Since the rapid development of AI and the increase of digitalisation in Germany, many German companies started worrying more about GDPR and data sovereignty. Then the US CLOUD Act was introduced. It clarifies the legal use of data outside the US and its implications for global data protection. This shift raised new questions about how safe it is to rely on American cloud providers in Europe. Companies are now weighing the benefits in terms of cost and performance against the potential risks of US legislation affecting their data safety.
Some European providers are slowly gaining attention because they focus strongly on privacy and data protection as it’s now extremely important for organizations to be aware of their GDPR compliance obligations and the implications of using US-based services.
This is becoming a problem because when German companies use American cloud services, they are building their entire digital infrastructure on an American foundation. Even if the servers are located in Frankfurt or Cologne, control remains in one of the cities in the US. And this is now causing great concern in the EU.
Are we seeing companies in Germany actively switching to local cloud providers, or is there still a strong dependence on providers such as AWS and Azure?
How Europe became dependent on US clouds
For a decade, American companies have been successful thanks to managed services and a global backbone network and the European providers have underperformed in terms of service latitude and ecosystem. This gap is narrowing, but it has not been eliminated, especially in the area of advanced AI tools, ML/LLM platforms, and global infrastructure that took over a decade to build.
The influence reached beyond normal business use. Even the German military depended on American cloud services for some projects. The Bundeswehr wanted sovereign, secure infrastructure, but European alternatives didn’t have the technical capabilities they needed. Before AI became such an important player in political communication, it was convenient working with American companies anyway, despite all the security concerns. A big chunk of Germany’s budget was and still is going to the US, when it could also be invested in building German IT capabilities or digitalisation.
With the introduction of the US CLOUD Act things have shifted. The CLOUD Act is an amendment to the old rules on access to electronic data. The US Congress passed the law in 2018, and it started working right away. It is not a completely new law but more an update of old American rules from the 1980s. These rules describe how US authorities can obtain data from Internet services that fall under US jurisdiction even if based in the EU. Now, in such cases, a company is required to hand over any user data which it owns. Foreign companies may also be subject to the law if they have a connection to the US such as an office, a subsidiary, contracts with US customers, etc.
It is not as easy as it sounds – all requests are still decided step by step and through official procedures. The requests must be specific and usually apply to serious crimes. And if the data is encrypted and the keys are not stored by the service, the law does not oblige the company to decrypt it. Still, the situation raises significant concerns for the EU cybersecurity regulations.
When GDPR meets the CLOUD
European companies already had to follow GDPR rules before the US CLOUD Act or the rise of AI. But the situation became more serious once two different legal systems started to overlap.
The US CLOUD Act is still very much against the GDPR requirements. This means that all the US companies based in the EU will have to rethink their business processes because even choosing a European data center now doesn’t mean GDPR compliance.
There are European options available. Companies like IONOS, Scaleway, and OVHcloud promise GDPR compliance and data sovereignty. German providers like SecureCloud and luckycloud specifically market their sovereignty advantages. But the reality is that they can’t yet compete with American providers nor do they have nearly similar experience and reliance. It also concerns technical capabilities and Germany is technologically dependent in many areas. That’s also the reason that most European providers focus on small and medium businesses – because they can’t handle the complex requirements of large enterprises.
The idea of pure European cloud independence is in fact too expensive and technically challenging.
European companies choose non-European cloud providers to access technical capabilities, pricing, or services that European suppliers simply don’t offer yet.
This creates a genuine business problem. As a business owner, you want to support European alternatives and maintain data sovereignty, but you also need to stay competitive. Sometimes these goals work against each other.
The regulatory environment keeps evolving. The European Commission is developing new AI and cloud regulations for late 2025. They specifically address the gap between Europe’s existing capacities and its needs, particularly in light of the growing technological demands associated with AI. Simultaneously, the political pressure for more sovereignty keeps growing, especially with concerns about current US policies toward Europe.
Practical options for German Companies
What should German companies do in such circumstances? It’s important to support local providers, stay efficient in daily operations, and still respect GDPR rules. It requires a wise approach,including risk and change management.
One possible way is to use European alternatives for less critical applications while keeping American providers for advanced tasks. This provides some sovereignty benefits while maintaining competitive capabilities.
Another important point is that it’s not worth it to only rely on the political situation since there was a lack of geopolitical stability for a long time already.
The crucial step is to audit your business carefully and think about it in a strategic way:
Consult an experienced legal advisor. GDPR and US data access regulations are complex; mistakes carry serious compliance and financial risks.
Compare total cost of ownership over 3–5 years. Don’t focus solely on the initial cost. On-premises solutions require higher capital expenditures but can be cost-effective for stable workloads with large data volumes.
Make decisions based on the business area. Define your requirements and acceptable risk level, then choose an architecture that fits.
Decisions made today regarding cloud technologies will have long-term consequences as the regulatory framework continues to develop. Companies that take a proactive approach to data sovereignty may find themselves in a more advantageous position as European regulations develop and alternative solutions improve.
However, complete digital sovereignty may not be achievable in the short term. The technology gap, infrastructure requirements, and necessary knowledge and expertise are too great for most German companies to overcome on their own.
The key to solving this problem is to strike a balance between practical business needs and independence goals. Strategic diversification is better than complete dependence on a single supplier. Even partial sovereignty is already an advantage compared to complete dependence on foreign providers.
This balance will likely determine the competitiveness of the European digital sector for years to come. The way forward requires careful weighing of real business needs and idealistic sovereignty goals that may be practically unattainable.
