Your data, your cloud – sovereign instead of dependent.
US CLOUD Act, a shaky data agreement, rising costs: in 2026 many companies are rethinking their cloud strategy. We assess soberly which workloads belong where – sovereign cloud, EU provider, hybrid or pragmatic hyperscaler – and implement the move technically.
Cloud sovereignty means you control where your data lives, which jurisdiction can reach it, and how easily you can switch providers. In 2026 the topic has gone mainstream – AWS launched its European Sovereign Cloud with a first region in Brandenburg in January, the EU created an assessment framework (Cloud Sovereignty Framework, SEAL-0 to SEAL-4), and June brought the proposal for a Cloud and AI Development Act. At the same time, scepticism is growing: Microsoft France's chief legal officer had to admit before the French Senate in 2025 that he cannot rule out US authorities accessing European data.
The good news: for typical mid-market workloads – web applications, databases, storage, Kubernetes, even AI inference – European providers like STACKIT, IONOS, Hetzner, OVHcloud or Exoscale cover the need almost completely today, often at a fraction of hyperscaler prices. The honest answer, though, is rarely "pull everything out of US cloud" – it's a clean per-workload assessment. That's exactly what this page is for.
What's actually real about the risks
Facts instead of panic: the three real risk areas of US cloud dependency – honestly assessed.
US CLOUD Act
The 2018 US law obliges providers under US jurisdiction to hand over data upon court order – whether it sits in Frankfurt or Virginia. It's a law-enforcement instrument with judicial control, not a mass-surveillance law – but Microsoft France's chief legal officer confirmed under oath in 2025: he cannot guarantee EU data will never be handed over.
Schrems III risk
The EU-US Data Privacy Framework holds – for now. The Latombe challenge was dismissed in September 2025, but the appeal is before the CJEU (C-703/25 P), noyb has announced a broader challenge, and the US oversight body PCLOB has lacked a quorum since January 2025. If the agreement falls, US transfers lose their simple legal basis – for the third time.
Vendor lock-in & costs
Proprietary services and expensive data egress (AWS: ~$0.09/GB) make switching hard. The EU Data Act defuses part of this: switching charges are fully banned from 12 January 2027. It doesn't cover ongoing operational egress, though – architecture decisions remain the bigger lever.
"Sovereignty washing"
US hyperscalers now market "sovereign" offerings too – Microsoft's EU Data Boundary, AWS' European Sovereign Cloud (own partition, EU staff, ~15% premium). Whether these constructs withstand a CLOUD Act order is legally unresolved as long as the parent company sits in the US. The EU framework (SEAL levels) helps compare offers soberly.
Sensitive data with special rules
For some data the question is already settled: health and social data require processing in DE/EU/EEA/Switzerland plus a C5 attestation under § 393 SGB V, professional-secrecy holders (§ 203 StGB) must bind service providers carefully, and classified information (VS-NfD) belongs only in BSI-approved environments.
Encryption is no free pass
"Bring Your Own Key" sounds safe but doesn't protect against disclosure orders – the key is imported into the provider's own key management service, so the provider keeps technical access to it. What works is external key management (HYOK, where the key material stays on infrastructure outside the provider's control) or client-side encryption, where only ciphertext ever reaches the provider and it never sees plaintext.
The four paths – and who they fit
There is no single right cloud. There are four basic patterns – and the decision is made per workload, not wholesale.
Sovereign cloud
AWS European Sovereign Cloud · T-Systems Sovereign Cloud · (Delos: public sector only)
Separate partitions detached from the global infrastructure, with EU staff and EU governance. AWS' ESC (since January 2026, Brandenburg region) offers ~90 services at a ~15% premium. Hyperscaler comfort with a much better sovereignty story – whose CLOUD Act resilience remains legally unresolved.
Best for: Companies with high compliance needs that require hyperscaler services and can carry the premium.
On-prem / self-hosting
Own servers · colocation · air-gapped setups
Maximum control, no foreign jurisdiction – but you carry operations, security and availability yourself. With a modern open-source base (Kubernetes, Nextcloud & co.) more realistic than its reputation, but only with real ops expertise or a partner.
Best for: Highly sensitive workloads (classified data, core IP) where operational expertise exists.
EU providers
STACKIT · IONOS · Hetzner · OVHcloud · Scaleway · Exoscale · Open Telekom Cloud
European ownership, EU data centres, outside US jurisdiction – OVHcloud is one of only five providers holding the highest Gaia-X label (level 3). Fully practical today for web apps, databases, S3 storage, Kubernetes and AI inference – and often drastically cheaper (Hetzner: ~14× compute value vs. AWS, 20 TB traffic included).
Best for: The default path for most mid-market workloads – GDPR-safe without constructs, with simple pricing.
Hybrid / hyperscaler EU region
Sensitive data with EU providers + special services on AWS/Azure/GCP (EU region, HYOK)
The pragmatic middle path: non-critical or special-service-heavy workloads in a hyperscaler's EU region (with DPF/SCCs, external key management and an exit plan), sensitive data with EU providers or in-house.
Best for: Teams that need global scale or managed AI services but want to contain the risks deliberately.
Five short questions about one specific application – then you get a first assessment of which of the four paths fits. No sign-up, no legal advice.
Does the application process highly sensitive data – e.g. health/social data, professional secrets or classified information?
Sovereign cloud – a separate EU partition with managed comfort
Highly sensitive data plus little in-house ops expertise: a sovereign cloud (e.g. AWS European Sovereign Cloud, T-Systems Sovereign Cloud) delivers EU governance and EU staff without you operating it yourself. For social/health data, § 393 SGB V additionally applies (DE/EU + C5).
On-prem / self-hosting – maximum control
Highly sensitive data plus your own ops expertise: self-operation (own servers, colocation, possibly air-gapped) takes foreign jurisdiction out of the picture entirely. Classified data (VS-NfD) belongs in BSI-approved environments anyway.
European provider – the uncomplicated default path
This application doesn't need a hyperscaler: EU providers like STACKIT, IONOS, Hetzner, OVHcloud or Exoscale deliver web apps, databases, storage, Kubernetes and AI inference GDPR-safe, without CLOUD Act constructs – and usually much cheaper.
Hybrid – sensitive parts to the EU, special services deliberately on the hyperscaler
You're regulated yet need special services: split the architecture. Sensitive data and core systems to EU providers or in-house; the special services in a hyperscaler EU region with external key management (HYOK), proper third-party risk management (NIS2/DORA) and an exit plan.
Hyperscaler EU region – pragmatic with safeguards
For this application a hyperscaler's EU region is defensible: DPF/SCCs as legal basis, encryption with external key management, egress costs in view and a documented exit plan – then you use the special services without surrendering control.
First orientation per workload, not legal or architecture advice – the final decision needs a look at your specific application.
How we approach the move
Inventory
We map your workloads, data categories and dependencies – and classify what must be sovereign, where EU suffices and what may stay pragmatic.
Target picture
The right path per workload: EU provider, sovereign cloud, hybrid or self-hosting – with an honest cost and effort estimate instead of ideology.
Migration
We build for portability (containers, infrastructure-as-code, S3-compatible storage) and migrate step by step – starting with non-critical workloads.
Operations & cost
A FinOps routine, monitoring and exit capability are part of the setup. The new environment stays affordable – and you stay able to switch.
FAQ
Do we have to leave US cloud entirely?
Usually no. The honest answer is a per-workload assessment: highly sensitive things belong in sovereign or self-operated environments, much runs better and cheaper with EU providers, and for individual special services a hyperscaler EU region with safeguards (external key management, exit plan) can remain defensible.
What is the CLOUD Act – does it reach data in Frankfurt?
The US CLOUD Act (2018) obliges providers under US jurisdiction to hand over data upon court order – regardless of storage location, so also from German data centres of US providers. It's a law-enforcement instrument with judicial control, not mass surveillance; no publicly documented cases against European business customers are known. The residual risk and the dependency are still real.
Is the EU-US data agreement (DPF) still valid?
Yes, as of June 2026 the Data Privacy Framework holds. But: the Latombe appeal is before the CJEU, noyb has announced a broader challenge, and the US oversight body PCLOB has been unable to act since January 2025. A third "Schrems" ruling is a realistic scenario – anyone planning architecture today should price it in.
Are the hyperscalers' "sovereign" offerings genuinely sovereign?
Partially. AWS' European Sovereign Cloud (since January 2026) is a genuinely separate EU partition with EU staff – but the parent remains American, and whether the construct withstands a CLOUD Act order is legally unresolved. Microsoft's chief legal officer in France could not guarantee exactly that in 2025. The EU Cloud Sovereignty Framework (SEAL levels) helps compare offers soberly.
Can EU providers keep up technically?
For typical mid-market workloads, yes: web applications, databases, S3 storage, Kubernetes and AI inference (e.g. IONOS AI Model Hub, STACKIT AI Serving) are fully covered – often much cheaper. The limits are very specialised managed services and training large AI models; for those there's the hybrid path.
What does switching cost – and save?
It depends on the workload. Portable applications (containers, IaC) switch cheaply; entangled architectures need a cut. On the cost side the potential is real: EU providers are often drastically cheaper (egress example: Hetzner includes 20 TB, AWS charges ~$90 for 1 TB), and systematic FinOps typically saves 20–30% – regardless of provider. From January 2027 the EU Data Act also bans switching charges.
Become sovereign – without ideology, with a plan.
We classify your workloads, calculate honestly and implement the migration technically – portable, secure and cheaper than before.