The EU Commission is working on the Digital Networks Act. Member states have earmarked €288 billion for digital infrastructure. Merz and Macron are calling for European datacenters. Germany's Digital Ministry is testing openDesk as a Microsoft alternative.
The direction is clear: Europe wants to become less dependent on US tech. The question is: what does that actually mean?
The Starting Point
European companies spent approximately $25 billion on cloud services from the five largest US providers in 2024. That's 83% of the European market.
Microsoft, Amazon, and Google control the infrastructure that runs much of the European economy. Email, document management, CRM, ERP, backup, hosting – often all with the same provider.
The political debate centers on one question: what happens if the US government cuts off access? Or requests data?
What the EU Is Planning
The Digital Networks Act is expected to come into force in 2027, replacing the European Electronic Communications Code. The goal: a unified framework for investment in digital infrastructure, cybersecurity, and network development.
The numbers from member state roadmaps:
- €288.6 billion in planned digital investment
- 71% from public funds
- €8.5 billion in EU funding (Digital Europe Programme + Connecting Europe Facility)
For comparison: US private sector invests over $200 billion annually in digital infrastructure.
The Problem with "Sovereign Cloud"
Microsoft, AWS, and Google have responded. They now offer "Sovereign Cloud" products in Europe: Delos Cloud, Azure under T-Systems control, Google Distributed Cloud. Data stays in the EU, European staff, local encryption.
In June 2025, Anton Carniaux, Legal Counsel at Microsoft France, sat before the French Senate. The question was direct: can you guarantee that data of French citizens will never be handed over to US authorities without approval from French authorities?
His answer under oath: "Non, je ne peux pas le garantir."
Microsoft had previously guaranteed contractually that data of European customers would not leave the EU. But: if a US request is legally valid, they still have to comply.
Three US Laws That Affect European Data
CLOUD Act (2018)
The Clarifying Lawful Overseas Use of Data Act requires US companies to hand over data on request – regardless of where the servers are located.
The law states:
"A [service provider] shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication [...] regardless of whether such communication, record, or other information is located within or outside of the United States."
The law emerged from the Microsoft Ireland case: Microsoft refused to hand over emails stored in Dublin to the FBI. The case went to the Supreme Court. Then Congress passed the CLOUD Act.
FISA Section 702
Allows US intelligence agencies to collect communication data from non-US persons without a warrant. In 2024, the scope was expanded:
"The reauthorization expanded the scope of FISA 702 so that — with limited exceptions — any company under U.S. jurisdiction that offers a service of any kind and has access to equipment on which communications are stored or transit can be compelled to comply with FISA 702 directives."
The ECJ invalidated the EU-US Privacy Shield in 2020 because of FISA 702 (Schrems II).
Executive Order 12333
Enables mass surveillance without territorial limitation and without judicial oversight – including data traffic on transatlantic undersea cables.
Overview: US Laws and Their Reach
| Law | Scope | Judicial Oversight |
|---|---|---|
| CLOUD Act | All US companies, worldwide | Yes (US court) |
| FISA 702 | US companies with communications infrastructure | No |
| EO 12333 | No territorial limitation | No |
What "Sovereignty" Technically Means
Server location alone isn't enough. What matters:
- Contract partner: German company or US subsidiary? A GmbH with a US parent company is subject to the CLOUD Act.
- Legal jurisdiction: Which law applies in case of disputes?
- Ownership structure: Who controls the company? Investors, management, parent company?
- Technical control: Where do management systems run? Who has access to encryption keys?
When Does This Matter?
AWS reports that no enterprise data has been disclosed due to CLOUD Act requests so far. For most companies, the risk is theoretical.
But "theoretical" isn't enough for everyone:
- Regulated industries: Banks, insurance companies, healthcare organizations must demonstrate control over their data.
- Government entities: Police, municipalities, state agencies often have data sovereignty requirements.
- Companies with US competitors: Different risk profile than a local bakery.
- Lawyers and accountants: Professional secrecy doesn't mix well with disclosure obligations.
What We Don't Promise
Complete technological independence doesn't exist. Our servers run on Intel or AMD processors. Firmware from Dell or Supermicro. GPUs from Nvidia.
What we offer: a German GmbH as your contract partner. German law. No US parent company. Our own infrastructure in German and European datacenters (AS215197).
For companies that actually value data sovereignty, that's a difference.
Sources
- heise.de: Not sovereign – Microsoft cannot guarantee the security of EU data
- heise.de: How sovereign are US clouds for Europe really
- heise.de: EU Parliament calls for detachment from US tech giants
- ZeroHedge: EU's Digital Networks Act – €288.6bn investment plans
- Stanford Law Review: Microsoft Ireland, the CLOUD Act
- Center for Democracy and Technology: FISA 702 Expansion
- Brennan Center for Justice: Overseas Surveillance
- noyb: Schrems II FAQs