Why Digital Sovereignty Matters for European Companies
TL;DR: US law (the CLOUD Act) allows the US government to compel American companies to hand over data, even if that data is stored in Europe. Choosing an "EU region" on AWS or Azure doesn't change this. Real digital sovereignty requires an EU-incorporated provider, EU data residency, and the option to self-host. Without all three, your GDPR compliance depends on a legal framework whose two predecessors were already struck down by European courts.
Every European company that builds software faces the same uncomfortable question sooner or later: who actually controls your data?
You picked AWS, GCP, or Azure because the tooling is good and the ecosystem is vast. Then you discover that a foreign government can legally demand access to your (and your customers') data. That's not a theory or proposal. It's in place, right now.
This post explains why that's the case, what it means for your compliance posture, and what the alternative looks like.
The CLOUD Act Problem
The Clarifying Lawful Overseas Use of Data (CLOUD) Act was signed into US law in 2018. It compels US-headquartered companies to hand over data to US law enforcement, regardless of where that data is physically stored.
That means:
- Data on an AWS server in Frankfurt? Subject to a US warrant.
- Data on an Azure server in Amsterdam? Subject to a US warrant.
- Data on a GCP server in Zurich? Subject to a US warrant.
The CLOUD Act doesn't care about the geography of the hardware. It cares about the jurisdiction of the company that controls access to it. If the provider is incorporated in the US, US law applies to all data in its possession, custody, or control.
This isn't a theoretical edge case. It's operational reality for every company running on a US-headquartered cloud provider.
"EU Region" Does Not Mean EU Jurisdiction
Cloud providers are aware that European customers worry about this. That's why they advertise EU regions, EU data residency options, and "sovereign cloud" products. These sound reassuring. But they aren't.
The distinction matters: geography of storage is not the same as jurisdiction over access. An EU data center operated by a US company does not give you EU jurisdiction. It gives you US jurisdiction with EU hosting.
European courts understand this. The Court of Justice of the European Union (CJEU) invalidated the EU–US data transfer frameworks twice — Safe Harbor in 2015 (Schrems I) and Privacy Shield in 2020 (Schrems II) — precisely because US surveillance law doesn't provide protections equivalent to EU fundamental rights.
The current EU–US Data Privacy Framework (DPF), adopted in 2023, is already facing legal challenges. Whether it survives the next court challenge is an open question. Building your compliance strategy on the third iteration of a transfer framework whose two predecessors were struck down is a risk that could have drastic consequences for your business.
What Changes with GDPR, DORA, and NIS2
The regulatory environment is moving in one direction: more accountability for where data lives and who can access it.
| Regulation | What it requires | Who it affects |
|---|---|---|
| GDPR | Lawful basis for processing, data subject rights, and adequate protection for international transfers | Every company processing EU personal data |
| DORA (Digital Operational Resilience Act) | IT risk management, third-party provider oversight, and incident reporting for financial entities | Banks, insurance companies, fintechs, and their critical IT providers |
| NIS2 (Network and Information Security Directive) | Cybersecurity risk management, supply chain security, and incident reporting | Essential and important entities across 18 sectors, including digital infrastructure |
All three regulations push toward the same conclusion: you need to know exactly where your data is, who can access it, and under which legal framework. Using a provider subject to foreign jurisdiction makes answering those questions harder, not easier.
For companies in regulated industries like finance, healthcare, legal, or the public sector, this isn't just about best practices; it's about being able to demonstrate to auditors and regulators that your infrastructure choices are defensible.
What Real Sovereignty Looks Like
Digital sovereignty isn't a feature you can toggle on. It's an architecture decision that requires three things:
1. EU-Incorporated Provider
The company operating your infrastructure must be subject to EU law and EU courts, not US law with an EU subsidiary. Corporate structure matters because legal obligations follow the parent entity, not the data center address.
2. EU Data Residency
Your data must be stored on servers physically located in the EU. This is the part most providers already offer, but it's only one piece of the puzzle. Without EU jurisdiction over the provider, data residency alone doesn't protect you.
3. Self-Host Option
The strongest form of sovereignty is running the platform on your own hardware. No third party has access. No provider can be compelled to hand over data because no provider holds the data. You control the servers, the network, and the keys.
How ZWRM Handles This
ZWRM is an EU-incorporated company (we're headquartered in Germany). Our managed cloud runs on dedicated Hetzner servers in Germany and Iceland. Your data stays in Europe, under EU jurisdiction, subject only to EU law and EU courts.
But we go further: the entire ZWRM platform is self-hostable. You can run it on your own servers (for example in data centers from Hetzner, Ionos, or OVH, or on-premises) and never send a single byte through our systems. Self-hosted means you control the infrastructure, the data, and the encryption keys.
| | US cloud provider | ZWRM Managed | ZWRM Self-Hosted |
|---|---|---|---|
| Data stored in EU | Optional (EU region) | Yes (Hetzner, Germany) | Yes (your servers, your location) |
| Provider jurisdiction | US | EU | You (no provider access) |
| CLOUD Act exposure | Yes | No | No |
| Auditability | Limited | Full | Full |
| Self-host possible | No | N/A | Yes |
This isn't about fear-mongering or telling you to drop AWS tomorrow. It's about understanding the trade-offs you're making and having an alternative when those trade-offs are no longer acceptable.
Why This Matters for Builders
If you're building a fintech, a healthtech product, a legal platform, or any application that handles personal data, your customers' data is your responsibility. Not your cloud provider's. Yours.
Choosing a sovereign infrastructure is about being able to answer three questions honestly:
- Where does my customers' data live? On servers in Europe.
- Who can access it? Only people and systems I authorize, under EU law.
- Can a foreign government compel access? No.
If you can't answer all three today, it's worth understanding why, and what it would take to change that.
Want to run your applications on infrastructure you control, in Europe? Start a free 14-day trial at zwrm.eu.