US Hyperscalers and European Digital Sovereignty: A Critical Risk Assessment
US hyperscalers, providers of cloud compute services, dominate the market. AWS, Microsoft and Google together control 65% of the European cloud server market. They have grown to this position through impressive innovation, speed to market, and leveraging previous dominant positions in related markets. These companies, and the services they provide, have become ubiquitous across most of the world. They are the default, and in many cases, the only option.
This is now a significant risk, for states and businesses.
Background: The Long-Standing Tension Over Data
There has always been a tension between Europe and the USA with regard to how data is handled. There is a philosophical difference in how personal data is handled, with Europe being much more prescriptive on what can and can't be done with individuals' data, and the level of control those individuals have over it. This contrasts with a much more relaxed position in America, with fewer controls. However, both areas protect their own citizens more than they do others.
This has consistently posed difficulties for European companies using American suppliers and service providers to handle European customer data. All the way back in 1998, EU and US authorities began to try to provide certainty for business with regard to the transfer of customer data. The first iteration lasted from 2000 to 2015, before being declared incompatible with EU law by the European Court of Justice. This led to the development of the EU-US Privacy Shield in 2016, which was in turn found incompatible with EU law in 2020. The latest attempt, the EU-US Data Privacy Framework, was developed by 2022, and declared adequate by the European Commission in 2023. However, the European Parliament has passed a motion expressing its doubts that the Framework is, in fact, compatible, and legal challenges are expected.
  • 2000-2015: Safe Harbor agreement (declared incompatible)
  • 2016-2020: EU-US Privacy Shield (declared incompatible)
  • 2022-Now: EU-US Data Privacy Framework (legal challenges expected)
The questions around data don't stop there, however. The agreements above related to data being transferred between the EU and the US. But in 2018, the US CLOUD Act was passed, which enables the US government to compel companies to produce data they hold regardless of where in the world it is held - in other words, data held in EU data centres would have to be handed over. Given that many of the EU concerns with the transfer of data to the US were related to opening up EU citizens to US government surveillance, this is a growing cause of concern due to geopolitical changes.

Critical point: Consistent efforts have been made on both sides to attempt to resolve this situation permanently, because access to US based services has been vital for EU businesses and customers, and access to EU business and customers has been vital for US based services. Ambiguity in some of the solutions has been tolerated, likely because the US was seen by the EU as an ally with respect for the rule of law and norms that keep global trade flowing.
Current Environment: Eroding Assumptions
These assumptions Europe held about the US have been under attack for the last year. Blanket tariffs have been threatened, revoked, imposed, removed, altered, agreed, and generally used as a big stick. An erosion of the security guarantees the US has provided to Europe through NATO, as well as a reduction of support towards Ukraine and an apparent warming to Russia have created alarm in Europe. Within the US, political opponents have been targeted with dubious legal attacks, reducing faith in the neutral rule of law. Taken together, these concerns have raised the interest in increasing digital sovereignty in Europe, not just in terms of control of data, but services and infrastructure the continent's businesses and governments rely on.
And then along came Greenland.
In a stroke, the US changed from an unreliable ally to a potential adversary. Threats to take, by force if necessary, the territory of a sovereign European nation, Denmark, and member of NATO, had been unthinkable. Symbolic shows of support for Denmark by NATO allies produced another threat of tariffs.
"In the case of the US’s allies, they must now contemplate what was unthinkable: to have to defend themselves against the US itself, in trade and perhaps security."
- Bronwen Maddox, Director and Chief Executive of Chatham House
In the short term, at the time of writing, the threat has receded - following a bruising few days at the World Economic Forum, the US has firstly withdrawn the threat of physical force, and secondly the threat of tariffs. However, it is unclear what agreement has been floated to achieve this, or if the united front by European nations (and American markets) has had an impact. It is also not unusual for President Trump to revoke threats, only to return to the issue at a later date.
This move hasn't created the risk. But it has been a wake-up call as to its urgency, and its scope.
The threat is now that a state which is beginning to behave as an adversary will have at-will access to data held anywhere in the world, if the companies holding it are US based, or have a presence in the US. This covers personal, business, and governmental data.
The Nature of the Risks
The nature of the risks in this situation is not fundamentally altered by the change in the environment listed above. What has changed is the likelihood of the risk occurring, and the vector the risk takes. In essence, these risks all already exist, but the environment we operated in had made them seem easily manageable. This is what has changed.
1. No guarantee of data security
The US now has routes to access data held anywhere in the world by any company or entity that provides services to anyone in the US. This is not just related to US owned companies, though they are naturally more open to pressure from the US government. Importantly, parent companies can be compelled to reveal data held in subsidiaries - this means even if the US hyperscalers establish purely EU based and staffed companies, they are still subject to the US CLOUD Act. Note that the use of the US CLOUD Act is often combined with a gag order, meaning companies cannot inform their customers that data has been accessed.
2. Concentration risk
This risk is related to the lack of resilience and redundancy between providers. While resilience and redundancy are generally provided by the major cloud operators, in that a single server failing will have no impact, the concentration of all services in one supplier means if anything does go wrong, every service can fail simultaneously. This is a semi-regular occurrence, with issues ranging from stoppages of email, all the way to cascading failures taking out large portions of the internet.
3. Lack of visibility of risk
Because the US hyperscalers are so ubiquitous, and because of the quality of the product they offer, many other companies rely on them. This means you may be purchasing, for example, Software as a Service (SaaS) products from one supplier, and be completely unaware that they rely on AWS for their backend.
Potential Consequences
What could the consequences of these be? Unauthorised disclosure of data could range from a mild embarrassment, to a regulatory disaster, to the loss of vital intellectual property. With concentrated services, an error on the provider's part, or an instruction they feel compelled to follow, could lead to your entire organisation being unable to function, perhaps even to the extent of not being able to log on to your devices. And when you don't know how your suppliers are providing services, you could discover the European company you were working with has been storing your data and processes in the US all along.
The Infrastructure Analogy
As an analogy, consider the known, and widely accepted by governments, risk of infrastructure capture through technology supplied by Chinese companies. You will recall that, for example, Huawei has been banned from providing core infrastructure in various telecommunications networks. What we are talking about here is an equivalent threat from the concentration of backend systems and ubiquitous services in another country.
A Harsh Truth
Just a few months ago, it would have felt inconceivable that the US could be seen as a potential adversary on the same level as China. But the harsh truth is that the actions of the current US administration have made this view necessary and pragmatic.
The US is experiencing authoritarian pressures that, while currently being resisted by institutions, demonstrate a credible risk trajectory that European digital sovereignty planning must account for.
With increasing internal strife in the US, threats to European territory, abuse of the legal system, and even the floating of cancelling mid-term elections the current administration is likely to lose badly, it is not a stretch to believe the US may take advantage of any tools they have to put pressure on, or damage, European business and governments. This isn't a certainty - but it is a huge risk.

Note that this is through no fault of the US hyperscalers themselves - they are merely providing the best service they can, and they have been very successful at it. They are victims of the geopolitical issues as much as European businesses and governments looking to migrate away from them. This is a situation no-one wanted to be in - but we are in it. It now falls on us to act based on how the world is, not how we wish it to be.
Mitigations: The New Imperative
The new imperative is to dramatically reduce reliance on US technology firms and infrastructure. Realistically, it is not possible to immediately cut off the use of US hyperscalers, as they are overwhelmingly dominant in the market. If every firm in Europe decided to switch to European providers en masse, the infrastructure simply isn't there to support it. But that doesn't mean we should ignore the risk.
The norm for the next few years will be a hybrid approach - moving services away from US based providers depending on severity of impact, and ease of migration.
Step One: Secure Your Data
The first step to take is to ensure businesses have a complete copy of their own data, in a readable and usable form, held on their own infrastructure, or that of a trusted European vendor. This is the most basic form of insurance against the risk of losing access to services. It is important to be aware that this is not a magic bullet - in many cases, the systems that this data is used in will be unavailable, significantly complicating the restoration of data and services until viable alternatives are in place for the individual business. However, having your own immutable copy of the data is the foundational first step.
The way to achieve this will vary from vendor to vendor, and conversations on how to do this should begin now. Generally, files stored in dedicated file storage systems (such as Google Drive, OneDrive, or SharePoint) are simple to download, with email relatively simple to export. Other systems, particularly databases, will be more challenging.
  • File storage: simple to download from Google Drive, OneDrive, SharePoint
  • Email: relatively simple to export
  • Databases: more challenging, requires vendor-specific approaches
Step Two: Begin Migration
The second step is to begin the slow and steady work of migrating services away from US providers when the risk is judged to be high enough to require it. (This will naturally vary from business to business, and between business and public sector.)
The way to approach this will need evaluation of your IT environment. For example, two technically relatively easy wins are migrating to a European file storage provider, and moving to European office software. However, the challenge of bringing users along on this journey will vary dramatically. Again, a risk based approach needs to be used, with realistic evaluations of the damage that could be done if access to various systems is cut, or leaks of different types of data occur.
European Alternatives Available Today
However, it is important to stress that some of this is possible today - the providers of these alternative easy-win systems are already out there. For example, Nextcloud is a German company that develops the open source Nextcloud application, which provides file sharing, team communication, and even online document editors. The company offers comprehensive hosting and support options, and has a track record of delivery with clients such as Siemens and Amnesty International.
For a standalone office software environment, LibreOffice is one of a number of European alternatives which are compatible with Microsoft Office file types.

These are only two examples, and are not in themselves recommendations - the right product will depend on your individual circumstances. A listing of European alternatives is provided at https://european-alternatives.eu/
More difficult will be moving from Software as a Service providers using US systems, and general cloud computing. Again, European alternatives to much of this exist, but it is extremely likely there are various gaps that will need to be filled as demand increases. This is an extremely complex area, and one which every business will need to evaluate carefully.
The AI Challenge: A Critical Gap
Finally, the new frontier of computing is AI. This is almost completely dominated by American firms, and US computing infrastructure. This is an area where it is hard to see any European alternatives to the cutting edge commercial providers. This is an area where many European companies, if they wish to keep up, have to accept a massive risk. As they build systems and processes that take advantage of the new capabilities, they could at any moment have their access taken away, causing a complete collapse of their business model.
Mistral AI, a French company, is a potential replacement for some AI roles, but its capacity is currently lower than that of American providers. In addition, the use of self-hosted open models may provide some mitigation.
This is an area which requires governmental intervention. It would be near impossible for a challenger European AI company to enter the market at this point without significant support. This may be provided either by direct grant funding, or by committed expenditure by the European public sector. Regardless, this would be a very long term endeavour, and this risk to European business and public sector needs to be acknowledged, and mitigations put in place.
Immediate Actions
  • Run open source LLM models locally
  • Provide API access for European providers
  • Continue research to avoid technological dependency
Those mitigations could include running open source LLM models locally, and providing API access for other European providers. The gap of continued research must be filled, so that Europe does not have to choose between becoming a technological backwater, or relying entirely on a potential adversary state for its infrastructure.
Conclusion: The Time for Action is Now
The concentration of European digital infrastructure in the hands of US technology companies was, until recently, a manageable risk. The quality of service, the innovation, and the scale these providers offered made them the rational choice for businesses and governments alike. The assumption was that even if geopolitical tensions arose, democratic norms, institutional stability, and the rule of law in the United States would constrain any impulses to weaponise this dependency.
That assumption can no longer be relied upon.
The events of the past year - from unprecedented threats against a NATO ally to systematic targeting of political opponents, from floating the cancellation of democratic elections to the publication of a National Security Strategy that explicitly seeks to undermine European political institutions - have demonstrated a capacity and willingness to break with established norms that would have been unthinkable just months ago. While American institutions are currently resisting these authoritarian pressures, the trajectory is clear, and the risk is real.
This is not a call to panic, nor is it an argument for immediate, wholesale abandonment of US cloud services. Such a move would be neither possible nor desirable in the short term - the infrastructure simply isn't there, and the disruption would be severe. But it is a call to action.
Every organisation, whether business or government, large or small, needs to acknowledge this risk and begin planning accordingly. The first steps are straightforward: ensure you have complete, usable copies of your own data, held independently. Evaluate your dependencies, understand where your critical systems actually run, and begin the process of identifying alternatives. For low-risk systems, start migrating now. For high-risk systems, develop contingency plans.
For policymakers, the imperative is clear: European digital sovereignty is not an aspirational goal; it is a strategic necessity. This requires significant public investment in European cloud infrastructure, support for European AI development, and potentially regulatory frameworks that encourage or require migration of sensitive systems. The market alone will not solve this problem; the capability gap is too large and the established advantages of the incumbents too significant.

The choices we make today will determine whether Europe retains genuine autonomy in an increasingly digital world, or whether it becomes dependent on the goodwill of a state that has demonstrated it can no longer be counted upon as a reliable partner. We didn't create this situation, and we didn't want to be in it. But we are. The only question now is whether we act based on the world as it is, or continue to operate as though it were the world we wish it to be.
The time for complacency has passed. The time for action is now.