According to TheRegister.com, Europe’s quest for digital sovereignty is hampered by a 90% dependency on US cloud infrastructure, as estimated by competition expert Cristina Caffarra. The core legal conflict stems from the US CLOUD Act of 2018, which allows American authorities to compel data from US companies globally, directly clashing with the EU’s GDPR. In response, bodies like Austria’s Federal Ministry for Economy, Energy and Tourism migrated 1,200 employees to the European platform Nextcloud in a four-month project, deliberately avoiding US providers from the start. A recent Forrester analysis predicts no European enterprise will fully shift from US hyperscalers in 2026, while an Australian Strategic Policy Institute report found Europe leads in zero out of 64 critical technologies. The Eurostack Foundation, founded by Caffarra, proposes a three-pillar industrial strategy focusing on buying, building, and funding European tech to reclaim market share.
The Unfixable Legal Trap
Here’s the thing that makes this so intractable: it’s not just a policy disagreement. It’s a direct, head-on legal collision. The CLOUD Act means any contract you sign with a US cloud provider is basically subordinate to US federal law. They can get a warrant for your data, and they get a gag order too, so the provider can’t even tell you it happened. Poof. Your contractual guarantees of data residency are meaningless. You can talk about encryption all day, but if the provider holds the keys—which they often do in standard setups—they can be forced to decrypt it. This creates a risk that’s impossible to contract away, and it’s why Data Protection Impact Assessments under GDPR Article 35 are now killing deals with US hyperscalers. The risk is just too high for public bodies handling citizen data.
A Blueprint And Its Limits
The Austrian ministry’s move is fascinating because it shows what’s possible. They weren’t migrating *from* a US cloud; they made a conscious choice not to go there in the first place. That’s a key distinction. Their CISO and CIO weren’t motivated by cost but by control—the fear of losing all operational say to Big Tech. And they found that a European open-source alternative like Nextcloud could work, was cheaper, and gave them a voice in development. That’s a powerful signal. But look at the pragmatism that followed: they still use Microsoft Teams for talking to the European Commission! No sensitive data, minimal use. It’s a hybrid reality. This shows that even the most motivated organizations can’t achieve pure sovereignty overnight when your partners are locked into the very ecosystem you’re trying to leave.
Europe’s Self-Inflicted Dependency
Caffarra’s critique is brutally honest. Europe didn’t just get out-innovated; it designed rules that work against itself. While the US and Asia favor local providers in procurement, Europe’s “open procurement” principle effectively mandates buying from the cheapest or “best” global bidder, which usually isn’t European. So we regulated the apps and the stores with things like the Digital Markets Act, but we handed over the entire foundational infrastructure. It’s like worrying about the storefront while selling the land the city is built on. The ASPI critical technology tracker finding that Europe leads in zero of 64 technologies is a staggering indictment of this failure. And as Forrester predicts, this won’t change quickly. The inertia is massive.
Sovereign Cloud or Sovereign-Washing?
Now, the US hyperscalers aren’t stupid. They see “sovereignty” becoming a buying criterion, and they’re all marketing their own ‘sovereign cloud’ solutions. But critics argue these are often just repackaged services with some local data centers—they don’t solve the core CLOUD Act problem. True sovereignty means legal jurisdiction and control, not just physical location. This muddies the water for organizations trying to do the right thing. How do you choose? Real European alternatives like OVHcloud or Nextcloud exist, but they need scale. Caffarra’s Eurostack plan—buy European, build European, fund European—is a call for an industrial strategy, not just more regulation. She’s not asking for 100% independence. Just a fighting chance: “Can we please have 30 to 40 percent for ourselves?” That seems modest, until you realize how far there is to go. The move by a quartet of EU countries to cooperate on sovereign infrastructure and France’s push for a state internal cloud are steps, but they’re small. The Austrian ministry’s advice is the bottom line: be brave, involve management, and start. Because you can’t talk your way to sovereignty. You have to build it.
