Microsoft admitted that it 'cannot guarantee' data sovereignty [0] "on June 18 before a [French] Senate inquiry into public procurement and the role it plays in European digital sovereignty" as the CLOUD Act "gives the US government authority to obtain digital data held by US-based tech corporations irrespective of whether that data is stored on servers at home or on foreign soil."
It'd be great if they could clarify in their FAQ [1] if and how the CLOUD Act affects them.
[0] https://www.theregister.com/2025/07/25/microsoft_admits_it_c...
[1] https://aws.eu/faq/
It would seem like the problem is one of the business layout and technical layout.
Organize your business and your tech correctly and you can have an owned foreign subsidiary that can comply with local laws. But things would have to be quite separate.
> Organize your business and your tech correctly and you can have an owned foreign subsidiary that can comply with local laws.
I doubt it, a majority owned subsidiary is usually passed through for many legal purposes.
> The AWS European Sovereign Cloud is the only fully-featured, independently operated sovereign cloud, backed by strong technical controls, sovereign assurances and legal protections.
independently OPERATED, not independently owned
therefore: still under the jurisdiction of the US regime
> still under the jurisdiction of the US regime
Exactly, this seems pointless for people serious about staying away from US owned data stores. I know first hand of EU based businesses that left AWS (and all other US owned services) before 2020 due to customer (B2B) demand which in turn was due to the Cloud Act[1], and for whom it today would be completely untenable to return.
[1] https://en.wikipedia.org/wiki/CLOUD_Act
Wait, how does this work? If it is owned by a US company but operated by people inside the EU, I would expect the actual laws in effect to be the EU ones. I mean, that’s who can actually send police to stomp around and physically take the hard drives if they really want to.
The US can of course command the US owners to instruct their EU based employees to do something illegal in the EU, but if your boss tells you to do something illegal, you are still breaking the law if you do it…
Also "legal protections" provided by the US regime, for what that exactly entails anymore I'm not sure, probably depends on the situation.
Congress as it is are cowards incapable of protecting the law, it is merely a regime based law until Congress can prove and rebuild trust that it has a backbone.
Sovereign-by-design but still runs a software stack that is largely written and maintained by a US staff...
All of these isolation sovereignty initiatives are window dressing to the bigger problem that the EU and other countries are massively dependent on proprietary US-centric software stacks.
> Sovereign-by-design but still runs a software stack that is largely written and maintained by a US staff...
Not as much as you might think. The most important component -- Nitro -- basically runs out of Germany.
> Sovereign-by-design but still runs a software stack that is largely written and maintained by a US staff...
I'd argue that very few software components are written (let alone maintained) by US staff. This is basically another major player (there are other sovereign clouds) reading the writing on the wall and doing what is necessary to avoid losing business or being irradiated from the market.
CloudFlare CEO, take notice. Look how the big boys do business and maybe learn a thing or two.
If push comes to shove, these services can and will be weaponized against EU interests. They are bugged and backdoored to the brim. If we see a risk in Chinese-made electrical buses which can potentially be remotely shut down by an integrated SIM card, then using AWS should be a no go in the current political climate - no matter how much lipstick they put on that pig.
Last week, after receiving a fine in Italy, the Cloudflare CEO demonstrated that US tech leadership are extremely emotionally volatile and can lash out in all directions, threatening unrelated parties with shutdown of service. This is in line with Peter "anti christ" Thiel and Elon "nazi salute" Musk going off the rails. Maybe it is a drug-induced psychosis from their annual gathering in the desert where US tech workers consume illegal substances, I don't know.
What if someone scratches Bezos' yacht by accident and then he threatens to shut down the DC? Or he might get upset about a CO2 surcharge when refueling his private jet? Can we really take these risks?
If I'm not mistaken the US (e.g. intelligence agencies) can still require them to provide client data and respect US sanctions?
AWS should be ditched altogether and something Europe based chosen even if it requires investment.
Yes, 100%. They are fully compromised and an extension of US dominance. They can and will be weaponized against us.
Same with Apple iCloud - one day Europeans will wake up and see that all their pictures have been deleted.
> one day Europeans will wake up and see that all their pictures have been deleted
Possible this happens due to bugs in iCloud's GDPR implementation.
It's better than nothing but I'd say it's naive to believe this will hold if US gov genuinely leans on AWS US HQ.
I worked on a team deploying a service to European Sovereign Cloud (ESC). Disclaimer - I am a low level SDE and all opinions are my own.
AWS has set up proper boundaries between ESC and global AWS. Since I'm based out of the US I can't see anything going on in ESC even in the service we develop. To fix an issue there we have to play telephone with an engineer in ESC where they give us a summary of the issue or debug it on their own. All data is really 100% staying within ESC.
My guess is that ESC will be less reliable than other regions, at least for about a year. The isolation really slows down debugging issues. Problems that would be fixed in a day or two can take a month. The engineers in ESC don't have the same level of knowledge about systems as the teams owning them. The teething issues will eventually resolve, but new features will be delayed within the region.
Sure, but what really prevents
> To fix an issue there we have to play telephone with an engineer in ESC where they give us all the data we need or get fired.
?
EC2 pricing: https://aws.eu/ec2/pricing/on-demand/
The prices for the only region in Germany are very similar to the prices in eu-west-1 (Frankfurt), except in € instead of $, so that’s basically a 16% markup by today's exchange rate. Also, AMD CPUs appear to be completely missing.
"AWS" and "European Sovereign" - that's a contradiction in terms.
Just stop using clouds, run your own computers.
I was actually surprised to see this: "As we make this change, we will continue to work as a blended team of EU residents and EU citizens, with all personnel working from EU locations, before gradually completing our transition to EU citizen operations for the AWS European Sovereign Cloud." This looks like a more serious attempt to make it independent of US meddling. It will not protect it fully, but still.
How effective would this setup be if the parent company in the US is ordered to order the EU subsidiary to do something not in the interests of the EU?
There was a Microsoft email server legal case for Ireland that didn't go well
https://en.wikipedia.org/wiki/Microsoft_Corp._v._United_Stat...
Yeh I was curious how it was different - I thought MS did a similar thing of getting T-mobile to operate its EU cloud.
If it breaks the law in the EU, then the European employees staffing the data center refuse, because they don't want to go to jail or pay fines.
That's the entire point of setting it up like this.
Think of it like fast-food franchises. They have to sell the same food and use the same branding and charge the same prices. But if McDonald's tells you to start selling cocaine on the side, you tell them nope, that's not in the contract and I don't feel like going to prison.
Edit: what on earth is with the downvotes? I'm just explaining how it works. I'm not even expressing an opinion or anything.
What if the software is developed and potentially backdoored in the US and deployed by the EU team in the sovereign region? Or did they rewrite the entire AWS stack?
If the EU employees can look around the code, it would then get quite interesting if they were to point out a backdoor, which they would of course raise with an EU based CERT. In a way that protects US customers as well, having a set that can't be stopped from doing that.
Assuming EU employees get to see the sources, let alone own their building process.
I don't think there are any protections against that. On the other hand, you'd have to ask yourself how realistic it is that the US is forcing Amazon to secretly backdoor its own software for US spying abroad? I can't give an answer on that one, you'll have to form your own opinion.
I imagine that if a back door were ever discovered, AWS's reputation would tank so hard that a lot of companies would probably never do business with it again.
> how realistic it is that the US is forcing Amazon to secretly backdoor its own software for US spying abroad?
probably 100%?
Maybe you missed when Microsoft blocked the email account of the chief prosecutor of the international court of justice: https://www.heise.de/en/news/Criminal-Court-Microsoft-s-emai...
Of course these services are backdoored. You really sound like a useful idiot.
I would love to see a US specific version of this as well. Something similar to GovCloud with the same security controls and employee vetting but accessible to commercial customers.
Why is this valuable?
Critical infrastructure. The US has a history of forcing their way into many parts of it [1] and we know they use it for leverage whenever it's suitable. Furthermore, if you control the information flow of a system, then decision making based on that information becomes dependent on those who control it.
[1] https://www.radiofrance.fr/franceculture/guerre-economique-c...
Government contracts
Yeah.... no thx. Hard voice against it and anything that comes from the US. There is tons of stuff that is genuinely cool, we got tons of stuff it would be barbaric to spit in the soup.
However I'm pretty sure at this point that even the GAFAM are tired of this situation and that they don't care if giants their size show up in Europe. I'm genuinely thinking that what is also happening with AI (eg : free knowledge drop) is some kind of mechanism to allow those new giants to emerge in other places than US.
Being the bright star that takes all the broken stuff on the head is not always the smartest move - at some point if you are blocking everything from showing up just because you exist, you are just slowly creating conflict against you - which I'm pretty sure the GAFAM are not interested in.
I'm pretty sure there is a lot of power dynamic shift happening just now, AI bubble is just a tool that permits it -- the amount of startups that are allowed to launch on the simplest product is crazy --
tldr : creating incumbents then beating them is a display of power ; not caring is a display of power, having too much money is a display of power, being blocked due to political and social movement is weakening the velocity of these entities - I'm pretty sure atp that creating new giants in Europe would help them more than to continue in what appears like a colonialist endeavor - which they probably don't like either (they just want to market and win)
Idk I might be extrapolating like a mad man
EU does not seem happy about outsourced tech platforms
https://cybernews.com/news/europe-internet-control-sovereign...
This is about as grifty and mckinseyian as the AI Data Centres in space hype.