AWS European Sovereign Cloud: Marketing or True Sovereignty?
Spoiler alert: the truth lies somewhere in between.
A few days ago, AWS announced the launch of the AWS European Sovereign Cloud, with its first region now live in Brandenburg, Germany.
The promise is ambitious: EU data residency, EU-resident operations, and strong technical isolation from the rest of AWS’s global infrastructure.
At first glance, this looks like a major milestone for European digital sovereignty.
I remain skeptical, not because AWS lacks engineering rigor, but because sovereignty is ultimately a legal question, not a technical one.
What “Sovereign Cloud” Really Means
A sovereign cloud is not defined by the location of its data centers alone.
It implies full control over data access, processing, governance, and legal authority, exercised exclusively by the host jurisdiction.
In Europe, this typically requires:
Protection from non-EU extraterritorial laws
EU-resident operations with no foreign legal dependencies
Compliance with strict national frameworks such as SecNumCloud (France) or C5 (Germany)
AWS’s European Sovereign Cloud delivers meaningful improvements: EU-based infrastructure, locally operated environments, isolated control planes, and customer-managed encryption keys.
However, it remains a wholly owned subsidiary of Amazon, a US-headquartered company, and that single fact reshapes the entire sovereignty discussion.
The Legal Constraint AWS Cannot Escape
The fundamental limitation of AWS’s sovereignty claim lies in US law.
The CLOUD Act
The US CLOUD Act (2018) obliges US companies to provide data “in their possession, custody, or control”, regardless of where that data is stored.
No foreign court approval is required.
In other words, EU-hosted data is not legally immune if AWS is compelled by a valid US subpoena.
AWS often points out that it has reported zero disclosures of non-US customer data since 2020. While encouraging, this is not a legal safeguard, only a historical statement, which is also very hard to verify.
And anyway, future obligations remain enforceable.
FISA Section 702
Beyond subpoenas, FISA Section 702 authorizes US intelligence agencies to conduct electronic surveillance targeting non-US persons located outside the United States.
These requests are often classified, broad in scope, and accompanied by gag orders.
This makes independent verification or customer notification extremely limited.
Together, CLOUD Act and FISA 702 create an unavoidable reality:
a US-controlled cloud provider cannot offer absolute legal sovereignty, even when infrastructure is fully located in the EU.
The Technical Argument and Its Limits
AWS highlights strong technical safeguards:
Customer-managed encryption keys (BYOK), typically using AES-256 encryption at rest, ensuring that data stored on disk is unreadable without customer-controlled keys
Zero-operator-access services, designed to prevent AWS personnel from accessing customer data during normal operations
The AWS Nitro System, including custom hardware designed by Annapurna Labs, which offloads virtualization, networking, and storage to dedicated hardware and enforces strong isolation between tenants and from the host OS

These mechanisms are real and impressive.
Nitro’s architecture significantly reduces the attack surface by eliminating traditional hypervisor access, while customer-managed encryption keys ensure that data at rest remains cryptographically protected.
In practice, this means that raw data stored on disk should be unreadable to AWS operators, even within AWS-managed facilities.
However, technical isolation does not nullify legal authority.
If AWS retains any form of operational control, whether over infrastructure orchestration, service execution, key management workflows, or recovery mechanisms, it may still be legally compelled to assist US authorities “to the extent feasible”.
Encryption materially reduces risk, but it does not eliminate extraterritorial jurisdiction.
GDPR: The Uncomfortable Middle Ground
This legal exposure collides directly with GDPR, particularly Articles 44–50 governing international data transfers.
Since Schrems II, the EU has made its position clear: access by foreign intelligence agencies must be prevented unless “essentially equivalent” safeguards exist.
AWS commits to:
Challenging unlawful requests
Applying EU-centric contractual protections
Minimizing access wherever possible
Yet when US law and EU law conflict, AWS has no option but to comply with US obligations.
The result is not theoretical: it creates legal ambiguity and uncertainty for customers, who remain responsible for GDPR compliance and face potential fines of up to 4% of global annual revenue.
AWS vs EU-Native Sovereign Clouds: The Practical Difference
When discussing cloud sovereignty in Europe, the question is not whether AWS works, as it clearly does.
The real question is whether EU-native cloud providers offer something fundamentally different, or merely a regional variation of the same model.
They do offer something different, from a legal point of view.
With the AWS European Sovereign Cloud:
Data is hosted exclusively within the EU
Operations are handled by EU-resident teams
Security and encryption standards are best-in-class
US law still applies due to AWS’s corporate ownership
By contrast, with EU-native sovereign providers such as OVHcloud or Bleu:
Infrastructure and operations are fully EU-based
Corporate ownership is European
Providers are subject only to EU and national law
Certifications like SecNumCloud explicitly exclude exposure to foreign extraterritorial legislation
Trustworthy Does Not Mean Sovereign
AWS’s European Sovereign Cloud is a serious and well-executed initiative.
It meaningfully improves data residency, operational isolation, and transparency for European customers. For many organizations, it will be more than sufficient.
But sovereignty is not a question of trust or technical excellence.
It is a question of legal independence.
This distinction matters even more in the current geopolitical climate. In a world of growing tensions between the United States and the rest of the world, marked by trade disputes, sanctions, export controls, and expanding surveillance authorities, digital sovereignty is no longer a theoretical concern.
Cloud architectures must be evaluated not only for how they operate in times of stability, but for how they behave under pressure. Sovereignty is about ensuring that critical systems and data remain governed by predictable, local law even when international relations deteriorate.
In that context, AWS’s position is structurally limited. As a US-headquartered company, AWS remains subject to US extraterritorial legislation, regardless of how isolated or European its infrastructure becomes. No amount of technical separation can override that legal reality.
This does not make AWS untrustworthy; it makes it non-sovereign.
For many workloads, a trustworthy cloud is enough. But for regulated, strategic, or state-sensitive data, sovereignty requires more than trust: it requires jurisdictional immunity.
When sovereignty truly matters, EU-native providers without foreign legal obligations remain the only option for full peace of mind.
Related readings
AWS Blog Post - Opening The AWS European Sovereign Cloud
Annapurna Labs - Amazon custom hardware for AWS infrastructure

