Europe Moves on Digital Sovereignty: DPIAs, CLOUD Act Risks, and Real Case Migrations

Europe appears to be moving from rhetoric to action on digital sovereignty, driven by a legal fault line that makes continued reliance on US hyperscalers legally and operationally risky for public authorities. Recent high‑profile moves — from Austria’s Federal Ministry migrating 1,200 staff to Nextcloud and the International Criminal Court replacing Microsoft with a European open‑source stack, to political backlash over the proposed Kyndryl purchase of Dutch sovereign cloud provider Solvinity — illustrate a pragmatic, case‑by‑case strategy emerging across the continent. These are not symbolic gestures: they respond to concrete legal obligations under the GDPR and to the operational reality that US law can, in certain circumstances, compel American companies to hand over data held anywhere in the world.

Image: EU map illustrating GDPR, data sovereignty, Cloud Act impact, customer‑managed keys, and European open source.

Background

Europe’s policy debate on digital sovereignty has two overlapping axes: law and markets. Legally, the General Data Protection Regulation (GDPR) requires controllers to assess high‑risk processing through a Data Protection Impact Assessment (DPIA, Article 35), a process that routinely flags extraterritorial legal risk when US‑based providers are involved. Technically and commercially, the continent’s critical cloud, compute and software layers are concentrated among a handful of non‑European vendors — a condition that EuroStack advocates and independent analysts argue leaves Europe fragile and dependent. Across Brussels, national capitals and public agencies, this double pressure is forcing hard choices: how to keep delivering modern, AI‑ready services while reducing exposure to foreign legal processes and the lock‑in that comes with hyperscale cloud platforms. The result is an increasingly pragmatic, hybrid approach that blends targeted migrations, procurement shifts and industrial policy proposals.

The irreconcilable legal clash: CLOUD Act vs GDPR

What the CLOUD Act does — and why it matters

The US Clarifying Lawful Overseas Use of Data Act (CLOUD Act, 2018) amended the Stored Communications Act to allow US authorities to compel providers subject to US jurisdiction to produce data, regardless of where that data is stored. It also set out a (limited) mechanism for providers to challenge or seek modification of certain orders, but the Act fundamentally establishes that US law enforcement can demand data from US companies even when the data resides in foreign datacentres. This extraterritorial reach is the legal irritant at the heart of Europe’s sovereignty debate. Legal practitioners and privacy experts point out that the CLOUD Act’s operation can include gag orders and limited avenues for customer notification, further eroding transparency when disclosures occur. Technical mitigations like encryption are effective only when customers control the keys; when providers hold keys or manage decryption, encryption offers limited protection against a valid legal demand. These are established legal and operational realities that European procurement and data‑protection teams must plan around.

GDPR Article 35: DPIAs change the calculus

Article 35 of the GDPR requires a Data Protection Impact Assessment where processing is “likely to result in a high risk” to individuals’ rights and freedoms. For many public bodies handling sensitive citizen data, a DPIA that concludes a US‑based hyperscaler exposes the organisation to legally unresolved extraterritorial access risk creates an untenable compliance gap. In practice, DPIAs are now a major driver pushing public sector organisations toward local, European or customer‑keyed architectures for high‑risk workloads. Regulators and procurement officers increasingly see DPIAs as a legal trigger that demands not only contractual promises, but architectural changes.

Case studies: real projects that illuminate the options and limits

Austria — a fast, pragmatic migration to Nextcloud

Austria’s Federal Ministry for Economy, Energy and Tourism (BMWET) moved roughly 1,200 users from a legacy environment to Nextcloud hosted on Austrian infrastructure. The migration was explicitly motivated by sovereignty and control, not just cost savings. Ministry leadership ran a three‑month proof‑of‑concept on their own servers, then completed a four‑month roll‑out; the result was an operational collaboration stack that the ministry can inspect, adapt and operate under Austrian jurisdiction. Other Austrian ministries have taken notice and started similar projects. Key takeaways from Austria’s experience:
  • Sovereign moves are feasible within realistic timelines for non‑mission‑critical collaboration services.
  • Open‑source, on‑prem or locally hosted managed offerings can reduce the legal risk flagged in DPIAs.
  • Practical constraints remain: hybrid set‑ups persist because external partners still use US‑centric platforms, which forces the ministry to set rules on what may be discussed over those channels.

The International Criminal Court — political risk to operational continuity

The International Criminal Court (ICC) in The Hague reportedly migrated from Microsoft to the German open‑source OpenDesk stack following episodes that highlighted the intersection of sanctions and platform policy. The motivation was plainly political and operational: relying on an American platform exposed the court to external political pressure and the risk of service interruption for sanctioned individuals. The ICC’s move, backed by German sovereignty initiatives, is a high‑visibility example of an international body prioritising legal and operational independence. Caveat: public detail on the ICC’s procurement terms and timeline remains partially opaque, and reporting mixes official confirmations with journalistic accounts — prudent readers should treat some specifics as evolving.

Schleswig‑Holstein and other large‑scale state projects

German states such as Schleswig‑Holstein have adopted open‑source mail and office stacks at scale, migrating tens of thousands of mailboxes and standardising LibreOffice and other European tools across administrations. These migrations demonstrate that even large user bases can be transitioned when political will, funding and a staged change programme align. They also expose user‑experience and interoperability friction that must be managed carefully.

France’s NUBO and the Solvinity acquisition warning

France’s NUBO — an OpenStack private cloud designed for sensitive government use — represents the targeted industrial approach: build private, sovereign capacity for the services that matter most. But the acquisition of Solvinity by US firm Kyndryl in November 2025 is a cautionary tale: choosing a local provider does not guarantee long‑term sovereignty if that provider can later be acquired by a foreign company. Dutch municipalities and ministries expressed surprise and concern when the Solvinity sale was announced, explicitly citing CLOUD Act exposure as a key worry. The lesson is stark: procurement preferences are necessary but not sufficient without protections against hostile or strategic acquisitions.

The industry response: ‘sovereignty washing’ and product changes

Major US hyperscalers have responded with a mix of engineering investments and marketing: EU Data Boundary projects, local processing for AI, “national partner clouds” and contractual enhancements that aim to reassure governments. Microsoft’s EU Data Boundary and Azure Local offerings are examples of technical mitigations that reduce many operational risks, but they do not change the jurisdictional fact that US law can reach US entities. Microsoft executives publicly acknowledged they cannot guarantee absolute data sovereignty under US law — an admission that punctured marketing claims and sharpened political pressure. Critics call some of these offerings “sovereignty washing”: superficially localised data centres and governance structures that leave legal risk unchanged because ultimate corporate control and legal domicile remain foreign. This has driven sharper scrutiny of vendor statements and contract fine print: customers now demand not just local hosting but customer‑managed keys, auditable access controls, and contractual remedies tied to jurisdictional risk.

EuroStack and the industrial strategy argument

Cristina Caffarra and the EuroStack movement argue Europe’s problem is self‑inflicted: procurement rules and market design have allowed non‑European suppliers to capture the lion’s share of the stack. EuroStack’s three pillars — Buy European, Build European, Fund European — propose an industrial policy approach that uses public procurement as an anchor demand, targets strategic public funding to seed supply, and incentivises private investment to scale European alternatives. The goal is not autarky but resilience: a target market share of roughly 30–40% for European suppliers, according to EuroStack advocates, to restore bargaining power and reduce systemic risk. This argument aligns with macro assessments that Europe lags in critical technology development and with calls from industrial policy analysts for coordinated, demand‑side interventions. But it raises immediate tradeoffs: procurement preferences can be politically contentious within the EU’s open‑market framework and may invite trade tension with partners. Carefully designed carve‑outs, a phased approach and strict WTO compliance checks are prerequisites for politically viable policy.

The hard limits: capital, talent and time

Two recent independent surveys and trackers underline the scale of the challenge. Forrester’s 2026 European predictions concluded that no European enterprise would entirely shift away from US hyperscalers in 2026 — a pragmatic forecast based on geopolitical volatility, contractual inertia and the capital intensity of cloud infrastructure. Meanwhile, the Australian Strategic Policy Institute’s Critical Technology Tracker finds China leading in most of the 64 technologies it monitors, underscoring that Europe’s challenge is global and systemic: rebuilding the industrial stack requires sustained capital, scale and focused strategy. These findings temper calls for quick wins and emphasise that a hybrid, targeted sovereignty approach is the realistic near‑term path.

Practical recommendations for European governments and public agencies

Europe’s emerging pattern points to a pragmatic, risk‑based toolkit rather than an all‑or‑nothing break with hyperscalers. A workable roadmap includes:
  • Classify workloads by legal, operational and mission criticality. Prioritise those that truly require legal insulation for migration to European‑sovereign environments.
  • Use procurement as an anchor demand for early scaling: reserve a portion of public procurement for certified European suppliers and sovereign‑capable services, while designing carve‑outs to remain WTO‑compliant and interoperable.
  • Require customer‑managed keys and independent audit rights for sensitive workloads when using foreign providers.
  • Fund targeted sovereign compute zones (defence, health, judiciary, identity) rather than attempting to replicate the entire commercial cloud market.
  • Build acquisition‑resilience clauses into contracts for critical suppliers — for example, change‑of‑control clauses that trigger review and mitigation obligations.
  • Invest in migration tooling, open standards and portability tooling (Kubernetes, container registries, open APIs) to reduce lock‑in costs and make exit paths real, not theoretical.
These steps are practical, incremental, and aligned with what successful public‑sector migrations (Austria, Schleswig‑Holstein, selected German states) show is feasible at scale.
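The point made in the CLOUD Act section above and repeated in the customer‑managed‑keys recommendation (encryption only helps if the provider cannot reach the keys) is easiest to see in code. The following Python script is an added illustration constructed for this page; it is not code from the article, from Nextcloud, or from any cloud vendor. It models envelope encryption: each record is encrypted under a fresh data‑encryption key (DEK), the DEK is wrapped under a key‑encryption key (KEK), and the provider stores only the ciphertext and the wrapped DEK. A simulated legal demand served on the provider yields plaintext only if the provider also controls the KEK. To stay runnable offline with the standard library alone, it uses an HMAC‑SHA256 keystream in counter mode plus an HMAC tag as a stand‑in for a real AEAD such as AES‑GCM; a production deployment would use a vetted library and keep the KEK in a customer‑controlled HSM or KMS. All sample data and key values are constructed.

```python
"""Envelope encryption with a customer-held key-encryption key (KEK).

Constructed example for this page, not code from the article. Only the
Python standard library is used: an HMAC-SHA256 keystream in counter mode
plus an HMAC tag stands in for a real AEAD such as AES-GCM.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one secret."""
    enc = hashlib.sha256(b"enc|" + key).digest()
    mac = hashlib.sha256(b"mac|" + key).digest()
    return enc, mac


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise ValueError on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


@dataclass(frozen=True)
class StoredObject:
    """Everything the cloud provider holds for one record."""
    ciphertext: bytes   # record encrypted under a per-record DEK
    wrapped_dek: bytes  # DEK encrypted under the KEK


def encrypt_record(kek: bytes, plaintext: bytes) -> StoredObject:
    """Customer side: fresh DEK per record, DEK wrapped under the KEK."""
    dek = os.urandom(32)
    return StoredObject(ciphertext=seal(dek, plaintext), wrapped_dek=seal(kek, dek))


def decrypt_record(kek: bytes, obj: StoredObject) -> bytes:
    """Customer side: unwrap the DEK with the KEK, then decrypt the record."""
    dek = unseal(kek, obj.wrapped_dek)
    return unseal(dek, obj.ciphertext)


def disclosure_yields_plaintext(obj: StoredObject, provider_keys: list[bytes]) -> bool:
    """Model a valid legal demand served on the provider.

    The provider hands over what it stores and tries every key it controls.
    Returns True only if one of those keys unwraps the DEK.
    """
    for key in provider_keys:
        try:
            decrypt_record(key, obj)
            return True
        except ValueError:
            continue
    return False


def demo() -> dict:
    """Compare provider-managed and customer-managed key custody."""
    record = b"citizen record #0001 (constructed sample data)"
    kek = os.urandom(32)
    obj = encrypt_record(kek, record)
    return {
        "customer_recovers": decrypt_record(kek, obj) == record,
        # Provider-managed keys: the KEK lives in the provider's own KMS.
        "provider_managed_kms_discloses": disclosure_yields_plaintext(obj, [kek]),
        # Customer-managed keys: the provider holds only unrelated service keys.
        "customer_managed_kms_discloses": disclosure_yields_plaintext(obj, [os.urandom(32)]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design choice worth noting is that the same stored object is disclosed in both scenarios; nothing about hosting location changes. What differs is whether the KEK is among the keys the provider can be compelled to use, which is exactly the gap that local datacentres and EU data boundaries leave open and that customer‑managed keys close for the data at rest.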

Risks, trade‑offs and political economy

A few hard trade‑offs deserve candid emphasis:
  • Cost and environmental footprint: Building sovereign capacity costs money and consumes energy. Europe must pair capacity building with a green energy strategy to avoid local opposition and environmental criticism.
  • Fragmentation vs resilience: Uncoordinated national projects risk fragmentation and higher unit costs. Federated standards and interoperability must be non‑negotiable design principles.
  • Acquisitions and ownership churn: As the Solvinity/Kyndryl case shows, supplier choice can be overturned by later corporate M&A. Regulatory or contractual mechanisms to manage change‑of‑control risk are essential.
Finally, regulatory overreach could chill investment. The Digital Markets Act (DMA) and sectoral probes are tools, but they must be deployed with granular technical understanding so that obligations are enforceable without destroying cloud economics. The EU’s challenge is to thread that needle: be assertive where legal independence truly matters, and pragmatic where scale and performance benefit from global providers.

Strengths of the current movement — and what could still go wrong

Strengths:
  • Legal clarity is forcing realistic action: DPIAs are not theoretical tools; they are operational drivers for migration.
  • Proven implementability: Austria and several German states show public bodies can execute migrations at scale when the political will exists.
  • Industrial mobilisation: EuroStack and similar movements are seeding demand signals that could attract private capital if paired with procurement and funding commitments.
What could still derail progress:
  • Sovereignty washing: vendor marketing that substitutes local datacentres for real legal separation.
  • Acquisition risk: national champions bought by foreign firms (Solvinity) would undo sovereign buys overnight.
  • Funding and political fatigue: without multi‑year funding and cross‑member‑state coordination, pilots will not scale into durable industrial capacity.

Conclusion — from declarations to durable capability

Europe’s path to digital sovereignty is not a binary switch; it’s a portfolio choice. Legal realities (CLOUD Act and DPIA obligations) give public authorities a defensible impetus to reduce exposure for high‑risk workloads. Pragmatic migrations — like Austria’s Nextcloud roll‑out and the ICC’s move to open‑source stacks — demonstrate that meaningful autonomy for specific services is achievable and affordable. At the same time, structural challenges — market concentration, capital intensity, and acquisition risk — mean Europe cannot expect overnight independence from US hyperscalers.
The sensible policy approach combines targeted procurement, funding for anchor projects, technical standards for portability, and contractual mechanisms that protect against future ownership changes. That won’t instantly rebuild an entire European hyperscale ecosystem, but it will create resilient islands of sovereignty where legal risk and strategic value demand them. If Europe can convert the momentum of recent projects into coordinated industrial policy and disciplined procurement, the continent can plausibly regain meaningful control over the critical parts of its digital stack without severing the global economic ties that also bring innovation and scale.

Source: theregister.com Europe gets serious about cutting US digital umbilical chord