The relationship between the European Union (EU) and the United States has moved into a new phase of attack and counter-attack. This transition is marked by existential geopolitical threats and brutal cloud computing markets. Most recently, this has taken the form of the U.S. government’s rather bold threat of invasion against EU member state Hungary. This provocative action has increased anxiety over European security and sovereignty. For the first time in history, the U.S. has sanctioned a European Commissioner for introducing legislation that the White House disagrees with. This action has deepened diplomatic relations during continued threats.
We know the geopolitical environment is changing quickly. Four U.S.-based hyperscalers—Amazon Web Services (AWS), Microsoft Azure, Google Cloud, and IBM Cloud—now dominate the EU cloud services market, accounting for roughly 70 percent of the sector. Governments, academia, and nonprofits became aware of this dominance and raised urgent questions about data sovereignty and control. In response, the European Commission (EC) is developing a new framework to assess cloud providers competing for public sector contracts. This framework should be viewed as a “sovereignty ladder.” It lays down precise and non-discriminatory criteria enabling providers to qualify for tenders, establishing a huge precedent for future EU legislation.
France has gone a step further by placing severe limitations on non-EU cloud providers within public services. According to France’s new rules, cloud providers are only allowed to store data within the EU. They must recruit staff based in the EU and maintain an EU-based majority of shareholders at all times. This move underscores growing European concerns about data privacy and national security in an era dominated by U.S. tech giants.
The CLOUD Act empowers U.S. federal law enforcement to compel American companies to turn over data they store outside the country. Frankly, many European observers are doubtful about the assurances that U.S. cloud providers can offer. They point out that the Act undermines these pledges.
The EC’s recently adopted framework sets out a minimum qualification threshold that all bidders must meet. It includes a much improved “sovereignty” scoring rubric. As this framework gains traction, cloud providers seeking state contracts across Europe may find themselves having to adapt their operations significantly.
Indeed, many organizations are moving further into multi-cloud environments, choosing European or sovereign providers to run their most sensitive workloads. This trend indicates an increasing global desire to reduce dependence on U.S.-based cloud services in the context of geopolitical uncertainty. As one report about interoperability cautioned, juggling systems from different vendors can significantly increase the cost of integration. This complexity also adds to the challenges of securing and governing the data.
“Running systems across different platforms can increase integration costs and make security and data governance more complicated. In some cases, organisations could lose some of the efficiency and cost advantages that come from using large hyperscale platforms.” – Martyna Chmura
Despite these challenges, Martyna Chmura noted that “overall, the EU appears willing to accept some of these trade-offs.” Today, organizations continue to chart their cloud adoption paths amid changing regulatory guidance and the rise of geopolitical threats. They need to be secure without sacrificing operational efficiency in the transition.
The inertia of U.S. cloud giants represents a huge task, especially for European companies that are trying to give companies a competitive alternative. Their resulting monopolistic power means they have little incentive to invest in infrastructure and services. They do this in a bigger way than their European counterparts. Arnold Juffer pointed out the convenience and sophistication of U.S. cloud technologies, stating, “If you look at AWS, you look at Google, they’ve created some super technology. It’s very convenient, it’s easy to use. Once you’re in that platform, in that ecosystem, it’s very hard to get out.”
As the European Commission’s framework starts to come into focus, it could have impacts on legislation at national and EU-wide levels. The ongoing scrutiny of U.S. cloud providers reflects a broader concern regarding digital sovereignty and the implications of outsourcing critical services to foreign entities.

