When Microsoft blocked the email account of the Chief Prosecutor of the International Criminal Court (ICC) in May 2025, it was a wake-up call for many IT managers in Europe (heise online). The background: US President Trump imposed sanctions against the ICC in February 2025. Microsoft implemented these sanctions, forcing the Chief Prosecutor to switch to the Swiss email provider Proton.
The Open Source Business Alliance (OSBA) called the move unprecedented and urgently demanded European alternatives.
What sounds like an isolated geopolitical event reveals a structural problem that affects European companies of all sizes: those who operate critical business processes and data on US cloud infrastructure relinquish a piece of control, whether knowingly or not.
What does data sovereignty mean?
Data sovereignty (often referred to as digital sovereignty) describes the ability to retain full control over one’s own data, systems, and digital processes. This encompasses not only the physical location of the data but also the question of which law the cloud provider is subject to, who has access to the infrastructure, and how transparently operations and governance are regulated.
Specifically, it concerns three dimensions:
Data ownership: Where is my data stored and processed? Who can access it? Does my data remain in Austria or at least in the EU?
Technological sovereignty: Am I dependent on proprietary services of a single provider? How difficult would it be to switch providers?
Operational sovereignty: Who actually operates the infrastructure? Which jurisdiction is the operator subject to?
Why is "data center in the EU" not enough?
Many companies have a false sense of security because their US cloud provider operates data centers in Europe. However, the physical location alone does not solve the problem.
The US CLOUD Act of 2018 requires US companies to provide customer data upon government request, even if that data is stored in data centers outside the USA. In July 2025, Microsoft's Chief Legal Officer in France admitted before a Senate committee that Microsoft cannot guarantee that data of European customers will not be disclosed to the US government (Golem, Dr. Datenschutz).
This means: As long as the cloud provider is a US company, there remains a residual risk, regardless of where the data center is located. For companies that process personal data, operate in regulated industries, or manage critical infrastructure, this poses a serious compliance and business risk.
The drivers: GDPR, NIS2, and geopolitical reality
Three developments make the issue of data sovereignty particularly urgent right now:
Regulatory pressure: The GDPR imposes clear requirements on the processing of personal data. The NIS2 directive tightens security requirements for operators of critical infrastructures and their suppliers. Companies that do not comply with these requirements risk significant penalties.
Geopolitical uncertainty: The events surrounding the ICC have shown that political decisions in the USA can have direct impacts on European IT infrastructure. Sanctions, export restrictions, or political conflicts can, in extreme cases, lead to sudden restrictions on cloud services.
Growing dependence: US hyperscalers still control around 70 percent of the European cloud market (Fortune Business Insights). The deeper companies invest in proprietary services, the more difficult and costly it becomes to switch later, an effect known as vendor lock-in. A Bitkom survey confirms the trend: More and more companies in the DACH region are consciously turning away from US providers.
What can SMEs and startups do concretely?
The good news: Data sovereignty is not just a privilege of large corporations. Especially for SMEs and startups, there are practical ways today to achieve digital independence without having to forgo modern cloud technology.
Evaluate European cloud providers: The market for European alternatives is growing. Providers like Exoscale, Hetzner, OVHcloud, Scaleway, or STACKIT offer sovereign infrastructure with data locations in the EU, some with data centers directly in Austria. These providers are subject solely to European law.
Focus on open-source standards: Building your infrastructure on open standards avoids the dreaded vendor lock-in. Containerized applications can be moved between different cloud providers as needed without having to rebuild the entire architecture.
Realistically assess migration efforts: Migrating from AWS, Azure, or GCP to a European provider is not rocket science, unless you've relied too heavily on proprietary managed services. Standardized container workloads can usually be moved with manageable effort. We have done exactly that with a healthcare application and documented our experience of migrating from AWS to Exoscale.
Consider compliance from the start: Especially for companies in the healthcare sector, finance, or the public sector, a sovereign cloud infrastructure is not just a competitive advantage, but increasingly a regulatory necessity.
Data sovereignty as an opportunity
The topic of data sovereignty is often portrayed as a burden, as an additional requirement that incurs costs and creates complexity. I see it differently: Those who invest in sovereign infrastructure now not only gain compliance security but also build trust with customers and partners. Especially in the DACH region, data protection is perceived as a quality feature.
For us at agsolutions, data sovereignty is therefore a central issue. We rely on European infrastructure and operate our customers' applications on Exoscale, a European cloud provider with data centers in Vienna, among other locations. In combination with Kubernetes, Infrastructure as Code, and automated CI/CD pipelines, we create a platform that is modern, scalable, and sovereign.
If you are wondering whether a sovereign cloud solution is right for your company, take a look at our offer for Sovereign EU Cloud & DevOps with Exoscale. We offer a free workshop where we analyze your starting position together and develop specific recommendations.


