Microsoft admitted that it 'cannot guarantee' data sovereignty [0] "on June 18 before a [French] Senate inquiry into public procurement and the role it plays in European digital sovereignty" as the CLOUD Act "gives the US government authority to obtain digital data held by US-based tech corporations irrespective of whether that data is stored on servers at home or on foreign soil."
It'd be great if they could clarify in their FAQ [1] if and how the CLOUD Act affects them.
It seems like the entire point is precisely to get around the CLOUD Act.
By setting it up with a European governance structure, Amazon can tell the US government "hey we told them give us the data, but they refused because that would send them to jail under EU law, and they're a legally separate entity so there's nothing we can do."
This is very intentionally not just a regular foreign subsidiary owned by the parent company.
> as the CLOUD Act "gives the US government authority to obtain digital data
AWS maintains a similar stance, too [0]?
The CLOUD Act clarified that if a service provider is compelled to produce data under one of the limited exceptions, such as a search warrant for content data, the data to be produced can include data stored in the U.S. or outside the U.S.
> Microsoft admitted that it 'cannot guarantee' data sovereignty
Hm. As for AWS, they say that if the customer sets up proper security boundaries [0], they'll ensure will keep their end of the bargain [2][3]:
As part of the technical design, access to the AWS European Sovereign Cloud physical infrastructure and logical system is managed by Qualified AWS European Sovereign Cloud Staff and can only be granted to Qualified AWS European Sovereign Cloud Staff located in the EU. AWS European Sovereign Cloud-restricted data will not be accessible, including to AWS employees, from outside the EU.
All computing on Amazon Elastic Compute Cloud (Amazon EC2) in the AWS European Sovereign Cloud will run on the Nitro System, which eliminates any mechanisms for AWS employees to access customer data on EC2. An independent third party (the UK-based NCC Group) completed a design review confirming the security controls of the Nitro System (“As a matter of design, NCC Group found no gaps in the Nitro System that would compromise these security claims”), and AWS updated its service terms to assure customers “there are no technical means or APIs available to AWS personnel to read, copy, extract, modify, or otherwise access” customer content on the EC2 Nitro System.
Customers also have additional mechanisms to prevent access to their data using cryptography. AWS provides advanced encryption, key management services, and hardware security modules that customers can use to protect their content further. Customers have a range of options to encrypt data in transit and at rest, including options to bring their own keys and use external key stores. Encrypted content is rendered useless without the applicable decryption keys.
The AWS European Sovereign Cloud will also benefit from AWS transparency protections over data movement. We commit in the AWS Service Terms that access to the EC2 Nitro System APIs is "always logged, and always requires authentication and authorization." The AWS European Sovereign Cloud also offers immutable, validated logs that make it impossible to modify, delete, or forge AWS CloudTrail log files without detection.
It would seem like the problem is one of the business layout and technical layout.
Organize your business and your tech correctly and you can have an owned foreign subsidiary that can comply with local laws. But things would have to be quite separate.
Yep, to the extent that short (at best, cause they are potentially fallible) of a warrant canary getting snuffled it is very possible that a company could set up a subsidiary for appearances.
Or, just buy bits of control interest outright (CryptoAG?)
> The AWS European Sovereign Cloud is the only fully-featured, independently operated sovereign cloud, backed by strong technical controls, sovereign assurances and legal protections.
independently OPERATED, not independently owned
therefore: still under the jurisdiction of the US regime
Wait, how does this work? If it is owned by a US company but operated by people inside the EU, I would expect the actual laws in effect to be the EU ones. I mean, that’s who can actually send police to stomp around and physically take the hard drives if they really want to.
The US can of course command the US owners to instruct their EU based employees to do something illegal in the EU, but if your boss tells you do do something illegal, you are still breaking the law if you do it…
Exactly, this seem pointless for people serious about staying away from US owned data stores. I know first hand of EU based businesses that left AWS (and all other US owned services) before 2020 due to customer (B2B) demand which in turn was due to the Cloud Act[1], and for whom it today would be completely untenable to return.
Congress as it is are cowards incapable of protecting the law, it is merely a regime based law until Congress can prove and rebuild trust that it has a backbone.
Sovereign-by-design but still runs a software stack that is largely written and maintained by a US staff...
All of these isolation sovereignty iniatives are window dressing to the bigger problem that the EU and other countries are massively dependent on proprietaey US-centric software stacks.
You mean the same Germany that uses its domestic access to the bargain basement cloud providers like Hetzner and Contabo to de-anonymize Tor users for international law enforcement?
Or the Germany that bought Crypto AG along with the CIA to backdoor encryption hardware?
> Sovereign-by-design but still runs a software stack that is largely written and maintained by a US staff...
Id argue that very few software components are written (let alone maintained) by US staff. This is basically another major player (there are other sovereign clouds) reading the writing on the wall and doing what is necessary to avoid losing business or being irradiated from the market.
CloudFlare CEO, take notice. Look how the big boys do business and maybe learn a thing or two.
I worked on a team deploying a service to European Sovereign Cloud (ESC). Disclaimer - I am a low level SDE and all opinions are my own.
AWS has set up proper boundaries between ESC and global AWS. Since I'm based out of the US I can't see anything going on in ECS even in the service we develop. To fix an issue there we have to play telephone with an engineer in ESC where they give us a summary of the issue or debug it on their own. All data is really 100% staying within ESC.
My guess is that ESC will be less reliable than other regions, at least for about a year. The isolation really slows down debugging issues. Problems that would be fixed in a day or two can take a month. The engineers in ESC don't have the same level of knowledge about systems as the teams owning them. The teething issues will eventually resolve, but new features will be delayed within the region.
Still it sounds like it would be the optimal choice for a redundancy zone in some senses since its probably not going to have any accidental dependency on us-east-1.
How effective would this setup be if the parent company in the US is ordered to order the EU subsidiary to do something not in the interests of the EU?
If it breaks the law in the EU, then the European employees staffing the data center refuse, because they don't want to go to jail or pay fines.
That's the entire point of setting it up like this.
Think of it like fast-food franchises. They have to sell the same food and use the same branding and charge the same prices. But if McDonald's tells you to start selling cocaine on the side, you tell them nope, that's not in the contract and I don't feel like going to prison.
What if the software is developed and potentially backdoored in the US and deployed by the EU team in the sovereign region? Or did they rewrite the entire AWS stack?
If the EU employees can look around the code, it would then get quite interesting if they were to point out a backdoor. which they would of course raise with an EU based CERT.
In a way that protects US customers as well having a set that can't be stopped from doing that.
I don't think there are any protections against that. On the other hand, you'd have to ask yourself how realistic it is that the US is forcing Amazon to secretly backdoor its own software for US spying abroad? I can't give an answer on that one, you'll have to form your own opinion.
I imagine that if a back door were ever discovered, AWS's reputation would tank so hard that a lot of companies would probably never do business with it again.
The prices for the only region in Germany are very similar to the prices in eu-west-1 (Frankfurt), except in € instead of $, so that’s basically a 16% markup by today's exchange rate. Also, AMD CPUs appear to be completely missing.
If push comes to shove, these services can and will be weaponized against EU interests. They are bugged and backdoored to the brim. If we see a risk in chinese-made electrical buses which can potentially be remotely shut down by an integrated sim card, then using AWS should be a no go in the current political climate - no matter how much lipstick they put on that pig.
Last week, after receiving a fine in Italy, the Cloudflare CEO demonstrated that US tech leadership are extremely emotionally volatile and can lash out in all directions, threatening unrelated parties with shutdown of service. This is in line with Peter "anti christ" Thiel and Elon "nazi salute" Musk going off the rails. Maybe it is a drug-induced psychosis from their annual gathering in the desert where US tech workers consume illegal substances, I don't know.
What if someone scratches Bezos' yacht by accident and then he threatens to shut down the DC? Or he might get upset about a CO2 surcharge when refueling his private jet? Can we really take these risks?
I was actually surprised to see this:
"As we make this change, we will continue to work as a blended team of EU residents and EU citizens, with all personnel working from EU locations, before gradually completing our transition to EU citizen operations for the AWS European Sovereign Cloud." This looks like a more serious attempt to make it independent of US meddling. It will not protect it fully, but still.
Critical infrastructure. The US has a history of forcing their way into many parts of it [1] and we know they use it for leverage whenever it's suitable. Furthermore, if you control the information flow of a system, then decision making based on that information becomes dependent on those who control it.
I would love to see a US specific version of this as well. Something similar to GovCloud with the same security controls and employee vetting but accessible to commercial customers.
Yeah.... no thx. Hard voice against it and anything that comes from the US. There is tons of stuff that is genuinely cool, we got tons of stuff it would be barbaric to spit in the soup.
However I'm pretty sure at this point that even the GAFAM are tired of this situation and that they don't care if giants their size show up in Europe. I'm genuinely thinking that what is also happening with AI (eg : free knowledge drop) is some kind of mechanism to allow those new giants to emerge in other places than US.
Being the bright star that takes all the broken stuff on the head is not always the smartest move - at some point if you are blocking everything from showing up just because you exist, you are just slowly creating conflict against you - which i'm pretty sure the GAFAM are not interested in.
I'm pretty sure there is a lot of power dynamic shift happening just now, AI bubble is just a tool that permit it -- the amount of startups that are allowed to launch on the simplest product are crazy --
tldr : creating incumbents then beating them is a display of power ; not caring is a display of power, having too much money is a display of power, being blocked due to political and social movement is weakening the velocity of these entities - i'm pretty sure atp that creating new giants in Europe would help them more than to continue in what appears like a colonialist endeavor - which they probably don't like either (they just want to market and win)
It'd be great if they could clarify in their FAQ [1] if and how the CLOUD Act affects them.
[0] https://www.theregister.com/2025/07/25/microsoft_admits_it_c...
[1] https://aws.eu/faq/
By setting it up with a European governance structure, Amazon can tell the US government "hey we told them give us the data, but they refused because that would send them to jail under EU law, and they're a legally separate entity so there's nothing we can do."
This is very intentionally not just a regular foreign subsidiary owned by the parent company.
AWS maintains a similar stance, too [0]?
> Microsoft admitted that it 'cannot guarantee' data sovereigntyHm. As for AWS, they say that if the customer sets up proper security boundaries [0], they'll ensure will keep their end of the bargain [2][3]:
[0] https://aws.amazon.com/compliance/cloud-act/[1] https://aws.amazon.com/compliance/shared-responsibility-mode...
[2] https://d1.awsstatic.com/onedam/marketing-channels/website/a...
[3] https://aws.eu/esca/
Organize your business and your tech correctly and you can have an owned foreign subsidiary that can comply with local laws. But things would have to be quite separate.
I doubt it, a majority owned subsidiary is usually passed through for many legal purposes.
Or, just buy bits of control interest outright (CryptoAG?)
independently OPERATED, not independently owned
therefore: still under the jurisdiction of the US regime
The US can of course command the US owners to instruct their EU based employees to do something illegal in the EU, but if your boss tells you do do something illegal, you are still breaking the law if you do it…
Exactly, this seem pointless for people serious about staying away from US owned data stores. I know first hand of EU based businesses that left AWS (and all other US owned services) before 2020 due to customer (B2B) demand which in turn was due to the Cloud Act[1], and for whom it today would be completely untenable to return.
[1] https://en.wikipedia.org/wiki/CLOUD_Act
All of these isolation sovereignty iniatives are window dressing to the bigger problem that the EU and other countries are massively dependent on proprietaey US-centric software stacks.
Not as much as you might think. The most important component -- Nitro -- basically runs out of Germany.
Or the Germany that bought Crypto AG along with the CIA to backdoor encryption hardware?
Id argue that very few software components are written (let alone maintained) by US staff. This is basically another major player (there are other sovereign clouds) reading the writing on the wall and doing what is necessary to avoid losing business or being irradiated from the market.
CloudFlare CEO, take notice. Look how the big boys do business and maybe learn a thing or two.
AWS has set up proper boundaries between ESC and global AWS. Since I'm based out of the US I can't see anything going on in ECS even in the service we develop. To fix an issue there we have to play telephone with an engineer in ESC where they give us a summary of the issue or debug it on their own. All data is really 100% staying within ESC.
My guess is that ESC will be less reliable than other regions, at least for about a year. The isolation really slows down debugging issues. Problems that would be fixed in a day or two can take a month. The engineers in ESC don't have the same level of knowledge about systems as the teams owning them. The teething issues will eventually resolve, but new features will be delayed within the region.
>To fix an issue there we have to play telephone with an engineer in ESC where they give us a all the data we need or get fired.
?
AWS should be ditched altogether and something Europe based chosen even if it requires investment.
Same with Apple iCloud - one day Europeans will wake up and see that all their pictures have been deleted.
Possible this happens due to bugs in iCloud's GDPR implementation.
https://en.wikipedia.org/wiki/Microsoft_Corp._v._United_Stat...
That's the entire point of setting it up like this.
Think of it like fast-food franchises. They have to sell the same food and use the same branding and charge the same prices. But if McDonald's tells you to start selling cocaine on the side, you tell them nope, that's not in the contract and I don't feel like going to prison.
I imagine that if a back door were ever discovered, AWS's reputation would tank so hard that a lot of companies would probably never do business with it again.
probably 100%?
Of course these services are backdoored.
The prices for the only region in Germany are very similar to the prices in eu-west-1 (Frankfurt), except in € instead of $, so that’s basically a 16% markup by today's exchange rate. Also, AMD CPUs appear to be completely missing.
Last week, after receiving a fine in Italy, the Cloudflare CEO demonstrated that US tech leadership are extremely emotionally volatile and can lash out in all directions, threatening unrelated parties with shutdown of service. This is in line with Peter "anti christ" Thiel and Elon "nazi salute" Musk going off the rails. Maybe it is a drug-induced psychosis from their annual gathering in the desert where US tech workers consume illegal substances, I don't know.
What if someone scratches Bezos' yacht by accident and then he threatens to shut down the DC? Or he might get upset about a CO2 surcharge when refueling his private jet? Can we really take these risks?
[1] https://www.radiofrance.fr/franceculture/guerre-economique-c...
https://cybernews.com/news/europe-internet-control-sovereign...
However I'm pretty sure at this point that even the GAFAM are tired of this situation and that they don't care if giants their size show up in Europe. I'm genuinely thinking that what is also happening with AI (eg : free knowledge drop) is some kind of mechanism to allow those new giants to emerge in other places than US.
Being the bright star that takes all the broken stuff on the head is not always the smartest move - at some point if you are blocking everything from showing up just because you exist, you are just slowly creating conflict against you - which i'm pretty sure the GAFAM are not interested in.
I'm pretty sure there is a lot of power dynamic shift happening just now, AI bubble is just a tool that permit it -- the amount of startups that are allowed to launch on the simplest product are crazy --
tldr : creating incumbents then beating them is a display of power ; not caring is a display of power, having too much money is a display of power, being blocked due to political and social movement is weakening the velocity of these entities - i'm pretty sure atp that creating new giants in Europe would help them more than to continue in what appears like a colonialist endeavor - which they probably don't like either (they just want to market and win)
Idk I might be extrapolating like a mad man
Just stop using clouds run your own computers.