Why European Companies Are Migrating Away From US Cloud Giants — And What Comes Next

For over a decade, European organisations have built their digital operations on American foundations. Amazon Web Services, Microsoft Azure, and Google Cloud collectively control more than 70% of the European cloud market, according to Synergy Research Group — while all European providers combined hold just 15%. That dependency was once seen as a pragmatic trade-off. Increasingly, it's viewed as a strategic liability.

Across the continent, a quiet but consequential migration is underway. Public institutions, regulated enterprises, and mid-sized companies are reassessing their reliance on US-controlled infrastructure. The drivers aren't abstract: they're legal, regulatory, and — since early 2025 — increasingly geopolitical.

The Legal Fault Line: CLOUD Act vs. GDPR

At the heart of the issue is an unresolved conflict between two legal frameworks that directly contradict each other.

The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act), passed in 2018, grants American law enforcement the power to compel US-headquartered companies to hand over data — regardless of where that data is physically stored. If your organisation uses AWS, Azure, or Google Cloud, your data in Frankfurt or Amsterdam is technically within reach of a US warrant.

This collides head-on with GDPR Article 48, which prohibits transfers of personal data to third-country authorities absent an international agreement. The CLOUD Act is not such an agreement. As a comprehensive analysis by Kiteworks puts it: "The US CLOUD Act creates an irreconcilable conflict between US provider legal obligations and European data sovereignty law."

This isn't theoretical. The CJEU's landmark Schrems II ruling invalidated the EU-US Privacy Shield on precisely this basis. And while the EU-US Data Privacy Framework offered a temporary reprieve, its foundations remain fragile — in early 2025, the Trump administration removed three of five members of the US Privacy and Civil Liberties Oversight Board, the body responsible for overseeing the framework's intelligence commitments.

The problem is compounded by the fact that CLOUD Act demands frequently carry non-disclosure orders — the US provider may be legally prohibited from informing the European customer whose data is being accessed. An organisation could be in ongoing breach of GDPR without ever knowing a demand has occurred.

For companies handling sensitive information — trade secrets, patient records, financial data — this isn't an academic concern. It's a material business risk that procurement, legal, and compliance teams are increasingly required to assess and document. As Exoscale's analysis notes, "the real issue is jurisdictional control, not just where the servers are."

The Regulatory Wave: NIS2, DORA, and the EU Data Act

The CLOUD Act conflict alone might have remained a background concern. But a wave of new EU regulation is forcing organisations to take concrete action.

NIS2 (Network and Information Security Directive 2), which entered into force in October 2024, imposes cybersecurity risk management obligations across critical sectors — energy, transport, health, digital infrastructure, and more. Organisations must now assess and document third-party ICT risks, including those arising from provider jurisdiction.

DORA (Digital Operational Resilience Act), applicable since January 2025, goes further for financial services. It requires banks, insurers, and fintechs to evaluate concentration risk from ICT providers and maintain documented exit strategies. Relying on a single US hyperscaler is now explicitly treated as a risk that boards must address. The ECB's July 2025 Guide on outsourcing cloud services reinforces this, emphasising risk-based assessment of providers' legal exposure.

The EU Data Act, fully applicable since September 2025, mandates interoperability and switching capabilities between cloud providers — making it practically and legally easier to move workloads away from incumbent platforms.

Together, these frameworks create a compliance environment where sticking exclusively with US hyperscalers requires more justification, more documentation, and more risk acceptance than ever before.

The Scale of the Dependency

The numbers underscore how deep the dependency runs. According to CNBC's analysis of Synergy Research data, the European cloud market reached €61 billion in 2024 and is projected to grow another 24% in 2025. European providers tripled their revenues between 2017 and 2024 — but the market grew sixfold in the same period, meaning their share actually halved from 29% to 15%.

Amazon, Microsoft, and Google now operate over 140 hyperscale data centres in Europe and invest roughly €10 billion per quarter in European infrastructure. SAP and Deutsche Telekom, Europe's largest cloud providers, hold just 2% of the market each. Cristina Caffarra of the Eurostack Foundation estimates that 90% of Europe's digital infrastructure — cloud, compute, and software — is now controlled by non-European, predominantly American, companies.

Beyond the competitive imbalance, there's an economic argument: every euro spent on US hyperscalers is revenue that leaves the European ecosystem. By shifting even a portion of workloads to local providers, more capital stays within the EU, supporting homegrown innovation and employment in a sector that Europe desperately needs to grow.

Real Migrations, Not Just Rhetoric

The shift isn't confined to policy papers. Concrete migrations are happening across Europe.

Austria's Federal Ministry for Economy, Energy and Tourism moved 1,200 employees to Nextcloud — the European open-source collaboration platform — in just four months. Germany's Schleswig-Holstein has migrated 24,000 civil servants from Microsoft products to LibreOffice, Nextcloud, Open Xchange, and Thunderbird. In France, the Ministry of Economics and Finance completed NUBO, an OpenStack-based private cloud for sensitive data.

The International Criminal Court in The Hague replaced its Microsoft office software with OpenDesk, an open-source suite developed by the German Centre for Digital Sovereignty — a decision catalysed after the chief prosecutor was reportedly locked out of his Outlook account amid US political pressure.

In the private sector, European cloud providers Exoscale and Elastx reported a surge in enquiries from organisations looking to abandon US providers in early 2025. The Dutch parliament voted across party lines to reduce dependency on US tech companies. And in July 2025, Germany, France, Italy, and the Netherlands established the European Digital Infrastructure Consortium to jointly develop sovereign digital tools.

The Sovereignty Illusion: Why "EU Data Centres" Aren't Enough

US hyperscalers have responded with "sovereign cloud" offerings — AWS Sovereign Cloud, Microsoft's EU Data Boundary, Google's Sovereign Controls. These products store and process data within EU borders, and they satisfy many use cases.

But they don't resolve the jurisdictional problem. As long as the provider is headquartered in the US, the CLOUD Act still applies. A recent court testimony in France saw Microsoft's legal director concede under oath that the company could not guarantee French citizens' data would never be transmitted to US authorities.

Cristina Caffarra, founder of the Eurostack Foundation, has described this pattern as "sovereignty-washing" — co-opting the language of autonomy to entrench dependency. It echoes the fate of Gaia-X, the EU's earlier federated cloud initiative, which Caffarra argues was undermined from within after US companies lobbied to be included.

The distinction matters: data residency means your data is stored within a geographic border. Data sovereignty means it is subject only to the laws of that jurisdiction. For organisations in regulated industries, only the latter provides genuine protection.

A Pragmatic Path Forward

None of this means European companies should — or realistically could — abandon US cloud providers overnight. Forrester's 2026 European Predictions report concluded that no European enterprise will fully disentangle from US hyperscalers this year, citing operational, economic, and technical constraints.

But "complete independence" was never the realistic goal. What's emerging instead is a more nuanced approach: identifying which workloads carry genuine sovereignty risk, migrating those to European or open-source alternatives, and maintaining US hyperscaler services where the risk profile is acceptable. The European Commission's own Cloud Sovereignty Framework, published in October 2025, provides a graded scoring system for exactly this kind of assessment.

For mid-sized companies in regulated industries — healthcare, finance, legal services — this isn't a future concern. NIS2, DORA, and the Data Act are already in force. Regulators are watching. And the question isn't whether to act, but how to act strategically: which systems carry the highest sovereignty risk, which European providers can handle the workload, how to manage the transition without disrupting operations, and how to build a multi-cloud architecture that balances pragmatism with compliance.

The European providers stepping into this space — OVHcloud, Scaleway, Hetzner, Nextcloud, Open Xchange, and others — are maturing rapidly. They may not match every hyperscaler feature, but for many workloads, especially those involving personal data, health records, or financial information, they offer something the US giants structurally cannot: immunity from extraterritorial US law.

At Cirran, we help European companies navigate this transition — from sovereignty audits and regulatory risk assessment to hands-on migration planning. If your organisation is evaluating its cloud strategy in light of these changes, get in touch for an initial assessment.