
The US CLOUD Act: What European Businesses Need to Know

The CLOUD Act gives US law enforcement access to data stored by American companies, even in EU data centres. Here is what it means for your business and what you can do about it.

If your business stores data with a US cloud provider, that data may not be as private as you think. The US CLOUD Act gives American law enforcement the power to access your data, even when it is stored in Europe, and even without telling you. For European businesses, this creates a direct conflict with GDPR and a real risk to client confidentiality.

What is the CLOUD Act?

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) is a US federal law passed in 2018. It gives US law enforcement agencies the authority to compel any US-headquartered company to hand over data in its possession, custody, or control. The critical detail: this applies regardless of where the data is physically stored.

If your data sits on a server in Frankfurt, Amsterdam, or Stockholm, but that server is operated by an American company like AWS, Google, Microsoft, or Dropbox, the CLOUD Act still applies. Jurisdiction follows the company, not the server location.

Why "EU region" does not protect you

Many US providers now offer EU data regions, and some market them as "sovereign cloud" or "EU data boundary" offerings. These are misleading. The CLOUD Act overrides the storage location. A US company operating an EU data centre is still a US company, subject to US law.

This is not a theoretical concern. In June 2025, Microsoft's chief legal officer in France confirmed under oath at a French Senate hearing that the company cannot guarantee data sovereignty against US authorities, even for data stored in France under a French-marketed "sovereign" offering.

The same applies to every major US cloud provider. AWS, Google Cloud, Azure, Dropbox, and Google Workspace are all headquartered in the United States and all subject to the CLOUD Act.

The direct conflict with GDPR

GDPR Article 48 states that transfers of personal data to third-country authorities are only lawful when based on an international agreement, such as a Mutual Legal Assistance Treaty (MLAT). A unilateral CLOUD Act warrant is not such an agreement.

This puts US providers and their European customers in an impossible position. If the provider complies with a CLOUD Act demand, it violates GDPR. If it refuses, it violates US law. The provider will comply with US law, because that is where it is incorporated and where the legal consequences are immediate.

To make matters worse, CLOUD Act demands frequently include non-disclosure orders. The provider may be legally prohibited from informing you that your data has been accessed. You could be in ongoing breach of GDPR without ever knowing a demand occurred.

The Schrems II connection

The Court of Justice of the European Union's landmark Schrems II ruling in 2020 invalidated the EU-US Privacy Shield framework on precisely this basis: US surveillance law gives authorities access to EU personal data in ways that are incompatible with European fundamental rights, and EU citizens lack effective judicial redress in the US.

While the EU-US Data Privacy Framework was adopted in 2023 as a replacement, the European Data Protection Board has called for its re-evaluation. Multiple data protection authorities across Europe have stated that the framework does not fully resolve the fundamental conflict between GDPR and US surveillance law. The legal ground remains unstable.

Europe is already responding

This is not just a compliance concern for individual businesses. European governments are taking action at a policy level.

The European Commission is preparing a "Tech Sovereignty Package" expected in May 2026 that would restrict the use of US cloud platforms for processing sensitive government data across EU member states. France has announced it will replace US tools like Microsoft Teams with government-developed alternatives for all state services. Denmark has begun phasing out Microsoft software in parts of its public administration.

According to Gartner, worldwide sovereign cloud spending is projected to reach $80 billion in 2026, with European spending growing 83% year-over-year. GDPR enforcement has intensified, with cumulative fines reaching over 7 billion euros as of early 2026.

The direction is clear: European organisations are moving away from US cloud providers for sensitive data.

What European businesses should do

If your organisation stores personal data, client records, financial information, health records, or any regulated data with a US cloud provider, you should evaluate the risk and consider alternatives.

  • Choose a European provider. Select a cloud storage provider that is incorporated in Europe, has no US parent company, and operates infrastructure exclusively in the EU/EEA. This is the only way to ensure the CLOUD Act does not apply to your data.
  • Use client-side encryption. If you must use a US provider, encrypt data before it leaves your systems and retain the encryption keys yourself. This does not solve the legal issue, but it means the provider cannot hand over readable data.
  • Audit your supply chain. Check whether your SaaS tools, backup services, and file sharing platforms are operated by US companies or have US parent entities. "Sovereignty washing", where a European brand runs on US-controlled infrastructure, is increasingly common.
  • Document your assessment. Under GDPR, you are expected to perform a transfer impact assessment when data may be subject to third-country access. Document the risks and your mitigation measures.
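To make the second recommendation concrete, here is an added example (not code from this post, from NordenVault, or from any provider it names) of client-side envelope encryption in Go using only the standard library. It assumes a 256-bit key encryption key (KEK) that the customer generates and keeps in its own key store and never uploads; each object gets its own random data encryption key (DEK), which is encrypted under the KEK and stored beside the ciphertext. Every name and the sample record are constructed for illustration. The provider receives only the `EncryptedObject` blob, so anything it hands over under a demand is unreadable without the KEK.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedObject is the blob handed to the cloud provider. It carries the
// per-object data key wrapped under a key the customer never uploads, so the
// provider holds nothing it can decrypt on its own.
type EncryptedObject struct {
	WrappedDEK []byte // DEK sealed under the KEK, nonce prefixed
	Ciphertext []byte // object data sealed under the DEK, nonce prefixed
}

// NewKey returns a fresh 256-bit AES key; used for both the KEK and per-object DEKs.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// gcm builds an AES-GCM AEAD for the given key.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM under key, binding aad (here the
// object name) so a stored blob cannot be silently moved to another object.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; it fails on a wrong key, a wrong aad, or any bit flip.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob shorter than nonce")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// Encrypt runs on the customer's side before upload: a random DEK encrypts
// the data, and only the KEK-wrapped DEK travels with the ciphertext.
func Encrypt(kek []byte, objectName string, plaintext []byte) (*EncryptedObject, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(objectName))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs the locally held KEK; without it the downloaded blob is useless.
func Decrypt(kek []byte, objectName string, obj *EncryptedObject) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Ciphertext, []byte(objectName))
}

// ProviderCanRead models what a party holding only the stored blob sees: it
// checks whether the plaintext appears anywhere in what was uploaded.
func ProviderCanRead(obj *EncryptedObject, plaintext []byte) bool {
	return bytes.Contains(obj.Ciphertext, plaintext) || bytes.Contains(obj.WrappedDEK, plaintext)
}

func main() {
	kek, _ := NewKey() // in practice: generated in your own KMS/HSM, never uploaded (assumption)
	record := []byte("constructed sample: client file 0042, diagnosis notes")
	obj, _ := Encrypt(kek, "clients/0042.json", record)
	fmt.Println("provider can read plaintext:", ProviderCanRead(obj, record))
	back, err := Decrypt(kek, "clients/0042.json", obj)
	fmt.Println("customer decrypts:", string(back), err)
	otherKey, _ := NewKey()
	_, err = Decrypt(otherKey, "clients/0042.json", obj)
	fmt.Println("decrypt without the KEK:", err)
}
```

Two caveats worth keeping in mind when you rely on this. First, the provider still sees object names, sizes, timestamps and access patterns, so those remain disclosable even when the content is not; put nothing sensitive in a file name. Second, the whole scheme is only as strong as custody of the KEK: if the KEK is stored with the same provider, or backed up to a US-controlled key service, the separation is gone, and if it is lost, so is every object wrapped under it.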

How NordenVault addresses this

NordenVault is incorporated in Norway (EEA) with no US parent company, no US subsidiary, and no operational presence in the United States. Our infrastructure runs exclusively in EU/EEA data centres. Because we are not a US company, the CLOUD Act does not apply to us or to the data we store.

Your data is governed exclusively by European law. We support client-side encryption for zero-knowledge storage, meaning even NordenVault cannot read your data. We provide EU/EEA data residency on every plan, not as an expensive enterprise add-on.

For European businesses that need cloud storage and backup without US legal exposure, that is what NordenVault was built for.

Keep your data in Europe

NordenVault is a European cloud storage platform. Not subject to the US CLOUD Act. EU/EEA data residency on every plan.