The EU unveiled its Tech Sovereignty Package on 27 May. It proposes restricting the use of US cloud providers for sensitive government data across all 27 member states. Three US corporations control around 70 percent of the European cloud market. This turns a question that has lingered in IT procurement into a boardroom issue: whose law governs access to our data, and what happens if geopolitics shifts.
What is the CLOUD Act?
The CLOUD Act is a US law under which a provider subject to US jurisdiction can be compelled to produce data in its possession, custody or control, regardless of where the servers are located. A US-owned provider cannot sidestep this obligation with a contractual promise of data residency, because a private contract does not bind a US court order.
Cloud selection used to be a procurement decision: which vendor delivers which service at what price. That view is outdated. With the EU package and growing awareness of the CLOUD Act, the question becomes a strategic risk assessment that the board, legal and compliance must tackle together. It revolves around operational resilience, geopolitical exposure and what happens if access is restricted for political reasons.
Recent events make this tangible. Reports emerged of a sovereign Microsoft service in Frankfurt that briefly stopped working, and of exposed cloud keys belonging to a US agency. Such incidents are no longer abstract worries; they are concrete evidence that dependence on a handful of providers is its own risk class. A board that has not evaluated this has a gap in its risk register.
Sovereignty is not the same as data residency. A data centre in Frankfurt meets residency requirements, yet if the operator is under US ownership, exposure to the CLOUD Act remains. True sovereignty requires that neither operations nor legal access depend on a foreign jurisdiction. This distinction belongs in every boardroom discussion because it determines whether decisions are based on appearance or substance.
The EU has sent its own signal. In April, the Commission awarded a contract worth up to €180 million over six years to four European providers, explicitly including sovereignty criteria in the tender for the first time. This is more than symbolism. It establishes sovereignty as a procurement standard and creates a market for providers that meet these criteria.
Apparent sovereignty vs. reliable sovereignty (comparison graphic; its cells did not survive extraction)
The first step is an honest inventory of dependencies. Which critical processes run on which provider, where are the data located, and under which jurisdiction does the operator actually fall? Many organisations lack this map because cloud choices were historically decentralised and made by function rather than geopolitical risk.
The second step is not a hasty migration. No one benefits from pulling everything out of the US cloud overnight. A phased approach is more sensible: which workloads are non-critical and can stay where they are, and which are sensitive enough that the sovereignty question becomes mandatory. This prioritisation is a board decision because it weighs risk against cost and effort, and that is not a purely IT matter.
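The two steps above, inventory and risk-based prioritisation, can be reduced to a small classifier that keeps the residency-versus-sovereignty distinction explicit. The following is an added example, not code from the article or from any provider; the EU/EEA country set is abbreviated, "US" is the only jurisdiction modelled as able to reach data regardless of server location, the sensitivity ladder is an assumption, and the sample inventory is constructed for illustration.

```python
from dataclasses import dataclass

# Assumptions for this example (not from the article): the EU/EEA set is
# abbreviated, and "US" is the one jurisdiction modelled as able to compel a
# provider to produce data it controls regardless of server location (the
# CLOUD Act case). Extend both per legal advice.
EU_EEA = {"DE", "FR", "NL", "IE", "SE", "FI", "AT", "IT", "ES", "PL", "NO"}
EXTRATERRITORIAL_REACH = {"US"}

# Sensitivity levels, lowest to highest; from "confidential" upwards the
# sovereignty question is treated as mandatory (an assumed policy).
SENSITIVITY = ["public", "internal", "confidential", "restricted"]
SOVEREIGNTY_REQUIRED_FROM = "confidential"


@dataclass(frozen=True)
class Workload:
    name: str
    sensitivity: str       # one of SENSITIVITY
    provider: str          # commercial name, informational only
    region_country: str    # ISO 3166 country of the data centre
    controlling_law: str   # jurisdiction of the entity that ultimately controls the operator


def exposure(w: Workload) -> str:
    """Classify where the workload actually stands, not where its servers are."""
    in_eu = w.region_country in EU_EEA
    reachable = w.controlling_law in EXTRATERRITORIAL_REACH
    if in_eu and not reachable:
        return "sovereign"        # operations and legal access both bound to EU law
    if in_eu:
        return "residency_only"   # Frankfurt server, but foreign law can still reach the data
    return "offshore"             # neither residency nor sovereignty


def triage(w: Workload) -> str:
    """Board-level outcome: what must be reviewed, what may stay, what is fine."""
    needs_sovereignty = (
        SENSITIVITY.index(w.sensitivity) >= SENSITIVITY.index(SOVEREIGNTY_REQUIRED_FROM)
    )
    if exposure(w) == "sovereign":
        return "ok"
    if needs_sovereignty:
        return "mandatory_review"
    return "may_stay"


def build_register(workloads):
    """Return (name, exposure, triage) tuples, highest-risk first."""
    order = {"mandatory_review": 0, "may_stay": 1, "ok": 2}
    rows = [(w.name, exposure(w), triage(w)) for w in workloads]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed sample inventory; names, providers and placements are illustrative only.
SAMPLE_INVENTORY = [
    Workload("hr-payroll", "restricted", "Hyperscaler A", "DE", "US"),
    Workload("marketing-site", "public", "Hyperscaler A", "IE", "US"),
    Workload("case-files", "confidential", "EU Provider B", "FR", "FR"),
    Workload("analytics-lake", "confidential", "Hyperscaler C", "US", "US"),
    Workload("dev-sandbox", "internal", "Hyperscaler C", "NL", "US"),
]

if __name__ == "__main__":
    for name, exp, action in build_register(SAMPLE_INVENTORY):
        print(f"{name:16} {exp:15} {action}")
```

The point of the `controlling_law` field is that it is filled in from the operator's ownership chain, not from the region name: a Frankfurt region under a US parent lands in `residency_only`, which is exactly the "appearance versus substance" gap the article describes, and only sensitive workloads in that state are pushed to the board for a decision.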
A server in Frankfurt proves nothing if foreign law can reach its data. Sovereignty is decided by jurisdiction, not postal code.
What remains is to treat the assessment as a mandatory task, not an optional extra. The direction of regulation is set, market concentration is real, and recent incidents show the risk is not theoretical. A board does not need to finish the assessment today. It does need to show that it has started. Anyone who cannot answer at the next audit or geopolitical upheaval has left the question too long in procurement.
Is a data centre inside the EU enough for sovereignty?
No. A location within the EU meets data residency requirements, but if the operator is owned by a US company, exposure to the CLOUD Act remains. True sovereignty requires that legal access is also bound to EU jurisdiction.
What does the EU Tech Sovereignty Package propose?
It proposes restricting the use of US cloud providers for sensitive government data across member states. The backdrop is high market concentration: three US providers control roughly 70 percent of the European cloud market.
Do all workloads have to leave US cloud providers?
Not across the board. A risk-based approach makes sense: non-critical workloads can stay, while sensitive ones should be evaluated against sovereignty requirements. A hasty migration introduces more risk than it resolves.
Why is cloud selection a board matter rather than a procurement decision?
Because it touches on operational resilience, geopolitical exposure and regulatory continuity, not just performance and price. This trade-off is for the board, legal and compliance teams to weigh together, not procurement alone.
Are there sovereign European alternatives?
The market is emerging. In April, the European Commission awarded its first cloud contract with explicit sovereignty criteria to European providers. This sets a standard and creates demand for sovereign offerings.
Image source: AI-generated (May 2026), C2PA certificate embedded in image