Your production database runs in eu-west-1. Your S3 buckets are pinned to Frankfurt. Your Azure tenant is set to West Europe and your Google Cloud project is anchored in Belgium. On the architecture diagram, every byte of customer data sits inside the European Union. And if a US federal prosecutor decides they want it, none of that matters.

This is the part of the cloud sovereignty conversation that most CTOs only half-believe until they read the legislation. The belief that picking an EU region inside a US hyperscaler resolves your GDPR exposure is one of the most widespread and most consequential misconceptions in European enterprise IT in 2026. It does not. It never did. And the legal gap between what your architecture diagram shows and what your contractual obligations actually require has only widened over the last eighteen months.

This article explains, in plain terms, why an EU region is not the same as EU jurisdiction, what the CLOUD Act actually compels, why Schrems II makes the conflict structural rather than political, and the single question every CTO should be asking before another quarter goes by.

What the CLOUD Act actually says

The Clarifying Lawful Overseas Use of Data Act was signed into US law in March 2018. It is a short piece of legislation with a long reach. In substance, it requires a provider of electronic communication or remote computing services that is subject to US jurisdiction, which includes any company incorporated in the United States, to preserve and disclose data in its possession, custody, or control when a US court orders it to, regardless of where in the world that data is physically stored.

There are three details in that sentence that matter, and they matter individually.

The first is “incorporated in the United States.” This is a test of corporate nationality, not infrastructure location. The statute's trigger is being subject to US jurisdiction; a US-incorporated entity always is, and a foreign entity with substantial US operations can be. Amazon Web Services, Inc., Microsoft Corporation, and Google LLC are all US-incorporated. Their European subsidiaries (Amazon Web Services EMEA SARL in Luxembourg, Microsoft Ireland Operations Limited, Google Ireland Limited) are wholly owned by those parents and sit inside the same jurisdictional envelope: a parent that controls a subsidiary's data can be ordered to produce it. Legal opinions issued by several European data protection authorities since 2020 have concluded that the CLOUD Act reaches through these subsidiaries to data they hold on behalf of European customers.

The second is “possession, custody, or control.” A US-incorporated cloud provider has control over the data running on its infrastructure even when the physical disks are in Hesse. The act does not require the data to be in the United States. It does not even require the data to ever have touched US infrastructure. Control is sufficient.

The third is the absence of any requirement for an EU court order, an EU mutual legal assistance treaty process, or notification to the data subject. A warrant or order issued by a US court under the Stored Communications Act can be served on the parent company at its US headquarters, and the provider must comply. The Act's own comity mechanism lets the provider, not the customer, move to quash, and only where the customer is not a US person and the United States has a CLOUD Act executive agreement with the country whose law the disclosure would break. The data subject, your customer, your patient, your employee, gets no notice and has no standing to object.

There is no region setting that fixes this. Provider-managed encryption does not fix it either, because if the provider holds the keys, the provider can be compelled to use them. Only keys generated and held outside the provider's control change what a compelled disclosure yields: ciphertext instead of plaintext.
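To make the key-custody point concrete, here is an added example in Go using only the standard library; it is not code from the original article or from any cloud provider. It models envelope encryption the way client-side encryption tooling typically does: each object gets its own data key, that key is wrapped under a key-encryption key (KEK), and what the provider stores is the ciphertext plus the wrapped key. A modelled compelled disclosure then hands over everything in the provider's holdings. When the KEK sits in a provider-managed KMS it is part of those holdings and plaintext comes out; when the KEK lives in a customer-controlled HSM, the same request against the same stored object yields only ciphertext. The object ID, the sample record, and the names EncryptForStorage, Decrypt and CompelledDisclosure are this example's own assumptions, not any provider's API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is everything the provider holds for one object: the AES-256-GCM
// ciphertext plus the per-object data key wrapped under a KEK. The KEK is absent.
type StoredObject struct {
	ObjectID              string
	Nonce, Ciphertext     []byte // payload nonce and ciphertext
	WrapNonce, WrappedKey []byte // wrap nonce and the data key sealed under the KEK
}

// gcm builds an AES-GCM AEAD for a key whose length the caller has already checked.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return b
}

// EncryptForStorage is the customer-side step. The KEK wraps a fresh per-object
// data key and is never written into the result. The object ID is bound as
// associated data so a wrapped key cannot be transplanted onto another object.
func EncryptForStorage(kek, plaintext []byte, objectID string) (StoredObject, error) {
	if len(kek) != 32 {
		return StoredObject{}, errors.New("KEK must be 32 bytes")
	}
	dek, aad := randomBytes(32), []byte(objectID)
	nonce, wrapNonce := randomBytes(12), randomBytes(12)
	return StoredObject{
		ObjectID:   objectID,
		Nonce:      nonce,
		Ciphertext: gcm(dek).Seal(nil, nonce, plaintext, aad),
		WrapNonce:  wrapNonce,
		WrappedKey: gcm(kek).Seal(nil, wrapNonce, dek, aad),
	}, nil
}

// Decrypt needs the KEK: without it the data key cannot be unwrapped and the
// ciphertext stays opaque.
func Decrypt(kek []byte, obj StoredObject) ([]byte, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes")
	}
	aad := []byte(obj.ObjectID)
	dek, err := gcm(kek).Open(nil, obj.WrapNonce, obj.WrappedKey, aad)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: KEK wrong or bound to another object")
	}
	return gcm(dek).Open(nil, obj.Nonce, obj.Ciphertext, aad)
}

// CompelledDisclosure returns what a requester gets: everything in the provider's
// holdings. With the KEK among them (provider-managed keys) that is plaintext;
// with a KEK the provider never had (nil here) it is only the ciphertext.
func CompelledDisclosure(store map[string]StoredObject, providerKEK []byte, objectID string) (data []byte, plaintext bool) {
	obj, ok := store[objectID]
	if !ok {
		return nil, false
	}
	if pt, err := Decrypt(providerKEK, obj); err == nil {
		return pt, true
	}
	return obj.Ciphertext, false
}

func main() {
	record := []byte("patient 4711: HbA1c 7.2%") // constructed sample record
	kek := randomBytes(32)                       // assumed to live in the customer's own HSM
	obj, err := EncryptForStorage(kek, record, "eu-central/records/4711")
	if err != nil {
		panic(err)
	}
	store := map[string]StoredObject{obj.ObjectID: obj}
	// Scenario A: provider-managed KMS, so the KEK is within the provider's control.
	out, pt := CompelledDisclosure(store, kek, obj.ObjectID)
	fmt.Printf("provider-managed KEK: plaintext=%v %q\n", pt, out)
	// Scenario B: same object, same request, but the KEK never left the customer.
	out, pt = CompelledDisclosure(store, nil, obj.ObjectID)
	fmt.Printf("customer-held KEK:    plaintext=%v (%d opaque bytes)\n", pt, len(out))
}
```

Two caveats a practitioner would add. First, this changes what a disclosure yields, not whether one can be compelled: the provider still holds, and can still be ordered to produce, the ciphertext and the metadata around it (object names, sizes, access logs). Second, it only holds if the KEK genuinely never transits the provider; importing your own key into a provider-managed KMS ("bring your own key") puts it back inside the provider's possession, custody, or control.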

Why Schrems II makes this structural

In July 2020, the Court of Justice of the European Union issued its ruling in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Case C-311/18), universally referred to as Schrems II. The court invalidated the EU-US Privacy Shield framework, which had been the legal basis for the bulk of transatlantic personal data transfers up to that point.

The court’s reasoning is the part that matters here. It found that US surveillance law (specifically Section 702 of FISA and Executive Order 12333) grants US intelligence agencies access to data held by US companies that goes beyond what is strictly necessary and proportionate under EU law, and that affected individuals have no effective judicial remedy in the United States. In the court’s view, this is structurally incompatible with the protections that GDPR guarantees to people in the EU. Not politically inconvenient. Structurally incompatible.

Successor frameworks have come and gone. The EU-US Data Privacy Framework, adopted in July 2023, has already drawn legal challenges on substantially the same grounds. As of 2026, the underlying conflict is unresolved. European data protection authorities, the European Data Protection Board, and the European Commission’s own Cloud Sovereignty Framework, published in October 2025, all proceed from the assumption that data held by US-controlled providers carries a residual transfer risk that contractual clauses alone cannot eliminate.

The practical consequence is that if a regulator, a client, or an auditor asks you to demonstrate that personal data on your AWS or Azure tenant is processed in compliance with GDPR’s transfer requirements, the honest answer in 2026 is that you are relying on a position the European judiciary has already rejected twice (Safe Harbour in 2015, Privacy Shield in 2020) and is being asked to reject a third time.

What the hyperscalers actually say

To their credit, AWS, Microsoft, and Google do not pretend the CLOUD Act does not apply to them. Their public statements acknowledge it, and all three publish transparency reports disclosing the volume of government requests they receive. Microsoft has gone furthest: it litigated a US warrant for email stored in its Dublin data centre all the way to the US Supreme Court, a case the CLOUD Act was passed to moot in 2018, and it has stated publicly that it will challenge overreaching demands in court. AWS and Google have made similar commitments.

For some workloads, this is a reasonable risk posture. For regulated workloads, it is not. The argument “we would challenge an unlawful request” is an argument about willingness, not capability. The CLOUD Act gives US courts the power to compel disclosure, and a provider that loses its challenge must comply. For a financial services firm under DORA, a healthcare provider under national health data laws, or a public sector body procuring under sovereignty rules, the acceptable level of residual risk is not “low.” It is zero. A non-zero probability of compelled disclosure to a foreign jurisdiction is itself a compliance failure, regardless of how many times the provider has historically pushed back.

This is why “trust us, we’d fight it” does not survive a serious procurement review in 2026. The question is not whether the provider is well-intentioned. The question is whether the provider can be compelled, and the legal answer is yes.

The one test every CTO should apply

Strip away the marketing material, the certifications, the regional configuration, and the SLA language, and the test is one sentence long.

Is your cloud provider’s parent company incorporated in the United States?

If the answer is yes, the CLOUD Act applies. The location of the data centre is irrelevant. The encryption story is irrelevant unless the keys are generated and held outside the provider’s control, so that what the provider can be compelled to hand over is ciphertext. The contractual undertakings are irrelevant because no contract overrides primary US law. You are exposed, and your GDPR transfer position rests on a legal interpretation that the Court of Justice of the European Union has already struck down twice.

If the answer is no, meaning the parent company is incorporated under EU law, governed by EU courts, and not owned through any chain that exposes it to foreign jurisdiction, then you are in a different conversation entirely.

What genuine protection looks like

The credible EU-native providers in 2026 are a short list, and a CTO no longer has to choose between sovereignty and capability. OVHcloud, headquartered in France, is the largest EU-headquartered cloud provider and a Gaia-X founding member. T Cloud Public, operated by T-Systems out of Germany, holds BSI C5 certification and is a common landing zone for regulated industries. STACKIT, backed by the Schwarz Group, has been the fastest-growing EU-native provider through 2025 and 2026 and is likewise BSI C5 certified. Scaleway, owned by the Iliad Group, offers some of the most competitive GPU and AI inference pricing in the European market.

Each of these providers is incorporated under EU law, governed by EU courts, and not subject to the CLOUD Act through a US parent. That does not make any of them automatically the right answer for your workload, since provider selection is a question of fit, regulatory bracket, and operational maturity, but it does put them inside the conversation you should actually be having.

For a workload-by-workload comparison of these four providers and specific recommendations by industry, compliance requirement, and workload type, see OVHcloud vs STACKIT vs T Cloud Public vs Scaleway: Which EU Sovereign Cloud Fits Your Workload?.

For a structured comparison of these providers, the workloads to migrate first, realistic timelines, and the questions to ask before signing anything, see our pillar guide: EU Sovereign Cloud Migration: A CTO’s Guide (2026).

How Looming Tech can help

Looming Tech is an EU-headquartered technology company, registered in Bulgaria, with a UK office and 50+ engineers. We are part of the Eastvantage Group and a registered partner with OVHcloud, STACKIT, Scaleway, and T Cloud Public. We help European enterprises assess CLOUD Act exposure, classify workloads by sensitivity, and plan migrations to genuinely sovereign infrastructure. If your board, your legal team, or your clients have started asking the question this article opens with, we are happy to have a no-commitment conversation.

Talk to our team →