AWS European Sovereign Cloud: Digital sovereignty or sophisticated marketing?
Amazon Web Services recently launched its European Sovereign Cloud, promising enhanced data sovereignty for European public sector organizations and highly regulated industries. Generally available in Brandenburg, Germany, this infrastructure features physically and logically separate systems operated exclusively by EU residents, complete with dedicated identity management and billing systems. AWS has committed roughly €7.8 billion to this initiative, positioning it as the ultimate solution to Europe’s digital sovereignty requirements.

But let’s look beyond the impressive technical specs and the massive investment. There is a fundamental legal contradiction here that no amount of infrastructure isolation can truly resolve: the irreconcilable conflict between U.S. and European law.
The legal collision course
The core issue comes down to two competing legal frameworks pulling in opposite directions.
The CLOUD Act’s long arm
On one side, we have the U.S. CLOUD Act (Clarifying Lawful Overseas Use of Data Act), passed in 2018. It grants American authorities the power to demand data from U.S.-based service providers regardless of where that data is physically sitting. The law’s jurisdiction follows the provider, not the server. Critically, this applies not only to companies headquartered in the United States but also to their foreign subsidiaries.
According to most legal analyses, the CLOUD Act applies to data entrusted to foreign subsidiaries of U.S.-registered companies because the data is considered under the parent company’s “possession, custody, or control”, a phrase U.S. authorities interpret broadly enough to encompass overseas affiliates.
The GDPR Article 48 barrier
On the European side, GDPR Article 48 establishes a clear barrier. It states that any judgment or administrative decision from a third country requiring data transfer can only be recognized if it’s based on an international agreement, such as a mutual legal assistance treaty. The European Data Protection Board is quite clear: entities cannot simply hand over data based on a foreign authority’s request without both a legal basis for processing and an appropriate ground for transfer.
This creates what many analysts describe as a genuine compliance dilemma: following one law often means breaking the other.
An impossible position
Imagine this scenario: a U.S. authority issues a lawful order under the CLOUD Act to AWS (headquartered in Seattle) demanding access to data stored in its European Sovereign Cloud. AWS faces two equally bad options.
If they comply with the U.S. order, they potentially violate GDPR Article 48. European customers who paid for “sovereign” cloud services would see their data accessed by a foreign government, precisely the scenario GDPR was designed to prevent.
If AWS refuses the U.S. order to comply with European law, they face sanctions under American law, including potential contempt charges and substantial fines. For a U.S. corporation, defying lawful orders isn’t really an option.
Why tech can’t fix legal problems
AWS has implemented some impressive technical safeguards here. The infrastructure features dedicated EU-based operations, separate identity and access management, independent billing, and strict technical controls. Only EU residents handle day-to-day operations, support, and service.
These architectural improvements are great for security, but they cannot override jurisdictional realities. As legal experts note, data residency in the EU should ideally be combined with strong encryption and customer-held keys. But even that doesn’t eliminate the conflict if a provider can be compelled to assist in decryption.
Microsoft’s chief legal officer in France actually acknowledged this under oath before the French Senate, admitting they cannot guarantee EU data is safe from U.S. access requests. The same applies to any U.S.-headquartered cloud provider, regardless of where they build data centers or who they hire.
The executive agreement loophole
The CLOUD Act does provide for bilateral executive agreements to streamline cross-border data requests. However, as of January 2026, the U.S. has such agreements only with countries like the UK and Australia. No similar agreement exists with the EU, leaving European customers in limbo.
Even if such agreements existed, they would just create a faster pathway for lawful requests rather than eliminating U.S. jurisdiction over American companies. The sovereignty question remains: can infrastructure truly be sovereign when the operating company answers to a foreign legal authority?
“Sovereignty washing”
Industry observers have coined the term “sovereignty washing” to describe companies marketing products as sovereign without giving users true control. The critical question isn’t where data resides, but who controls the infrastructure, the software stack, and the decision-making.
When looking at sovereignty claims, we should ask: is the provider governed exclusively under EU law? Do open standards allow portability? By these measures, any cloud operated by a U.S. company remains subject to American jurisdiction.
We’ve seen this in practice: Microsoft blocking access to Outlook accounts of International Criminal Court employees in The Hague due to U.S. sanctions demonstrates how non-European legal frameworks can override local expectations, even when the infrastructure appears European.
The regulatory response
European regulators are increasingly recognizing this gap between marketing and reality. The CLOUD Act/GDPR conflict has accelerated initiatives toward genuine digital sovereignty, favoring EU-owned providers.
For EU businesses, “compliance by design” now means treating provider control as a top risk factor. Customers are looking for providers that are not just operating in Europe, but are actually incorporated and controlled under European law.
What true sovereignty means
Genuine digital sovereignty requires more than just technical isolation. It demands:
- Legal independence (governance under EU law without foreign parent companies).
- Operational autonomy.
- Technical control through open standards.
- Transparent governance.
The AWS European Sovereign Cloud achieves the technical part, but the fundamental control remains with a U.S. corporation.
The geopolitical reality
This conflict reflects deeper tensions between American security interests and European data protection values. Both have legitimate purposes: the CLOUD Act aids law enforcement, while GDPR protects privacy.
The problem arises when one entity operates across both. U.S. authorities feel it’s unfair to exempt companies just because they are registered elsewhere, while European regulators view foreign access as a violation.
Marketing vs. reality
The AWS European Sovereign Cloud is a significant technical achievement. For organizations with moderate sovereignty requirements, it offers meaningful improvements over standard regions.
However, for those with the highest requirements (public sector, critical infrastructure), the fundamental question remains: can infrastructure operated by a subject of foreign jurisdiction ever be truly sovereign?
As long as AWS is headquartered in Seattle, this contradiction persists. When American and European law conflict, the company will follow the jurisdiction that controls its existence. Technical measures cannot fix a legal reality.
Calling this “fully sovereign” is, at best, an oversimplification. At worst, it’s sovereignty washing: marketing autonomy while keeping the keys in foreign hands.
True digital sovereignty requires European ownership and control. Until that happens, these claims remain aspirational.