The sovereignty question the Big Three cloud providers cannot answer
European “sovereign cloud” offerings have become more sophisticated.
Separate EU entities. EU staff. EU data centres. EU governance models.
Yet there is one question the Big Three cloud providers still cannot answer.
Can you guarantee that this service will continue to operate if your home government orders it to stop?
For Amazon Web Services, Microsoft, and Google, the honest answer is no.
Not because of bad intent. Because of law.
The legal mechanisms behind the risk
This exposure does not hinge on a single statute. It results from a stack of enforceable US legal powers that attach to US‑controlled companies, regardless of where infrastructure is located.
Three mechanisms matter in particular.
The CLOUD Act (2018)
Allows US authorities to compel US companies to provide data under their control, including data stored outside the United States.
FISA Section 702
Imposes intelligence collection obligations on US service providers, often accompanied by gag orders that prevent disclosure.
US sanctions and export control regimes
These do not primarily target data access. They target service provision itself. Providers can be legally required to suspend, restrict, or terminate services.
Executive authority can also be used to coerce organisations that fall out of political alignment, without involvement of courts in the jurisdictions where services operate.
None of these mechanisms require a court in the country where the data or systems are hosted.
This is not hypothetical
The idea that executive authority could be used to interrupt digital services is often dismissed as theoretical. It is not.
Executive orders, sanctions regimes, and trade measures have already been used to exert direct pressure on organisations and infrastructure, including outside US territory.
Three recent examples illustrate this clearly.
First, in 2025, International Criminal Court Chief Prosecutor Karim Khan temporarily lost access to official email services after a US executive order triggered sanctions obligations. There was no ruling against the ICC, no finding of wrongdoing, and no technical failure. Access was removed because a US-based service provider was legally required to comply.
Second, ASML, a Dutch company operating within EU and allied jurisdictions, has repeatedly been subjected to US export control measures that restrict what it can sell, to whom, and under what conditions. These restrictions were imposed unilaterally through US executive and regulatory authority, with immediate commercial and operational impact.
Third, the renewed use of tariffs and trade restrictions under executive authority has shown how quickly access to markets, components, and services can be curtailed when geopolitical alignment shifts. These measures do not target data. They target continuity.
Together, these cases demonstrate that executive power is a practical instrument, not a hypothetical risk. When applied to digital infrastructure controlled by US entities, it can lawfully interrupt services without reference to courts in the countries where those services operate.
Why continuity, not access, is the real fault line
Most sovereignty discussions fixate on data access, encryption, and key management.
Those controls are necessary, but insufficient.
A government seeking leverage does not need to read your data. It only needs the authority to compel a provider to:
- disable accounts or subscriptions
- shut down control planes or management APIs
- revoke identity or authentication services
All of this can be done lawfully, without touching customer‑held encryption keys.
At that point, confidentiality is intact, but operations stop.
Why the Big Three cannot give the guarantee
The Big Three are not neutral utilities. They are strategic corporations embedded in their home state’s legal and security framework.
No amount of EU operational separation changes three structural facts:
- ultimate ownership remains outside the EU
- binding legal authority remains foreign
- compliance with national orders is not optional
At best, “sovereign cloud” constructs can delay enforcement through legal challenge. They cannot eliminate the obligation.
The line that defines sovereignty
Sovereignty is not about where systems run. It is about who can force them to stop.
Conditional sovereignty is not sovereignty. It is risk mitigation.
That distinction matters most for governments, healthcare, energy, transport, and justice systems, where even short disruptions cascade into real‑world harm.
The uncomfortable conclusion
The Big Three can offer excellent infrastructure.
They can offer compliance.
They can offer risk reduction.
What they cannot offer is immunity from foreign coercion.
That is not a failure of execution. It is a consequence of jurisdiction.
If Europe wants real digital sovereignty, it must design its critical digital infrastructure accordingly.
Sources
- Reuters, ICC prosecutor Khan loses email access after US sanctions – https://www.reuters.com/world/international-criminal-court-prosecutor-khan-first-be-hit-by-us-sanctions-2025-02-07
- US Department of the Treasury, Office of Foreign Assets Control, Sanctions Programs and Country Information – https://home.treasury.gov/policy-issues/financial-sanctions/sanctions-programs-and-country-information
- ASML, Update on export control measures – https://www.asml.com/news/press-releases/2023/statement-regarding-additional-export-controls