Why the "AWS European Sovereign Cloud" is also bound to fall short of the promise of genuine European data sovereignty.
The trend is intact: AWS also announced the launch of the "AWS European Sovereign Cloud" in Germany today - including a separate infrastructure and its own governance in the EU. The offering will be physically and legally separate from the rest of the AWS cloud, operated and monitored by a German company whose management bodies are made up of EU citizens. According to Handelsblatt, this involves an investment of 7.8 billion euros by 2040, with plans to gradually expand the offering to Belgium, the Netherlands and Portugal.
This is a big announcement with a corresponding response in the press. What it is not - once again - is an answer to the actual problem that really concerns authorities, KRITIS and regulated industries in these turbulent times: How much control does Europe have over data and operations if the provider ends up being embedded in US structures again? Because "sovereign" does not mean "data is located in Germany". "Sovereign" means: even under pressure, control remains here.
And pressure is the preferred tool of the current US government. If it is not even afraid to threaten the territorial integrity of allies militarily - how credible can the promise of US providers to respect European data sovereignty be? The thumbscrews for tapping into European data via US IT providers have been openly on the table for a long time.
Synergy Research puts the global market shares in the cloud infrastructure business in Q3 2025 as follows: AWS 29%, Microsoft 20% and Google 13%. This dominance is not just a number - it quantifies a very concrete, daily European dependency: in tools, ecosystems, standards, infrastructure and integrations.
Bitkom reported at the beginning of 2026 that two thirds of German companies transfer personal data to countries outside the EU, including for cloud, communication and support. Heise picks up on the same Bitkom figures and puts the proportion of German companies that transfer data to non-EU countries at 63%. The tension is clear: the use of US hyperscalers is a daily reality - data sovereignty remains a pipe dream at best. For public authorities and KRITIS in particular, it is often more than just a wish: today more than ever, it is a question of compliance.
According to Reuters, the ESC would continue to run even if the EU were "disconnected from the internet" or the USA were to ban software exports. AWS itself has been emphasizing a model with operational control by EU citizens, independent governance and isolated infrastructure since 2023/2025.
This addresses two classic concerns: operational access (who is allowed to administer what?) and shutdown/export control risks (what happens in the event of political escalation/shutdown?). The assurances are therefore to be welcomed, but once again they do not automatically solve the most difficult part.
The CLOUD Act obliges providers subject to US law to hand over data that is in their "possession, custody, or control" - regardless of where the data is physically located. This is clearly described in a CRS summary from the US Congress and openly explained by the US Department of Justice in its own materials.
The conflict is obvious. In the EU, the view is exactly the opposite: Article 48 GDPR makes it clear that orders from third country authorities to disclose personal data may not simply be "passed on", but only on the basis of international agreements (such as mutual legal assistance agreements). The European Data Protection Board published clear guidelines on this in June 2025.
In short: US access obligations and EU data protection logic are structurally contradictory - and there is currently little indication that the US side would respect other views. This conflict is precisely the reason why "sovereignty" in highly regulated environments is not a question of image, but a question of compliance and risk management. In the current situation, "business as usual" is grossly negligent.
In December 2025, a report commissioned by the German Federal Ministry of the Interior and published via FragDenStaat analyzed the scope of US access rights to cloud data. Heise and Golem report that the report also addresses the problem of access options for data stored in the EU and does not see the storage location alone as a protective shield. This is relevant for authorities and regulated companies because it takes the discussion to a new level: from a "bad gut feeling" to a clear business risk that can no longer be ignored.
The International Criminal Court announced that it would replace Microsoft with the German solution openDesk (ZenDiS) - out of concern about US sanctions and dependencies. Zeit and Handelsblatt reported on this. The data protection foundation subsequently reported that the chief prosecutor temporarily lost access to Microsoft emails. That was no coincidence. It was a lesson - and a clear warning shot: Dependency can suddenly lead to an inability to act faster than expected - deliberately triggered by politicians.
A simple, blanket answer to this tricky question would be dubious - because it ultimately comes down to specific types of data, protection requirements, contract models and technical controls. But for many highly regulated environments, the fact is that if data and processes are so sensitive that unnoticed third-party access or politically motivated blocking cannot be accepted, it is currently very difficult to justify a US-based provider chain.
The EDPB guidelines on Art. 48 GDPR further tighten the framework of expectations: third-country requests are not a "routine process", but a special case that must be properly examined from a legal perspective. This is precisely where the CLOUD Act can become a competitive disadvantage for US providers: Because the associated legal attack surface actually makes it impossible for authorities and companies with sensitive data in Europe to use US IT providers at all.
The ESC can really help if the main concerns for your company are EU operation/support only by EU personnel, separate infrastructure, resilience against shutdown/export controls and the ability to provide evidence to customers/auditors. However, whether the ESC completely eliminates the CLOUD Act risk is a question that, in case of doubt, will only be finally answered when the first real case of conflict arises. AWS emphasizes the legal and technical separation. From a risk perspective, however, there is still a catalog of checkpoints that no company can simply ignore: Ownership, control, key sovereignty, incident and legal processes.
Start with protection requirements instead of gut feeling: Which workloads are critical (operations, legal risk, people, state)? Which data would be a disaster if a third country gained access or an account was blocked?
Clarify key sovereignty - not just "encryption": "Encrypted" is not enough if the US provider controls the keys or decryption paths. The decisive factor is whether the provider could technically access the content - and whether it could even be forced to do so by lawsuits or US laws.
Rely on concrete evidence instead of grandiose promises: For cloud providers in Germany, the BSI Criteria Catalog C5 is an established reference framework for minimum requirements for secure cloud computing.
And make exit planning mandatory: portability (data, logs, identity, APIs), time frames and costs, migration paths and alternative operations.
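The key-sovereignty checkpoint above is easiest to see in code. The following Go program is an added example, not code from the original article, from AWS or from SecureCloud. It models envelope encryption with the Go standard library (AES-GCM): each object is encrypted under its own data-encryption key (DEK), and the DEK is wrapped under a key-encryption key (KEK). The `Provider` type and its `CompelledDisclosure` method are constructed for illustration only; the two scenarios differ solely in whether the provider holds the KEK (provider-managed keys) or only the wrapped DEK (KEK kept in a customer-controlled external key store). In real deployments the KEK would live in an HSM or an external KMS outside the provider's control; here it is just a byte slice the provider struct is never given.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is all the provider ever holds: ciphertext plus the wrapped
// data-encryption key. Neither can be opened without the KEK.
type StoredObject struct {
	Ciphertext []byte
	WrappedDEK []byte
}

// sealAESGCM encrypts plaintext under key with a fresh random nonce and
// returns nonce||ciphertext||tag.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM and fails on any tampering or wrong key.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Encrypt is envelope encryption: a random per-object DEK protects the data,
// the KEK protects the DEK. Whoever holds the KEK controls the plaintext.
func Encrypt(kek, plaintext []byte) (StoredObject, error) {
	dek := make([]byte, 32) // AES-256 data-encryption key
	if _, err := rand.Read(dek); err != nil {
		return StoredObject{}, err
	}
	ct, err := sealAESGCM(dek, plaintext)
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := sealAESGCM(kek, dek)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the object.
func Decrypt(kek []byte, obj StoredObject) ([]byte, error) {
	dek, err := openAESGCM(kek, obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return openAESGCM(dek, obj.Ciphertext)
}

// Provider is a constructed model of the cloud side. ProviderKEK is nil when
// the customer keeps the KEK in an external key store the provider cannot
// reach; it is set when the provider manages the key itself.
type Provider struct {
	Objects     map[string]StoredObject
	ProviderKEK []byte
}

// CompelledDisclosure models what the provider can technically hand over on
// order: plaintext if it holds the KEK, otherwise an error, because it only
// has opaque ciphertext and a wrapped DEK it cannot unwrap.
func (p *Provider) CompelledDisclosure(name string) ([]byte, error) {
	obj, ok := p.Objects[name]
	if !ok {
		return nil, errors.New("no such object")
	}
	if p.ProviderKEK == nil {
		return nil, errors.New("provider holds only ciphertext: KEK is customer-held")
	}
	return Decrypt(p.ProviderKEK, obj)
}

func main() {
	kek := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte KEK
	obj, _ := Encrypt(kek, []byte("constructed sample: citizen record"))
	external := &Provider{Objects: map[string]StoredObject{"rec": obj}}
	_, err := external.CompelledDisclosure("rec")
	fmt.Println("customer-held KEK:", err)
	managed := &Provider{Objects: map[string]StoredObject{"rec": obj}, ProviderKEK: kek}
	pt, _ := managed.CompelledDisclosure("rec")
	fmt.Println("provider-managed KEK:", string(pt))
}
```

The point of the two scenarios is the one the checkpoint makes: "encrypted at rest" with provider-managed keys changes nothing about who can be compelled to produce plaintext, while an external KEK reduces what the provider can hand over to ciphertext. The same design also raises the question the exit checkpoint asks: if the external key store is unavailable, the customer must be able to reach its own KEK to decrypt its own data.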
For file/content processes (exchange, collaboration, sensitive documents), sovereign content platforms and managed file transfer solutions from Germany can be considered, where operation, support and jurisdiction are located here. SecureCloud advises you on the effects of the US CLOUD Act and the fundamental conflict with the GDPR.
For office/collaboration in administration, openDesk is an example: it is managed by the Center for Digital Sovereignty in Public Administration (ZenDiS), which was founded in 2022 according to the federal government.
For platform/compute workloads, there are European cloud and hosting providers as well as hybrid models (EU provider, private cloud, on-prem). It is crucial that they match your protection requirements and that the exit capability remains realistic.
The AWS European Sovereign Cloud is a pioneering step for the industry - and will find imitators in the market. It may well be an option for many organizations. But for public authorities, KRITIS and strictly regulated industries, a different, stricter test standard applies: in these cases, truly reliable does not mean "has 'sovereign' on the label", but "remains sovereign - even in an emergency".
And emergencies have become the new reality. This is the difference between cloud strategy and cloud risk management.
Form your own opinion! We will advise you on the topic and work with you to derive a reliable decision matrix for your data security, based on
Protection requirements → Provider class → Control → Evidence → Exit