I’ve heard variants of the same line from probably a dozen people in the last six months. A consultant I know has done more US-to-EU migrations this calendar year than in his entire career before. A founder on LinkedIn wrote the other day: Trump effectively has a kill-switch to our highly digitalised society, and the thought of that is frightening. None of those people would have used the word “sovereignty” in 2023. All of them now use it without explanation.
Schleswig-Holstein, a German state of 2.9 million residents, is roughly 80% done shifting ~30,000 state workstations off Microsoft Office onto LibreOffice as of late 2025 (The Register, 15 Oct 2025), with Linux pilots running and full migration targeted for 2026. Airbus opened a tender in December 2025 for a sovereign EU cloud to host ERP, MES, CRM and PLM (over €50M, up to 10 years), and the EVP Digital told Les Echos she gave herself only an “80/20” chance of finding a qualifying provider (heise online, 19 Dec 2025). The ICC migrated off Microsoft Office onto openDesk, the open-source suite developed by Germany’s ZenDiS, in October 2025 (The Register, 31 Oct 2025), roughly six months after the US government effectively cut its chief prosecutor’s Microsoft email account under EO 14203 (see Just Security analysis; Microsoft asked UK Parliament to “correct the record” in Feb 2026). The Dutch parliament passed five separate motions in March 2025 to (i) remove DigiD from Kyndryl after its planned Solvinity acquisition, (ii) re-evaluate AWS hosting of the .nl domain, (iii) prioritise EU providers in procurement, (iv) mandate exit plans for all US-hosted systems, and (v) tender a national Dutch-controlled cloud (Computer Weekly; Euronews, 20 Mar 2025). Microsoft itself responded with a €40B+ EU datacenter expansion (40% capacity growth across 16 countries) and a contractually binding “court-fight clause”: Brad Smith publicly pledged that Microsoft will sue the US government rather than comply with an order to suspend EU operations (Microsoft “European Digital Commitments” blog, one-year-on update, 29 Apr 2026). And the European Commission is reportedly preparing to unveil a Tech Sovereignty Package on 27 May 2026 (the Cloud and AI Development Act, or CADA, plus a Chips Act 2.0) that would restrict EU member-state governments from using US cloud providers for sensitive public-sector data in healthcare, finance and judicial systems (CNBC, 7 May 2026).
I also see it in my day-to-day work. Every data or AI project we’ve run with banking clients in DACH in the last 12 months has had digital sovereignty on the agenda. Sometimes it is the agenda. On 18 November 2025 the European Supervisory Authorities published the first official list of Critical ICT Third-Party Providers under DORA: 19 designations, including AWS, Microsoft, Google Cloud, IBM, Bloomberg, LSEG, TCS and Orange (EBA press release). Every named provider now sits under direct EU-level oversight, with fines up to 1% of average daily global turnover applied per day for up to six months. Sovereignty in 2026 has therefore become a regulatory deliverable with a last-test date. The cause stack runs in two layers, worth separating: four converging legal pressures, plus a parallel opinion shift in how decision-makers price political risk.
Policy shift
The sovereignty conversation in 2026 is not really about GDPR (that battle is six years old). It is about the collision of four legal vectors that until 2024 the market was prepared to ignore.
First, extraterritorial US instruments are no longer abstract. The CLOUD Act (18 U.S.C. § 2713) compels US-headquartered providers to disclose data “regardless of whether such communication, record, or other information is located within or outside of the United States.” Microsoft’s H2 2024 transparency report shows 5,587 US law-enforcement demands for consumer data, 115 of which were warrants for content stored outside the US (Microsoft CSR Government Requests). In late 2024, Microsoft France told the French Senate that it cannot guarantee data on its EU infrastructure won’t be transferred to US authorities under a CLOUD Act order. That was the moment the legal abstraction became a quotable admission from the provider itself. Then Executive Order 14203 (Federal Register, 12 Feb 2025; analysis, Winston & Strawn) sanctioned ICC officials, including Chief Prosecutor Karim Khan, and Khan promptly lost access to his Microsoft email (Computer Weekly). Microsoft denied actively cutting him off; the ICC migrated to openDesk anyway. Whatever the correct narrative, the empirical proof point landed.
FISA §702, reauthorised in April 2024 under RISAA (sunsets 20 April 2026, CRS R48592; Brennan Center §702 resource), continues to allow warrantless collection from US “electronic communication service providers”. That’s the same defect that invalidated Privacy Shield in Schrems II (CJEU C-311/18, 16 Jul 2020). NOYB’s announced intent to bring a broader CJEU challenge to the EU-US Data Privacy Framework rests squarely on the argument that the transatlantic data architecture is held up by a Biden executive order (EO 14086) that any subsequent administration can rescind. The General Court upheld the DPF in Latombe (T-553/23, 3 Sept 2025, Hogan Lovells); the appeal was lodged 31 October 2025 and is now pending.
Second, the EU has built statutory counter-pressure. The Data Act (Regulation (EU) 2023/2854) applies from 12 September 2025. Article 32(1) requires data-processing providers to take “all adequate technical, organisational and legal measures… to prevent international and third-country governmental access and transfer of non-personal data held in the Union where such transfer or access would create a conflict with Union law.” Article 32(2) recognises a third-country court order only where it is based on an international agreement in force with the EU. There is no EU–US CLOUD Act executive agreement. So a US warrant served on Frankfurt-hosted, non-personal banking-transaction metadata is now, on paper, a statutory conflict the provider has to resist. The switching-charge ban kicks in January 2027, removing one of the structural lock-ins.
The EU AI Act (Regulation 2024/1689) entered into force 1 Aug 2024; GPAI obligations applied from 2 August 2025 with a 10²⁵-FLOPs threshold for systemic-risk designation, and Commission enforcement begins 2 August 2026. Fines up to 7% of global turnover. Meta declined to sign the GPAI Code of Practice; OpenAI, Anthropic and Google signed. Compliance for the next frontier-model generation is unsettled and ultimately determined by Brussels.
Third, the EUCS sovereignty fight is the bellwether. ENISA’s draft European Cybersecurity Certification Scheme for Cloud Services removed the “high+” sovereignty requirements (EU HQ, EU staff, EU jurisdiction) under industry pressure in March 2024 and has not formally adopted a successor (ITIF analysis, May 2025; Hogan Lovells). France, Italy and Spain are reportedly pushing reinsertion. France’s national SecNumCloud standard already requires immunity from extraterritorial laws, and S3NS (Thales+Google JV) received SecNumCloud 3.2 qualification on 17 December 2025, the first such qualification for a US-tech-backed sovereign cloud.
Fourth, and most operationally consequential for anyone in financial services: DORA. The Digital Operational Resilience Act (Regulation 2022/2554) applied from 17 January 2025. The 19-name CTPP list referenced above is the operational tip of it. Article 28 mandates contractual exit strategies; Article 30 specifies critical-function contracts; Articles 31–44 hand direct EU-level oversight to Lead Overseers with fines up to 1% of average daily global turnover applied per day for up to six months. The ECB Guide on Outsourcing Cloud Services (16 July 2025) clarifies SSM expectations: concentration risk, exit testing, audit rights as a continuous obligation rather than contractual boilerplate. BaFin’s BAIT and MaRisk AT 9 (9th amendment, June 2024) align German national supervision to DORA; FINMA Circular 2018/3 has been in force since 2018 and is technology-neutral but conditions outsourcing abroad on enforceable inspection rights in the host jurisdiction. BaFin’s March 2024 cloud guidance update operationalises the same expectations at the German national level. The triangulation (DORA + ECB Guide + BAIT/MaRisk + FINMA 2018/3) now converges on three requirements for every DACH bank: a documented and tested exit strategy, contractually enforceable audit access in the actual jurisdiction, and a measurable concentration metric for ICT third-party providers. That’s why this is on every CIO’s agenda.
Roughly: that’s the policy shift. Four statutes, plus a CJEU pipeline that could collapse the DPF mid-decade, plus sector regulators operationalising those obligations into board-level requirements.
Opinion shift
The second reason is harder to quantify but I think also harder to undo. The consultant I mentioned earlier framed it directly: the migrations he is being paid to do are not about anyone trusting Brussels more than Washington; they are about a US administration that demonstrated, repeatedly and on the record, that it will weaponise commercial dependencies against allies.
The political catalysts cluster tightly around two events. The Microsoft / Karim Khan episode put the precedent in the record. The threats to Greenland’s sovereignty (and the January 2026 Denmark tariff escalation, House of Commons Library CBP-10472) moved the conversation from precedent to plausible scenario. CSIS framed the Greenland crisis as “the catalyst for European digital awakening” (CSIS, 2025). Trump’s August 2025 threat to impose substantial tariffs and export restrictions against any country with digital services taxes, the DMA, or the DSA, followed by the December 2025 Bloomberg report naming Accenture, Siemens and Spotify as potential Section 301 retaliation targets, removed the remaining ambiguity about whether the lever would actually be pulled.
This is also why the well-meaning “Europe isn’t a sanctuary” pushback misses the structure of the decision. It is correct, on its own terms: the EU has its own surveillance creep (the EPRS VPN study, the recurring Chat Control proposals, German Impressum overhead, French ID rules, the UK’s age-verification regime). Stripe was founded by Irish brothers but is structurally a US company. ASML is technically Dutch but its supply chain and IP exposure put it inside the US Foreign Direct Product Rule. The September 2024 Dutch government move to take over licensing of NXT:1970i and 1980i DUV systems is the template for how that exposure plays out in practice. Proton, the flagship “trust-based” Swiss company, has publicly threatened to leave Switzerland over the revised VÜPF surveillance ordinance and has begun relocating physical infrastructure to Germany and Norway. Two facts coexist: Europe is not clean, and the marginal exposure is still lower than running on a US-controlled stack.
Europe in 2026 is trying to distance more than it is trying to grow. The risk is real that the sovereignty conversation produces fragmented, slightly worse versions of every layer of the stack without producing a competitive EU tech ecosystem. The Airbus-A380 jibe (“database in France, frontend in Belgium, ops in Spain”) gets thrown around for a reason. The counter is structural: Airbus is doing fine, Schwarz Digits (Lidl/Kaufland’s IT arm) just won the Dutch Central Bank’s cloud away from AWS, OVHcloud crossed €1B in FY2025 revenue (+9.3% LFL), and Mistral closed a €1.7B Series C led by ASML in September 2025 with plans for a >$1B Sweden datacenter. The fragmentation critique tracks a real risk, but it isn’t a reason to stop.
What I’d hold
Two extreme facts coexisting. (1) Sovereignty is not a values play; it is the rational response to a US legal apparatus that demonstrated in 2025 it will weaponise commercial dependencies, and to an EU statutory stack that makes inaction increasingly non-compliant. The policy shift forces the conversation; the opinion shift makes it stick. (2) The supply side is two orders of magnitude under-funded relative to the hyperscaler base it is meant to substitute for, and the EU’s own EUCS process can’t agree on what “sovereign” means. So the migration in 2026 will look like what Gartner is measuring: mostly partition-by-partition, with the first contested CLOUD Act warrant against an EU-resident hyperscaler subsidiary as the next inflection point.
The migrations are not about whether the EU is a sanctuary; they are about lowering the conditional probability of being unplugged by someone whose only obligation is to a different electorate. That’s not a directional call. It’s a structural one, and it’s why the topic is, quietly, the #1 agenda item of 2026.