
Separating Fact from Fiction: What European Cloud Regulations Actually Require

  • Jan 21
  • 11 min read

Updated: Jan 24

Debunking Three Persistent Myths About Cloud Sovereignty


Debunking Three Persistent Myths About Cloud Sovereignty

Scrutiny of the European Union's dependence on non-European cloud services has intensified dramatically as geopolitical tensions escalate and cyber risks multiply across increasingly interconnected digital ecosystems. The statistics paint a stark picture of market concentration: US-based hyperscalers now control more than seventy percent of the European cloud market, while the combined market share of European providers has nearly halved since 2017, contracting from positions of relative strength to marginal market presence.


This dramatic shift in market dynamics has triggered growing concern among European policymakers and security officials that American technological dominance could become a source of geopolitical leverage—a means through which foreign policy priorities might influence access to critical digital infrastructure that European enterprises and governments depend upon for essential operations. Similar anxieties surround Chinese cloud providers as they expand their footprint in the European market, raising questions about data security, governmental access, and strategic autonomy that mirror concerns about American platforms.


As the European Union and its member states respond with increasingly sophisticated regulatory frameworks, the legal landscape governing cloud services has grown extraordinarily complex. This complexity has fueled considerable confusion among technology leaders about what European law actually requires when selecting and deploying cloud infrastructure. Misconceptions have proliferated, often driving organizations toward unnecessarily restrictive technology choices based on misunderstandings of regulatory obligations rather than accurate legal analysis. For CIOs and CTIOs navigating procurement decisions worth millions of euros and carrying multi-year strategic implications, distinguishing regulatory reality from prevailing myth has become essential.


Myth One: European Law Requires Physical Servers Located Within the European Union

Perhaps the most pervasive misconception circulating among European technology leaders is that European law mandates data localization—that servers processing European data must physically reside within EU territory. This belief, while understandable given the sovereignty rhetoric surrounding recent regulatory developments, fundamentally misrepresents how European law actually functions. European regulations do not include explicit or general data localization requirements that prohibit the use of non-European cloud infrastructure.


Instead, European law focuses predominantly on risk-based assessments rather than blanket prohibitions. Regulations require organizations to evaluate the specific risks associated with their cloud deployments and implement appropriate safeguards proportionate to those risks. In certain contexts, this risk-based approach can indeed lead to de facto data localization requirements or other restrictive measures that non-European cloud providers and their customers must carefully consider. Nevertheless, these outcomes result from specific risk profiles and regulatory frameworks rather than general bans, and non-European cloud providers are explicitly not excluded from serving European customers.


To navigate this complex landscape effectively, both cloud providers and their enterprise customers must pay particular attention to several key regulatory frameworks that shape what is permissible and what safeguards are required. The General Data Protection Regulation, which has become synonymous with European data protection standards globally, establishes the foundational rules for cloud services handling personal data. The critical provisions concern transfers of personal data to countries outside the European Union. Such transfers are only permitted under specific conditions: either the transfer must be based on an adequacy decision issued by the European Commission, recognizing that the destination country provides essentially equivalent data protection, or the transfer must rely on appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules, accompanied by a comprehensive Transfer Impact Assessment that evaluates whether the destination jurisdiction's laws might undermine the protections these mechanisms provide.


Experience has demonstrated that even adequacy decisions offer limited certainty. Organizations would be wise to prepare Standard Contractual Clauses and Transfer Impact Assessments even when relying on adequacy decisions, as the landmark Schrems I and Schrems II cases illustrated how these decisions can be invalidated by court rulings that find destination countries' surveillance laws incompatible with European fundamental rights. The practical implication is that organizations cannot simply rely on adequacy decisions as permanent solutions but must maintain contingency arrangements and continuously monitor the legal landscape.


The European Health Data Space regulation introduces sector-specific requirements for electronic health data used in healthcare delivery and scientific research. This framework allows individual EU member states to mandate that health data be stored and processed exclusively within European Union territory, unless a GDPR adequacy decision exists for the destination country. The regulation further limits third-country access based on strict reciprocity principles, establishing that EU entities should only share health data with foreign partners if they receive equivalent access in return. Healthcare organizations and their technology partners must therefore navigate not only EU-level requirements but potentially divergent national rules across the member states where they operate.


The Data Act establishes comprehensive rules for what it broadly defines as data processing services, encompassing Infrastructure-as-a-Service, Platform-as-a-Service, and Software-as-a-Service cloud offerings. The regulation requires providers to implement robust safeguards preventing third-country authorities from accessing non-personal data stored within the EU if such access would violate European or member state law. Data can only be lawfully disclosed to foreign authorities under explicit international agreements or bilateral arrangements with member states. Significantly, however, the Data Act does not prohibit non-European cloud providers from serving European customers, nor does it ban storing non-personal data outside EU territory.


The European Commission's official guidance confirms that companies retain freedom to choose where to store non-personal data, subject to the access control requirements the regulation establishes.


The Directive on Security of Network and Information Systems, commonly known as NIS-2, aims to establish a consistently high level of cybersecurity across the European Union, with specific provisions covering cloud computing service providers.


Organizations falling under NIS-2's scope must implement appropriate technical, operational, and organizational measures to manage cyber risks and mitigate the impact of security incidents, with these measures tailored to their specific risk profiles rather than following a one-size-fits-all approach. The directive requires conformity with the state of the art in cybersecurity practices but explicitly does not demand absolute security or provide prescriptive lists of mandatory controls.


While NIS-2 does not generally mandate data localization, the risk assessments required under Article 21 may lead companies to conclude that selecting EU-based providers is necessary, particularly where supply chain security and subcontractor relationships raise significant concerns that cannot be adequately mitigated through contractual or technical controls. Similarly, the Digital Operational Resilience Act, known as DORA, aims to strengthen the operational resilience of financial entities throughout the European Union. It applies both to financial institutions directly and to third-party information and communication technology service providers, including those offering cloud computing, network infrastructure, and other digital services. While DORA does not impose general localization requirements or ban non-European clouds, providers designated as critical under the regulation must establish a legal presence within the European Union. Additionally, parties must agree upfront on service and data-processing locations, with prior notice required for any changes—a requirement that could lead to de facto localization in practice as financial institutions seek to minimize operational complexity and regulatory risk.


Myth Two: Non-European Cloud Providers Are Banned from Government Contracts

The second persistent myth holds that European governments and institutions are prohibited from procuring cloud services from non-European providers. This misconception has gained traction as public sector use of foreign cloud infrastructure has sparked intense sovereignty debates, with concerns about potential foreign interference running particularly high in governmental contexts where sensitive policy discussions, classified information, and citizen data converge. Both the European Union and individual member states, including Germany and France, have indeed introduced additional requirements and heightened scrutiny for government cloud deployments.


Despite these additional safeguards and elevated oversight, non-European cloud providers often remain able to serve public sector clients, though they must navigate more stringent requirements than those applicable to private sector deployments. In October 2025, the European Commission published its Cloud Sovereignty Framework, which defines eight distinct sovereignty objectives that EU institutions must consider when procuring cloud services. These objectives provide a structured approach to evaluating cloud providers along multiple dimensions of sovereignty concern.


Key sovereignty objectives that non-European cloud providers and their government customers must address include whether the cloud service provider is headquartered outside the European Union, whether it processes data outside EU territory, whether it faces exposure to the influence of foreign governments through legal frameworks or ownership structures, whether it depends on non-European goods and technologies that could create supply chain vulnerabilities, and whether it can continue to run, support, and evolve its services without foreign control even in scenarios of geopolitical disruption. Importantly, these objectives function as minimum considerations rather than absolute requirements, and they are deliberately not precisely defined in the framework. The required level for each objective may differ substantially across individual procurement processes, depending on the sensitivity of the workload, the data involved, and the strategic importance of the system being deployed. Furthermore, the ultimate procurement decision will likely be influenced predominantly by traditional factors such as price competitiveness and technical performance, with sovereignty considerations forming one element of a multi-criteria evaluation rather than serving as automatic disqualifiers.


Germany's approach to government cloud procurement illustrates how member states can establish rigorous standards without categorically excluding non-European providers. The Federal Office for Information Security, known as BSI, has issued binding minimum standards that federal agencies must observe when using external cloud services. To satisfy these requirements, providers must demonstrate compliance with the BSI's Cloud Computing Compliance Criteria Catalogue, commonly referred to as C5. This comprehensive framework sets detailed expectations across numerous control domains.


For non-European providers seeking to serve German federal authorities, key expectations include maintaining complete transparency and customer control over all data processing locations, providing robust transparency regarding how they handle governmental requests for data access, and implementing effective limits on access to customer data by state authorities. Significantly, the C5 criteria do not impose explicit localization requirements, nor do they automatically exclude non-European cloud providers from serving federal agencies. Rather, they establish a high bar for security, transparency, and control that any provider—European or otherwise—must meet to qualify for government business.


France has developed what are widely regarded as some of the strictest cloud requirements in Europe for public sector deployment, centered on the SecNumCloud certification framework. The requirements appear formidable at first examination. Cloud providers must demonstrate immunity to requests from public authorities of third countries, meaning they cannot be compelled by foreign governments to disclose customer data. Service providers must store and process client data exclusively within European Union territory. All service administration and supervision operations must be conducted from within the EU. The provider's registered office, central administration, and principal place of business must be located within the European Union. These requirements might seem to categorically exclude non-European cloud providers from the French public sector market. However, practice has demonstrated otherwise.


Through joint ventures with local companies that satisfy these requirements while licensing technology and services from their global parent organizations, non-European cloud providers have successfully structured offerings that meet SecNumCloud certification standards and serve French government clients with their cloud products. This approach allows France to maintain its stringent sovereignty requirements while government agencies retain access to globally competitive cloud capabilities.


Myth Three: Only Domestic Clouds Can Be Considered Sovereign Clouds

The third pervasive myth concerns the very definition of what constitutes a sovereign cloud. The term has become something of a buzzword in technology and policy circles, used frequently despite the absence of any defined legal term or universally understood concept. This definitional ambiguity has allowed various interpretations to proliferate, some more grounded in technical and legal reality than others.


A protectionist interpretation that has gained currency in some quarters links the concept of sovereign cloud exclusively to infrastructure operated by domestic companies using servers physically located within national territory. According to this view, only cloud services provided by companies headquartered in the same jurisdiction as their customers, using data centers situated within that jurisdiction's borders, can legitimately claim to be sovereign. This approach, while superficially appealing from a nationalist perspective, suffers from significant technical limitations that undermine its stated security objectives.


The fundamental flaw in the protectionist interpretation is that the provider's country of origin or server location alone does not guarantee the intended level of security or immunity from foreign governmental access. A court case in Ontario dramatically illustrated this limitation when it ordered the French cloud provider OVHcloud to disclose data stored exclusively on European servers to Canadian police authorities.


The decision demonstrated that physical location provides no absolute shield against extraterritorial legal demands, particularly when the cloud provider itself has operations or assets in the jurisdiction making the demand. Nationality and geography, in other words, offer far less protection than the protectionist narrative suggests.

A more convincing and legally grounded interpretation treats digital sovereignty as shorthand for comprehensive compliance with European Union law, with particular focus on implementing robust safeguards against unauthorized third-country access to cloud-hosted data. This interpretation aligns with how EU regulations actually function. Rather than mandating localization or preferencing domestic providers, European regulatory frameworks prioritize preserving data protection and cybersecurity standards regardless of where infrastructure physically resides or who operates it.


Germany's Federal Office for Information Security has adopted this pragmatic view explicitly, stating that relying exclusively on local cloud solutions is often simply not possible for organizations requiring access to cutting-edge capabilities. The BSI observes that rigid localization requirements would effectively block European organizations from accessing global innovation while simultaneously creating substantial economic and administrative risks that could undermine rather than enhance security. In practice, digital sovereignty is best served by ensuring that cloud providers—regardless of their headquarters location or data center geography—comply rigorously with European Union rules and respect EU fundamental rights. Specific location demands in individual cases often exceed what binding law actually requires, reflecting policy preferences and risk-averse procurement cultures rather than legal obligations.


Strategic Implications for Technology Leadership

The fundamental takeaway from this analysis is clear: there exists no general ban on non-European cloud providers serving either private or public sector clients within the European Union. What does exist is a complex, multi-layered regulatory framework that establishes sophisticated requirements around data protection, cybersecurity, operational resilience, and governmental access—requirements that any cloud provider, European or otherwise, must satisfy to serve customers in regulated sectors or handling sensitive data.


For CIOs and technology leaders, this regulatory reality demands a nuanced approach to cloud strategy that moves beyond simplistic notions of European versus non-European providers. Both cloud providers and their enterprise customers must verify compliance with applicable data protection, cloud governance, and cybersecurity regulations regardless of where the provider is headquartered or where servers are physically located. Geography and nationality matter far less than demonstrable compliance with European legal requirements and the implementation of robust technical and organizational measures to protect data and ensure service continuity.


Organizations must develop the capability to assess cloud options against the specific regulatory requirements that apply to their particular circumstances. This assessment begins with two fundamental questions that drive all subsequent analysis. First, is the sector subject to specialized regulations beyond the horizontal frameworks that apply across industries? Healthcare organizations must navigate the European Health Data Space requirements. Financial institutions fall under DORA's stringent operational resilience standards. Critical infrastructure operators face heightened cybersecurity obligations under NIS-2. Second, what types of data will reside in cloud infrastructure? Personal data triggers GDPR's transfer requirements and necessitates Transfer Impact Assessments. Health data activates sector-specific controls and potential localization requirements. Even non-personal business data may be subject to access restrictions under the Data Act depending on sensitivity and strategic importance.


Sovereign Sky specializes in helping European enterprises cut through the complexity and confusion surrounding cloud sovereignty regulations. We work with technology leaders to conduct comprehensive regulatory assessments that identify which specific requirements apply to your cloud deployments based on your sector, data types, and operational context. We evaluate cloud provider offerings against European compliance frameworks, assessing not just stated capabilities but actual technical and organizational measures that determine whether providers can meet your regulatory obligations. We design cloud strategies that satisfy sovereignty requirements without unnecessarily restricting technology choices or inflating costs through over-engineered solutions.


Our team helps you navigate sector-specific regulations like EHDS and DORA, prepare robust Transfer Impact Assessments that satisfy GDPR requirements for international data transfers, structure contractual arrangements that preserve compliance even as regulatory landscapes evolve, and develop procurement approaches that balance sovereignty concerns with operational requirements and budget realities. We understand that cloud sovereignty is not about ideology or protectionism but about ensuring that your technology choices satisfy legal obligations while enabling competitive advantage.


The regulatory landscape governing European cloud deployments will continue to evolve as policymakers respond to emerging security threats and geopolitical developments. Organizations that build compliance capabilities based on accurate understanding of what regulations actually require—rather than on myths and misconceptions—will maintain the flexibility to adapt as requirements change while avoiding the costs and constraints of unnecessarily restrictive technology choices.


Contact Sovereign Sky to separate regulatory fact from fiction and develop cloud strategies grounded in legal reality rather than prevailing myths.
