// EUROPEAN CLOUD INDEPENDENCE
Towards European Cloud Independence
Analysis of the CLOUD Act, European cloud dependency, and a practical sovereignty strategy. Covers legal risk, European alternatives, migration phases, and cost modelling for CTOs and platform teams.
// EXECUTIVE SUMMARY
Executive Summary
The US CLOUD Act gives American authorities legal access to any data held by US companies, regardless of where that data is physically stored. No contractual clause or EU data protection regulation overrides this. With US providers controlling 70% of a €75B European cloud market, this is not a niche compliance concern — it is a structural dependency affecting critical infrastructure across the continent.
Cloud independence rests on three pillars: jurisdictional independence (European-owned infrastructure under European law), technical portability (Kubernetes and open standards eliminating provider lock-in), and operational capability (internal expertise to run your own platform).
Kubernetes makes this practically achievable: it abstracts away cloud differences the same way Linux abstracted away hardware differences a generation ago. For large systems, with dozens of development teams, the transition is a 5–7 year generational migration, not a rip-and-replace. New workloads start European; existing workloads migrate during natural refresh cycles. For greenfield deployments, nothing blocks going fully European.
Organisations that start now will reduce costs — in some cases by 60% or more — while gaining strategic independence from US jurisdictional exposure.
// THE AWAKENING
The Awakening
“Microsoft cannot guarantee that European customer data will never be transmitted to US authorities.”
This isn't speculation or independence advocacy. Microsoft's own representative, under oath before the French Senate, admitted the fundamental truth: no contractual clause can ever override US law.
This changes the risk calculus for every European organisation using US cloud services. The risk is not just in data and systems exposure; it is reputational. Consider the public outrage when DigiD falls into the wrong hands, SIDN choosing AWS, or governments running on Azure.
// THE STRATEGIC REALITY
The Strategic Reality
- 70%: share of the European cloud market controlled by US providers.
- EUR 75B: the European cloud market in 2025.
- 15%: European providers' market share, down from 29% in 2017.
Each euro spent on US cloud deepens Europe's strategic dependency. This isn't ideological — it's economic reality. US policy increasingly treats allies as competitors. The CLOUD Act crystallises this shift into legal obligation.
Source: Synergy Research Group, European Cloud Market Report, 2024
// THE MECHANISM
The CLOUD Act — What It Actually Means
The mechanism is simple:
US Government warrant → US Company (AWS / Azure / Google) → Must comply regardless of data location → Your European data accessed
Three provisions that matter:
Extraterritorial Reach
The CLOUD Act applies to any data controlled by US companies, anywhere in the world. Your data doesn't need to be in the US. It just needs to be held by a US company.
Gag Orders
Companies can be legally prohibited from notifying you that your data has been accessed. You may never know.
No GDPR Exception
US law does not recognise EU data protection as grounds for non-compliance. GDPR doesn't protect you here.
This isn't theoretical. It has happened:
- French Health Data: The Ministry of Health was forced to reconsider its Microsoft contract after legal analysis confirmed the exposure.
- Dutch Government: A DPIA found that Microsoft products created “high privacy risks” for government use.
- EU Court rulings: Schrems I and II invalidated successive EU-US data transfer frameworks, because the underlying problem hasn't changed.
What services are at risk
The data at stake isn't just personal — it's strategic.
- Healthcare: 450+ million patient records across EU member states
- Education: 70+ million students in public education systems
- Government: Tax, identity, and social services for entire populations
These are fundamental services. They aggregate data on millions of citizens — healthcare records, educational data, government services, performance metrics, family information, and longitudinal records.
Current platform dependencies — Azure and AWS for infrastructure, GitHub for source code, Datadog for observability, MongoDB Atlas for data — create invisible exposure. Every integration deepens the dependency. Today's convenience becomes tomorrow's strategic constraint.
// THE FRAMEWORK
What Is Cloud Independence?
Three pillars define meaningful independence from US cloud jurisdiction.
1. Jurisdictional Independence
Infrastructure owned by companies not subject to US jurisdiction. European legal framework as the only applicable law.
This enables local market compliance, proper data management, and regulatory alignment across European jurisdictions.
2. Technical Portability
Kubernetes and open standards enable workload movement. No proprietary lock-in to any single provider's ecosystem.
This enables scalability, cost efficiency, and long-term technical health. You choose your provider based on merit, not migration cost.
3. Operational Capability
Internal expertise to operate and evolve infrastructure. Strategic capability, not outsourced dependency.
This enables digital independence, innovation potential, and a unified digital culture. Your platform team runs your platform — not a vendor's support desk.
Cloud independence doesn't mean rejecting US services entirely. Edge services (WAF, CDN), AI capabilities, and other tools that don't create lock-in or jurisdictional exposure can come from anyone. Independence means controlling your core infrastructure and data.
// THE TECHNOLOGY
Why Kubernetes Makes This Possible
History is repeating — and the answer is the same.
| Era | Lock-in | Liberation |
|---|---|---|
| 1990s | Proprietary Unix (HP-UX, Solaris, AIX) — vendor lock-in was the business model | Linux — open source, standardised, portable. Hardware became commodity. |
| 2015–2024 | Proprietary Cloud (AWS, Azure, GCP) — history repeating | Kubernetes — open source, standardised, portable. Infrastructure becomes commodity. |
Just as Linux abstracted hardware differences, Kubernetes abstracts cloud differences. Your applications become truly portable.
Kubernetes is open source, governed by the CNCF with 7,000+ contributors. No single company controls it. The same application deploys on any provider — European or otherwise — without modification. The provider becomes a commodity. You choose based on price, location, and capability — not migration cost.
// THE ECOSYSTEM
The European Kubernetes Ecosystem
This isn't theoretical. The ecosystem exists, is production-ready, and is growing.
Tier 1 — Generalists
Multi-region, multi-AZ Kubernetes with full ecosystem support.
| Provider | Country | Key Facts |
|---|---|---|
| Scaleway | France | 3 regions (Paris, Amsterdam, Warsaw). Multi-AZ Kapsule. Full ecosystem: compute, storage, DNS, serverless, container registry. |
| STACKIT | Germany | Backed by Schwarz Group (Lidl). German sovereignty focus. BSI C5 certified. |
| OVHcloud | France | 33 data centres. Managed Kubernetes. Largest European cloud provider. |
Tier 2 — Specialists
| Provider | Country | Key Facts |
|---|---|---|
| Hetzner | Germany | Cost-effective bare metal K8s. Developer favourite. Exceptional price-performance. |
| Exoscale | Switzerland | Swiss privacy laws. Regional focus. Simple, well-executed managed K8s. |
| Open Telekom Cloud | Germany | OpenStack-based. Enterprise relationships. Telco heritage. |
This is a federated marketplace — European providers contributing compute and storage commodities. Not replicating hyperscalers. Making them unnecessary for core workloads.
// THE STRATEGY
A Generational Migration
For large systems, with dozens of development teams, this is not a rip-and-replace. It's a 5–7 year strategic reorientation that becomes part of how you build and operate. For greenfield deployments, nothing blocks going fully European.
Three Principles
01. New workloads first
Start greenfield projects within the European cloud native ecosystem. Don't touch production. Build confidence on new work.
02. Natural migration
Move existing workloads during scheduled updates and refresh cycles. The application needs a rewrite anyway? Deploy it on European infrastructure.
03. Hybrid tolerance
Accept complementary services (WAF, CDN, AI) from anyone. Independence applies to core infrastructure and data, not to every API call.
The Roadmap
| Phase | Timeline | What Happens | Success Metric |
|---|---|---|---|
| Foundation | Months 1–12 | Complete infrastructure audit. Establish Kubernetes platform foundation. Join European cloud native ecosystem. Deploy first workload. | Platform operational, first workload deployed |
| Capability | Years 1–3 | All new projects on European infrastructure. Build internal platform expertise. Develop migration playbooks. Cultivate ecosystem relationships. | 100% new workloads on European cloud |
| Migration | Years 3–6 | Systematic legacy migration during refresh cycles. Transition DevOps tooling to European alternatives. Achieve full developer platform independence. | 80% workloads on European infrastructure |
| Maturity | Year 5+ | Full operational independence achieved. Internal capability mature. Lead European cloud native ecosystem. | Strategic independence operational |
Sustainability bonus: European clouds can lead on environmental transparency — energy usage per workload, water consumption, hardware lifecycle — where hyperscalers can't. Tools like KEIT (Kubernetes Emissions Insights Tool) put carbon reporting in developers' hands. Increasingly relevant for organisations required to report on digital supply chain emissions.
// CASE STUDY
Case Study: The Git Platform Decision
Every engineering organisation faces this decision. It's a microcosm of the broader independence question.
The situation: Your developers are unhappy with Bitbucket. Limited runner flexibility, no native Kubernetes executor, no built-in security scanning. GitHub is the popular choice — best developer mindshare, the obvious reflex.
The strategic question: Should this be a popularity contest, or a decision about freedom to operate?
Total Cost of Ownership
250 active developers. CI/CD, security scanning, and container registry included.
| Component | GitHub Enterprise + GHAS | Bitbucket Premium + Snyk | GitLab CE Self-Hosted |
|---|---|---|---|
| Platform license | $63,000/yr | $18,000/yr | $0 |
| Security scanning | $147,000/yr | ~$75,000/yr | $0 |
| CI compute (K8s) | ~$6,000/yr | ~$6,000/yr | ~$4,000/yr |
| Container registry | ~$1,200/yr | ~$3,600/yr | ~$120/yr |
| Server infrastructure | N/A | N/A | ~$2,400/yr |
| Operations (0.2 FTE) | N/A | N/A | €45,800/yr |
| TOTAL | ~$217,200/yr | ~$102,600/yr | ~€52,300/yr |
GitLab CE saves ~€148,000/yr vs GitHub Enterprise. ~€43,000/yr vs Bitbucket Premium.
Sovereignty Comparison
| Criterion | GitHub | Bitbucket | GitLab Self-Hosted |
|---|---|---|---|
| Data location | US (Azure) | US/AU (AWS) | You choose |
| Company jurisdiction | US (Microsoft) | US/AU (Atlassian) | Your jurisdiction |
| CLOUD Act exposure | Yes | Yes | None if EU-hosted |
| Source code access | SaaS only | SaaS only | Full source (MIT) |
| Exit strategy | Git portable, Actions not | Git portable, Pipelines not | Everything portable |
GitLab CE is a complete DevSecOps platform — Git, CI/CD, container registry, security scanning, issue tracking, documentation — at zero license cost. It replaces Bitbucket + Jira + Confluence + Snyk + Docker Hub + Artifactory. One platform, self-hosted, European.
The developers want GitHub because it's popular. Give them something better: a platform that's equally capable, radically cheaper, and keeps their code in Europe.
Note: All figures are based on 250 active developers. GitLab CE includes a one-time setup cost of ~€17,600 (4 weeks). The operations cost (0.2 FTE) is counted only for GitLab; Bitbucket and GitHub also require operational effort that is not reflected in their totals.
Start Now. Move Deliberately. Build Independence.
This is a generational migration. The organisations that start now will have operational independence in 5–7 years. Those that wait will face the same decision later — with deeper lock-in, higher costs, and less time.