SecureCloud Blog

EU resolution promotes digital sovereignty

Written by Sebastian Deck | Jan 29, 2026 3:44:23 PM

The EU Parliament is putting pressure on Europe to move away faster from US clouds and big tech dependencies in critical areas and to build its own infrastructure for cloud and AI. Background: legal conflicts due to the US CLOUD Act, service blocks in political conflicts and a massive outflow of money from the EU into US digital services.

The EU Parliament has passed a resolution on "European technological sovereignty and digital infrastructure" by a large majority - and has thus taken the clearest political step to date to reduce Europe's dependence on US technologies in critical areas. The core: Europe should massively expand its own cloud and AI capacities, make open standards and interoperability mandatory and strengthen open source. The whole thing is being promoted and accelerated via the "EU cloud and AI development act".

The facts: How dependent Europe really is


The document confirms a figure that no managing director of a public authority, KRITIS, clinic or law firm can ignore: The EU, it literally states, "relies on non-EU countries for over 80% of digital products, services, infrastructure and intellectual property" - in other words, for a large part of what supports day-to-day IT operations.

But it is not just about technology, it is also about value creation: the Council of the EU puts the EU's services balance deficit with the US at around 148 billion euros for 2024 - in other words, real value creation that flows out of the EU year after year.

Two risks that need to be separated

In practice, there are two different risks that the EU wants to counter with different countermeasures:

- Data access / legal conflict (CLOUD Act) and
- Service blocking / political blackmailability

1. CLOUD Act: why "data center in the EU" is not "sovereign" enough

In 2018, the US CLOUD Act made it clear that US providers must hand over data over which they have "possession, custody, or control" - regardless of where this data is stored. This means that the "EU" region alone is no longer a protective shield if jurisdiction and control over the data lie outside Europe.

From a European perspective, this is a classic clash of jurisdictions: the EDPB and EDPS documented the extraterritorial scope and potential conflicts with EU data protection law in a joint assessment in 2019.

In addition, Article 48 GDPR was explicitly created to legally prevent or severely limit the transfer of data to third countries. The EDPB specified this once again in 2025.

2. Lockdown: when politics paralyses operations

The second risk can - and already does - have a direct impact on day-to-day work: in May 2025, the Associated Press reported that US sanctions were massively hampering the work of the International Criminal Court - including disabling email access; the report cited Microsoft as a lever of this dependency. The effect is the decisive factor - and this is relevant for any organization with sensitive mandates: If a provider is no longer able or allowed to deliver services in a sanctions or pressure scenario, it is suddenly not "just IT" that is at stake, but the operational ability to act.

The ICC reacted in precisely this way: in 2025, it became public that the court wanted to shift its working environment away from Microsoft and towards "openDesk" - a European open source suite from the ZenDiS environment.

The problem with "sovereignty washing"

The German Informatics Society (GI) is calling for "European Tech First" in public procurement and warns that "sovereign cloud" for hyperscalers is often only sovereign on paper if ultimate control (updates, support, admin access, legal access) remains outside Europe. In concrete terms, this means that labels don't matter - jurisdiction, key control, portability and genuine exit options are crucial for "digital sovereignty".

It does work: Schleswig-Holstein and the exit in figures

If you want to know whether "away from Microsoft" is more than just a mind game for talk shows, you should take a look at Schleswig-Holstein: The state administration has completed the migration of its mail system from Exchange/Outlook to Open-Xchange and Thunderbird - with over 40,000 mailboxes, well over 100 million migrated emails and calendar entries.
And then there are the hard figures on cost-effectiveness: the state is already talking about savings of more than 15 million euros in license costs; for 2026, this is offset by one-off investments of nine million euros.
Admittedly: This change did not go smoothly either. But that is precisely the point - sovereignty is not a PR program, but a fundamental strategic decision.

International success stories: Open source in large fleets

There are also international success stories: France's gendarmerie has gradually migrated tens of thousands of workstations to Ubuntu ("GendBuntu"); Canonical, among others, documented 85,000 PCs in a case study, and the EU Open Source Observatory has also documented the migration.

There are also similar projects at EU institution level: The European Data Protection Supervisor (EDPS) launched Nextcloud and Collabora as an open source pilot in 2023 - as an alternative for secure collaboration.

What "sovereign cloud" really means

Four test questions are often enough to identify pseudo-sovereignty:

  • Jurisdiction (is a company subject exclusively to EU law or also to the law of third countries?)

  • Key control (who really controls the keys?)

  • Portability (are there standards, exit plans, has reverse migration been tested?) and

  • Operation (are all admin accesses, support, updates, incident response located in Europe?)

The EU resolution is aimed precisely in this direction: European data infrastructure is to be strengthened, dependencies reduced, interoperability and open standards enforced.

What needs to be done now - by sector

For public administration, SMEs/KRITIS, healthcare, law firms and IP-intensive companies, the following applies: it is not necessary to replace everything at once - it is important to take stock quickly in order to make dependencies measurable and derive concrete countermeasures. An appropriate plan should cover the following aspects:

1. Inventory of critical platforms (cloud, identity, collaboration, backup, security, AI)
2. Data protection requirements (patient records, mandate data, research, blueprints, source code)
3. Exit capability as a binding goal (standards, data portability, restart scenarios)

European data sovereignty - is that even possible?

If you want to derive a realistic program from the discussion, you should know the options that are operated in EU jurisdiction, meet all technical requirements and can be migrated cleanly: sovereign IaaS/PaaS as a basis, managed Nextcloud as a European collaboration alternative, backup/disaster recovery with tested restore processes and consulting/migration to reduce lock-in in a controlled manner.

Conclusion

The thesis of the EU resolution hits a nerve at a time when a US administration is using military blackmail against its own allies: European digital sovereignty is necessary, possible - and it is important enough to be politically demanded and promoted at the highest level. Switching to real control now (jurisdiction, keys, exit) has nothing to do with ideology or nationalism. It reduces operational risk, strengthens compliance and protects intellectual property.