
CLOUD Act Data Risk

Why AWS Frankfurt does not make your data sovereign. Schrems III pending before the CJEU.

Last updated: 2026-06-23

The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) of 2018 requires US cloud providers to hand over data on request from US authorities – regardless of where the servers physically sit. A data center in Frankfurt, Munich, or Dublin does not protect your data from US access as long as the operator is a US company. For European businesses, this creates an irresolvable legal conflict between the GDPR and US law.

The core problem: jurisdiction follows the company, not the server

The CLOUD Act empowers US authorities to demand the production of data from any company under US jurisdiction – regardless of where it is stored. In concrete terms, that means:

  • AWS Frankfurt: Amazon is a US company → the CLOUD Act applies
  • Azure Germany: Microsoft is a US company → the CLOUD Act applies
  • Google Cloud Europe: Google is a US company → the CLOUD Act applies
Source: Wire: CLOUD Act & EU Data Sovereignty

The physical location of the data is irrelevant. What matters is whether the cloud provider or its parent company falls under US jurisdiction. For a detailed cost and compliance comparison between EU and US cloud providers, see our Hetzner vs. AWS comparison.
Source: Akave: Europe's Cloud Sovereignty Crisis (2026)

  • 78% of CIOs prioritize digital sovereignty (Lünendonk study 2025)
  • 43% of companies have no exit strategy for a fast cloud-provider switch (Lünendonk 2025)
  • 6–18 months is the average duration of a cloud migration
  • 3 US laws with extraterritorial data access: CLOUD Act, FISA 702, EO 12333
Source: Lünendonk: Digital Sovereignty Becomes Top Priority (2025)

Data residency vs. data sovereignty: the decisive difference

Many German companies lull themselves into a false sense of security: as long as the server sits in Germany, the data is supposedly protected. That is a mistake.
Source: Xpert.digital: US Authorities Are Reading Along

| Criterion | Data residency | Data sovereignty |
|---|---|---|
| Definition | Data is physically stored in a specific country | Data is subject exclusively to the legal order of the storage country |
| Protection against US access | No – the CLOUD Act bypasses the storage location | Yes – but only with EU-owned providers |
| AWS Frankfurt | ✓ Data sits in DE | ✗ US company → the CLOUD Act applies |
| Hetzner DE | ✓ Data sits in DE | ✓ EU company → no CLOUD Act |

A legal opinion from the University of Cologne, commissioned by the German Federal Ministry of the Interior and published in December 2025 via a freedom-of-information request, confirms the point: the possibility of US authorities accessing data held by US cloud providers "cannot be reliably ruled out" – not even through technical or organizational safeguards.
Source: Igor's Lab: Interior Ministry Opinion Confirms Risks

Even encryption is not enough: although providers can technically restrict their own access, the opinion finds that this does not release them from the legal production obligations under US procedural law.
Source: TWINSOFT: EU Data at Risk

Microsoft under oath: "No, I cannot guarantee that"

On 10 June 2025, Anton Carniaux, legal counsel at Microsoft France, was asked directly before the French Senate whether he could guarantee that the data of French citizens held in the Microsoft cloud would never be handed over to US authorities.

His answer: "Non, je ne peux pas le garantir" – "No, I cannot guarantee that."
Source: The Register: Microsoft exec admits cannot guarantee sovereignty

Microsoft stated that it would challenge such requests legally and limit them to the bare minimum. But the legal reality remains: there is no law that overrides the extraterritorial reach of the CLOUD Act.
Source: DataBalance: Microsoft Cloud Sovereignty 2026

FISA 702: mass surveillance without judicial warrant

Beyond the CLOUD Act, FISA Section 702 lets US intelligence agencies monitor the electronic communications of non-US persons – without an individual judicial warrant.
Source: SoftwareSeni: CLOUD Act & FISA 702 Legal Exposure

The 2024 reauthorization (RISAA) actually widened its scope: any company under US jurisdiction that offers a service of any kind and has access to communications infrastructure can be compelled to cooperate.
Source: CDT: FISA 702 Expansion Impact on DPF

FISA Section 702 was originally set to expire on 20 April 2026 (sunset under the 2024 RISAA). After a 10-day emergency extension and a 45-day "clean extension," the statutory basis actually lapsed on 12 June 2026 – but existing certifications from March 2026 allow the agencies to continue surveillance until roughly March 2027. Any new legal basis will form the foundation for a possible "Schrems III" ruling by the CJEU.
Sources: EFF: Victory! 702 Has Expired (2026); Congressional Research Service: FISA Section 702

Schrems III: the next legal earthquake?

The EU-US Data Privacy Framework (DPF), the successor to the Privacy Shield struck down in 2020, is already under legal fire:

The Latombe case:

  • September 2025: the EU General Court dismissed the lawsuit brought by French member of parliament Philippe Latombe against the DPF
  • 31 October 2025: Latombe filed an appeal with the CJEU
  • The central question: is the US Data Protection Review Court (DPRC) truly independent and impartial?
Sources: Freshfields: DPF Survives First Challenge; WilmerHale: CJEU to Review DPF Challenge

The NOYB offensive: NOYB, the data protection organization founded by Max Schrems that has already brought down two predecessor agreements (Safe Harbor and Privacy Shield), is weighing a separate, more comprehensive lawsuit before the CJEU.
Source: NOYB: First Reaction to the Latombe Ruling

Regulatory pressure is mounting: the EU Data Act and NIS2

EU Data Act (applicable since September 2025)

Article 32 of the EU Data Act requires cloud providers to take "all reasonable technical, organizational, and legal measures" to prevent unlawful international access to non-personal data in the EU.
Source: EU Data Act: Article 32

When a US provider complies with a CLOUD Act request, it potentially breaches Article 32 – yet another legal conflict with no resolution.

NIS2 (in force since December 2025)

The NIS2 Directive requires 29,500 German companies to assess cybersecurity across their supply chain. That includes examining whether cloud providers are exposed to access by third-country authorities. The jurisdiction of your cloud provider thereby becomes a compliance problem.

EU e-Evidence Regulation (from August 2026)

From 18 August 2026, the new EU e-Evidence Regulation (Regulation (EU) 2023/1543) takes effect, governing cross-border access to electronic evidence within the EU – a European counterpart to the CLOUD Act. The regulation entered into force on 18 August 2023 and applies after a three-year transition period from 18 August 2026.
Sources: eucrim: E-Evidence Regulation and Directive Published; CMS: White Paper CLOUD Act vs EU Sovereignty

The alternative: EU-owned infrastructure

True data sovereignty requires a cloud provider that:

  • Is 100% EU-owned (no US parent company)
  • Is subject exclusively to EU law
  • Has no entity that can be served a CLOUD Act order

| Criterion | Hetzner (DE) | AWS Frankfurt |
|---|---|---|
| Owner | Hetzner GmbH, Gunzenhausen (DE) | Amazon.com Inc., Seattle (US) |
| CLOUD Act exposure | None – not under US jurisdiction | Full – US parent company |
| FISA 702 risk | None | Yes – as a US company |
| GDPR compliance | Native – EU law only | Legal conflicts with US law |
| EU Data Act Art. 32 | No third-country access possible | US access cannot be ruled out |
| Data centers | Nuremberg, Falkenstein, Helsinki | Frankfurt (US operator) |
| Cost (4 vCPU/16 GB) | A fraction of AWS costs | A multiple of Hetzner costs |

Comparable servers cost a fraction of AWS pricing at Hetzner. For the detailed price and performance comparison, see our Hetzner vs. AWS cost comparison.

Sources: Gart Solutions: EU Cloud Provider Guide (2026); Hetzner: Data Privacy FAQ

The clock is ticking: why act now?

The regulatory landscape is tightening in a single direction: away from US dependencies and toward European sovereignty.

  • FISA 702 sunset: statutory basis lapsed on 12 June 2026 – surveillance continues by certification until roughly March 2027
  • EU e-Evidence: from 18 August 2026 – a European counterpart to the CLOUD Act
  • NIS2 registration: already due – requires a supply-chain risk assessment
  • EU Data Act: applicable since September 2025 – a compliance obligation for cloud providers
  • Our planning takeaway: cloud migrations take 6 to 18 months – anyone who has not started planning by 2026 will be acting under regulatory and political pressure in 2028. Context: 78% of CIOs prioritize digital sovereignty (Lünendonk 2025).
Source: Lünendonk: Digital Sovereignty Becomes Top Priority (2025)

A cloud migration takes 6 to 18 months. If you do not start now, you will be forced to migrate under time pressure and at higher cost. Our Sovereign Hosting Guide lays out the concrete steps for DACH SMEs.

How AnvilStack helps

We use AI tools for rapid development – but every line of code is reviewed by senior engineers and deployed on EU-sovereign infrastructure:

  • CLOUD Act-free: we deploy exclusively on Hetzner (Germany) – 100% EU-owned, no US jurisdiction
  • Architecture-level sovereignty: no third-country access is possible, not through technical workarounds but through the provider's legal structure
  • NIS2-compliant supply chain: our infrastructure passes any supply-chain risk assessment
  • EU Data Act Art. 32 ready: all measures against unlawful international access are documented
  • Migration from US cloud: we migrate existing platforms from AWS/Azure/GCP to sovereign EU infrastructure – typically in 2–6 weeks for individual applications

In a free initial consultation, we assess your cloud infrastructure for CLOUD Act exposure. At a fixed price of €36,000 we migrate and harden your platform on EU-sovereign infrastructure – with a working app on Hetzner as the outcome, not just a migration plan.

Frequently asked questions

What is the CLOUD Act?
The Clarifying Lawful Overseas Use of Data Act (2018) requires US cloud providers to hand over data on request from US authorities – regardless of where the servers physically sit. AWS Frankfurt, Azure Germany, and Google Cloud Europe are all subject to the CLOUD Act.

Does a data center in Germany protect against US access?
No. The CLOUD Act follows the legal jurisdiction over the company, not the server location. As long as the cloud provider or its parent company is a US business, the CLOUD Act applies – no matter whether the data sits in Frankfurt, Munich, or Dublin.

What is the difference between data residency and data sovereignty?
Data residency only means that data is physically stored in a particular country. Data sovereignty means that the data is subject exclusively to the legal order of that country. AWS Frankfurt offers data residency, but not data sovereignty.

What happens if FISA Section 702 is extended?
FISA Section 702 was originally set to expire on 20 April 2026. After several extensions, the statutory basis actually lapsed on 12 June 2026 – but certifications issued in March 2026 allow the agencies to continue surveillance until roughly March 2027. Any new legal basis could trigger a Schrems III ruling by the CJEU and topple the EU-US Data Privacy Framework. Anyone still hosting on US infrastructure at that point would be under immediate pressure to act.

Which cloud providers are CLOUD Act-free?
Only providers that are 100% EU-owned and subject exclusively to EU law – such as Hetzner (Germany), OVHcloud (France), or Scaleway (France). No US parent company means no CLOUD Act exposure.

How long does a migration away from US cloud take?
A cloud migration takes 6 to 18 months depending on complexity. Simple applications can be migrated in 2–6 weeks; complex multi-service architectures need more time. AnvilStack delivers the complete migration at a fixed price of €36,000.

Ready to start?

Book a free initial consultation. We assess your project and tell you exactly what it needs.