Ongoing geopolitical tensions, most notably between the United States and the European Union, have shifted the focus of this debate onto sovereignty in the cloud. The European Commission (EC) deserves credit for making some courageous moves in establishing a framework to protect European data. They are particularly aiming for the scale biting back against the influence of U.S. technology giants. What’s in the CLOUD Act The CLOUD Act gives U.S. federal law enforcement the authority to require American companies to provide data. This extends to information that we have stored abroad. As the EC prepares to implement its new guidelines in October 2025, questions arise about whether U.S. cloud providers can meet these demands and whether European initiatives like EURO-3C can compete effectively in this evolving landscape.
The EC’s two-part framework for evaluating cloud providers bidding for public sector contracts introduces a structured approach to cloud sovereignty. Beyond the proposed amendment, this initiative creates a precedent that might shape future legislation at both national and EU-wide levels. It ranks bidders depending on how closely they follow sovereignty requirements, producing a “sovereignty ladder.” Here’s how European nations are making life difficult for non-EU cloud providers. Consequently, many U.S. companies are left hustling to comply with these new laws before they take effect.
The CLOUD Act and Its Implications
The CLOUD Act still continues to hang heavy over the cloud services market. By requiring U.S. authorities access data stored by American firms outside of their borders, it crosses European stakeholders’ red lines. In particular, critics say that this piece of legislation would compromise the privacy and security of European citizens.
As a leader in the tech community, Stéfane Fermigier saw these geopolitical risks posed by the CLOUD Act. He stated, “The geopolitical risk isn’t just the most extreme form of a doomsday ‘kill switch’ where Washington turns off Europe’s internet.” These kinds of sentiments are indicative of a new level of concern about the risks associated with dependence on U.S. based cloud services.
In response to these concerns, several European countries, including France, have enacted stringent measures limiting access to non-EU cloud providers. France requires that government cloud service providers keep all data within the borders of the EU. They need to take on EU-based employees, too, and can’t allow non-EU shareholders to control their activities. This step is a great way to reinforce local data sovereignty at the same time as tackling fundamental privacy concerns created by the CLOUD Act.
The European Commission’s Framework
The EC’s framework is meant to put pressure on future bidders of public sector contracts to undergo an extreme vetting process. Part one lays out the fundamental cloud provider obligations. The second installment dives deep into the process of evaluating the sovereignty credentials of bidders. This comprehensive and complicated scoring system looks at a variety of bidders’ operations. It shines a pointed spotlight on their adherence to EU regulations and their ability to safeguard data from foreign intrusion.
As European nations fully embrace this framework, it is sure to shape the future of cloud service procurement processes throughout the entire continent. Yet today, major U.S. providers—including AWS, Microsoft Azure, Google Cloud, and IBM Cloud—control 82 percent of the EU market. They dominate close to 70 percent of all cloud services offered. Most commenters remain doubtful that U.S. companies actually plan to respond to EU requests for data with the CLOUD Act allowing for access. Their confidence in these commitments is shaken.
Arnold Juffer, a technology adviser, underscored that attraction for U.S. cloud services. He noted that for many of us, these services leverage cutting edge technology that is incredibly convenient and easy to use. He said, “What I want you to think about is if you look at AWS, you look at Google, they’ve built some really sexy technology. It’s very convenient, it’s easy to use.” Yet, he warned about the potential pitfalls of becoming entrenched in these systems: “Once you’re in that platform, in that ecosystem, it’s very hard to get out.”
The Emergence of EURO-3C
EURO-3C has come up as a very promising initiative to further improve Europe’s cloud sovereignty. Indeed, key proponents such as Telefónica and the European Commission are behind this collaborative project. As such, its ambition is to replace U.S. hyperscalers’ footprints in providing safe and compliant cloud infrastructure to European organizations.
EURO-3C wants to provide a strong, competitive counterpart. It works to strengthen local data storage and governance practices in line with EU regulations. The initiative addresses a majority of data privacy issues that have been brought up by lawmakers and the public. It requires that data remain on EU soil and that only European staff members have access to it.
Martyna Chmura, an industry analyst, echoed the frustration many organizations experience trying to operate systems between various platforms. She added, “Operating systems on multiple platforms can add integration expenses and can add difficulty with security and data governance.” These complexities can often offset the efficiency and cost benefits that are realized by leveraging the large hyperscale platforms.