The Reality Behind "Sovereign Cloud"
Not all "sovereign cloud" claims are equal. We compared European hosting providers on what actually matters: legal jurisdiction, surveillance law exposure, and real data sovereignty.
Year the US CLOUD Act was enacted, extending US reach to data stored overseas
18 U.S.C. § 2713
Active EU regulations that shape cloud sovereignty: GDPR, Data Act, NIS2
EU Official Journal
US-parented hyperscalers that meet the proposed highest EUCS sovereignty tier
ENISA EUCS — Draft Sovereignty Level
What Is Cloud Sovereignty?
Cloud sovereignty means your data is stored on infrastructure that is owned, operated, and legally controlled exclusively within a chosen jurisdiction. For European businesses, that means being insulated from extraterritorial laws like the US CLOUD Act (18 U.S.C. § 2713). A provider is not sovereign just because its servers sit inside the EU: if its parent company is incorporated in the United States, American authorities can compel disclosure of data in its custody regardless of physical location. Providers incorporated and controlled entirely under EU law, such as Alplink (Estonia), OVHcloud (France), and Scaleway (France), sit outside that chain. AWS European Sovereign Cloud, Microsoft Azure for Sovereignty, and Google Sovereign Cloud are ultimately controlled by US parent companies and, under the proposed EUCS highest sovereignty tier, would not meet the EU-control requirement. For GDPR Article 48, the (still draft) EUCS framework, and NIS2/DORA alignment, the jurisdiction of the controlling entity (not the physical location of servers) is what defines real cloud sovereignty.
Source: 18 U.S.C. § 2713 (CLOUD Act, 2018) · Regulation (EU) 2023/2854 (EU Data Act) · GDPR Art. 48 · EUCS Sovereignty Level Requirements
CLOUD Act Jurisdiction Chain
Who Is Actually Sovereign?
| Provider | Parent Jurisdiction | CLOUD Act Exposure | EUCS/SEAL Eligible | Open-Source Stack | Dedicated Infra |
|---|---|---|---|---|---|
| Alplink | Estonia (EU) | No exposure | Structurally eligible² | 100% open source | Dedicated per customer |
| AWS Sovereign Cloud | USA | Full exposure¹ | Not eligible | Proprietary | Shared tenancy |
| Azure Confidential | USA | Full exposure¹ | Not eligible | Proprietary | Shared tenancy |
| OVHcloud | France (EU) | No exposure | Eligible | Partial | Shared tenancy |
| Scaleway | France (EU) | No exposure | Eligible | Partial | Shared tenancy |

¹ 18 U.S.C. § 2713: US authorities can compel data disclosure regardless of where data is physically stored.
² The EUCS sovereignty level is still a proposed framework (ENISA draft); no provider is formally certified today. "Structurally eligible" means the provider already meets the EU-incorporation and control requirements of the draft.
The Laws You Need to Know
CLOUD Act (2018)
Allows US law enforcement to compel US-headquartered companies to produce data stored anywhere in the world, including EU data centers.
18 U.S.C. § 2713 — Clarifying Lawful Overseas Use of Data Act
EU Data Act (2024)
Requires cloud providers to prevent illegal international data transfers and provide transparency about jurisdictional risks to customers.
Regulation (EU) 2023/2854, Art. 27-28
EUCS Sovereignty Levels (draft)
The proposed EU Cybersecurity Certification Scheme defines sovereignty tiers. The highest tier, as currently drafted, would require: EU-incorporated provider, no foreign ownership control, and data processing exclusively within the EU. The final framework has not yet been adopted.
ENISA EUCS Candidate Scheme — Sovereignty Level (draft)
Frequently Asked Questions
Everything you need to know about Alplink's European cloud hosting.
Can a US-owned cloud provider be truly GDPR-compliant?
Data residency in the EU does not guarantee sovereignty. Under the CLOUD Act (18 U.S.C. § 2713), US authorities can compel US companies to hand over data regardless of physical location. GDPR Article 48 prohibits such transfers without a valid legal basis under EU law.
What is the EUCS sovereignty certification?
The EU Cybersecurity Certification Scheme (EUCS) is an ENISA-led candidate framework that defines three levels of assurance. In its current draft, the highest sovereignty tier would require the provider to be EU-incorporated with no foreign ownership control, which would exclude US hyperscalers from that top tier. The scheme has not yet been formally adopted.
Why does open-source matter for data sovereignty?
Proprietary cloud stacks create vendor lock-in and opacity. Open-source infrastructure (Linux, Odoo, WordPress, Nextcloud) allows full auditability, no hidden data collection, and the ability to migrate between providers without losing your data.
What makes Alplink different from OVHcloud or Scaleway?
Alplink provides fully managed open-source applications (Odoo, WordPress, Nextcloud, Matomo) on dedicated, isolated infrastructure per customer. OVHcloud and Scaleway offer shared IaaS; you still need to manage the software stack yourself.
How does dedicated infrastructure improve security?
Each Alplink customer gets isolated compute, storage, and network. No shared tenancy means no noisy-neighbor performance issues, no cross-tenant data leakage risk, and full control over your security perimeter.
What is the difference between data residency and data sovereignty?
Data residency means your data is physically stored in a specific country. Data sovereignty means the data is subject only to that country's laws. A US company storing data in Frankfurt still falls under US CLOUD Act jurisdiction, so you have EU residency but not sovereignty.
Does the EU-US Data Privacy Framework solve the CLOUD Act problem?
No. The EU-US Data Privacy Framework (DPF) addresses commercial data transfers under GDPR Article 45, but does not override the CLOUD Act's compelled disclosure provisions. US law enforcement can still compel US companies to produce data regardless of DPF protections.
What happens to my data if I leave Alplink?
You own your data. Alplink runs 100% open-source software (Odoo, WordPress, Nextcloud, Matomo), so there is no proprietary format lock-in. We provide full data exports in standard formats and assist with migration to any other provider or self-hosted setup.
Which EU regulations require sovereign cloud hosting?
The EU Data Act (Regulation 2023/2854) requires transparency about jurisdictional risks. The NIS2 Directive mandates supply chain risk assessment for essential entities. DORA (Digital Operational Resilience Act) requires financial entities to manage ICT third-party risk. The upcoming EUCS certification framework will formalize sovereignty requirements for public procurement.
Still have questions? We're here to help.
Ready for Actually Sovereign Hosting?
EU-incorporated. Open-source stack. Dedicated infrastructure. No CLOUD Act exposure.
This analysis cites primary sources (US Code, EU regulations, ENISA framework). All comparisons reflect provider disclosures as of the last-updated date. Not legal advice. Consult your DPO or counsel for jurisdiction-specific guidance.
Understanding Cloud Sovereignty in Europe
For European businesses, choosing a cloud provider is no longer just a technical decision. The US CLOUD Act (18 U.S.C. § 2713) grants US authorities the power to compel any US-headquartered company to hand over data, regardless of where that data is physically stored. This creates an irreconcilable conflict with GDPR Article 48, which prohibits such transfers without a valid EU legal basis. The EU Data Act (Regulation 2023/2854) now requires cloud providers to transparently disclose jurisdictional risks. Meanwhile, the ENISA EUCS framework introduces sovereignty tiers that no US hyperscaler can qualify for at the highest level. Alplink is incorporated in Estonia, operates exclusively under EU law, and runs a 100% open-source stack on dedicated infrastructure per customer. See our vision, audit our infrastructure transparency, or start with managed Odoo or managed WordPress. This is cloud sovereignty by architecture, not by marketing.