By Michał Puchała · 2026-04-29
AWS Is Offering a "Sovereign Cloud" for Europe. But Is It Actually Sovereign?
Amazon's €7.8 billion European Sovereign Cloud launched in January 2026. It's technically impressive, operationally isolated — and still owned by a US corporation subject to US law.

In January 2026, Amazon Web Services launched the AWS European Sovereign Cloud — a physically and logically separate cloud infrastructure based in Brandenburg, Germany. It runs on its own partition, with independent IAM, billing, DNS, and a dedicated European Certificate Authority. It's operated exclusively by EU residents, under a German parent company (AWS European Sovereign Cloud GmbH), led by EU citizens, with an advisory board enshrined in the Articles of Association.
On paper, it's an impressive piece of engineering. AWS CEO Matt Garman called it a "big bet", backed by €7.8 billion in investment through 2040. The company claims the infrastructure has "no critical dependencies on non-EU infrastructure" and can operate indefinitely even if communications with the rest of the world are severed.
But a growing chorus of legal experts, analysts, regulators, and European cloud providers is asking a straightforward question: does any of this actually solve the sovereignty problem?
The Elephant in the Room: Corporate Ownership
The core issue isn't technical. It's jurisdictional.
AWS European Sovereign Cloud GmbH is a 100%-owned subsidiary of Amazon.com, Inc. — a corporation headquartered in Seattle, Washington, and subject to US federal law. The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) of 2018 grants American authorities the power to compel US companies to produce data regardless of where that data is stored. Crucially, US courts can require parent companies to produce data held by their subsidiaries.
As Gartner's Rene Buest put it bluntly in the weeks following the launch: "This is the elephant in the room." The AWS European Sovereign Cloud GmbH is a subsidiary of Amazon Inc. "There are still dependencies. Both Oracle and Amazon are still operating in these clouds. They don't give up control."
Forrester senior analyst Dario Maisto echoed the concern: "The legal ownership does matter, and this is one of the points that may not be addressed by the current setup of the AWS sovereign cloud."
French MP Philippe Latombe was even more direct, stating that "AWS cloud cannot be sovereign because it is subject to the US FISA and Cloud Act."
The Microsoft Testimony That Said the Quiet Part Out Loud
AWS isn't alone in facing this scrutiny. In June 2025, Microsoft France's legal director Anton Carniaux testified under oath before the French Senate that he could not guarantee French citizens' data would remain protected from US authorities. Asked directly whether data on French citizens could be transmitted to the American government without French consent, his response was unequivocal: "No, I cannot guarantee that."
Microsoft's technical director Pierre Lagarde tried to reassure senators that, since January 2025, European customer data contractually does not leave the EU. But as multiple analysts have noted, contractual guarantees are subordinate to legal obligations. When the CLOUD Act conflicts with a provider's contractual commitments, US law wins.
This isn't a Microsoft-specific problem. It applies to every US-headquartered cloud provider — AWS, Google Cloud, and Oracle included. As a detailed analysis by Kiteworks concludes: "The US CLOUD Act creates an irreconcilable conflict between US provider legal obligations and European data sovereignty law. Remedies like standard contractual clauses, EU data centre deployment, and others do not eliminate this exposure because the CLOUD Act follows provider control, not data location."
Technical Isolation ≠ Legal Isolation
AWS's engineering work is genuine. The European Sovereign Cloud runs on a separate partition (aws-eusc), with no connectivity to commercial AWS regions. An AWS engineer confirmed on Hacker News that US-based employees cannot see anything happening inside the sovereign cloud environment.
But technical barriers don't override legal authority. As Eliatra's analysis explains: "Air-gapped networks, dedicated infrastructure, and region-locked services all operate under the same corporate ownership. When US authorities issue orders to Amazon.com, Inc., every subsidiary, technical silo, and 'sovereign' region falls under that jurisdiction. The legal entity structure, not the network topology, determines compliance obligations."
The problem is further compounded by the fact that CLOUD Act demands frequently carry non-disclosure orders. The US provider may be legally prohibited from informing the European customer whose data is being accessed. An organisation could be in breach of GDPR Article 48 without ever knowing it.
AWS has stated it has not provided customer content stored outside the US in response to CLOUD Act requests since 2020. But as InfoQ's coverage noted, this is a track record claim, not a legal guarantee. The obligation remains. And under FISA Section 702 — reauthorised with expanded scope in April 2024 — the surface area for US government data requests is wider than the CLOUD Act alone.
The Sovereignty Spectrum: What Gartner's Framework Reveals
Sovereignty is not binary. Gartner identifies a spectrum ranging from standard hyperscaler public cloud (lowest sovereignty) to regional cloud services built on non-hyperscaler technology (highest sovereignty). AWS's European Sovereign Cloud sits somewhere in the middle — offering stronger controls than standard AWS regions, but fundamentally constrained by its ownership structure.
The European Commission has formalised this thinking. Its Cloud Sovereignty Framework, published in October 2025, defines eight sovereignty objectives scored from 0 to 4 (the SEAL level). An independent assessment by European Cloud scored AWS's sovereign cloud high on security, compliance, and operational sovereignty — but low on strategic and legal sovereignty, the dimensions that matter most when the question is "who can ultimately be compelled to hand over data?"
The Commission is already using this framework for procurement. A €180 million tender was launched in 2025 to select up to four cloud providers over six years, each required to meet minimum levels across all eight objectives. Any offer failing a single criterion is automatically rejected.
The Counterargument — And Why It Matters but Doesn't Resolve the Issue
AWS has raised one point that deserves fair consideration: the CLOUD Act isn't limited to US-headquartered companies. It applies to any electronic communication service provider that operates or has a legal presence in the US. OVHcloud, a French cloud provider with US operations, acknowledges on its own FAQ page that its US entity may be subject to CLOUD Act requests.
This is a legitimate nuance. But there's a critical distinction: for European-headquartered providers, CLOUD Act exposure is limited to their US subsidiary and the data it controls. The French parent entity — and the European data it holds — falls outside US jurisdiction. For a US-headquartered company, the exposure runs in the other direction: the parent company's legal obligation extends to all subsidiaries, including those in Europe.
In practice, this means European providers like Scaleway, Hetzner, or Nextcloud — which have no US operations — are not subject to the CLOUD Act at all. That's a qualitative difference, not a marginal one.
What This Means for European Companies
None of this makes AWS's European Sovereign Cloud useless. For many workloads — particularly those without strict regulatory sovereignty requirements — it offers meaningful improvements over standard AWS regions. The technical isolation is real. The operational model is an upgrade. And for organisations that need AWS-specific services and can accept the residual jurisdictional risk, it's a reasonable option.
But for organisations in regulated industries — healthcare under GDPR Article 9, financial services under DORA, critical infrastructure under NIS2 — the question isn't whether AWS has made an effort. It's whether the remaining jurisdictional exposure is acceptable given regulatory obligations that demand documented risk assessment and, in some cases, demonstrated immunity from extraterritorial legal access.
For those workloads, the answer increasingly points toward providers that are European not just operationally, but structurally — companies headquartered in the EU, without US parent companies, and not subject to the CLOUD Act through corporate lineage. Providers like OVHcloud, Scaleway, Hetzner, Open Telekom Cloud, Nextcloud, and others are maturing rapidly, and while they may not match every hyperscaler feature, they offer something AWS structurally cannot: jurisdictional alignment with EU law.
The distinction matters. Data residency means your data is stored within a border. Data sovereignty means no foreign authority can compel access to it. AWS's European Sovereign Cloud delivers the former convincingly. The latter remains an open question — and, under current US law, likely an unanswerable one.