Blog

EU Data Sovereignty and U.S. Tech, What to Consider

Written by Sian Parany | May 7, 2025 10:29:46 PM

The European Union (EU) is intensifying efforts to strengthen data governance, enhance data protection, and reduce dependence on U.S. technology companies. These initiatives reflect the EU’s ambition to assert regulatory leadership, the growing mistrust of foreign entities, and a drive for economic self-reliance amid geopolitical uncertainties.

Currently, a significant portion of European data resides on U.S.-controlled cloud platforms such as those provided by Microsoft, Amazon, and Google, which collectively dominate over two-thirds of the European market. Many organizations rely heavily on U.S.-developed SaaS products such as Slack, Salesforce, Oracle NetSuite, and Microsoft Dynamics.

For years, dependence on U.S. technology has been seen as inevitable due to the reliability, advanced features, and performance of these mature cloud and SaaS providers. Consequently, many EU organizations find switching away from these services would be challenging despite the growing push for digital autonomy.

 

This article explores the EU’s prioritization of data sovereignty, the conflict between EU data protection laws and U.S. regulations, and how hosting an encryption gateway could enable continued use of U.S. technologies while mitigating legal vulnerabilities tied to foreign jurisdictions.

 

Why Data Sovereignty is Important

The proliferation of U.S. tech, coupled with geopolitical tension and growing support for EU “digital sovereignty” has surfaced a concern around EU data sovereignty. Data sovereignty refers to the legal authority a country or region has over data generated within its borders. These laws dictate how the data can be used, stored, and accessed.

 

When data moves across borders - or is stored in a different jurisdiction, it may fall under multiple legal frameworks (such as data residency and localization rules), making governance more complex.

The EU faces significant data sovereignty concerns, primarily because of conflicting legal frameworks, extraterritorial jurisdiction, surveillance risks, and regulatory incompatibilities with the U.S., even when data is stored and processed within the EU.

U.S. Laws Conflict With EU Data Protections

The CLOUD Act (2018) allows U.S. authorities to compel U.S companies (like Amazon [AWS], Microsoft [Azure], and Google [GCP], etc.) to hand over data stored anywhere in the world. This includes EU-based servers, via subpoenas or court orders. This conflicts with GDPR’s data localization and privacy rules. In addition, the Foreign Intelligence Surveillance Act (FISA) Section 702 permits warrantless surveillance of non-U.S. persons, raising fears that EU citizens’ data could be accessed by U.S. intelligence agencies without EU judicial oversight.

Until a court determines that U.S. public clouds and supplier-controlled EU sovereign clouds can reject FISA 702 and CLOUD Act requests for access to EU citizens' data, their total compliance with EU data privacy laws remains grey. This legal ambiguity raises doubts about their ability to adhere to GDPR and other EU regulations.

The Schrems II ruling (2020)

This conflict was put into play via The Schrems II ruling (2020) by the Court of Justice of the European Union (CJEU). The case originated from privacy activist Max Schrems, who challenged Facebook Ireland’s transfers of EU user data to the U.S. under Standard Contractual Clauses (SCCs). He argued that U.S. surveillance laws (e.g., FISA Section 702 and the CLOUD Act) exposed EU data to unlawful access, violating GDPR and the EU Charter of Fundamental Rights. The EU Court of Justice invalidated the Privacy Shield agreement, citing inadequate U.S. protections against surveillance.

Lack of True Sovereignty in "EU-localized Clouds”

To cater to the EU, many U.S. cloud and SaaS providers offer EU-localized cloud. An EU-localized cloud is a cloud computing service designed to store and process data within the EU, aligning with EU data sovereignty laws like the GDPR, Data Act, and NIS2 Directive. These clouds aim to minimize exposure to foreign laws.

Despite offering EU-based infrastructure, U.S. cloud providers' "sovereign" solutions (e.g., AWS European Sovereign Cloud, Azure EU Data Boundary, etc.) fail to fully address EU data sovereignty concerns. While EU-localized clouds improve compliance, they cannot override U.S. legal jurisdiction (like the CLOUD Act). Many U.S. companies have joined GAIA-X, as not quite full members - this does not negate that they remain subject to US jurisdiction under the CLOUD Act.



EU Regulatory Change

Recently, the EU has been making steps to prioritize homegrown solutions whilst strengthening data security and sovereignty. These steps have included exploring new frontiers beyond GDPR for data governance, including the EU Data Act, DORA, and NIS2 Directive. Together, these regulations create a comprehensive framework for protecting EU citizens' data rights, securing critical infrastructure, and reducing dependence on foreign technologies, all essential pillars of digital sovereignty (and data sovereignty).

GDPR

GDPR, enacted in 2018, establishes strict rules for collecting, processing, and storing personal data of EU residents. It also limits cross-border data transfers to countries with adequate privacy protections, exemplified by the invalidation of the EU-U.S. Privacy Shield in the Schrems II ruling.

The Data Act

The Data Act, a complement of the European Data Governance Act, was effective from January 2025, with phased implementation through September 2025. The Data Act aims to enhance data sovereignty by regulating the use and sharing of non-personal data generated by IoT devices and other systems. It strengthens transparency obligations and fosters innovation while reducing reliance on non-European platforms. It clarifies who can use what data and under which conditions.

 

The NIS2 Directive

Effective October 2024, the NIS2 Directive strengthens cybersecurity across 18 critical sectors by mandating risk management measures and incident reporting. It enhances cooperation among EU member states to protect essential services from cyber threats, supporting broader data sovereignty goals.

 

Digital Operational Resilience Act (DORA)

DORA focuses on ensuring operational resilience in the financial sector by enforcing stringent ICT risk management and oversight of third-party providers. By addressing systemic risks tied to digital dependencies, it safeguards critical infrastructure while reinforcing EU sovereignty in finance.

 

A Practical Alternative to Resource-Intensive Migration to EU Providers

Switching entirely to EU-based technology providers is a complex and resource-heavy undertaking for many EU organizations. Such a transition could disrupt operations, given the advanced capabilities and maturity of U.S. technologies. However, there are effective strategies that enable EU organizations to maintain compliance with regulations like GDPR, NIS2, and the Data Act while continuing to leverage U.S.-based technologies. These solutions focus on mitigating risks associated with U.S. laws, such as the CLOUD Act, rather than necessitating a complete overhaul of existing systems.

Balancing Sovereignty and Convenience With Compliant Security Measures

Encouraging organizations to adopt EU-based providers requires significant legislative efforts and penalties for non-compliance. Current EU regulations, DORA, the Data Act, NIS2, and GDPR do not explicitly mandate exclusive use of EU-based companies. However, these frameworks impose stringent requirements for data protection, cybersecurity, and vendor risk management, making compliance more complex when relying on non-EU providers. Despite these challenges, viable solutions exist.

Staying Compliant While Using U.S.-Based Companies

Organizations can adopt the following measures to align with EU regulations while utilizing U.S.-based services:

  • Data Encryption and Tokenization: Employ robust encryption and tokenization techniques to safeguard sensitive data processed or stored by U.S. providers.
  • Contractual Safeguards: Include provisions in vendor contracts ensuring GDPR compliance, incident reporting, and adherence to EU security standards.
  • Data Localization with Tokenization: Store sensitive data within the EU to limit exposure to extraterritorial laws such as the U.S. CLOUD Act.
  • Vendor Audits: Conduct regular audits of U.S.-based providers to verify compliance with EU regulations like DORA and NIS2.
  • Minimize Data Transfers: Use pseudonymization or anonymization to restrict personal data transfers outside the EU.

These strategies mitigate risks while maintaining compliance with EU regulatory frameworks, offering a practical alternative to fully transitioning to EU-based providers.

 

How Self-Hosting a Cloud Data Protection Gateway Helps

EU organizations can deploy a self-hosted data security platform at their network level. This solution encrypts or tokenizes sensitive data before transmitting it to U.S.-based SaaS or cloud provider servers, ensuring enhanced control over data sovereignty whilst maintaining application functionality..

Learn more about: Self-hosting a cloud data protection gateway

StratoKey Can Help Secure EU Data Before Sharing With External Providers

StratoKey’s Cloud Data Protection (CDP) gateway offers advanced encryption and tokenization capabilities. The gateway processes sensitive data within the organization’s network, converting it into ciphertext or tokens before transmission to third-party applications or services. Unauthorized access bypassing the StratoKey gateway results in unintelligible ciphertext or tokens.

Tokenization For On-shoring Data

StratoKey assists EU organizations in meeting data sovereignty requirements by securely storing sensitive information locally using tokenization. Tokens replace sensitive data (e.g., PII) and can be stored in databases hosted on infrastructure controlled by the organization.

Mitigate Jurisdictional Risks

StratoKey ensures encryption keys, token vaults, and data control remain within the EU, helping protect sensitive information from foreign laws like the CLOUD Act or FISA Section 702.

Strengthened Security Posture

StratoKey delivers end-to-end encryption with customer-controlled access, ensuring only authorized users can decrypt data, even if intercepted. Unlike BYOK (Bring Your Own Key) solutions, where providers manage infrastructure, self-hosting eliminates third-party access to plaintext data. Additional features such as identity-aware authentication, live monitoring, security analytics, and policy enforcement help organizations comply with regulations like GDPR, DORA, NIS2 Directive, and the EU Data Act.

 

Conclusion

Self-hosting a CDP gateway offers a practical solution for EU organizations leveraging U.S.-based technologies while implementing robust data sovereignty measures that mitigate legal vulnerabilities associated with U.S. cloud providers and ensure compliance with evolving EU regulations.

 

Contact us to learn how StratoKey can assist in protecting and on-shoring sensitive data.

See our data sovereignty solutions for Salesforce, ServiceNow, SAP Business ByDesign & S/4HANA, Oracle NetSuite, and other applications.