Amazon Web Services recently became the latest US company to launch what it calls “a new, independent cloud for Europe.” Microsoft announced a Cloud for Sovereignty offer in July 2022 and Oracle its EU Sovereign Cloud offer last June.
These programs attempt to address European concerns about keeping data within EU borders. At stake is Europe’s quest for “digital sovereignty,” and whether it attempts to boost the continent’s digital performance or veers into protectionism. France is fighting hard to limit non-European cloud providers. Germany is pushing back, supported by small EU members and the US.
In 2021, France’s national cybersecurity agency ANSSI revised its cybersecurity certification program to effectively preclude foreign cloud firms from providing services to government agencies. France’s European Commissioner Thierry Breton wants the same rules to apply in the upcoming European certification scheme. According to the latest leaked draft, dating from August, the upcoming European cloud certification scheme would prevent non-European vendors from providing “high assurance level” cloud services not just to government services, but to a broad spectrum of critical commercial sectors.
Europe is divided. Traditionally, Paris counts on Berlin’s support to push digital sovereignty that favors its national champions over foreign suppliers. In contrast, small EU members prefer to buy the best available technology regardless of its provenance. Estonia, the Netherlands, and Greece have objected to the new cloud certification rules proposed by France, saying they would raise costs and stifle competition.
Germany now seems to be leaning in their direction. The Free Democratic Party, in control of key ministries in Berlin, has criticized France’s cloud push and the German Federal Office for Information Security has endorsed the Amazon European Sovereign Cloud. Director General Claudia Plattner said she was “very pleased to constructively accompany the local development of an AWS cloud, which will also contribute to European sovereignty in terms of security.”
France’s cloud Colbertism — an economic policy promoting state intervention and protectionism — is in jeopardy. Amazon’s new European product cannot be sovereign because it is subject to the US FISA and Cloud Act, American laws that require US companies, US citizens or foreign subsidiaries on US soil to hand over data to US security agencies, complains French centrist parliamentarian Philippe Latombe. Germans are “exchanging their industrial dependency on Russian gas for a dependency on American digital companies” that could access European company data and engage in “economic intelligence.”
The US, Japan, and other non-European governments are pushing back, too. US Trade Representative Katherine Tai raised concerns about the French and EU cybersecurity certification schemes in a call last year with Valdis Dombrovskis, the European Commission Executive Vice President in charge of trade. “The issue now has risen to a high level of official concern for the US government,” says Kenneth Propp of the Atlantic Council.
US cloud providers hope their “sovereign clouds” will allow them to continue doing business in Europe. According to Amazon’s Arnaud David, the company’s new European cloud services include safeguards, controls, and security features that prevent access to customer data unless customers give access. Amazon even provides its customers with encryption tools. If Amazon is requested to send data to US administrations, David says it will “challenge every request it deems inappropriate, especially if it is contrary to local law, like the EU’s General Data Protection Regulation.”
For experts, the promises do not prevent a transatlantic legal conflict. Under the Cloud Act, US-based cloud service providers must comply with requests from US agencies, irrespective of where data is stored in the world, says Jean-Sébastien Mariez, founding partner of the French tech law firm Momentum Avocats.
This requirement can conflict with EU data protection law. A 2022 memo by the Dutch National Cyber Security Center says US cloud service providers’ plans providing protection from US laws are irrelevant. US intelligence agencies can always circle around them.
The economic stakes are enormous. A new study from the Brussels-based think tank ECIPE projects that driving out US cloud leaders could cost the EU up to €610 billion within two years of implementation. EU companies would be blocked from using the world’s most advanced cloud services and forced to pay high prices to second-tier European cloud providers, warns author Matthias Bauer.
Théophane Hartmann is a tech reporter for EURACTIV France. He previously worked as an IT Strategy consultant.
Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions are those of the author and do not necessarily represent the position or views of the institutions they represent or the Center for European Policy Analysis.