By Michał Puchała · 2026-06-16
How US law reaches the American tech you run in Europe
On 12 June 2026 a single US directive switched off an AI model for every foreign national. The shut-off is one of several levers US law holds over American technology used in Europe - from the CLOUD Act to sanctions. Here is how the machinery works, and what quietly removes it.

On the evening of 12 June 2026, a single US government letter switched off two commercial AI models for every foreign national on earth. The earlier post on this blog traced what happened and why it mattered: a working product withdrawn from non-Americans overnight, by directive, with no negotiation. That was one visible pull of one lever.
The more useful question is the quieter one. What are all the ways a US government can reach American technology you depend on in Europe, even when your data sits in a Frankfurt data centre and your contract is with a European subsidiary? The levers are not secret and not new. Understanding the machinery is what lets you plan around it calmly, before any of it points at your business.
Jurisdiction follows the provider, wherever the data sits
The principle most people get wrong is the one that matters most. Moving your data to a European data centre does not move it out of US reach if the company holding it is American. US legal reach attaches to the provider, not the location of the storage.
The clearest example is the CLOUD Act, passed in 2018. It requires US companies to hand over data in their "possession, custody, or control" when lawfully ordered, regardless of where in the world that data is stored. The US Department of Justice is open about this: the obligation rests on the company's nationality, not the server's address.
For a European customer, the practical consequence is simple. A German region of a US hyperscaler is still operated by a US company, and that company remains subject to US orders. The data residency promise is real for latency and for many GDPR obligations, but it does not change which government the provider ultimately answers to.
This is why a data-residency clause, on its own, settles less than it appears to. The contract can promise that your records never leave Europe and still leave the deciding authority in another country. The question that determines your exposure is whose courts the company must obey, and that can be a different country from the one hosting the disks.
Two ways in: quiet access and the loud shut-off
Once you see that reach follows the provider, the individual legal tools sort into two families. The first is access, and it is quiet. The CLOUD Act compels a provider to disclose data. Separately, Section 702 of the Foreign Intelligence Surveillance Act has long allowed US agencies to collect the communications of non-US persons held by US providers, with limited visibility for the people affected. Section 702 is currently contested in Congress and running on short extensions, which is a reminder that the scope of these powers is decided in Washington and can shift without reference to you.
The second family is the shut-off, and it is loud. Export controls and sanctions can withdraw a product or freeze an account outright. The Fable 5 directive was an export control. The same mechanism cut Huawei off from Android in 2019 and blocked developers in sanctioned countries from parts of GitHub. Sanctions reach further than many European firms assume: the US Treasury has penalised non-US companies whose services merely routed through US infrastructure or relied on US-origin software.
The two families share one root. The same jurisdiction can either read what flows through a US provider or switch that provider off. Both are routine legal instruments, used more than once, rather than exotic emergencies.
Why this is structural
None of this depends on who occupies the White House. The levers are built into how the system works, and they move quickly, by executive or agency action, with little notice and no requirement to consult the foreign customer. An administration friendlier to Europe still governs the same machinery, and the next directive can arrive on a few hours' notice.
This is the calm reading the earlier post argued for, and it holds here too. A supplier in another country answers to that country's government first, and noticing that is plain realism. European businesses have US customers, US partners, and good reasons to keep using American tools. The point is to know where the dependency sits before a decision made elsewhere turns it into a problem.
Speed is the part worth considering. A regulatory fine or a contract dispute gives you months and a process to work through. A directive of the kind that hit Fable 5 can take effect the same evening it is signed, and the first sign of it may be the product no longer working. That asymmetry, more than any single statute, is what makes a little planning ahead of time worth the small effort it costs.
What actually removes the lever
There are two honest answers, and they apply to different parts of your estate. For the capabilities you cannot afford to lose, a European provider moves the switch into European jurisdiction. The legal machinery still exists, but now it answers to courts and regulators you can actually reach, under GDPR rather than over the top of it.
For a great deal of what you run, open-source software removes the switch entirely. There is no vendor to receive a directive, no licence to revoke, and no foreign account that can be frozen. Schleswig-Holstein is the working example at scale: the German state is moving tens of thousands of public-sector workstations off Microsoft to Linux, LibreOffice and Thunderbird, citing digital sovereignty as the reason and a steady annual saving as the bonus. Open source is the calm default for everything that can run on it, not an act of protest.
Europe now has credible providers for most mainstream workloads - infrastructure, storage, managed databases, email and office tools - run by operators bound by EU law from the inside. The gaps are real and worth naming on the first call: some specialised managed services have no exact European equivalent yet, and a few will not for a while. An honest plan moves the regulated, business-critical core first and leaves the rest where it sits until a good European option exists.
The two answers combine well. European providers for the critical, regulated core; open source wherever it fits underneath. In each case you are either changing who holds the lever or removing it.
A short, calm exercise
You do not need a strategy to start. List the handful of capabilities your business genuinely cannot run without for a week. Note which of them sit with a single US-jurisdiction vendor, and for each one ask a plain question: if access changed next week, what is the fallback, and how long would moving actually take? The exercise usually takes an afternoon, and most of the answers turn out to be reassuring once they are written down rather than assumed.
Most of your stack will not need to move, and that is a fine outcome to reach deliberately. The few capabilities that have no fallback are the ones worth knowing about now, while this is a planning exercise rather than an emergency. Running the same assessment after access has already changed is neither cheap nor calm.