// 29 May 2026

The New EU Cloud Rules Only Bind Governments. The Reason Behind Them Binds You Too.

What the EU Tech Sovereignty Package and the CLOUD Act mean for private-sector cloud strategy

Brussels has moved on cloud sovereignty, and even though the new rules only bind the public sector, the reason behind them lands on every business running on a US hyperscaler.

On 27 May, the European Commission presented its Tech Sovereignty Package. The headline measure, the Cloud and AI Development Act, sets out when sensitive public-sector data, meaning financial, judicial and healthcare records, has to sit on European-controlled cloud capacity rather than on AWS, Azure or Google Cloud. Private companies aren’t covered. If you run a business rather than a ministry, you could read the headline, decide it doesn’t apply to you, and move on.

We’d be careful about doing that.

The restrictions themselves are narrow, but the argument underneath them is not, and that argument applies to your company every bit as much as it applies to a government department. It comes down to who can legally reach your data, no matter where it physically lives.

What actually happened

The day before the Commission’s announcement, the Dutch government did something it had never done before. It blocked an acquisition outright.

The deal was Kyndryl, an American company, buying Solvinity, the Dutch firm that hosts DigiD: the national digital identity system millions of Dutch citizens use to access government services, healthcare records and tax filings. The Dutch Investment Screening Bureau reviewed it and recommended a complete ban. The reasoning had nothing to do with competition or price. It was about jurisdiction: bring that infrastructure under American ownership, and the data of millions of citizens falls within reach of US law.

This is the part worth slowing down on, because it’s the bit that affects you.

The law in question is the US CLOUD Act of 2018. It says that any company incorporated in the United States can be compelled by US authorities to hand over data it holds, regardless of where in the world that data is physically stored. A data centre in Frankfurt doesn’t change the answer. A data-residency clause in your contract doesn’t change it either. As the chief technology officer of the European cloud-standards body Gaia-X put it, no US company can promise the US government will never reach your data. Microsoft’s own chief legal officer admitted as much in a French court: he couldn’t rule out being forced to disclose European data under US orders.

And here’s the legal knot. Back in 2020, the EU’s Schrems II ruling established that a contract can’t override a foreign government’s access laws. So if an American provider receives a valid US warrant and hands over your European data, it hasn’t broken its contract with you – it’s complied with its own law. You, the customer, have no real recourse.

Why this is a private-sector problem too

The Commission was clear that the new restrictions stop at the public sector. Routine government work will likely stay where it is, and your business is free to pick whichever cloud you like.

But the Dutch decision didn’t turn on a rule about data. It turned on a principle about ownership and reach. And that principle doesn’t care whether you’re a hospital trust or a fintech scale-up. If you process anything genuinely sensitive, whether that’s customer financial information, health data, legal records, or anything covered by a contract that promises confidentiality, the same question now sits over your setup. Who, in the end, can be compelled to open it?

For a lot of regulated businesses, that question was already being asked quietly in procurement reviews. The events of 27 May have made it loud. Kiteworks’ recent research found that 32% of European organisations reported a sovereignty incident in the past twelve months, and 44% already flag concerns about their provider’s sovereignty guarantees as a barrier. This is a present worry now, not a future one, and it’s just been handed a very public example.

If your most sensitive workloads sit on a single US hyperscaler with no exit plan, you now have a board-level question to answer, whether or not the new Act names you.

The trap on the other side

Here’s where it gets genuinely awkward, and where we’d caution against an overcorrection.

The obvious reaction is “fine, we’ll go European.” The problem is that Europe doesn’t yet have homegrown providers at the scale of the big three. Local cloud providers hold roughly 15% of the European market. AWS, Azure and Google Cloud together hold around 70%. That gap is real, and it shows up in the awkward compromises being made right now.

When the Commission awarded a €180 million sovereign cloud tender in April, one of the four winning groups was built on services from a joint venture in which Google Cloud provides the underlying infrastructure. The European cloud providers’ own trade association called recognising it as “sovereign” an own goal that risked institutionalising “sovereignty washing.” Even the people writing the rules are struggling to find genuinely independent capacity that does everything they need.

So the honest position is uncomfortable. Staying entirely on a US hyperscaler carries a jurisdictional risk you can no longer pretend isn’t there. Ripping everything out and moving to a smaller European provider may cost you scale, services and developer tooling you actually depend on, and it may not even buy you the clean break you wanted. Gartner expects worldwide sovereign cloud spending to hit $80 billion in 2026, with European spending up 83% year on year. Plenty of organisations are spending into this. That doesn’t mean all of them are spending well.

What we’d actually do about it

So, where does that leave a CIO who doesn’t run a government department but does run regulated workloads? Not panicking, and not ignoring it either. Somewhere sensible in between.

Start by finding out where your exposure actually is

Most organisations don’t have a clear map of which workloads carry real jurisdictional risk and which don’t. Your marketing site doesn’t need sovereign hosting. Your customers’ health or financial records might. The first job is a proper classification exercise: what data do you hold, how sensitive is it, what would compelled disclosure actually mean for you and your customers? Until that’s done, every other decision is guesswork.

Build for portability before you build for any one provider

The single most useful thing you can do isn’t picking the “right” cloud; it’s making sure you’re not trapped on the wrong one. Containerised workloads on Kubernetes, infrastructure defined as code, open data formats, clear interfaces between your application and the platform underneath it: these are what let you move a workload if the regulatory or commercial picture shifts again, as it very well might. You don’t need to move everything tomorrow. You need to be able to move what you need to, when you need to, without rewriting half your estate.

Treat hybrid and multi-cloud as a deliberate design, not an accident

A lot of companies are already on more than one cloud, but by drift rather than design. Done on purpose, a hybrid or multi-cloud setup lets you keep the most sensitive workloads on European-controlled or on-premise capacity while running everything else where it performs best. The catch is that this adds real operational complexity, and it costs you if it’s done carelessly. It’s a strategy that rewards planning and punishes improvisation.

Get the encryption and key custody right

One genuine lever you have against CLOUD Act exposure is making sure your provider can’t unilaterally read your data even when it holds it. If you control the encryption keys, and you can prove it, compelled disclosure of ciphertext is a very different proposition to compelled disclosure of readable records. This is hard to retrofit and much easier to design in. It’s also exactly the kind of evidence regulators and boards are starting to ask for.

The bigger shift

For about two decades, cloud decisions were mostly a procurement conversation. Which provider is cheapest, fastest, easiest to hire for? That era is closing. Cloud is now tangled up with geopolitics, jurisdiction and regulatory continuity in a way it simply wasn’t five years ago, and that pulls the decision up to the board.

None of this means the hyperscalers are off the table. For most of what most businesses do, AWS, Azure and Google Cloud remain excellent choices, and the new Act doesn’t touch the private sector. What’s changed is that “we’ll just put it all on one US cloud and forget about it” is no longer a defensible default for sensitive data. The organisations that come out of this well will be the ones that made deliberate choices about where each workload lives and kept the option to change their minds. The ones that struggle will be those who either did nothing or panicked into an expensive migration they hadn’t thought through.

Q&A: The EU Tech Sovereignty Package and your business

We’re a private company, not a government body. Does the Cloud and AI Development Act actually apply to us?
Not directly. The restrictions in the Act apply to public-sector organisations handling sensitive financial, judicial and healthcare data. Your business isn’t bound by them. But the CLOUD Act exposure that prompted the whole package applies to anyone using a US-incorporated provider, and the Dutch decision to block an acquisition on jurisdictional grounds sets a precedent that screening bodies elsewhere can follow. The rule doesn’t name you. The risk it’s responding to includes you.

If our data is stored in an EU data centre, isn’t it already protected?
Physical location helps with data-residency obligations, but it doesn’t solve the CLOUD Act problem. A US-incorporated provider can be compelled to hand over data it holds wherever that data sits, and the EU’s own Schrems II ruling confirmed that a contract can’t override that. So a Frankfurt data centre run by a US company gives you European residency without European jurisdiction. Those are two different things, and the gap between them is the whole point.

Should we just move everything to a European provider?
For most businesses, no, or at least not reflexively. European providers hold around 15% of the market for a reason: scale, service breadth and tooling still favour the big three for a lot of workloads. Even the Commission’s own sovereign cloud tender ended up leaning on US infrastructure underneath a European wrapper. A blanket migration risks costing you capability without buying you the clean break you wanted. The better move is to identify which workloads genuinely need sovereign hosting and treat the rest on their merits.

What’s the single most useful thing we can do right now?
Make sure you’re not locked in. Portability, built from containerised workloads, infrastructure as code, open formats and clean interfaces, is what lets you respond when the regulatory or commercial picture changes, without a painful rebuild. You don’t have to move anything today. You do want to be able to move what matters, on your timeline rather than someone else’s.

How do we know which of our workloads are actually at risk?
Start with a data classification exercise: what you hold, how sensitive it is, and what compelled disclosure would mean in practice. Most organisations find the genuinely exposed workloads are a smaller subset than they feared, which makes the problem far more manageable than a wholesale migration. A structured review, rather than a rushed reaction to the headlines, tells you where to focus the effort and, just as usefully, where you don’t need to.

Working Through This With Vertex Agility

The question this announcement has forced into the open, namely where each of our workloads should actually live and who can reach them, is one we’re working through with technology leaders across regulated industries right now. The specifics differ. Some organisations have sensitive data sitting on a single hyperscaler with no exit route. Others are part-way into a multi-cloud setup that grew by accident and now needs a proper design. A few are tempted to overcorrect into an expensive migration that wouldn’t solve the problem they actually have.

Our Cloud Consultancy practice works across all of it: cloud strategy and migration planning, hybrid and multi-cloud architecture built on Kubernetes and OpenShift, and the security and compliance work, including zero-trust, encryption and key custody, that decides whether your sensitive workloads are genuinely defensible. As multi-cloud specialists across AWS, Azure and Google Cloud, we’re not steering you toward any single provider. We’re helping you make deliberate choices about placement and keep the freedom to change them.

Because we deliver through flexible, senior-led teams rather than a fixed headcount, we can plug into your existing roadmap and move at the pace the situation needs, whether that’s a focused classification exercise or a full re-architecting of how your estate is hosted. The point is to act on this deliberately, before it becomes a procurement emergency.

If you want an independent view of where your current setup stands, we offer a range of free self-assessments on our website. For something more substantive, get in touch with us directly below.