. A 2023 McKinsey report found that more than one in three European companies intended to have more than 50% of their workloads in the public cloud by 2025. Still, those plans were contingent upon resolving security and regulatory concerns.

In 2025, with concerns still present, the trend is toward balanced cloud strategies: companies want public cloud innovation without single-vendor lock-in or legal vulnerability. ^{[47][49][58][65][69]}

Vendor Lock-In and Portability

Analyst commentary frequently emphasises data portability as a crucial capability in this era. Suppose an organisation can easily move its data and applications from one cloud to another. In that case, it can swiftly respond to regulatory changes or vendor issues. Recognising this, the EU’s new Data Act (entered into force January 2024) contains provisions to “prevent vendor lock-in” in cloud services. It will require cloud providers in the EU to remove unjustified technical or contract barriers to switching and even mandates the phasing out switching fees by 2026–2027​ pinsentmasons.com​stephensonharwood.com.

Industry groups, such as CISPE (Cloud Infrastructure Providers in Europe), have proactively developed a “Cloud Switching Framework” with technical specifications to facilitate multi-cloud adoption and interoperability, aligning with the requirements of the Data Act.

AWS, interestingly, is a member of CISPE and has endorsed this framework, indicating that even the largest providers see the writing on the wall – customers will demand the freedom to move data.

Analysts view this as a positive development: easier switching reduces the risk that a customer is stuck with a provider that becomes legally problematic. Hybrid cloud solutions, such as VMware-based stacks that can run on-premises or across multiple clouds, are also touted as a way to maintain flexibility. Gartner has pointed out that having a cloud-agnostic architecture can allow an organisation to shift workloads in response to compliance needs. However, it may come at the cost of foregoing some proprietary services of each cloud. ^[40][61][64]

Consultant Guidance on Compliance

Consulting and legal advisory firms in Europe actively guide clients on compliance in the face of these uncertainties. Common recommendations include performing detailed Transfer Impact Assessments (TIAs) for any cloud service involving personal data – essentially analysing what laws apply (e.g., US CLOUD Act) and what measures are in place to mitigate them. They often advise adopting encryption and pseudonymization as key technical measures so that the data remains unintelligible even if it is transferred or accessed.

For example, Deloitte notes that some companies use end-to-end encryption, where only the customer holds the keys: “While service providers might hand over data to law enforcement, the data would be unintelligible without the decryption keys.”.

This aligns with European Data Protection Board guidance, which has recommended strong encryption as a supplementary safeguard when using cloud services under SCCs (post-Schrems II guidance). Another piece of advice is data localisation for specific categories of data – essentially, data sovereignty by design.

Gartner has described a data strategy that leverages global clouds for public, non-personal, or low-sensitivity data. However, regulated or high-risk data is kept on a sovereign cloud or private infrastructure. This way, businesses can still enjoy cloud scalability for less sensitive operations while ring-fencing what regulators care most about.

Balancing Innovation and Sovereignty: Analysts warn against completely decoupling from US tech, which could hamper innovation. The consensus view is that a balance must be struck.

A Forrester analysis in late 2024 suggested that organisations can achieve digital sovereignty targets by using foreign cloud vendors alongside native options, meaning companies might mix and match or use foreign providers on their terms, with contractual and technical controls.

They cite examples, such as European public sectors adopting Microsoft Azure via a locally operated cloud, as in Germany, as a pragmatic compromise. Major consulting firms, such as Accenture and Capgemini, have begun offering services to establish “trusted cloud” environments for clients – essentially layering additional encryption, key management, and audit controls on top of hyperscale platforms to meet EU compliance requirements. This indicates a market solution path: compliance wrappers over global clouds.

In the view of many industry observers, the genie is out of the bottle on cloud – companies won’t return to purely on-premises across the board – but the way forward in Europe is a more federated cloud ecosystem, and
compliance-centric.

Multi-cloud and edge computing can reduce reliance on any single foreign data centre. Data portability rights and standards, driven by the EU Data Act, will facilitate easier switching between providers if needed.

The likely future, according to analysts: Hybrid Sovereign Clouds – a mix where critical data and workloads run on sovereign-compliant infrastructure, and less critical ones leverage global clouds, all orchestrated together. This approach, combined with regulatory guardrails, should mitigate the most significant risks of lock-in and compliance violations. ^{[40][48][51][69]}

Economic and Market Forecasts

It’s worth noting the broader market context analysts provide. The European cloud market is still dominated, with an estimated 70% share, by Amazon, Microsoft, and Google.

European providers are growing, but from a small base. If policies like sovereignty requirements become stricter, this could reshape market shares, with regional players likely to gain a competitive advantage. Analysts from Synergy Research and IDC have noted that some large European enterprises now have the bargaining power to demand special terms from US providers. For example, large banks might require that their data never leave Europe and that providers notify them of any government access requests.

If such demands become standard, US providers must offer more customised “sovereign” services, potentially raising costs. Gartner’s recent IT spending forecast indicates that European IT spending on cloud services will continue to rise, with an estimated 8.7% growth in 2025. Still, the allocation of this money is shifting – more towards private or sovereign solutions, and perhaps slightly less towards generic public cloud solutions.

These insights suggest that European organisations actively manage cloud risk through strategy and technology, driven by analysts’ frameworks and predictions.

All the forward-looking advice emphasises the importance of staying strong, flexible, and compliant. For example, a 2025 Forrester report on cloud trends predicted that European firms would support sovereign cloud projects, preparing for stricter regulations and avoiding service disruptions.

The main takeaway is that the industry is aligning to support a multi-cloud, sovereignty-aware paradigm in Europe, where companies can continue innovating with cloud computing without being overly exposed to risks associated with foreign jurisdictions. ^[30][35][47]

Recommendations and Best Practices

Given the current landscape, European companies (and multinational companies operating in Europe) should adopt a multi-pronged approach to ensure compliance and reduce dependency risks associated with US cloud providers. Below are key recommendations combining legal, technical, and strategic measures:

Conduct Comprehensive Risk Assessments

Begin with a thorough data audit and risk assessment for cloud usage. Identify the types of data you are storing or processing in U.S.-based cloud services (including EU regions of U.S. providers) and categorise them by sensitivity (e.g., personal data, critical business data). For each category, perform a Transfer Impact Assessment evaluating the potential impact of US laws (like the CLOUD Act or FISA) on that data.

Assess whether the current transfer mechanism (DPF, SCCs, etc.) is sustainable or if there are gaps. This process will highlight the most risky data and guide mitigation priorities. As part of this, stay updated on legal developments – e.g., note that if the DPF is invalidated, any data transfers under it will immediately need another legal basis. Preparing documentation (TIAs, contractual clauses) in advance can save valuable time if a regulatory crisis hits. ^[62]

Strengthen Contractual and Policy Safeguards

Use contractual measures to your advantage. If you are using US cloud providers, insist on clauses that require data to be stored and processed in Europe, granting you the right to be notified of any third-country data access requests (to the extent permitted). Implement “springing” Standard Contractual Clauses in agreements – meaning the SCCs are pre-signed and will automatically govern transfers should the adequacy framework (DPF) be nullified.

Ensure your contracts allow you to suspend transfers or terminate the agreement if laws change or the provider is no longer able to meet EU requirements. Under DORA (for financial entities), you will be required to have exit strategies for critical ICT providers – start drafting those plans now, detailing how quickly and by what process you could switch providers or bring services in-house if needed. For intra-group data flows (e.g., between EU and US corporate affiliates), consider adopting Binding Corporate Rules (BCRs) if feasible, as they are tailor-made for multinational companies and carry some weight of commitment (though they, too, rely on the assumption of adequate protection).

Additionally, update internal policies to classify what data can be stored in which clouds (for example, a policy might specify that customer personal data from the EU can only be stored in EU-based data centres and not in any US region). These policies create organisational awareness and can be shown to regulators as evidence of compliance diligence.
^[33]

Implement Technical Safeguards (Encryption, Key Management)

As a critical layer of defence, employ strong encryption and access controls for any data stored in the cloud, especially if using a US provider. End-to-end or “zero knowledge” encryption ensures that the cloud provider does not possess the decryption keys. So even if they are compelled to hand over data, it remains gibberish. For instance, client-side encryption can be used for cloud storage (tools that encrypt data before sending it to the cloud) and to manage the keys on EU soil (or with a trusted EU third party).

One strategy is to use an external key management service or a hardware security module (HSM) based in Europe, separate from the cloud provider. Some providers now offer “Bring Your Own Key” or “Hold Your Own Key” options. Deloitte emphasises that if data is handed over under the CLOUD Act, encrypting it so that only your company (in the EU) has access to the key will mitigate GDPR exposure.

Additionally, techniques such as pseudonymization (replacing personal identifiers with codes) should be considered before sending data to the cloud. This means that data does not include any personal information unless combined with the information you store locally. In sensitive sectors, there are emerging technologies such as confidential computing, which keeps data encrypted even during processing. Some cloud providers offer this feature, which can help reduce the risk of data exposure. Essentially, the goal is to enforce sovereignty technologically: ensure that data in a U.S.-controlled cloud is unusable to anyone except you and authorised EU-based parties. ^[69]

Adopt a Multi-Cloud/Hybrid Cloud Architecture

Avoid over-reliance on any single external provider. Design your IT architecture to be cloud-agnostic and portable, allowing integration between various cloud platforms. This might involve containerisation (e.g., Kubernetes) or virtualisation that can be deployed across different clouds, making moving easier if needed. Multi-cloud doesn’t necessarily mean higher cost or complexity if managed effectively – many tools are available for multi-cloud management.

Distributing workloads allows you to localise critical data on a trusted (EU) platform and use other clouds for less sensitive tasks. For example, keep your primary customer database on a European or private cloud while using a US cloud to serve global web content or run large-scale compute jobs on anonymised data. Ensure robust data backup and replication strategies by maintaining cloud data backups in an alternative location, preferably under EU control.

This protects against outages and gives you the leverage to migrate quickly if legal issues necessitate a change. Embrace the hybrid cloud by integrating on-premises systems with the cloud. Some enterprises bring specific workloads back on-prem (repatriation) to regain control. If you can’t go fully multi-cloud due to application constraints, negotiate flexibility provisions with your provider and start pilot projects with alternative providers to build familiarity. The
new EU Data Act will make switching easier by forbidding egregious penalties for porting data; take advantage of this by planning a cloud exit strategy for each major cloud service. Regularly test your ability to export and import data elsewhere, such as in disaster recovery drills or a “cloud switch drill”.
^[61]

Monitor Legal Developments and Engage in Advocacy

Given the fluid situation, companies should stay closely informed on relevant legal and political developments. Assigning internal or external legal counsel to track this (e.g., follow updates from the European Commission, EDPB guidance, court cases, and U.S. legal changes, such as a possible renewal or amendment of FISA 702) is essential. Be prepared to adapt compliance measures when the CJEU issues a ruling or if the US enacts a new privacy law.

If the DPF gets thrown out, regulators might give you extra time or explicit instructions to help you adjust. Keep an eye on updates from the European Data Protection Board and your national data protection authority so you can respond quickly. At the same time, many European businesses—through their trade groups—are calling for reliable data-transfer rules. By participating in public consultations or submitting your own feedback, you can help shape practical solutions.

For example, the Cloud Code of Conduct by CISPE or other co-regulatory efforts often welcomes corporate input. Suppose the US and EU consider a CLOUD Act executive agreement or improved redress. In that case, companies can support advocacy that pushes for stronger protections, which will eventually ease the regulatory burden.

Until then, keep legal documentation handy – updated privacy notices, informed consent where applicable (though consent is hard to use for large-scale transfers, in some niche cases, it might apply), and clear records of where
data goes. Being transparent with business partners and customers about your cloud sovereignty posture can also build trust. For instance, some firms now include in their privacy communications that “we store EU personal data in Europe with XYZ provider and have measures against foreign access.” This kind of openness will be expected by European clients moving forward.

Leverage European Initiatives and Trusted Services

Consider using or switching to EU-based cloud providers or “sovereign cloud” offerings for at least part of your cloud needs, especially for highly regulated data. The European cloud market has matured – providers such as OVHcloud, Hetzner, Scaleway, UpCloud, and City Network offer competitive services and often explicitly guarantee that all data remains in Europe, in compliance with EU law.

Many are also part of GAIA-X, meaning they adhere to standards of interoperability and transparency. If absolute data sovereignty is required (e.g., defence or government data), consider specialised solutions such as on-premises cloud appliances from prominent vendors (some providers can deliver a scaled-down cloud stack that runs in your data centre under your complete control) or community clouds operated by consortia of European firms.

Additionally, take advantage of EU governance frameworks: participating in GAIA-X could future-proof your architecture by ensuring easy portability within a network of providers. Once operational, the EU Cloud Security Certification (EUCS) will allow you to choose certified “High assurance” cloud services. Consider requiring that, in procurement for critical systems, they be made available as soon as they become available.

Furthermore, sector-specific communities (like the European Banking Cloud Forum, if one exists, or healthcare data hubs) can share sovereign cloud resources or best practices. Some companies are also exploring decentralised cloud solutions (for example, Cubbit, mentioned in some reports, offers decentralised storage that splits data across nodes, adding resilience and sovereignty by design). While such technologies are still in their infancy, they demonstrate innovative approaches to ensure that no single foreign entity holds all your data. ^[3]

Ensure Compliance with EU Regulations (GDPR, NIS2, DORA)

Align your cloud risk strategy with broader compliance obligations. Under GDPR, maintain robust records of processing that include the location where data is stored and transferred. Be ready to demonstrate to a DPA that you have evaluated the risks of using a US provider and implemented safeguards (these tie back to TIAs).

For NIS2, which many medium/large companies and providers fall under, ensure your cybersecurity measures cover cloud environments – conduct audits of your cloud configurations to verify they meet NIS2’s security requirements. Have an incident response plan for those accounts that addresses cloud-specific breaches, and be aware of incident notification timelines.

For financial entities under DORA, start engaging with your critical cloud service providers to ensure they comply with the forthcoming oversight. DORA will empower regulators to audit critical ICT providers, likely including major cloud providers that service financial organisations.

Diversification of providers is implicitly encouraged by DORA to avoid single points of failure; regulators will expect to see that you can switch or have backups if one provider fails. By meeting these EU regs in letter and spirit, you inherently mitigate some US cloud risks – for example, NIS2’s focus on supply chain security means you will scrutinise the cloud provider’s subcontractors and policies, possibly opting for those with stronger data localisation.

Plan for the worst case (Continuity Planning)

Develop a contingency plan for a scenario where transatlantic data transfers become untenable (e.g., DPF is struck down, and SCCs face heavy doubt or regulatory suspension). This plan should outline how your business would continue operating. Identify which processes would be impacted (for instance, if you use a U.S.-based CRM for all customer data, how quickly could you pivot to an EU-based instance or an on-premise solution?).

You may want to consider maintaining a backup system hosted in Europe that can take over at a moment’s notice. Another concern is that the US administration may initiate retaliatory acts or change rules without notice – if transatlantic data flows grind to a halt, the American-hosted services you rely on could be disrupted too, so make sure you have contingency plans in place.

Ensure that key personnel, including those from the legal, IT, and operations teams, are aware of this plan. Essentially, treat this scenario like a disaster recovery situation, as losing the ability to transfer data is equivalent to a system outage for data-driven businesses. Some companies may even simulate “Schrems III fallout” as an internal exercise to test readiness.

Engage Cloud Providers on the Issue

Don’t overlook the fact that, as the customer, you have influence. Communicate your requirements and concerns to your cloud providers. The more customers demand sovereignty features, the more providers will develop them. If you are a significant client, ask your US cloud provider for assurances or solutions – for example, can they commit contractually to challenge any government request for your data and, if legally possible, redirect it to you? Some providers might be willing to specify in the contract that they will use the CLOUD Act’s provisions to fight on your behalf (if the criteria are met).

While they can’t guarantee the outcome, it adds a layer of commitment. Also, inquire about their roadmap for EU sovereign offerings (many have announced plans, but check timelines and scope). Participate in user groups or advisory boards that these big providers have for European customers; those forums are an opportunity to keep pressure on for privacy-respectful features. In parallel, follow the initiatives of cloud provider alliances (such as CISPE) – support their codes of conduct, which often include adherence to EU laws and transparency obligations.

Holistic Strategy

The best practice is a holistic strategy: combining legal protections (contracts and compliance), technical measures (encryption and multi-cloud setups), and wise choices (utilising EU providers and maintaining flexibility). This is “digital sovereignty by design” – building control into every stage of your cloud journey. That way, you stay fully in charge of your data, regardless of which vendor or location you use. By doing this, European firms can continue to use cloud services while reducing both legal and practical risks associated with US providers.

Staying compliant isn’t a one-off task but an ongoing exercise. Set up a team or task force to review your cloud usage in light of changing laws and adjust your approach as new guidance is issued (for example, if the European Data Protection Board provides updated advice following the GDPR). With regular oversight, you can turn cloud sovereignty into an advantage—showing customers and regulators—that data stays safe, lawful and firmly under your control whatever happens. ^[13]

Conclusion

The landscape of transatlantic data transfers and cloud computing is becoming increasingly complex. With the EU-U.S. Data Privacy Framework under scrutiny and U.S. surveillance laws remaining essentially unchanged, the legal foundations for using U.S. cloud services are unstable. Political events, such as the dismissal of members of the PCLOB, have further eroded trust in US commitments to privacy.
European companies

European companies—particularly those operating in sensitive or highly regulated sectors—must proactively ensure legal compliance, maintain operational continuity, and preserve customer trust. The rise of European cloud providers, combined with regulatory support for data portability and sovereignty, offers a viable path forward.

Businesses can mitigate risks without compromising innovation by adopting hybrid or multi-cloud strategies, implementing robust technical safeguards such as encryption, and aligning with emerging European standards. The strategic shift toward digital autonomy in Europe is a legal necessity and a competitive opportunity for companies that embrace it early.

The Transatlantic Cloud Risk History

Below is a summary table highlighting key developments, example responses, and the associated legal risks for European companies relying on US cloud providers:

Sources

1. 1. AWS European Sovereign Cloud. https://aws.amazon.com/blogs/security/announcing-the-aws-european-sovereign-cloud/. Verified 27 April 2025. ↩
   2. Mellor, Chris, Blocks and File, (2025, Mar 27), Data sovereignty in focus as Europe scrutinizes US cloud influence,
      https://blocksandfiles.com/2025/03/27/eu-data-sovereignty-and-trumps-usa. Verified 27 April 2025. ↩
   3. Scaleway GAIA‑X Exit Press Release. https://blog.scaleway.com/en/scaleway-exits-gaia-x/. Verified 27 April 2025. ↩
   4. Centre for Democracy & Technology – PCLOB and Data Privacy. https://cdt.org/insights/the-role-of-pclob-in-data-protection-frameworks/. Verified 27 April 2025. ↩
   5. https://cdt.org/insights/what-the-pclob-firings-mean-for-the-eu-us-data-privacy-framework/. Verified 27 April 2025. ↩
   6. CISPE – Cloud Switching and Portability Guidelines. https://cispe.cloud/switching-and-porting/. Verified 27 April 2025. ↩
   7. Cleura, (2024, Mar 27), How vendor Lock-In Bleeds Public Resources, Sparking Danish Investigation into Promoting Open Source Alternatives. https://cleura.com/cloudguide/perspectives/how-vendor-lock-in-bleeds-public-resources-sparking-danish-investigation-into-promoting-open-source-alternatives/. Verified 27 April 2025. ↩
   8. Google Cloud and T‑Systems German Sovereign Cloud. https://cloud.google.com/blog/products/identity-security/sovereign-cloud-germany-t-systems. Verified 27 April 2025. ↩
   9. EC Adequacy decision for the EU‑US Data Privacy Framework (10 Jul 2023). https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en. Verified 27 April 2025. ↩
   10. New Standard Contractual Clauses Q&A overview. https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en. Verified 27 April 2025. ↩
   11. Romain Deslorieux, Thales, (2025, Jan 11), Navigating the EU-US Data Protection Framework. https://cpl.thalesgroup.com/blog/encryption/navigating-eu-us-data-protection-understanding-dpf-limitations. Verified 27 April 2025. ↩
   12. Thales Cloud Security Report 2024. https://cpl.thalesgroup.com/euro-cloud-security-research Verified 27 April 2025. ↩
   13. Cubbit – Decentralised Cloud Storage in Europe. https://cubbit.io/. Verified 27 April 2025. ↩
   14. Court of Justice of the European Union press release (Safe Harbour invalid, 6 Oct 2015): https://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf. https://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/%20cp150117en.pdf. Verified 27 April 2025. ↩
   15. Court of Justice of the European Union (Schrems II Ruling). https://curia.europa.eu/juris/liste.jsf?language=en&num=C-311/18. Verified 27 April 2025. ↩
   16. Dataethics, (2025, April 23) https://dataethics.eu/largest-danish-municipality-choses-french-cloud-provider-over-microsoft-azure/. Verified 27 April 2025. ↩
   17. Kuzmenko, O. (2025, March 25). “The US may not be on the same team with us anymore.” Europe considers ditching American cloud services, including those of Google, Microsoft, and Amazon, amid the Trump administration’s actions. dev.ua. https://dev.ua/en/news/v-ievropi-podumuiut-vidmovytysia-vid-amerykanskoi-khmary-1742907334/. Verified 27 April 2025. ↩
   18. European Commission – NIS2 Directive. https://digital-strategy.ec.europa.eu/en/policies/nis2-directive. Verified 27 April 2025. ↩
   19. European Commission – EU‑US Privacy Shield press release (2 Feb 2016). https://ec.europa.eu/commission/presscorner/detail/en/IP_16_216. Verified 27 April 2025. ↩
   20. European Commission – The EU Data Act. https://ec.europa.eu/commission/presscorner/detail/en/ip_23_1234. Verified 27 April 2025. ↩
   21. European Commission – EU‑U.S. Data Privacy Framework. https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721. Verified 27 April 2025. ↩
   22. European Commission – Questions & Answers: EU-US Data Privacy Framework. https://ec.europa.eu/commission/presscorner/detail/en/qanda_23_3752. Verified 27 April 2025. ↩
   23. European Data Protection Board – Guidance on Data Transfers. https://edpb.europa.eu/our-work-tools/our-documents/publication-type/guidelines_en. Verified 27 April 2025. ↩
   24. Dutch National Cyber Security Centre – CLOUD Act Guidance. https://english.ncsc.nl/publications/publications/2022/february/15/the-impact-of-the-cloud-act-on-cloud-services. Verified 27 April 2025. ↩
   25. European Commission – General Data Protection Regulation (GDPR). https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng. Verified 27 April 2025. ↩
   26. EU Directive 95/46/EC (GDPR). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504. Verified 27 April 2025. ↩
   27. European Commission – Digital Operational Resilience Act (DORA). https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/digital-finance/digital-operational-resilience_en. Verified 27 April 2025. ↩
   28. Raziye Akkoc and AFP, Fortune, (April 16, 2025) European Union gets serious as bloc seeks independence from U.S. tech such as Uber, Apple and Mastercard, https://fortune.com/europe/2025/04/16/europe-independence-us-tech-trump-meta-apple-uber-mastercard/. Verified 27 April 2025. ↩
   29. GAIA‑X Initiative. https://gaia-x.eu/. Verified 27 April 2025. ↩
   30. Ernst‑Oliver Wilhelm, A brief history of Safe Harbor (2000–2016), IAPP. https://iapp.org/media/pdf/resource_center/brief_history_of_safe_harbor_2000_to_2016.pdf. Verified 27 April 2025. ↩
   31. https://iapp.org/news/a/how-could-trump-administration-actions-affect-the-eu-u-s-data-privacy-framework-. Verified 27 April 2025. ↩
   32. IAPP – Guidance on Transfer Impact Assessments. https://iapp.org/news/a/how-to-complete-a-transfer-impact-assessment/. Verified 27 April 2025. ↩
   33. https://iconnect007.com/article/142936/gartner-forecasts-it-spending-in-europe-to-grow-87-in-2025/142933/. Verified 27 April 2025. ↩
   34. NOYB – Legal Action Against EU‑U.S. Data Privacy Framework. https://noyb.eu/en/privacy-shield-30-legal-action. Verified 27 April 2025. ↩
   35. https://policyreview.info/articles/analysis/mitigating-risk-us-surveillance-public-sector-services-cloud. Verified 27 April 2025. ↩
   36. https://techcrunch.com/2020/10/12/frances-health-data-hub-to-move-to-european-cloud-infrastructure-to-avoid-eu-us-data-transfers/. Verified 27 April 2025. ↩
   37. Capgemini – Cloud Transformation in the Financial Sector. https://www.capgemini.com/research/cloud-in-banking/. Verified 27 April 2025. ↩
   38. https://www.ciodive.com/news/cloud-switching-europe-tech-aliance-eu-data-act-compliance/732578/. Verified 27 April 2025. ↩
   39. US Congress – Clarifying Lawful Overseas Use of Data Act (CLOUD Act). https://www.congress.gov/bill/115th-congress/house-bill/4943. Verified 27 April 2025. ↩
   40. Irish Data Protection Commission – Meta Fined for data transfers. https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-conclusion-inquiry-meta-ireland. Verified 27 April 2025. ↩
   41. https://www.digital-operational-resilience-act.com/. Verified 27 April 2025. ↩
   42. https://www.digitalsme.eu/changes-to-the-eu-cloud-services-cybersecurity-certification-scheme-put-eu-citizens-data-at-risk-a-call-for-digital-sovereignty/. Verified 27 April 2025. ↩
   43. European Parliament – Resolution on the adequacy of the EU‑U.S. DPF. https://www.europarl.europa.eu/doceo/document/TA-9-2023-0217_EN.html. Verified 27 April 2025. ↩
   44. Hendrik Mildebrath, The CJEU judgment in Schrems II, EPRS (Sep 2020). https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf. Verified 27 April 2025. ↩
   45. https://www.forrester.com/blogs/category/europe/page/9/. Verified 27 April 2025. ↩
   46. https://www.forrester.com/blogs/google-next-2025-agentic-ai-stack-multimodality-and-sovereignty/. Verified 27 April 2025. ↩
   47. https://www.forrester.com/predictions/. Verified 27 April 2025. ↩
   48. Forrester – Cloud Predictions 2025. https://www.forrester.com/webinar/predictions-2025-cloud-computing/WEB40495. Verified 27 April 2025. ↩
   49. https://www.gartner.com/en/data-analytics/topics/data-ecosystem. Verified 27 April 2025. ↩
   50. https://www.hava.io/blog/2024-cloud-market-share-analysis-decoding-industry-leaders-and-trends. Verified 27 April 2025. ↩
   51. https://www.investmentmonitor.ai/features/big-techs-future-in-europe-at-risk-from-trump-tariffs-and-data-concerns/. Verified 27 April 2025. ↩
   52. Investment Monitor – Cloud Migration in Europe. https://www.investmentmonitor.ai/features/europe-cloud-sovereignty-trend/. Verified 27 April 2025. ↩
   53. https://www.isaca.org/resources/news-and-trends/industry-news/2024/cloud-data-sovereignty-governance-and-risk-implications-of-cross-border-cloud-storage. Verified 27 April 2025. ↩
   54. Lawfare – The CLOUD Act and Its Implications. https://www.lawfareblog.com/cloud-act-and-its-reach. Verified 27 April 2025. ↩
   55. https://www.lawfaremedia.org/article/trump-s-sacking-of-pclob-members-threatens-data-privacy. Verified 27 April 2025. ↩
   56. https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/the-state-of-cloud-computing-in-europe-increasing-adoption-low-returns-huge-potential. Verified 27 April 2025. ↩
   57. Microsoft EU Data Boundary. https://www.microsoft.com/en-us/trust-center/privacy/data-boundary. Verified 27 April 2025. ↩
   58. Oracle EU Sovereign Cloud Regions. https://www.oracle.com/news/announcement/oracle-expands-eu-sovereign-cloud-regions-2023-07-13/. Verified 27 April 2025. ↩
   59. https://www.pinsentmasons.com/out-law/guides/switching-porting-rules-eu-data-act. Verified 27 April 2025. ↩
   60. https://www.pinsentmasons.com/out-law/news/dutch-memo-us-cloud-act-europe. Verified 27 April 2025. ↩
   61. https://www.revolgy.com/insights/blog/the-top-10-public-cloud-providers-2023. Verified 27 April 2025. ↩
   62. https://www.stephensonharwood.com/insights/the-eu-data-act-switching-interoperability-and-prevention-of-unauthorised-access-to-non-personal-data. Verified 27 April 2025. ↩
   63. https://www.techtarget.com/searchcloudcomputing/tip/The-pros-and-cons-of-sovereign-clouds. Verified 27 April 2025. ↩
   64. https://www.theguardian.com/technology/2023/may/22/facebook-fined-mishandling-user-information-ireland-eu-meta. Verified 27 April 2025. ↩
   65. Wired (2025) – European Companies Move Away from US Clouds. https://www.wired.com/story/europe-digital-sovereignty-2025. Verified 27 April 2025. ↩
   66. Deloitte – 2024 Tech Trends. https://www2.deloitte.com/global/en/pages/technology/articles/tech-trends.html. Verified 27 April 2025. ↩
   67. https://www2.deloitte.com/us/en/insights/industry/technology/technology-media-and-telecom-predictions/2024/tmt-predictions-focus-intensifying-on-sovereign-cloud-in-2024.html. Verified 27 April 2025. ↩