Europeans built their single market so that bytes could travel from Lisbon to Tallinn as freely as trucks cross the mountainous Brenner Pass from Austria to Italy. Officially, the goal is intact: the Free-Flow-of-Non-Personal-Data Regulation bans member-state rules that pin ordinary industrial data to one country, except on narrow public-security grounds.
Yet reality looks different. Sector-specific laws and sovereign cloud labels tie critical datasets to domestic servers. Luxembourg prods banks to keep ledgers inside the European Economic Area – and, in practice, often inside the Grand Duchy itself. France’s SecNumCloud seal refuses certification to any cloud provider subject to non-European law, forcing public-sector and health data into European-owned infrastructure. German law lets patient records leave only for another European country or a country with European-approved privacy laws, and then only through a provider that keeps a registered base in Germany. Each rule scratches a domestic political itch; none is demanded by the European Union’s GDPR privacy rules.
The patchwork mirrors a wider global drift that undercuts the efficiency promises of seamless cloud computing. By early 2023, the OECD logged 96 explicit localization measures in 40 countries; more than two-thirds wedded on-shore storage to outright transfer bans.
Firms pay the bill. When regulation merely requires a domestic copy, average data-management costs jump 16%; tack on a cross-border ban, and they soar 55%, and one in twelve companies says it would quit foreign markets altogether. Yet 70% see no privacy, security, or innovation upside.
Those costs land hardest on small and mid-sized firms. Duplicated data centres dilute scale economies, fragment security operations, and turn threat-intelligence sharing into a postcode lottery. What started as a bid for sovereignty risks carving the continent into counterproductive cloud computing fiefdoms.
Governments offer two reasons for imposing localization: economic and security. First, foreign platforms allegedly keep more home-grown network value than they give back. Second, a security leak could mean either a loss of domestic control or a strategic edge handed to rivals.
The security concerns are acute with both China and the US. Chinese law requires companies to hand over all data on request to the authorities without independent court oversight. The American CLOUD Act allows Washington to seek data stored by US cloud companies anywhere in the world, though the requests face legal challenges.
Within Europe, similar barriers frustrate seamless data transfers. Although the EU’s Data Act requires cloud providers to disclose every jurisdiction with legal reach over their infrastructure, national schemes such as France’s SecNumCloud apply these tests unevenly.
Reform might be on the horizon. The Data Governance Act came into force in December 2024, the Data Act applies from September 2025, and the forthcoming European Health Data Space creates new sharing obligations that only work if data can cross borders. Their success hinges on scrapping, not multiplying, localization carve-outs.
The European Cloud Services Scheme would hand every kind of cloud service – from simple online storage and raw computing power, to developer-friendly platforms, to fully-fledged web applications – a single EU-wide cybersecurity passport, graded by assurance level and replacing the current patchwork of national seals.
Yet talks on the scheme are at an impasse. They have swung back and forth between a purely technical standard and a France-led bid to bolt extra sovereignty tests onto the highest tier. In February, industry groups warned that endless rewrites could sink the scheme and urged the Commission to adopt a clean, jurisdiction-neutral text.
Several additional steps would help. First, pivot from location to access: regulators should police who can reach data (via encryption, audit trails, and court-tested contractual clauses) instead of drawing circles on a map. Second, finish the cybersecurity scheme without nationality tests and make its “high assurance” level the default benchmark for critical workloads. Third, cap national carve-outs: any future localization rule should pass a published risk-proportionality test and sunset unless renewed. Fourth, as Johan Michels of Queen Mary University suggests, write a GDPR code of conduct so that hospitals, utilities, and banks can trust one sovereignty playbook rather than 27 different national ones.
Europe bulldozed its customs posts to create a continental market; it needs the same wrecking ball online. A lean, audit-ready rulebook for data could slash red tape, fatten Europe’s AI factories, and let regulators wall off the genuinely sensitive troves. In a cloud economy built on scale, patchwork borders are a luxury Brussels can no longer afford.
Dr. Anda Bologa is a senior researcher in the Tech Policy Program at the Center for European Policy Analysis (CEPA).
Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.
