FEATURE Europe’s quest for digital sovereignty is hampered by a 90 per cent dependency on US cloud infrastructure, claims Cristina Caffarra, a competition expert and a driving force behind the Eurostack initiative.

While Brussels champions policy initiatives and American tech giants market their own ‘sovereign’ solutions, a handful of public authorities in Austria, Germany, and France, alongside the International Criminal Court in The Hague, are taking concrete steps to regain control over their IT.

These cases provide a potential blueprint for a continent grappling with its technological autonomy, while simultaneously revealing the deep-seated legal and commercial challenges that make true independence so difficult to achieve.

The core of the problem lies in a direct and irreconcilable legal conflict. The US CLOUD Act of 2018 allows American authorities to compel US-based technology companies to provide requested data, regardless of where that data is stored globally. This places European organizations in a precarious position, as it directly clashes with Europe's own stringent privacy regulation, the General Data Protection Regulation (GDPR).

This creates a risk that is difficult, if not impossible, to mitigate contractually. Any private contract between a European customer and a US cloud provider is ultimately subordinate to US federal law. A warrant issued under the CLOUD Act legally compels an American company to hand over data, overriding any contractual commitments of data residency or privacy.

Furthermore, these warrants often come with a gag order, legally prohibiting the provider from informing their customer that their data has been accessed. This renders any contractual clauses requiring transparency or notification effectively meaningless. While technical measures like encryption are often proposed as a solution, their effectiveness depends entirely on who controls the encryption keys. If the US provider manages the keys, as is common in many standard cloud services, they can be forced to decrypt the data for authorities, making such safeguards moot.

The conflict between the CLOUD Act and European data protection law becomes a practical barrier through Article 35 of the GDPR, which mandates a Data Protection Impact Assessment (DPIA) before deploying any new technology that is "likely to result in a high risk to the rights and freedoms of natural persons."

When conducted for US hyperscaler services, these DPIAs invariably flag the CLOUD Act as a significant, often unacceptable, risk. This legal obligation is increasingly becoming the primary driver of public bodies to seek alternatives.

What Austria learned

Austria's Federal Ministry for Economy, Energy and Tourism is a case in point. The ministry recently completed a migration of 1,200 employees to the European open-source collaboration platform Nextcloud, but the project was not a migration away from an existing US cloud provider. It was a deliberate choice not to adopt one.

Unlike many organizations that rushed to adopt American cloud solutions during the COVID-19 pandemic, the Austrian ministry had more time to evaluate alternatives because it was still using Skype for Business. That breathing room proved critical.

Florian Zinnagl, the ministry's CISO, and Martin Ollrom, its CIO, led the project. The ministry processes not only employee data but also sensitive information from citizens and external businesses, making the DPIA risk assessment particularly critical. For Ollrom, the issue went beyond a single technology decision.

"This is not just about Microsoft. It's about a fundamental shift where Big Tech companies are moving all your data and operational control into their clouds," he tells The Register. "We in the IT department have been concerned for years about losing control over our own infrastructure."

The primary driver was not cost, but sovereignty. "It was never about saving money," Zinnagl adds. "It was about maintaining control over our own data and our own systems."

A three-month proof-of-concept on the ministry's own servers convinced the team that Nextcloud could deliver the functionality they needed. More importantly, it offered something Microsoft never could, according to the CISO: "We can see our input in Nextcloud releases. That is a feeling we never had with Microsoft," says Zinnagl.

The migration, completed in just four months, demonstrated that such projects can be executed swiftly. The Nextcloud solution turned out to be significantly cheaper, we're told, but the principle of maintaining control remained paramount.

The decision has triggered a ripple effect, as several other Austrian ministries have since begun implementing Nextcloud. For Zinnagl and Ollrom, this proves that one organization willing to take the first step can inspire others to follow.

Their advice to other European governments is clear: be brave, involve management, and start. "You don't achieve digital sovereignty overnight," Ollrom tells The Register. "You have to do this in many steps, but you have to start with the first step. Don't just talk about it, but execute it."

Yet the Austrian case also illustrates the practical limits of digital sovereignty. Nextcloud now serves as the primary collaboration platform for internal communication and file sharing, but Microsoft Teams has not been banned entirely.

Its use is strictly limited to external communication with parties that still rely on it, such as the European Commission. Even then, strict rules apply: no sensitive information may be discussed on Teams, and usage is kept to an absolute minimum. This hybrid approach reflects a pragmatic recognition that complete independence is not always immediately possible when external partners remain locked into US platforms.

The scale of Europe's technological deficit makes migrations like Austria’s daunting for most organisations. A recent analysis by the Australian Strategic Policy Institute found that of 64 crucial technologies, China leads in 57 and the United States in the remaining seven. Europe leads in none.

The Draghi report on European competitiveness, published in September 2024, similarly warned of Europe's growing dependence on foreign technology providers.

This stark reality underscores a broader vulnerability: Europe's digital infrastructure is almost entirely dependent on non-European providers. If a major American cloud provider were to restrict European access or cease operations, the consequences would be immediate and severe. This fragility has created a market opportunity that American hyperscalers are now exploiting.

The scale of the challenge is underscored by recent market analysis from analyst firm Forrester. It predicted that no European enterprise will shift entirely from US hyperscalers in 2026, citing geopolitical tensions, ongoing volatility, and the impact of new legislative acts like the EU AI Act as barriers to independence.

For Cristina Caffarra, founder of the Eurostack Foundation and a competition economist, Europe's predicament is both alarming and self-inflicted. She estimates that 90 percent of Europe's digital infrastructure (cloud, compute, and software) is now controlled by non-European, predominantly American, companies.

The issue, she argues, is not that Europe needs to eliminate American providers entirely, but that it has allowed its own market share to collapse to dangerous levels. In every other major region, procurement rules favour local providers. Europe, by contrast, operates under a default principle of open procurement that effectively mandates buying from anywhere. "We have rules that are so poorly designed they work against us," she said in an interview with The Register.

Caffarra's critique extends beyond procurement policy. She is scathing about Europe's regulatory response to Big Tech dominance, dismissing initiatives like the Digital Markets Act and antitrust cases as ineffective distractions.

While Brussels focuses on regulating consumer-facing services, the underlying infrastructure has been handed over entirely. "What Europeans don't realize is that while they regulate e-commerce and app stores, the digital infrastructure on which everything rests is now owned by non-Europeans," she says.

Her proposed solution, embodied in the Eurostack Foundation, is not more regulation but an industrial strategy focused on three pillars:

First, buy European: procurement rules must prioritize European providers for critical infrastructure, as is standard practice in the United States and Asia.

Second, build European: the private sector must invest in developing European alternatives, rather than relying on subsidies or waiting for government intervention.

And third, fund European: a dedicated fund should support the development of Europe's technology stack, with public bodies acting as launching customers to create initial demand and prove viability.

The goal, she emphasizes, is not autarky or protectionism, but resilience. Europe does not need to achieve complete independence from American technology, but it does need to reclaim a meaningful share of its own market. "Can we please have 30 to 40 percent for ourselves?"

For Caffarra, the path forward requires a fundamental shift in mindset: from talking to building, from regulating to investing, and from passivity to action. Europe cannot rely on Brussels to deliver this transformation. The market must build it, but governments must create the conditions, through procurement preferences and initial funding, that make it viable.

European alternatives do exist. Platforms like Nextcloud, OVHcloud, Collabora, and others offer genuine sovereignty. Yet for many organizations, distinguishing real alternatives from false promises has become increasingly difficult.

American hyperscalers have recognized the market demand for sovereignty and now aggressively market 'sovereign cloud' solutions, typically by placing datacenters on European soil or partnering with local operators. Critics call this ‘sovereignty washing’.

Caffarra warns that this does not resolve the fundamental problem. "A company subject to the extraterritorial laws of the United States cannot be considered sovereign for Europe," she says. "That simply doesn't work." Because, as long as the parent company is American, it remains subject to the CLOUD Act.

For Caffarra, this trend is dangerously reminiscent of Gaia-X, a previous flagship initiative for a federated European cloud. "The intention behind Gaia-X was good," she says. "The problem was that American companies lobbied to be included. Once Microsoft, Google, and AWS were inside Gaia-X, the initiative lost its purpose.". In her opinion: "That is why it failed."

The project was, she argues, undermined from within by the very forces it sought to provide an alternative to. Today, "sovereignty-washing" represents a more sophisticated version of the same tactic: coopting the language of autonomy to entrench dependency.

Beyond sovereignty to true tech independence

Yet Europe's vulnerability extends beyond marketing tactics. Even when organizations make deliberate choices in favour of European providers, those decisions can be undone by market forces. A recent acquisition in the Netherlands illustrates this risk. In November 2025, the American IT services giant Kyndryl announced its intention to acquire Solvinity, a Dutch managed cloud provider.

This came as an “unpleasant surprise” to several of its government clients, including the municipality of Amsterdam and the Dutch Ministry of Justice and Security. These bodies had specifically chosen Solvinity to reduce their dependence on American firms and mitigate CLOUD Act risks.

Solvinity manages critical national infrastructure, including the Netherlands' citizen authentication system and government service portal. The acquisition places these systems squarely within the potential reach of US authorities. The case demonstrates that even a deliberate choice for a local provider offers no guarantee of long-term sovereignty when that provider can be acquired by a US-based entity, exposing a critical flaw in Europe's strategy that cannot be solved by procurement alone.

Yet despite these structural challenges and the risks they pose, a growing number of public bodies are demonstrating that a different path is possible. Driven by the legal imperatives of the GDPR and mounting concerns about data access, organizations across Europe are taking concrete moves toward genuine sovereignty. The International Criminal Court (ICC) in The Hague announced in November 2025 it was replacing its Microsoft office software with a European alternative.

The decision to adopt OpenDesk, an open-source office and collaboration suite delivered by the German Centre for Digital Sovereignty (ZenDiS), was seen as a direct response to political pressure from the United States, which has sanctioned ICC employees in the past. The move was reportedly catalyzed by an incident in which chief prosecutor Karim Khan was temporarily locked out of his Outlook email account.

The new system, supported by the German government, bundles services from European providers like Nextcloud and Collabora, and involves the Dutch national health institute RIVM. It is a powerful example of an international institution, located in the heart of Europe, pushing back against hyperscaler dominance.

This trend is visible across the continent. In Germany, the state of Schleswig-Holstein is undertaking an even more ambitious project to replace Microsoft products with open-source alternatives for its 30,000 civil servants. The state began its migration in March 2024 and has already transitioned 24,000 employees to LibreOffice, Nextcloud, Open Xchange, and Thunderbird.

The project has since inspired broader European collaboration. In July 2025, Germany, France, Italy, and the Netherlands established the European Digital Infrastructure Consortium for Digital Commons to jointly develop and scale sovereign digital tools like OpenDesk.

In France, the Ministry of Economics and Finance recently completed NUBO, an OpenStack-based private cloud initiative designed to handle sensitive data and services. These cases illustrate that while a complete break from US hyperscalers may seem unrealistic, as Forrester predicts, targeted migrations for specific, high-risk applications are not only possible but are actively being pursued. They represent a grassroots movement, driven by legal obligations and a growing desire for autonomy.

For these individual successes to scale into a continent-wide shift, however, structural barriers must be addressed. The path to digital sovereignty is not a single, grand gesture but a series of deliberate, often difficult, choices. The examples from Austria, France, and the ICC show that the journey begins with a single, courageous step, often prompted by the mundane reality of a data protection assessment.

They prove that alternatives exist and that the benefits extend beyond mere compliance. Yet, the case of Solvinity in the Netherlands serves as a stark warning that procurement alone is not enough; without mechanisms to protect European champions from foreign acquisition, any progress can be undone overnight.

For Europe, the question is no longer whether it should pursue digital sovereignty, but whether it has the collective will to stop talking, start building, and, most importantly, distinguish real autonomy from clever marketing.

Caffarra frames the challenge starkly: "Imagine if Americans woke up one morning to discover that 90 percent of their digital infrastructure was owned by Europeans. Would they regulate? Or would they march to the White House and demand action: 'Let's build'?" ®