TL;DR
European public bodies are beginning to shift workloads off US hyperscalers as a legal conflict between the US CLOUD Act and the EU's GDPR raises compliance and sovereignty concerns. Initiatives such as Austria’s move to Nextcloud and the Eurostack proposal aim to rebuild a European technology stack, but analysts warn full decoupling from US providers remains unlikely in the near term.
What happened
European governments and some international institutions have started concrete migrations away from US-dominated cloud services after legal and operational risks became apparent. Experts point to a structural problem: the US CLOUD Act can compel American companies to hand over data stored abroad, which can clash with GDPR obligations and trigger Data Protection Impact Assessments (DPIAs) that flag unacceptable risk. That dynamic has pushed a handful of public authorities in Austria, Germany, France and the International Criminal Court in The Hague to test and adopt alternatives. Austria’s Federal Ministry for Economy, Energy and Tourism moved 1,200 staff to an on-premise Nextcloud deployment following a three-month proof of concept and completed migration in four months, citing control and sovereignty rather than cost savings. The move did not fully eliminate use of US platforms — Microsoft Teams remains allowed for limited external communications — illustrating pragmatic, stepwise approaches. Eurostack advocates, led by economist Cristina Caffarra, argue for procurement, industrial investment, and a targeted fund to rebuild Europe’s technology base, while market analysts caution most enterprises won’t fully abandon US hyperscalers by 2026.
Why it matters
- A legal clash between the US CLOUD Act and EU GDPR creates compliance and notification problems for organisations using US-based cloud services.
- Dependence on non-European infrastructure concentrates operational risk and could have immediate impacts if access is restricted or altered.
- Public-sector migrations set precedents that could reshape procurement and demand for European alternatives.
- Efforts to build European alternatives aim to increase resilience rather than pursue total technological autarky.
Key facts
- Cristina Caffarra and the Eurostack initiative estimate about 90% of Europe’s digital infrastructure is controlled by non-European companies.
- The US CLOUD Act allows American authorities to compel US-based tech firms to provide data regardless of where it is stored.
- GDPR Article 35 requires a DPIA for technologies likely to create high risk; DPIAs for US hyperscaler services often flag the CLOUD Act as a major risk.
- Gag orders accompanying some US warrants can prevent providers from notifying customers that their data was accessed.
- Encryption as a mitigation depends on who controls encryption keys; provider-controlled keys can be compelled to decrypt data.
- Austria’s ministry migrated 1,200 employees to Nextcloud after a three-month proof-of-concept and completed the move in four months, emphasizing sovereignty over cost savings.
- The Austrian rollout left Microsoft Teams available for limited external communications under strict rules, demonstrating hybrid approaches.
- Forrester predicted no European enterprise will fully shift away from US hyperscalers in 2026, citing geopolitical and market barriers.
What to watch next
- Whether more EU public bodies follow Austria’s example and publish migration plans or timelines.
- Progress on the Eurostack proposal — including any concrete fund creation or procurement rule changes — is not confirmed in the source.
- How US hyperscalers’ so-called 'sovereign' or EU-based offerings evolve and whether they address legal conflicts is not confirmed in the source.
Quick glossary
- CLOUD Act: A 2018 U.S. law that can require US-based providers to disclose data to American authorities, irrespective of where the data is stored.
- GDPR: The EU’s General Data Protection Regulation, a legal framework governing personal data protection and privacy for individuals in the European Union.
- DPIA: A Data Protection Impact Assessment required under GDPR Article 35 to evaluate high-risk processing and identify measures to mitigate risks.
- Hyperscaler: A very large cloud provider that operates at massive scale, offering infrastructure and platform services to enterprises and governments.
- Nextcloud: An open-source collaboration platform that can be deployed on an organisation’s own servers as an alternative to commercial cloud collaboration services.
Reader FAQ
Why are European public bodies moving away from US cloud providers?
Many cite the legal conflict between the US CLOUD Act and GDPR, which can make compliance and notification obligations difficult or impossible under US warrants.
Is encryption a complete fix for sovereignty concerns?
No. Its effectiveness depends on who holds the encryption keys; provider-controlled keys can be compelled to decrypt data.
Will European organisations fully abandon US hyperscalers soon?
Not according to market analysis cited in the source; Forrester predicts no complete shift away from US hyperscalers in 2026.
Has Europe agreed on a single strategy to rebuild its tech stack?
No single, EU-wide industrial strategy has been implemented; the Eurostack proposal recommends buying, building and funding European alternatives, but outcomes are not confirmed in the source.
PAAS + IAAS 94 Europe gets serious about cutting digital umbilical cord with Uncle Sam's big tech Public bodies migrate in the bloc as hyperscalers claim sovereignty Kim Loohuis Mon 22 Dec 2025…
Sources
- Europe gets serious about cutting digital umbilical cord with Uncle Sam's big tech
- Europe gets serious about cutting US digital umbilical cord
- Digital Geopolitics in Europe: Cloud Sovereignty & Data …
- When Governments Pull the Plug – Lawfare
Related posts
- Python 3.14 Released With Optional Free-Threading and Experimental JIT
- Meta transfers React, React Native and JSX to Linux Foundation React Foundation
- Bun 1.3 expands JS runtime with wide-ranging tools and features