European Digital Sovereignty: U.S. Cloud Company Responses & the Shared Transatlantic Tech Interest

Jun 03, 2025

(Explanatory note: I'm sharing these thoughts before presenting on digital sovereignty at the Global Digital Collaboration conference in Geneva next month. Would love your thoughts and feedback!)

Digital Sovereignty and the Cloud

For over 15 years, cloud computing has remained a central component of Europe’s digital sovereignty ambitions.1 France’s early attempt with the state-funded Andromède project in 2011 — designed to create a home-grown alternative to American cloud companies —2 ultimately stalled, yet it established a clear strategic direction. Since 2020, this vision has crystallized into a comprehensive European industrial policy focused on computing infrastructure.

The result is that regulation and CapEx now move in tandem.

On the rule-making side, the Data Act will eliminate cloud-switching fees from 2027, a “sovereign” tier in the draft EU Cloud-Cybersecurity Scheme could bar services exposed to non-EU law, and national trusted-cloud labels — such as France’s Cloud de Confiance and Germany’s emerging sovereign cloud framework — steer public contracts toward platforms legally ring-fenced inside Europe. Meanwhile, the forthcoming Cloud and AI Development Act is expected to lock in procurement preferences for EU-based providers, mandate EU data residency for government and critical infrastructure, and define a high-security “sovereign cloud” category.

The heavier lever, however, appears to be capital expenditure. The EU has expanded its funding of peta- and pre-exascale systems like LUMI and Leonardo, earmarked €1.5 billion for seven GPU-dense “AI factories,” and paired these projects with the €43 billion Chips Act. The EuroStack Initiative represents the private sector’s alignment with this spending surge, as over 200 European companies have mobilized to advocate for substantial public-private funding to build a comprehensive European-owned technology stack from semiconductors to cloud services. This industry coalition demonstrates how regulatory pressure and public investment have catalyzed significant private sector coordination around digital sovereignty, with participating companies prepared to co-invest billions alongside government funding.

Meanwhile, European cloud companies are expanding their offerings and data center footprints, positioning themselves as sovereignty-compliant alternatives to U.S. hyperscalers. OVHcloud, IONOS, and Scaleway now collectively generate roughly €2.6 billion in annual revenues.3 Much of the EU’s regulatory framework appears deliberately designed to create market opportunities for these European providers and encourage their CapEx growth, aligning with the recommendation of the Draghi report on European competitiveness to foster something akin to European tech champions while reducing dependencies and streamlining innovation-friendly regulation.

Against this backdrop, America’s three largest hyperscalers are adapting. Their ability to meet Europe’s sovereignty requirements — and Europe’s decisions about how open its digital ecosystem will be — will determine both the success of U.S. cloud companies in Europe and the course of transatlantic tech cooperation.

Sovereignty and U.S. Cloud Companies

The EU’s intensified focus on digital sovereignty directly impacts U.S. cloud providers operating in Europe — Microsoft, Google, Amazon Web Services (AWS), Oracle, CoreWeave, and others — which collectively serve approximately 72% of Europe’s cloud infrastructure market. Though these companies don't break out European cloud revenues in their public filings, the continent represents a substantial and highly profitable market for the hyperscalers.4 Failure to adapt to and address European digital sovereignty concerns risks losing substantial market share to emerging European alternatives or other compliant non-European providers.

U.S. cloud companies are working to respond to six digital sovereignty criteria articulated by European policymakers and the broader European policy and business communities:

Data Residency: Data must be stored and processed strictly within EU borders.

Encryption & Key Management: European customers must have exclusive control over their encryption keys, with the provider unable to access decrypted data.

Local Operational Control: Cloud operations, including staffing and governance, must be managed locally within the EU by European entities.

Operational Autonomy: Cloud services must remain functional and resilient, even if disconnected from their global parent companies.

Regulatory Compliance: Providers must fully align with all relevant EU regulatory frameworks, such as SecNumCloud in France, DORA, and NIS2.

Transparency & Oversight: Providers must submit to independent audits and clearly disclose any extraterritorial data access requests.

How the U.S. Hyperscalers Are Responding

Faced with these expectations, U.S. hyperscalers have adapted their offerings and operational models in Europe, as demonstrated in the table below:5

Chart created using Datawrapper. Click here for the interactive version.

Microsoft has made a significant commitment to European digital sovereignty efforts, likely because it’s working to grow its business on the continent. To that end, it has announced a 40% expansion of its European data center footprint by 2027. The company has implemented a comprehensive EU Data Boundary that geo-fences all customer and support data within EU borders. Beyond infrastructure, Microsoft has focused on the political benefits of joint ventures with European entities, establishing “Bleu” in France (in partnership with Capgemini and Orange) and “Delos Cloud” in Germany (in collaboration with SAP and Arvato Systems). These partnerships give European entities control over U.S. cloud services, theoretically reducing concerns about unwanted third-party access to European data. Most remarkably, Microsoft’s “business continuity partnerships” commitment establishes a Swiss-based code escrow, ensuring operational continuity even if Microsoft were forced to withdraw support — essentially a “dead man’s switch” guaranteeing operational autonomy. The covenant is saying: “If all hell breaks loose and we can’t guarantee your control over your data and workloads, we will hand over the keys and you will be in full control.”

"If all hell breaks loose and we can't guarantee your control over your data and workloads, we will hand over the keys and you will be in full control."

Google Cloud has pursued a quieter but equally substantial approach, combining significant European infrastructure investment with local partnerships and technical transparency. Its sovereign cloud solutions with T-Systems in Germany and S3NS (a joint venture with French defense contractor Thales) in France operate under EU jurisdiction with local management and staffing. Like Microsoft’s European partnerships, these accomplish the dual role of political cover and enhanced protections for European workloads. Google ensures EU data residency and provides customers with control through external encryption key management, allowing customers to store encryption keys outside Google’s infrastructure, plus “Key Access Justifications” that surface any data access attempts to customers for approval or denial.

AWS initially showed skepticism toward dedicated sovereign setups but has made a significant strategic pivot in the last three years. The company will launch an independent AWS European Sovereign Cloud in Brandenburg, Germany, by late 2025 — physically and logically separate from its global infrastructure, with all data, metadata, and operations controlled exclusively by EU-resident personnel. Backed by a €7.8 billion investment through 2040, the effort includes a dedicated European Security Operations Center, a locally incorporated AWS parent company with EU-based leadership, and an independent advisory board legally obligated to act in the sovereign cloud’s interest. AWS has also committed to a new Sovereign Requirements Framework, supported by independent third-party audits and full control traceability. This represents one of the most comprehensive sovereign cloud commitments by any American hyperscaler to date.

Still, fundamental European concerns persist

Despite these substantial adaptations, at least two core European concerns remain unresolved.

U.S. Government Access via the CLOUD Act:6 European policymakers remain wary that the U.S. CLOUD Act, which passed in 2018, could allow American law enforcement agencies to compel U.S.-based companies to disclose data, regardless of its physical location. While providers have instituted technical safeguards and promised legal challenges, the potential for jurisdictional conflict between U.S. and EU law creates ongoing skepticism about absolute data immunity.

Geopolitical Service Disruption: Europe has witnessed how digital dependencies can become strategic vulnerabilities. The Biden administration’s AI chip export controls demonstrated how quickly the U.S. can cut off technology access, while concerns persist about “kill switches” in critical systems — as seen in debates over the F-35 fighter jet’s software dependencies. The rapid imposition of tech sanctions following Russia’s invasion of Ukraine further exemplified how geopolitical tensions can instantly transform digital infrastructure into tools of statecraft.

As such, these concerns are moving away from technical issues toward purely political ones that will require the U.S. government to engage directly with the EU on frameworks for data access, jurisdictional conflicts, and mutual trust.

These concerns might suggest to some that even deeper commitments may be necessary. Cloud companies could enhance legal protections by more aggressively challenging government data requests, expanding European hiring and R&D investment, creating stronger operational firewalls between EU and global operations, and providing more granular transparency about any government interactions involving European customer data.

Ultimately, however, these are becoming political questions. Security, privacy, data residency, and other protections are inherently asymptotic — they will not reach perfection.

If U.S. cloud companies are held to a standard of perfection (requiring guarantees that in no circumstances will the U.S. government gain access to European user data residing on U.S. cloud infrastructure), then there will always be an excuse to exclude them, limit their presence, or turn to alternatives (whether or not those alternatives offer better solutions to their European customers).

The CLOUD Act provides a great example of a political solution to a European concern: the law contains provisions for the U.S. government to negotiate law enforcement sharing agreements with foreign governments that could also be vehicles for addressing other data access issues. So far, no such agreement has been negotiated with the EU or any of its member states. That’s a missed opportunity.

Why Europe Should Want a Balanced Approach

While the drive for greater digital autonomy is understandable, achieving complete technological independence from U.S. providers is widely considered impractical, economically unfeasible, and strategically suboptimal for Europe.

The numbers tell the story.

Microsoft, Amazon, and Google together are reportedly spending roughly $255 billion on data center CapEx in 2025 alone. Europe today accounts for about a quarter of global cloud demand (as noted previously, this is an estimate), so duplicating the capacity Europeans already rent from the three hyperscalers would require about €50 billion of fresh CapEx every year — about 7% of the roughly €750 billion annual investment gap flagged in the Draghi report.7

The Draghi report itself explicitly makes this point:

“Given the dominance of US providers, the EU must find a middle way between promoting its domestic cloud industry and ensuring access to the technologies it needs. It is too late for the EU to try and develop systematic challengers to the major US cloud providers... However... the EU should ensure that it has a competitive domestic industry that can meet the demand for ‘sovereign cloud’ solutions.”8

Moreover, European digital success doesn’t depend on building its own technical infrastructure from day one or excluding foreign providers. The examples of Google, Meta, ByteDance, and countless others demonstrate that companies can be born in the cloud using rented infrastructure, but as their businesses succeed, they can build out their own data centers and technical infrastructure. This evolutionary approach enables European companies to focus their resources on innovation and market development, rather than making massive upfront infrastructure investments, while maintaining the option to develop sovereign capabilities as they scale.

This reality has prompted innovative thinking about alternative approaches. Paolo Da Rosa, in his analysis of digital cooperation strategies, argues that Europe should abandon attempts at “simplistic digital sovereignty” and instead pursue “Digital Cooperation” — building structured operational alliances with partner nations to achieve strategic autonomy through “governed interdependence.” Da Rosa’s framework emphasizes sharing costs and risks in developing infrastructures, creating interoperable solutions, and focusing on concrete shared objectives rather than attempting isolated self-sufficiency. Da Rosa’s Digital Cooperation model is compelling, but it should explicitly embrace the United States as a primary partner.

The Draghi report also does this to a certain extent by proposing a cloud market that is bifurcated between “sovereign” segments and segments that are non-sovereign. The latter, the report suggests, should benefit from “a low barrier ‘digital transatlantic marketplace’, guaranteeing supply chain security and trade opportunities for EU and U.S. tech companies on fair and equal conditions.”9

The U.S. remains one of Europe’s closest allies, sharing fundamental values around democracy, the rule of law, and open societies (this may read as a controversial point in the current political moment, but my hope is that it is a true statement now and my bet is that it will be a true statement in the medium and long terms). And American cloud providers have already demonstrated a roadmap to adapt to European sovereignty requirements through substantial regional investments and governance changes.

Excluding the U.S. from procurement, security, and other cloud-relevant frameworks would be strategically counterproductive, potentially weakening the transatlantic alliance while failing to address Europe’s scale challenges. Contra Draghi, there shouldn’t be “sovereign” segments that exclude U.S. companies (in fact, in areas like defense and cybersecurity, doing so would go against European interests by limiting government procurement options).10

Europe’s optimal path involves adapting the Digital Cooperation model to prioritize strategic partnerships with the United States — leveraging American technological capabilities and scale while ensuring these partnerships respect European sovereignty principles through robust governance structures, effective technology, and significant European infrastructure and operations.

The ultimate goal should be digital solidarity, which is technological self-determination through partnerships and alliances among open, democratic, and rule-bound societies.11 Given the current technological and geopolitical landscape, this goal must be coupled with the caveat that less democratic countries will need to be part of the solidarity ecosystem for some time, without losing sight of the fact that the project is ultimately about protecting and uniting open, democratic, and rule-bound societies.

The ultimate goal should be digital solidarity, which is technological self-determination through partnerships and alliances among open, democratic, and rule-bound societies.

Why the U.S. Should Care

The United States has both immediate economic interests and long-term strategic imperatives driving engagement with Europe’s digital sovereignty agenda. The economic stakes alone are substantial: AWS generated over $107 billion in revenue in 2024, with Europe representing a significant portion of this market. The company’s €7.8 billion investment commitment through 2040 for European sovereign cloud infrastructure signals just how valuable European markets are to American cloud providers.

But the strategic implications extend far beyond market share.

Dismissing European sovereignty concerns as mere protectionism risks a dangerous fragmentation of the democratic digital ecosystem. If the U.S. fails to genuinely address these concerns, Europe may be pushed toward technological decoupling or alternative partnerships with China. Such scenarios would leave democratic nations without the collective scale needed to set global technology standards, potentially ceding digital governance to authoritarian models.

The stakes are high for democratic values in the digital age. At a moment when democratic institutions face unprecedented pressures — from global economic uncertainty and massive geopolitical tensions to technological upheaval and declining trust in core democratic practices — the transatlantic alliance cannot afford fragmentation in its most critical domain.

The alternative path — technological nationalism and fragmented markets — serves only authoritarian competitors who benefit when democratic nations fail to coordinate their considerable collective strengths.

A smart U.S. policy would recognize that working to address European sovereignty concerns actually strengthens American interests.12 When Google Cloud commits billions of dollars to building sovereign infrastructure with EU-based partners, operations, and data controls, or when Microsoft establishes Swiss code escrow systems, they demonstrate that democratic partnerships can deliver both sovereignty and innovation (true even if the partnerships are public-private). These investments should be supported by the U.S. government with an eye toward solving for legitimate concerns while maintaining a bias towards cooperation and mutual support.13

This collaborative approach offers a compelling alternative to China’s state-directed technology model. Neither Europe nor America alone possesses the scale to effectively compete with Beijing’s massive, coordinated investments in emerging technologies. Together, though, they can maintain technological leadership — and through that leadership develop mutually beneficial partnerships with other parts of the world.

The alternative path — technological nationalism that leads to isolationism and fragmented markets — serves only authoritarian competitors who benefit when democratic nations fail to coordinate their considerable collective strengths.

Conclusion: Sovereignty Through Solidarity

Europe’s pursuit of digital sovereignty has compelled U.S. hyperscalers to embrace greater localization, transparency, and regulatory compliance. The sovereign programs launched by Microsoft, Google Cloud, and AWS demonstrate meaningful adaptation to European demands, yet concerns about U.S. jurisdiction and potential service disruption during geopolitical crises will likely persist.

The path forward lies in achieving digital solidarity — strategic partnerships built on mutual trust, clear legal frameworks, and shared democratic values. This approach allows Europe to enhance control over its digital destiny while benefiting from international innovation and maintaining strong transatlantic ties. For the U.S., it preserves valuable economic and strategic relationships with key allies.

Ultimately, balanced transatlantic digital cooperation will foster a more resilient, competitive, and democratic global digital environment that serves the interests of both sides of the Atlantic.

Conflict of Interest Disclosure: The views I express in this essay are my own. While I maintain professional affiliations and advisory roles with various organizations, I don’t receive compensation or direction from them (or from any other entities) for the views expressed in my essays, unless explicitly stated otherwise in a particular piece. In some cases, I may receive an honorarium from the publisher as compensation for contributing the essay itself (I am receiving zero compensation for this piece from Substack or anyone else…).

I love em dashes and Oxford commas. Both — I’ve read — are now supposedly tell-tale signs of AI rather than human authorship. To be honest, in light of that, I tried to give up both, but that seemed like the wrong way for the “man vs. machine” war to end. So I’m back to using “—” and “, and” as I did for years before November 2022. (I will say, though, that no spaces between the em dash and words are suspicious…)

Scaleway is a privately held company and does not publicly disclose its detailed financial information. Based on a handful of online sources, my estimate is that its annual revenue is approximately €33 million.

My back-of-the-envelope estimate is that AWS, Microsoft, and Google collectively generated approximately $220 billion in cloud revenue in 2024. If Europe accounted for roughly for 25% of global cloud revenue, the companies’ combined regional revenue would be about $55 billion. This is a rough estimate, however, due to several factors: (1) the companies do not disclose regional breakdowns of their cloud revenues; (2) their cloud businesses are not categorized in a consistent way that allows direct comparisons; and (3) industry analysts often use varying definitions of “cloud.” For example, some limit their estimates to infrastructure services (e.g., virtual machines, storage, and compute), while others take a broader view that includes software-as-a-service offerings like Microsoft 365 or Salesforce.

The table compares how AWS, Microsoft Azure, and Google Cloud have adapted their European sovereign cloud offerings to align with key EU policy expectations. An earlier, published version of this table is available here.

While the goal is consistency and factual accuracy, some judgment calls are required where regulatory timelines, disclosures, or implementation details are incomplete or evolving. For example, in Regulatory Compliance, Microsoft receives a ✅ due to its active pursuit of SecNumCloud certification through its Bleu joint venture and participation in EU frameworks like SWIPO and the EU Cloud Code of Conduct. AWS is marked 🟡 as its sovereign region has not yet launched and it has not committed to pursuing certifications like SecNumCloud.

In Operational Autonomy, all providers receive ⚠️ to reflect the presence of strong technical safeguards — such as air-gapping, code escrow, or isolated infrastructure — while still being subject to U.S. legal frameworks due to ownership or control of the underlying cloud stack (and the as-yet untested nature of technical and other measures).

The table serves as a snapshot of public-facing implementation and policy alignment, providing a general indication of the measures companies have taken. The table presents the data from official provider sources, public technical papers, and press reports as of June 2025.

“The CLOUD Act” is shorthand for concerns about the U.S. government’s access to data abroad under various legal authorities, including Section 702 of the Foreign Intelligence Surveillance Act. (See, for example, this Covington & Burling memo on concerns about data in the cloud in light of the USA PATRIOT Act: “[O]ne of the principal privacy-based concerns raised in connection with US cloud-based services is that the use of such services will afford the US government greater access to the enterprise customer’s data…This concern—which has been prevalent in the press in connection with EU enterprises’ use of cloud services—is often based on a misunderstanding of the Patriot Act and the law governing government access to data both in the United States and abroad.”)

Draghi Report, page 63.

Draghi Report, page 34.

Another consideration is that if digital defense-related products and services, including cybersecurity products, count towards each European country’s NATO contribution, this would also be a mutually beneficial outcome for the U.S. and Europe.

This essay isn’t and shouldn’t be read as a defense of American cloud companies or a criticism of European digital sovereignty ambitions. Rather, it aims to provide an analytical assessment of how various stakeholders are trying to navigate the complex intersection of sovereignty requirements and technological cooperation. The essay should be read, though, as a call to preserve the international digital ecosystem that connects democracies. The central concern is not that European sovereignty policies are inherently problematic. Instead, the issue is that implementing them through the exclusion of democratic allies or demands for fool-proof (or similar) sovereignty solutions could weaken Europe’s own digital capabilities and broader economic advancement while failing to achieve meaningful sovereignty gains. The goal should be to leverage sovereignty requirements to build stronger partnerships with trusted allies, rather than using them as barriers that limit European access to innovation and scale.

The current strategy of the State Department's Bureau of Cyberspace and Digital Policy, which is anchored around the idea of digital solidarity, hints at this but doesn't explicitly state support for meeting sovereignty concerns halfway. An updated version of the strategy — if one is published — should address the issue more explicitly, arguing that, like increasing NATO members' defense expenditures, digital investments at the national or EU level that maintain openness to and partnership with the U.S. enhance both sovereignty and cooperation among allies and partners.

While the sovereign cloud solutions developed by major American providers represent meaningful adaptations to European requirements, they also raise three significant systemic concerns:

(1) The substantial infrastructure and compliance investments required to meet sovereignty standards may inadvertently create higher barriers to entry for smaller cloud providers and technology companies, potentially consolidating market power among entities with sufficient resources to navigate complex regulatory frameworks.

(2) If European cloud providers become overly reliant on their “sovereign” status as a competitive differentiator, this could reduce competitive pressure to deliver best-in-class security, performance, and innovation — potentially leaving European customers with inferior technical capabilities despite enhanced regulatory compliance.

(3) The operational model emerging from some sovereignty frameworks — where American companies provide technology and infrastructure but European entities control operations and data access — is increasingly looking to me like the “TikTokification” of cloud infrastructure, similar to ByteDance's proposed Project Texas structure for TikTok's U.S. operations (or, for that matter, like China’s JV requirements placed on AWS and Microsoft). While such arrangements may address immediate sovereignty concerns, they create new risks. Among other things, they may establish precedents that other nations could exploit to impose similar requirements on democratic technology companies operating globally.