EU companies on AWS... how are you actually handling the CLOUD Act exposure? Our legal team just flagged this and I'm trying to understand what others are doing
Posted by Proud_Boot6703@reddit | sysadmin | 145 comments
So we've been running on AWS Frankfurt for a couple of years assuming that covered our GDPR obligations. Last month our legal team came back with something I hadn't really thought through properly.
The issue...AWS is a US company. Under the CLOUD Act (2018), US authorities can request access to data regardless of where it's physically stored. So "data in Frankfurt" doesn't mean "outside US jurisdiction." That's a separate question from GDPR and our lawyers are now treating it as a real exposure.
I'm curious what other EU companies are actually doing about this:
- Have you moved to a European provider (Hetzner, STACKIT, OVHcloud etc)? Was the migration painful?
- Are you staying on AWS but using additional encryption/key management to address it?
- Is your legal team even worried about this or do they consider it theoretical?
- Anyone dealt with this in a regulated sector (healthcare, fintech)?
Also curious about the practical cost difference, we've seen claims of 40-70% savings moving to EU providers but that seems high. What are people actually seeing?
Not looking to sell anything, genuinely trying to figure out what the right move is here.
elatllat@reddit
Can the same be done for Microsoft Windows?
barrulus@reddit
It's easier than anyone thinks. It wasn't that long ago that people were happily productive using Windows for Workgroups, Novell, Wyse terminals and AS/400s. Most specialist apps can be run on Linux these days where needed, and with stuff like Ansible or Puppet you can control your user estate fairly simply.
elatllat@reddit
Yes; Linux has no artificial limitations like Microsoft, so as long as there is willingness to adapt it's a powerful upgrade.
barrulus@reddit
This is true but my point is more that user resistance to change is painful but it is not insurmountable.
Most people don't need Word or Outlook or OneDrive.
panzerbjrn@reddit
For me, not having OneDrive is actually one of the biggest obstacles to switching to Linux ¯\_(ツ)_/¯
Any data that isn't in Github lives in my OneDrive...
barrulus@reddit
There are plenty of alternatives :) Some complex, some simple, it's all about the use case. Also, you can use OneDrive on Linux, but in context of this thread that seems counterintuitive.
panzerbjrn@reddit
Alternatives such as?
I have spent a fair bit of time investigating OneDrive on Asahi on my MacBook, and it seems like it just isn't possible.
barrulus@reddit
Proton drive, nextcloud, jottacloud and filen to name a few.
Asahi on M series is pretty bleeding edge. There is a ton of stuff that doesn't yet work properly with it.
I'm not ready to drop my M1 into Asahi. But my Intel machine is a NixOS machine and is my daily driver. The M1 is my wife's browser and the kids' Minecraft box. (Hangs head in shame)
panzerbjrn@reddit
Well, if it doesn't work on an MBP M1, then it's not really useful to me... This is one of the things, if I used MacOS, then I could have a OneDrive that worked cross platform. With Linux I don't.
I really feel like Linux advocates don't understand what keeps people from adopting Linux. This fragmentation is one of the big reasons.
xxtoni@reddit
I honestly wouldn't even stress this point.
As long as you have your data they can use windows as far as I'm concerned. Not ideal but if we can move the infrastructure off hyperscalers I don't care that much about the client.
barrulus@reddit
I agree, I am just also a massive believer in ripping off the bandaid. If we have to go through pain, why not have one big surgery to fix it all. Recovery will be hard, but the gains are real.
BRING BACK DUMB TERMINALS!!!
xxtoni@reddit
My logic always is so many businesses use Google Workspace, if you can use that you can use any other office suite.
M365 + Windows is one thing. It's integrated, it has everything, it's a complete thing from start to finish.
Another point is macOS, so many companies use that (I do privately as well). That's its own ecosystem as well and, surprise surprise, somehow it works.
Another thing is in Europe the majority of our businesses are rather small and we have sooo many of them. Why would you use a hyperscaler as an SMB? Makes 0 sense.
Part of this was inflicted unto us by developers. They love using AWS and building scalable shit even if there is no real business use case for it.
barrulus@reddit
It's more complex than that though. Many small businesses use hyperscalers precisely because they don't have the staff or skills to do things in-house. And the small mom-and-pop IT consultancies that used to exist everywhere in the 2000s have largely disappeared, partly because of the cloud, so local access to skills and services has been hollowed out.
On top of that, we've been conditioned to believe that only the big players can make your business successful. Small businesses in particular fall prey to this, especially across the EU and US.
elatllat@reddit
Word in the web browser makes some happy
Elavia_@reddit
That "as long as there is willingness to adopt" is doing a lot of heavy lifting here, have you met users?
And a complete switch is still not feasible, there is no alternative to o365 that is justifiable from a business perspective.
BCIT_Richard@reddit
AS/400 👀... We still use them in some Government Entities
420GB@reddit
Hell fucking yes
Ikinoki@reddit
What is the inexcusable reason to use those instead of say random cloud provider and their services in EU?
shimoheihei2@reddit
Do you use WeChat? AliPay? No? Why, do you not trust Chinese tech giants? Then why should I, as a non-US citizen, trust US tech giants.
que-loco-paranoid@reddit
I used AliPay/WeChat extensively while in China, and at this point in time I trust damn Communists more than US Nazis…
Bottom line is, EU should go the Chinese route of sovereignty and independence, rather than staying on US lifeline.
However in the country where I reside, all government institutions are going even deeper into MS/Azure pockets, while politicians scream their usual promises, so I also don't hope for any change and accept that we (EU) will keep on swallowing whatever USA drops our way - with a smile
5panks@reddit
Peak Reddit take right here.
que-loco-paranoid@reddit
For the past 10+ years all pretending and masks fell off US politicians' faces (and a significant chunk of the population). Don't get me wrong, both places are dystopian and I wish EU would continue towards the path of independence from US influence.
We aren’t married anymore, but it was not EU that initiated the divorce
5panks@reddit
I didn't say anything about EU sovereignty.
I said saying you trust THE Chinese Communist Party over even the US as it is today is something people only say on Reddit or if they live in China.
elatllat@reddit
A wise man once said "trust but verify"... this can only be done with open source.
burgonies@reddit
Or GCP
elatllat@reddit
GCP sucks pretty hard compared to AWS.
WalkingSucculent@reddit
The dream 🤩
elatllat@reddit
I have useless Microsoft licenses because there is no way to restore access to the associated account. I'm pushing for the dream.
CellPuzzleheaded99@reddit
This!
badaboom888@reddit
Prob turning a blind eye or pretending it doesn't apply.
Reality is the only real way is to host your own data to own your own data. No cloud businesses
WalkingSucculent@reddit
Most companies don't need cloud services. It's just hyped and they can outsource the outage responsibility to tech giants. But realistically, nothing is better than on-prem hardware, at least for most internal services
lesusisjord@reddit
“Most companies don’t need cloud services.”
So they have real estate available to house their own infra or co-locate? If co-locate, why not go cloud then?
TheAnswerIsBeans@reddit
Colo is your own “cloud” as we all know cloud is just a hype word for someone else’s servers.
barrulus@reddit
I was drawing clouds on whiteboards in sales meetings back in 1996/1997. That's what you did to show network infrastructure not relevant to the discussion. (BGP, OSPF, ATM etc....)
lesusisjord@reddit
Exactly my point. “Don’t need cloud.”
TheAnswerIsBeans@reddit
Sorry, thought you meant the other way. Agreed.
There’s a big push in Canada at the moment for “sovereign cloud”. We’re behind Europe when it comes to regulation, but some people are definitely giving more weight to the risk now.
lesusisjord@reddit
No, I get why you did. I edited my comment.
Elavia_@reddit
You may not need cloud services in the literal sense, but most businesses put themselves at a significant disadvantage by avoiding them. Sure, on prem is cheaper for stable workloads, but if I suddenly need to spin up 2 hosts with 256GB RAM and 32 CPUs each tomorrow for a PoC I can just say "give me an hour", and then I can toss it in 10 minutes once it's no longer needed. And that's a tiny and primitive use case compared to what many companies are doing.
serverhorror@reddit
So that chocolate shop around the corner, or that chicken farm with 200 employees, or that steel factory should now go build massive IT (for each of their respective sizes) to self-host?
I think you should read up on what this means financially and, yes, risk wise.
WalkingSucculent@reddit
Chocolate shop may only need a shoebox sized NAS somewhere in a closet. Of course bigger companies require bigger tooling and self hosting isn't always an option. But I won't buy that the chocolate shop needs a full AWS account with self replicating database cluster shenanigans for their activity.
I'm well aware of "what this means financially and, yes, risk wise". I'm just saying we went all cloud based, we all lost touch with the real hardware and software requirements, and sometimes bigger isn't better.
If that was only for me we would all downsize and get back to more grass-touching IT hahaha
serverhorror@reddit
Buddy, do I have news for you. 😁
z960849@reddit
Not if you're doing anything at scale? Or don't have people with solid networking skills.
WalkingSucculent@reddit
Cloud providers didn't invent scaling. You can install and setup everything at home if you want. It's about money and willpower.
(That doesn't apply to all resources of course, everyone has their own context and needs. But in my last job we used to have the good old VIP/HAProxy/web servers combo and we just added new web servers if needed, that worked well. Not every application requires a fully fledged k8s cluster hidden behind a cloud provider's infrastructure to run.)
Important-6015@reddit
Yes and no. We run a massive on premise footprint and saying “yeah just add more compute” is as easy as scaling on the cloud is disingenuous at best. Especially right now, with hardware shortages. We’re getting mental lead times for servers. I mean, damn, I ordered some ~2 months ago and I got a call last week to say we’re really sorry but we can’t sell it to you at that price anymore. Pay us 2x the original price and we’ll still deliver it next week as promised.
Belgarion0@reddit
In the current situation even the cloud has issues with scaling. Hitting quota issues when trying to deploy in the East US region. Requesting increased quota was not possible for the instance type we were using, so had to change to another instance type to be able to increase quota.
Important-6015@reddit
That’s very fair and i expected this would be the case, tbh. Still, compared to having to spec, get approval order - wait for delivery, build, firmware update and stress test and then add into a cluster..
WalkingSucculent@reddit
I didn't take this current situation into account. It really sucks indeed :/
Cloud providers will increase prices as well if not already done tho, they will face these problems as well
Good luck and stay strong in those times fellow tech cousin 💪🫡
Ssakaa@reddit
"at home" works great until your ISP or power or cooling become an issue. Then you have an outage and realize you need at least two homes, say, 250 miles apart...
WalkingSucculent@reddit
If power or ISP goes down, nobody but the janitor can work in my office, so having the local HR management solution going down isn't the issue. I'm not talking about ecommerce, customer-facing services or things that require huge uptime. Sometimes we just don't NEED that and can live with a smaller footprint service. Not everyone works for an international company and needs this level of service.
But if you need, then yes, you're totally right.
z960849@reddit
My company had a similar setup and spent the past 3 years dealing with performance issues with our colo. We finally hired some consultants that fixed our networking issues. I'm a software developer but I know all of our issues would have been solved if we were in the cloud.
jimicus@reddit
I can assure you they'd have been replaced with a different set of issues.
SolarPoweredKeyboard@reddit
How do you scale up during peaks without having idle hardware during the dips? If you can expect a constant usage then, yeah, on-prem is probably the way to go. But if you can't?
There is for sure hybrid but I would not say it's easy to implement in all situations.
WalkingSucculent@reddit
Totally agree with you. My point was that it's not needed for every single app or service hosted.
buffer0x7CD@reddit
They kinda did. A lot of big systems that we currently use either directly originated from or were heavily influenced by them. ZooKeeper, Dynamo, GFS, MapReduce just to name a few
HowardRabb@reddit
Most companies don't need a website, email, business listing? Really?
AlCapone90@reddit
Saying that in such a blanket way is too easy.
For example, if you need 100 different applications there is a big possibility that it's much more cost sensitive to get it as SaaS than to host and maintain it on your own.
RevolutionaryWorry87@reddit
This guy is right.
panzerbjrn@reddit
Eh? Why was this post removed? It seems pretty relevant to SysAdmins...
on_spikes@reddit
another day, another chatgpt post on r/sysadmin
Old-Flight8617@reddit
What are usual file away?
EnvironmentalToe4055@reddit
How does the Cloud Act work if you use a European based provider (Leaseweb, OVH etc...)?
Can't a judge order the US based subsidiary of OVH to let them get access to European servers?
rainer_d@reddit
Most companies just ignore it.
It’s not a problem, until it is.
jess-sch@reddit
Ignoring is a pretty good solution to GDPR compliance of major US cloud providers.
It doesn't matter whether Microsoft 365 is GDPR compliant as long as the judge writes the ruling in Microsoft Word.
cahcealmmai@reddit
This is how our higher ups are dealing with it at my old job. Glad that data privacy is not my job anymore.
Proud_Boot6703@reddit (OP)
Pretty much where we were. The "until it is" scenario that convinced our legal team: under the CLOUD Act, AWS can be compelled not to disclose that a request was made. So you'd never know it happened. For internal tooling with no sensitive personal data, the probability is low enough to accept and move on. For anything touching healthcare data, financial PII, or government contracts in the EU... it's moved from risk management to vendor qualification. We're starting to see RFPs that explicitly require EU cloud sovereignty.
AdventurousSquash@reddit
This isn’t anywhere close to news so I’m surprised your legal team just now realized this to be honest.
markusro@reddit
Seriously, this has been true since the Patriot act. I think that was a bit after 9/11, maybe at most 2 years.
erikkll@reddit
My product is hosted in Europe at a European cloud provider.
On AWS, implementing encryption and managing your own encryption keys would be one way to improve data sovereignty. The CLOUD Act still permits the US cloud provider to just shut down your service though.
Happened at the International Criminal Court in The Hague and they have now moved away from Microsoft 365.
CyberYeeturity@reddit
Very interesting to hear about the ICC. Do you know what they ended up moving to?
madtowneast@reddit
https://cybernews.com/tech/icc-replacing-microsoft-workplace-software-opendesk/
sarge21@reddit
That's sanctions, not the cloud act
iama_bad_person@reddit
Some guy : forgets password
ICC: Fucking Microsoft, I'm switching to Linux (I use Arch BTW)
Proud_Boot6703@reddit (OP)
You're absolutely right that it proves the service-suspension risk is separate from the data-access risk. KMS and own-key encryption handles the data confidentiality angle but the CLOUD Act can compel AWS to pull the plug entirely without notifying you. We've been working through the full architecture with a DevOps team specifically because that risk is harder to mitigate than the encryption side. The most complete solution we've found is moving the regulated workloads to a provider with zero US legal exposure. STACKIT and OTC (Open Telekom Cloud) both operate under German law with no US parent company. Do you know where ICC landed? I saw they left Microsoft 365 but couldn't find what they moved to.
macro_franco_kai@reddit
How about you ask the genius who approved migration from self-hosted on prem to some fancy color GUI cloud because it's cheap, safe and modern :)
OkEmployment4437@reddit
We've been through this with a handful of clients over the past year or so. The answer really depends on what you're actually running on AWS and how regulated your sector is. If you're processing healthcare data or financial PII, yeah you probably need to seriously look at moving the sensitive stuff to an EU provider. But if it's mostly internal tooling and non-regulated workloads the practical risk from CLOUD Act is pretty low, your DPA with AWS already addresses most of what auditors ask about.
What we ended up doing for a couple clients was splitting workloads. Regulated data and anything with personal data goes to a local provider, everything else stays on AWS because the tooling is just better for certain things. Not cheap to set up but way more realistic than a full migration for most orgs.
Proud_Boot6703@reddit (OP)
This is the most useful framework I've seen in the thread... workload-splitting is exactly where we've landed too after a few weeks of analysis. Regulated and personal data moves to an EU provider, non-sensitive stays on AWS. The thing that shifted my thinking was looking at documented cases: an AI/ML startup moved $8k/month of egress-heavy workloads to OVH and landed at ~$3k with 24 hours of downtime. Another SaaS company moved from $7,789/month to $2,115/month on Hetzner+OVH, and they explicitly cited CLOUD Act as the primary driver, not cost. Workload splitting means neither of those extremes but the savings on just the regulated data tier would be meaningful. What did the auth/SSO layer look like when you separated the regulated workloads? That's the bit we're working through with our DevOps team right now.
OkEmployment4437@reddit
Auth was actually the easy part for us. We kept everything centralized in Entra and the EU workloads just federate to it via OIDC, the token exchange itself is low sensitivity metadata so it doesn't need to stay in the EU. Only thing to double check is that your callback URLs aren't passing app data back through AWS but in practice that almost never happens.
dedjedi@reddit
the splitting does open the risk of, if data classification is wrong initially or goes stale over time, you get liable while still spending effort. figure the cost of maintaining data classification into the cost of splitting the workload or you're back to square 1 while spending to be on square 2.
Professional_Mix2418@reddit
Simple, don't use it. Use an EU provider with EU UBOs...
It is not the legal team driving this, it is the entire business, as it is a business risk regarding data sovereignty.
Yes fintech, legaltech; standard questions nowadays by the big clients like banks and law firms...
cytra821@reddit
The dirty secret: most EU companies on AWS are doing exactly what you were doing — assuming Frankfurt = safe and hoping nobody asks hard questions.
Vichingo455@reddit
I've been to 2 local businesses in Italy as a student (with school) and they run some stuff in local servers and other things mainly using Microsoft 365, Entra and Intune.
Jazzlike-Tear-7231@reddit
Jesus what the fuck is going on with this sub? I see posts with the same structure nearly every day. Looks like some shitty LLM prompt to gather info and develop its knowledge base
PlannedObsolescence_@reddit
Yep. Just your typical karma farming LLM spam bot. I am pretty disappointed how much engagement they normally get with actual people (although there's also a swath of LLM bots making top level comments as well).
rohepey@reddit
Sorry, wrong day to call Jesus /j
barrulus@reddit
that's because it is
Not just this sub... all of them
matiascoca@reddit
The practical reality is that most EU companies doing the "Frankfurt region = EU data residency" math are underestimating CLOUD Act exposure, because it applies to the parent company's access to data regardless of where the servers sit. The OVH/Scaleway path reduces that exposure meaningfully since they're French entities subject to GDPR enforcement rather than US law, but the egress cost comparison isn't always 12% savings, it depends heavily on your traffic patterns and which services you're using. The approach gaining traction in regulated sectors is a split architecture: EU-sensitive data processed on EU-sovereign infra, everything else stays on AWS for operational simplicity. It's not philosophically clean but it satisfies most legal teams and doesn't require a full migration.
rankinrez@reddit
Many people are worried about just that, and looking for European hosters as a result. But we're poor competition.
Professional-Heat690@reddit
use a hosting provider that supports CMK. Problem solved?
Rich_Artist_8327@reddit
We moved to Hetzner and colocation. Move was slowish but completed in 7 months. Saved a ton of money, luckily bought the servers before RAM price hikes. Now we are fully European/open source including CDN, domain registrars, phones, laptop OSes etc. All just works and some even better than before. I am amazed by all these European products that were unknown to me before
buck-futter@reddit
My boss and I are fighting this at work, the solution will probably be colocation at a UK facility where we rent the space, the power and the internet link, but all the kit is our own and nobody gets access through the back door.
playahate@reddit
https://docs.aws.amazon.com/whitepapers/latest/overview-aws-european-sovereign-cloud/introduction.html
I wonder if AWS is still required to turn over data if the US requests it within the EU sovereign cloud.
notospez@reddit
This is the solution. The ESC is managed by a European entity, with European employees. So any such request would basically be a shareholder calling the European board of directors of that European entity and telling them to break EU law.
WalkingSucculent@reddit
We moved away. To ovh. It just works. We weren't using the fancy AWS stuff, just VMs (like most people I guess)
Costs were reduced by 12% and we got some messages from our end customers congratulating us. So win-win in my book
Z3t4@reddit
As long as their DC doesn't catch fire they work well...
WalkingSucculent@reddit
Statistically I'd like to think that they burned down once, so low chances of it happening again :p
And so far (18 months in for the project we migrated) we had less outages on OVH than on AWS comparatively
Nu-Hir@reddit
Hey, they said the same thing about the Cuyahoga river and it caught fire a second time.
Nu-Hir@reddit
And given that this is a discussion about EU stuff, I figured I should probably give context to people who don't know about this.
https://www.smithsonianmag.com/history/cuyahoga-river-caught-fire-least-dozen-times-no-one-cared-until-1969-180972444/
WalkingSucculent@reddit
Don't bring misfortune to me witch 😶🌫️
xxtoni@reddit
How much data loss was there when it happened?
Z3t4@reddit
Doesn't matter, you should have backups anyway. What mattered was the service disruption, for weeks, forcing companies to deploy elsewhere.
badaboom888@reddit
I mean as long as ur data ain't in an AWS UAE data center getting bombed either :)
Proud_Boot6703@reddit (OP)
12% is actually one of the more believable numbers I've seen... other documented migrations are on more extreme ends. Hopsworks (AI/ML platform) got 62% on OVH because their egress bill was enormous - AWS charges $0.09/GB outgoing, OVH is effectively free. EVA Real Estate (PropTech startup) went from $1,300/month to $250/month on Hetzner Proxmox - 81%, but they were almost entirely on EC2+RDS with no proprietary AWS services at all. Your 12% makes sense if you weren't egress-heavy and were already on fairly standard compute. The team being happier is genuinely underrated, sysadmins who know metal tend to hate the AWS abstraction layer. Our engineers said the same thing when we started mapping the migration.
--Arete@reddit
What your legal team points out is 100% true, but lacks some nuance. This risk should be carefully considered and described within the risk assessment.
Generally speaking I would always try to find options and then evaluate the pros and cons of both options. Many times the risks involved in choosing a lesser known provider is greater than the risk involved in going with an established one.
If there is any doubt this should be cleared with management to make sure they fully understand the risk of using a U.S. provider but also the risk of finding an alternative.
Proud_Boot6703@reddit (OP)
It's not "AWS bad", it's a proper risk/cost matrix per workload. What's changed our view is looking at what other companies actually decided. The anonymous SaaS startup case that was published on HackerNews in 2025 mapped it explicitly: they moved $7,789/month of workloads to Hetzner+OVH and their stated primary driver was CLOUD Act + GDPR sovereignty, not cost; the 73% saving was the bonus. 37signals (Basecamp) framed theirs purely as cost: $3.2M/year to under $700k. The pattern is that the calculation changes completely depending on whether you have regulated data or government/healthcare clients who are starting to make EU sovereignty a vendor requirement. We've been building exactly this matrix with some outside help - mapping which workloads carry jurisdictional risk versus operational risk if migrated. The "lesser known provider" risk is real but BSI C5 certification on STACKIT and HDS certification on OVHcloud closes a lot of that gap for auditors.
tpickett66@reddit
My company (US based with EU customers) has been looking at AWS' EU sovereign cloud for when we get hit with this.
xxtoni@reddit
Still owned by US amazon, Cloud act still applies.
madtowneast@reddit
I have my doubts this would not cause issues down the road. Feels very “trust me bro”
HoustonBOFH@reddit
The entire cloud is "Trust me bro..."
Fragrant-Amount9527@reddit
I’m not necesarily advocating for it, but have you considered AWS European Sovereign Cloud?
Consistent-Milk-5895@reddit
It's still a US company and still falls under the CLOUD Act, that's called EU-washing
pixeladdie@reddit
Are you suggesting Amazon stood up a separate entity to meet the letter of this law and didn’t actually meet the legal obligations?
Consistent-Milk-5895@reddit
Yes, it is that exactly, See u/FuriousRageSE s comment
pixeladdie@reddit
So the US gov tells AWS to effect some change (surveillance, data gathering, etc) on the EU side, US side tells EU "do thing" and then the entirely EU controlled cloud does what? Complies blindly?
I have to think some lawyers get involved at that point.
Michal_F@reddit
No it's an EU company owned by a US company ;)
FuriousRageSE@reddit
a company owned by a US company, is liable under US laws..
Bob_Spud@reddit
AWS EU Sovereign Cloud is a marketing exercise. The US Cloud Act also applies to their foreign subsidiaries.
AWS European Sovereign Cloud: Digital sovereignty or sophisticated marketing?
CLOUD Act = Clarifying Lawful Overseas Use of Data Act. It is a misleading name.
An important point. It is called the CLOUD Act but it covers all devices, not just those in cloud service providers. If you outsource your infrastructure, databases, applications and the like to an MSP that is owned by a US company, the US can still access it via the CLOUD Act.
NekkidWire@reddit
That won't help a single bit.
SambalBij42@reddit
That's still US...
https://european.cloud/2026/01/aws-esc-launch/
That EU based AWS subsidiary is owned by Amazon Inc, under US jurisdiction, so that cloud act still applies...
Brent_the_constraint@reddit
So, it is not in any way governed by a US entity? How exactly does this work?
b4k4ni@reddit
That's the issue with the cloud act. The main company is still in the US - it's not a separate entity from amazon. Like a real, unique EU company without any roots to amazon.
Even if the servers are in the EU and managed by a local company, if there's still a US company behind it, they WILL transfer data. Microsoft said as much. And some other examples.
If you want to be safe, you need to use an EU company/service without any US ties.
WalkingSucculent@reddit
That's a huge joke and is not protected against the main cloud act issue. That's sovereignty-washing at its finest
shimoheihei2@reddit
All US tech companies can and have handed over user data to the US government, even when hosted abroad. To me, it seems crazy for any non-US organization to use cloud services by a US tech giant. It'd be like a US organization storing things on a Huawei server. There are lots of European alternatives: https://european-alternatives.eu
deadnerd51@reddit
I think it mainly stems from the US tech giants being the largest and most documented competitors in that space. Sure there are many EU alternatives, but none at any scale similar to that of US tech giants.
And, outside of government or heavily regulated industries, it isn’t really a concern for most companies. GDPR has many clauses and sections that take this into account. So long as you meet the requirements and do your due diligence, you are covered.
almightyloaf666@reddit
Yeah, by moving to OVHcloud. It is cheaper so that's another win. Drawback is that their offering is not as complete as the US giants', but they also don't have the resources or customer base of them either
que-loco-paranoid@reddit
Please revisit this comment after you spent some time abroad
burgonies@reddit
Manage your own encryption keys.
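Several comments in this thread (erikkll on managing your own encryption keys, Professional-Heat690 on CMK, and this one) point at the same control. It only changes the picture if the key-encryption key is held outside the provider: a key that lives in the provider's own KMS is still something the provider operates. The example below is added here and is not code from any poster or vendor. It shows client-side envelope encryption using only the Go standard library: a KEK the company keeps on its own systems, a fresh data key per object, and a stored blob that is ciphertext plus a wrapped key, so what the provider can hand over under compulsion is unreadable without the KEK. The object identifiers, the sample record and the 32-byte KEK are constructed placeholders. As erikkll notes above, this covers confidentiality only; it does nothing about the provider suspending the service.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only thing handed to the storage provider: the object
// ciphertext plus the per-object data key (DEK) wrapped under a key-encryption
// key (KEK) that never leaves the customer's own systems.
type Envelope struct {
	WrappedDEK []byte // DEK sealed under the KEK, AES-256-GCM, nonce prepended
	Ciphertext []byte // object sealed under the DEK, AES-256-GCM, nonce prepended
}

// sealGCM encrypts plaintext under key with a fresh random nonce and returns
// nonce || ciphertext || tag, so the blob carries what is needed to open it.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM. A wrong key, a tampered blob or a mismatched AAD
// fails authentication instead of returning garbage.
func openGCM(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt builds the envelope for one object. objectID is bound in as AAD so a
// wrapped key or ciphertext cannot be silently swapped between objects.
func Encrypt(kek, plaintext []byte, objectID string) (*Envelope, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes (AES-256)")
	}
	dek := make([]byte, 32) // fresh data key for this object only
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(kek, dek, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the object with the DEK.
func Decrypt(kek []byte, env *Envelope, objectID string) ([]byte, error) {
	dek, err := openGCM(kek, env.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, env.Ciphertext, []byte(objectID))
}

// LeaksPlaintext reports whether the stored blob contains the plaintext
// verbatim, i.e. whether the provider could read it without the KEK.
func LeaksPlaintext(env *Envelope, plaintext []byte) bool {
	return bytes.Contains(env.Ciphertext, plaintext) || bytes.Contains(env.WrappedDEK, plaintext)
}

func main() {
	// Constructed sample: in practice the KEK comes from an HSM or key server
	// under the company's own control, never from the hosting provider.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte("patient_id=12345;diagnosis=example") // constructed sample data
	env, err := Encrypt(kek, record, "records/2026/0001")  // constructed object ID
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored at provider: %d bytes, plaintext visible: %v\n", len(env.Ciphertext), LeaksPlaintext(env, record))
	back, err := Decrypt(kek, env, "records/2026/0001")
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with KEK: %s\n", back)
}
```

Binding the object identifier as AAD matters for the split-workload setups discussed above: it stops a wrapped key from one object being re-attached to another's ciphertext, and a KEK rotation only requires re-wrapping the small DEKs, not re-encrypting every object.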
nbs-of-74@reddit
Curious if this is an issue for European subsidiaries of US corporations, as well as their European franchisees. Since the US side is naturally going to build global infrastructure on Azure/AWS. This is likely to include delivery and loyalty solutions that will include European customers' details, not just your backend financial and SCM systems.
DisappointedSpectre@reddit
Or at the minimum some kind of access under an umbrella account somewhere that could theoretically access content of the paid accounts under it. Even if that was technically a misconfiguration by the account holder AWS wouldn't care with a subpoena in front of them. Or a break glass account with keys to everything that lives in US-East-1.
mortsdeer@reddit
Gotta say, the Orange one and his cronies chest thumping like this may be the greatest boon to European service providers. As long as we seemed reasonable, the sovereignty arguments didn't get respected. Now the worst case possibilities sound more possible.
lilelliot@reddit
I don't know the answer to this, but isn't a part of this solution the partnerships the US hyperscalers have inked with European companies to essentially operate independent "instances" of their cloud services? For example, Google Cloud with T-Systems: https://www.t-systems.com/de/en/sovereign-cloud/solutions/sovereign-cloud-powered-by-google-cloud
I don't know if this completely covers concerns regarding the CLOUD Act because I know it was initiated as a result of GDPR, but maybe?
Nyohn@reddit
We don't use any cloud services for any data of importance or value.
FalconDriver85@reddit
Moving from AWS to Azure. 😁 No, really, we already were hybrid multi-cloud, now we will be hybrid-cloud
mrrichiet@reddit
Hmmm, thanks for the insight, this is something I hadn't considered.
It sounds like a nightmare. I'd bury my head in the sand and wait until you get a "request". If you do get one, get your lawyers to delay so you can join a class action with everyone else who is in the same boat.
xplorerex@reddit
Use Amazon Germany. It is registered there and doesn't have to enact US laws.
CellPuzzleheaded99@reddit
That's already debunked. AWS will always have US ties, even if you place this operation in a German legal entity with only German staff. At the end of the day AWS will be forced to hand over the data, in any way possible.
xplorerex@reddit
Amazon Germany is its own entity.
CellPuzzleheaded99@reddit
Yes..... and who is the owner of this legal entity?? Even with x legal constructions between AWS in the US and this entity in Germany, it is still part of AWS.
xplorerex@reddit
Ok, since you are not getting it:
Amazon US is the parent company of Amazon Germany.
That makes Amazon Germany its own entity in its own right. Only companies have parent companies.
Amazon Germany is a PLC, so all of this is publicly verifiable.
As its a company in Germany, it is bound by German law and EU data protections, which means they can't share with the US.
The US cloud act only means they can request the data from other jurisdictions. That request won't be granted because of German law, because they are a German company, bound to German law and EU law.
Even if by some miracle the German courts allowed it, EU law would also prevent it.
WalkingSucculent@reddit
https://european.cloud/2026/01/aws-esc-launch/
https://andreafortuna.org/2026/01/26/AWS-european-sovereign/
However, you're in your own right to ignore the truth
DrStalker@reddit
Ask your AWS rep. Amazon often has documents on how AWS can be used in compliance with various laws/legal requirements/security requirements, and they might have something about this you can shove into your risk register and forget about.
Otherwise, you wait for legal and management to decide what to do.
theculture@reddit
I would read this:
https://aws.amazon.com/blogs/security/five-facts-about-how-the-cloud-act-actually-works/
serverhorror@reddit
The cloud act isn't a problem as such. Every European court can order companies to provide access as well.
What is a problem is that the US is (arguably) a hostile entity.
We're less worried about China stealing IP than we are about the US.
Alas, the US has all the systems. We're "accepting the risk". The investments required to replace systems and vendors (if they even exist) aren't feasible... not at this point.
b4k4ni@reddit
It depends on what you have or do. If you have AWS for some shenanigans and nothing productive, it would be fine. Encryption and so on can only go so far - if the service or VM runs there, they can interfere. And it's not only about the NSA looking, it's also about industrial espionage. And that's nothing new - they have been doing this as "allies" for ages already. I mean, Snowden also showed as much.
If you can, get a real EU-based provider and transfer everything. Cost might be the same, functions might differ a bit, you need to migrate and maybe have a few compromises to make. But in the long run, it's the better option. Stay away from any US company services.
Bob_Spud@reddit
"Industrial espionage" is a good point.
The US has used security to hide their industrial espionage activities. The Echelon Project was set up by the Five Eyes for their security; it was corrupted by the US for industrial/commercial espionage. This is not conspiracy theory, it's been well documented by the EU Parliament.
European Parliament Report on the existence of a global system for the interception of private and commercial communication (ECHELON interception system)
https://www.europarl.europa.eu/doceo/document/A-5-2001-0264_EN.html
NekkidWire@reddit
EU company steering clear of AWS.
First of all, "cloud" is just an infrastructure that you don't own and pay monthly to access. It has to fulfill all requirements (availability, integrity, access control, disaster recovery etc.) as any other infrastructure, plus the added hassle of not being physically traceable to your rack in your data centre.
So if you "must" use cloud, you need to set up everything, plus defend against the additional attack vector of the cloud provider or its employees. And that is very much impossible.