The CLOUD Act just made your AWS region choice a legal question

5 min read 1 source clear_take
├── "The CLOUD Act makes EU data on US cloud providers legally exposed, and digital sovereignty is now an operational procurement requirement"
│  ├── Bert Hubert (korte.co) → read

Hubert argues that EU regional hosting on Microsoft 365, Google Workspace, or AWS provides no real protection because the CLOUD Act gives US law enforcement reach into any data controlled by a US-incorporated company, with gag orders preventing disclosure. He frames the second Trump administration's unpredictable posture toward Europe as the trigger that turned a theoretical legal risk into an operational one Dutch ministries are now actively mitigating.

│  └── @dotcoma (Hacker News, 173 pts) → view

By submitting the piece and driving it to 173 points, dotcoma signal-boosted the thesis that GDPR contracts and EU regions are legally incoherent fig leaves over US extraterritorial jurisdiction. The submission framing positions this as a wake-up moment for European IT buyers.

└── "The legal reality hasn't changed since 2018 — what changed is political trust in the US executive branch"
  └── top10.dev editorial (top10.dev) → read below

The editorial emphasizes that the CLOUD Act has been law since 2018 and the technical community largely shrugged because everyone assumed a friendly DOJ would never actually invoke it against allies. The synthesis argues the inflection point is political, not legal: the Trump administration's tariffs, NATO renegotiation, and threats against EU officials removed the assumed backstop, forcing procurement officers to read the statute literally.

What happened

A piece by Bert Hubert (the PowerDNS founder, writing on korte.co) hit Hacker News at 173 points this week with a blunt thesis: the Dutch government has finally internalized that the US can read its emails. Not metaphorically. Literally. Any data sitting on Microsoft 365, Google Workspace, or AWS — including data in Frankfurt, Dublin, or Amsterdam regions — is reachable by US law enforcement under the CLOUD Act, and the provider is legally barred from telling the customer it happened.

This is not a new legal reality. The CLOUD Act passed in 2018, explicitly to overrule the Microsoft Ireland case where Microsoft had refused to hand over emails stored on Irish servers. What's new is the political climate making EU governments treat it as an operational risk rather than a theoretical one. Dutch ministries, German Länder, and French defense contractors have spent 2025 quietly rewriting procurement language. Hubert's piece crystallized the shift: digital sovereignty is no longer a Brussels talking point, it's a buying criterion.

The immediate trigger is the second Trump administration's posture toward European allies — tariffs, NATO renegotiation, public threats against specific EU officials. The Dutch read of the situation, paraphrased from Hubert: if the executive branch is unpredictable, the legal backstop you assumed existed (a friendly DOJ that would never actually invoke CLOUD Act against an ally) is not a backstop.

Why it matters

The technical community has known about the CLOUD Act for years and largely shrugged. The architectural assumption was: pick an EU region, sign a BAA or DPA, write GDPR into your contracts, done. That assumption is now legally incoherent, and procurement officers are starting to read the underlying statutes instead of the marketing pages.

The CLOUD Act's mechanism is simple and brutal: it asserts US jurisdiction over any data "in the possession, custody, or control" of a US-incorporated company. Microsoft Ireland Ltd. is wholly owned by Microsoft Corp., which is incorporated in Washington state. AWS EMEA SARL is wholly owned by Amazon.com Inc. The corporate-structure argument that EU subsidiaries are independent entities was tested and lost. The DOJ can serve a warrant on the Redmond parent and require production of bits sitting in a Dublin data center, with a gag order preventing the customer from being notified.

GDPR Article 48 says transfers to third-country authorities require an EU legal basis (typically an MLAT). The CLOUD Act says you produce when served, gag order included. These two regimes are in direct, irreconcilable conflict, and US providers operating in the EU are caught between them — a fact that EU data-protection authorities have started writing into formal opinions. The EDPB's 2023 opinion on the EU-US Data Privacy Framework explicitly flagged this as unresolved. The Schrems II ruling already invalidated Privacy Shield on similar grounds. The pattern is consistent and the direction is one-way.

The community reaction on HN was less "this is news" and more "finally people are saying it out loud." Top comments pointed at OVHcloud's recent growth (revenue up double digits in H1 2026, driven explicitly by sovereignty-conscious EU government and healthcare wins), Hetzner's expansion into managed Kubernetes, and IONOS Cloud's defense-sector traction. Scaleway's Iliad parent has been pitching "EU-controlled AI infrastructure" on the back of its Jupiter cluster. The interesting signal isn't the politics — it's that procurement RFPs from Dutch ministries are now arriving with hard exclusions on US-parented providers, including hyperscaler-owned 'sovereign' offerings like Bleu (Microsoft/Capgemini/Orange) and S3NS (Google/Thales).

The hyperscalers know this. Microsoft launched the EU Data Boundary in 2024. AWS announced its European Sovereign Cloud (de jure separate legal entity, German-staffed, first region in Brandenburg by end of 2025). Google has a Sovereign Controls partnership with T-Systems. The bet is that legal-structural separation — a wholly-owned EU subsidiary with EU directors and EU-only staff — can defeat the CLOUD Act's "possession, custody, or control" test. Legal opinion is split. The DOJ has never conceded the argument, and the structures are untested in court.

What this means for your stack

If you're shipping software that handles EU personal data, three concrete things change. First, the region selector in your AWS or Azure console is now a latency choice, not a compliance choice — your DPO needs to know that, and your customer-facing data-residency claims need to be rewritten to match. "Data stored in EU" is true. "Data only accessible by EU authorities" is not. If you've been answering RFP questions with the former and implying the latter, you have a soon-to-be-discovered gap.

Second, if you sell to EU public sector, healthcare, or critical infrastructure, you need a real answer about non-US-parented providers. The shortlist is short: OVHcloud (FR, public), Scaleway (FR, Iliad), Hetzner (DE, private), IONOS (DE, public), UpCloud (FI), Exoscale (CH), and a handful of national clouds. None of them have AWS's service breadth. For most workloads — Postgres, Kubernetes, object storage, managed Kafka — they're sufficient. For anything depending on a specific hyperscaler managed service (Bedrock, BigQuery, DynamoDB), porting is a real engineering project, not a config change. Budget six months and a rewrite of your data layer.

Third, the "sovereign cloud" offerings from US hyperscalers are a hedge, not a fix. Microsoft Bleu, AWS European Sovereign Cloud, Google Sovereign Controls — these reduce the surface but don't eliminate it, and they cost more than the standard offering. They're worth evaluating if you're already committed to a hyperscaler ecosystem and need a procurement-acceptable story. They're not worth it if you have a greenfield option and EU-only customers.
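As an added example (not code from Hubert's piece or from this editorial), the following Python audit walks a Terraform state document and reports, per resource, whether data physically sits in an EU region versus whether the operating company is EU-parented, which is exactly the distinction the first point above draws between "stored in EU" and "only accessible by EU authorities". The provider-to-jurisdiction map, the EU region prefixes and the sample state are constructed assumptions for illustration, not authoritative lists.

```python
import json
import re

# Constructed lookups for this example, not authoritative lists: Terraform provider
# name -> country of the operator's parent company, and region strings treated as
# physically inside the EU. Note the AWS regions whose "eu-" prefix misleads
# (eu-west-2 is London, eu-central-2 is Zurich, both outside the EU).
PARENT_JURISDICTION = {"aws": "US", "azurerm": "US", "google": "US",
                       "hcloud": "DE", "ovh": "FR", "scaleway": "FR"}
EU_JURISDICTIONS = {"DE", "FR", "NL", "FI", "IE"}
EU_REGION_PREFIXES = ("eu-", "europe-", "westeurope", "northeurope",
                      "germanywestcentral", "fsn", "nbg", "hel", "fr-par", "nl-ams")
EU_PREFIX_EXCEPTIONS = {"eu-west-2", "eu-central-2"}
PROVIDER_RE = re.compile(r'provider\["[^"]*/([^"/]+)"\]')  # provider[".../hashicorp/aws"]

def classify_resource(res):
    """Return (provider, region, stored_in_eu, control) for one state resource."""
    match = PROVIDER_RE.search(res.get("provider", ""))
    provider = match.group(1) if match else "unknown"
    control = PARENT_JURISDICTION.get(provider, "unknown")
    attrs = res["instances"][0]["attributes"] if res.get("instances") else {}
    # Providers name the placement attribute differently; an unknown or empty
    # region is conservatively treated as not in the EU.
    region = str(attrs.get("region") or attrs.get("location") or attrs.get("datacenter") or "").lower()
    in_eu = region.startswith(EU_REGION_PREFIXES) and region not in EU_PREFIX_EXCEPTIONS
    return provider, region, in_eu, control

def audit_state(state_json):
    """Walk a Terraform state document and separate residency from legal control."""
    findings = []
    for res in json.loads(state_json).get("resources", []):
        provider, region, stored_in_eu, control = classify_resource(res)
        eu_only_control = stored_in_eu and control in EU_JURISDICTIONS
        findings.append({"address": f"{res['type']}.{res['name']}", "provider": provider,
                         "region": region, "control": control, "stored_in_eu": stored_in_eu,
                         "eu_only_control": eu_only_control,
                         # The gap the article describes: EU region, US-parented operator.
                         "residency_claim_gap": stored_in_eu and not eu_only_control})
    return findings

def _res(rtype, name, provider, **attrs):  # builds one constructed state entry
    return {"type": rtype, "name": name, "instances": [{"attributes": attrs}],
            "provider": f'provider["registry.terraform.io/{provider}"]'}

# Constructed sample standing in for a real terraform.tfstate.
SAMPLE_STATE = json.dumps({"version": 4, "resources": [
    _res("aws_s3_bucket", "customer_docs", "hashicorp/aws", region="eu-central-1"),
    _res("azurerm_storage_account", "hr_records", "hashicorp/azurerm", location="westeurope"),
    _res("hcloud_volume", "pg_data", "hetznercloud/hcloud", location="fsn1"),
    _res("aws_s3_bucket", "us_backups", "hashicorp/aws", region="us-east-1")]})
```

Running `audit_state(open("terraform.tfstate").read())` against a real state file lists every resource with `residency_claim_gap` set, which is the inventory the DPO conversation in the first point needs.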

Looking ahead

The CLOUD Act isn't going away, and neither is GDPR. The pressure point is where they collide, and the political environment now incentivizes EU governments to test that collision in court. Expect a formal CJEU referral within 18 months on whether a US-parented EU subsidiary can lawfully comply with a CLOUD Act warrant against EU resident data — and expect the answer to push more procurement toward EU-controlled providers regardless of what the court says about the existing structures. If you build infrastructure or sell to EU buyers, start sketching what your stack looks like on Hetzner and OVHcloud now. You may not need to migrate. But the people writing your customers' RFPs are going to ask, and "we're on AWS Frankfurt" stops being an answer this year.

Hacker News 185 pts 200 comments

Digital Sovereignty Becomes an Imperative as the US Reads Dutch Emails

→ read on Hacker News
beloch · Hacker News

If a politically stable nation with a good international reputation were to guarantee government respect for data privacy for data centres housed on its soil and run by its companies, that nation could become the Swiss bankers of data. Rolling your own "digital sovereignty" is not going to

reacharavindh · Hacker News

The fact that government agencies, particularly those that deal with international concerns like these, are using non-sovereign tech for communications is mind-blowing. They might as well use public Gmail.. at least it would be cheaper. If you want it not exposed directly, host it yourself and take me

sam_lowry_ · Hacker News

In the meantime Belgian public sector will use Google Cloud, it seems: https://ittech-pulse.com/news/smals-partners-with-google-clo...

c16 · Hacker News

With DigiID, as with this, I never understood why countries give critical infrastructure contracts away from the country it directly impacts, provided they have a mature tech ecosystem. I thought the whole point was that it was critical?

p0w3n3d · Hacker News

Please give me all the data I promise I won't look into them. Unless this is about kids. Or terrorism. In fact, I might look into the data without telling you, because fsck /dev/hdu
