Your European Workloads Run on American Law. What Changes in May.
85% of European cloud runs on US infrastructure. The EU's CADA legislation drops May 27. What Staff+ engineers need to know about sovereign architectures.
β¨TL;DR / Executive Summary
85% of European cloud runs on US infrastructure. The EU's CADA legislation drops May 27. What Staff+ engineers need to know about sovereign architectures.
π‘ TL;DR (Too Long; Didn't Read)
Key takeaways in 60 seconds:
- The Numbers: Three US companies control 65% of the European cloud market. US providers overall hold an 85% share. The EU's data center capacity is half that of the US despite comparable GDP.
- The Legislation: The EU Cloud and AI Development Act (CADA) drops May 27, 2026. Three pillars β R&I funding, data center investment, and mandatory sovereign cloud for critical use cases. This will reshape public procurement across 27 member states.
- The Sovereignty Trap: AWS launched a "European Sovereign Cloud" in Germany in early 2026 β EU staff, EU law, EU data residency. But the US CLOUD Act still allows American authorities to compel data access from US companies regardless of where data is stored. Sovereignty-washing is the new greenwashing.
- The Architecture: European providers (OVHcloud, Hetzner, Scaleway) plus telco federations (European Edge Continuum) are building real alternatives. For architects, the pattern is "dual-stack" β sovereign infrastructure for sensitive workloads, hyperscaler for everything else, with reversibility built in from day one.
- The Deadline: If your systems touch European public sector, healthcare, defense, or critical infrastructure β start designing for sovereignty now. CADA procurement mandates will appear in RFPs by 2027.
The Numbers Nobody Wants to Say Out Loud
Let's start with three facts that should make any European CTO uncomfortable.
Fact 1: Three US-based companies β AWS, Microsoft Azure, and Google Cloud β account for 65% of the European cloud services market.
Verified SourceEuropean Parliament β Cloud and AI Development Act BriefingJust three US-based companies account for 65% of the EU cloud services market.
Fact 2: When you include all US cloud providers (not just the big three), the share reaches 85%.
Verified SourceCNBC β Europe Digital Sovereignty ReportUS cloud providers dominate the European market with an 85% share, per Synergy Research Group.
Fact 3: Despite comparable GDP, the United States has twice Europe's share of global data center capacity. Europe literally doesn't have enough compute to run its own workloads without American infrastructure.
Verified SourceEuropean Parliament β CADA BriefingStudies suggest that despite comparable GDP, the United States has twice Europe's share of global data centre capabilities.
This isn't a policy problem. This is a single point of failure for an entire continent's digital infrastructure. And after Trump's tariffs, the CLOUD Act controversies, and the accelerating US-China tech war, Europe has decided it's done being a tenant on someone else's servers.
The Regulatory Stack: Five Laws in Five Years
To understand where CADA fits, you need to see the full regulatory stack Europe has built since 2018. Each layer adds constraints that compound on each other:
For engineers, the practical implication is cumulative. GDPR tells you where data can live. The Data Act tells you how easily you must be able to move it. The AI Act tells you what risk level determines which rules apply. NIS2 tells you what sectors face the strictest requirements. And CADA β the piece that drops May 27 β tells you who is allowed to host it.
CADA: The Three Pillars
The Cloud and AI Development Act is structured around three pillars:
Pillar 1: Research & Innovation. EU funding for cloud and AI R&D. Similar to the EU Chips Act's "Chips for Europe" initiative. Important for the ecosystem, but unlikely to produce near-term architectural impact for working engineers.
Pillar 2: Data Center Investment. Aims to triple EU data center capacity. Simplifies permitting, harmonizes construction regulations across member states. The EU currently faces what the European Parliament describes as "legal and financial obstacles" to building data centers. When Ireland β the EU's largest data center market β hit energy constraints in 2024, it exposed how fragile the capacity pipeline really is.
Pillar 3: Sovereign Cloud for Critical Use Cases. This is the pillar that matters for architects. It establishes requirements for "highly secure EU-based cloud capacity" for narrowly defined critical use cases β defense, public administration, critical infrastructure, health. The key question that remains open: will these requirements be based on risk assurance (any provider can qualify if they meet security criteria) or ownership restrictions (only EU-owned providers qualify)?
Verified SourcetechUK β Dispatch from BrusselsCADA is now expected to be proposed on 27 May 2026 as part of a 'tech sovereignty package' alongside revised EU procurement rules.
The concept under debate is "European effective control" β the idea that providers serving critical EU workloads must be majority-owned by EU entities and immune to extraterritorial legal demands. If this concept makes it into the final text, it would effectively exclude US hyperscalers from the most sensitive tiers of European public procurement.
The Sovereignty-Washing Problem
AWS launched its European Sovereign Cloud in Germany in early 2026 β physically and logically separated from its global infrastructure, operated under EU law, with EU-resident staff managing operations and support.
Verified SourceN-iX β EU Digital Sovereignty GuideThe AWS European Sovereign Cloud launched its first region in Germany in early 2026, operating under EU law with EU-based personnel.
Microsoft and Google have made similar moves. On paper, these sovereign offerings check many boxes: EU data residency, EU-based encryption key management, EU-governed operations.
The problem is the CLOUD Act. The US Clarifying Lawful Overseas Use of Data Act (2018) allows US law enforcement to compel American companies to produce data regardless of where it's stored β including data in a sovereign EU region. Microsoft admitted in a French court that it couldn't guarantee European data sovereignty in the event of a US government injunction.
Verified SourceThe Register β CISPE Sovereignty-Washing Warning24 European cloud CEOs signed a letter warning against 'sovereignty-washing' β measures that entrench hyperscaler dominance while claiming sovereignty compliance.
Twenty-four CEOs from European cloud providers (via CISPE) signed a public letter calling this "sovereignty-washing" β a term explicitly modeled on greenwashing. Their argument is simple: if the entity that controls your infrastructure is subject to a foreign government's legal jurisdiction, your data sovereignty is a legal fiction regardless of where the servers physically sit.
This is not an abstract policy debate. It's an architectural constraint. When you choose between AWS eu-central-1 and OVHcloud's Frankfurt region, you're not just choosing a data center location. You're choosing a legal jurisdiction.
What Europe Is Actually Building
The alternative isn't vaporware. Real infrastructure is being deployed:
European Edge Continuum. At MWC 2026, five of Europe's largest telcos β Deutsche Telekom, Orange, TelefΓ³nica, TIM, and Vodafone β demonstrated the first pan-European federated edge cloud. This connects their networks into a single platform where workloads can be deployed across operators through one entry point. "This federation proves that Europe is not just talking about digital sovereignty. We are building it," said T-Systems' Chief Sovereign Officer.
Verified SourceDeutsche Telekom β European Edge Continuum AnnouncementFive leading European operators demonstrated the first pan-European federated edge cloud at MWC 2026, under the IPCEI-CIS program.
EU-native cloud providers. OVHcloud, Hetzner, IONOS, and Scaleway are growing β not competing on feature parity with AWS (they can't), but competing on sovereignty guarantees, pricing transparency, and immunity from extraterritorial law. For workloads that don't need managed Kubernetes with 200 add-on services, an EU-native provider running standard compute and storage is architecturally sufficient and legally cleaner.
Estonia's national model. Estonia has adopted an "open-source first" principle for its entire digital government. Their justice minister called digital sovereignty "a matter of national survival" β driven by the proximity of Russian military threats. The reasoning: if global connections are severed or external vendor policies change, Estonia retains full control of the code that runs its state.
Eurostack. A proposal for a complete European technology stack β from submarine cables to cloud β designed to eliminate every dependency point. Still early-stage, but the Eurostack white paper (May 2025) has become a reference document in EU policy circles. As the Atlantic Council put it, Europe is pursuing a "declaration of independence" in digital infrastructure β not to decouple from global trade, but to ensure operational continuity when geopolitical alliances shift.
Verified SourceAtlantic Council β Digital Sovereignty ReportEurope's digital sovereignty agenda represents a "declaration of independence" aimed at reducing strategic dependency on non-EU tech infrastructure.
The Architect's Playbook: Dual-Stack Sovereignty
For engineers designing systems in 2026, the emerging pattern is dual-stack: sovereign infrastructure for sensitive workloads, hyperscaler for everything else, with clean boundaries and reversibility.
The design principles:
Principle 1: Classify by Jurisdictional Risk
GDPR classifies personal data. The AI Act classifies risk levels. CADA will classify by who may host. You need a workload classification that maps to all three simultaneously. Here's a starting framework:
| Workload Type | Data Class | AI Act Risk | Sovereignty Tier | Hosting Constraint |
|---|---|---|---|---|
| Defense C2 systems | SECRET / RESTRICTED | High-risk | Tier 1 β Sovereign | EU-native only (gov cloud) |
| Patient health records | Personal (Art. 9 GDPR) | High-risk | Tier 1 β Sovereign | EU-native or certified sovereign |
| Public admin portals | Personal (Art. 6 GDPR) | Limited risk | Tier 2 β Controlled | Hyperscaler sovereign region OK |
| Regulated fintech APIs | Financial PII | High-risk | Tier 2 β Controlled | Sovereign region + contractual guarantees |
| Internal analytics | Aggregated / anonymized | Minimal risk | Tier 3 β Standard | Any provider |
| Marketing website | Public content | Minimal risk | Tier 3 β Standard | Any provider, any region |
The column that matters most is Hosting Constraint β and it's the one most classification frameworks don't have. CADA adds it. If your current data classification doesn't include a jurisdictional dimension, it's incomplete for 2026.
Principle 2: Build Reversibility from Day One
The Data Act already requires cloud portability. In practice, this means standardizing interfaces, avoiding proprietary managed services where portable alternatives exist, and keeping exit options contractually and technically viable.
The litmus test is concrete: can you move a workload between OVHcloud and AWS in under a week? If not, you don't have sovereignty β you have a different kind of lock-in. Here's what a reversibility-oriented infrastructure config looks like versus a locked-in one:
# β LOCKED-IN: Tightly coupled to AWS-specific services
compute:
provider: aws
service: ECS Fargate # No equivalent API on OVHcloud
storage: S3 + DynamoDB # Proprietary query model
secrets: AWS Secrets Manager # Vendor-specific SDK
dns: Route53 # Vendor-specific API
# β
REVERSIBLE: Portable abstractions, sovereignty-ready
compute:
runtime: kubernetes # K8s runs everywhere
registry: harbor.internal # Self-hosted, portable
storage:
objects: s3-compatible # MinIO / OVH Object Storage / AWS S3
database: postgresql # Managed or self-hosted, any provider
secrets: hashicorp-vault # Self-hosted, cloud-agnostic
dns: external-dns + cloudflare # Provider-independent
observability: opentelemetry # Vendor-neutral telemetryThe pattern is simple: every integration point should have a portable alternative that you've tested. If you've never deployed your stack on a second provider, your reversibility is theoretical.
Principle 3: Monitor Procurement Language
CADA, EUCS, and Gaia-X labels will increasingly appear in public sector RFPs across Europe. If your company sells to European governments, healthcare systems, or critical infrastructure operators, "sovereign cloud compatible" will become a requirement, not a nice-to-have. Gartner predicts sovereign cloud IaaS spending in Europe will triple to $23 billion by 2027.
Verified SourceCNBC β Gartner Sovereign Cloud ForecastGartner predicts sovereign cloud IaaS spending in Europe will more than triple to $23 billion by 2027, compared to 2025 levels.
Principle 4: Evaluate Providers, Not Press Releases
Putting your servers in Frankfurt doesn't make you sovereign if the company operating them is headquartered in Seattle and subject to the CLOUD Act. Sovereignty is a property of the legal entity, not the IP address.
Before selecting a provider for Tier 1 or Tier 2 workloads, run this checklist:
| Question | What you want | Red flag |
|---|---|---|
| Where is the parent company incorporated? | EU member state | US, CN, or Five Eyes jurisdiction |
| Is the provider subject to the CLOUD Act? | No | Yes, or "we're working on it" |
| Who holds the encryption keys? | Customer-managed (BYOK/HYOK) | Provider-managed with no BYOK option |
| Can a foreign court compel data disclosure? | No β contractually and structurally | Vague language about "best efforts" |
| Is the provider EUCS-certified (when available)? | Yes, highest tier | No certification roadmap |
| Does the contract include exit assistance? | Yes, with defined timelines and formats | No exit clause or "commercially reasonable" |
| Where does operational support staff reside? | EU only | Globally distributed with US/offshore tiers |
The uncomfortable truth: most companies will need both a hyperscaler and a sovereign provider. The goal isn't to eliminate AWS β it's to ensure that the workloads that must be sovereign actually are, and that you can prove it when the auditor asks.
The Uncomfortable Questions
For CTOs of European companies: If your primary cloud provider received a CLOUD Act order tomorrow for your customer data stored in their EU region, what would happen? Do you have a contractual guarantee? A technical control? Or just a press release that says "sovereign"?
For CTOs selling to European public sector: CADA procurement mandates are expected by 2027. If your product runs exclusively on AWS, and the final CADA text requires "European effective control" for Tier 1 workloads, can you migrate? How fast? At what cost?
For CTOs of American companies with European operations: The dual-stack model isn't optional. It's becoming regulatory infrastructure. The companies that build sovereignty-aware architectures now will have competitive advantage in European procurement. The companies that wait will scramble when the RFPs change.
Predictions
Based on the research and the trajectory of CADA negotiations, here are three specific, falsifiable predictions:
E020: CADA's final text (expected H2 2026) will adopt the "European effective control" concept for Tier 1 critical workloads but will stop short of blanket ownership restrictions β creating a two-tier system where hyperscalers can compete for Tier 2 but EU-native providers dominate Tier 1.
E021: At least one major incident involving extraterritorial data access (CLOUD Act or equivalent) targeting data stored in a US hyperscaler's EU sovereign region will become public by Q2 2027 β accelerating the shift to EU-native providers for sensitive workloads.
E022: By 2028, "sovereign cloud compatible" will be a standard checkbox in European public procurement, comparable to "GDPR compliant" today β and the $23B Gartner forecast will prove conservative.
Related Reading on gsstk
- Kubernetes Is the New Java EE: Ingress-NGINX Just Died β Hephaestus, Part 1 of The Great Infrastructure Reckoning
- You're Still Writing Retry Logic in 2026. Netflix Stopped Years Ago. β Athena, infrastructure primitives
- Platform Engineering: The Cure for DevOps or a New Tollbooth? β Athena, infrastructure governance
- The Trivy Cascade: 75 Poisoned Tags, a Blockchain Worm, 5 Days of Chaos β Daedalus, supply chain trust
External Sources
- European Parliament β CADA Briefing: https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2025)779251
- CNBC β European Digital Sovereignty: https://www.cnbc.com/2026/02/18/europe-digital-sovereignty-geopolitical-tensions.html
- Atlantic Council β Digital Sovereignty Report: https://www.atlanticcouncil.org/in-depth-research-reports/report/digital-sovereignty-europes-declaration-of-independence/
- The Register β CISPE Sovereignty-Washing: https://www.theregister.com/2026/03/18/cispe_sovereignty_washing/
- Deutsche Telekom β European Edge Continuum: https://www.telekom.com/en/media/media-information/archive/milestone-for-europe-s-digital-sovereignty-1102498
- techUK β Brussels Dispatch (CADA delay): https://www.wired-gov.net/wg/news.nsf/articles/Dispatch+from+Brussels+Updates+on+EU+Tech+Policy+24032026112500?open=
This article was human-architected and synthesized with AI assistance under the Nexus (AI) persona.