Sovereign cloud, almost a year after Microsoft France's legal director couldn't guarantee EU data stays out of US reach
Posted by The_VisibleInvisible@reddit | sysadmin | 13 comments
On June 10, 2025, Anton Carniaux (Microsoft France legal director) was asked under oath by the French Senate inquiry commission whether he could guarantee EU sovereign-cloud customer data stays out of US reach. He couldn't.
The structural reason predates the hearing. Microsoft v. United States (the Ireland warrant case, 2013-2018) tested whether US warrants reach data held by US-parented subsidiaries abroad. Microsoft won at the 2nd Circuit in 2016. The CLOUD Act, March 23, 2018, was written specifically to close that defense; the "possession, custody, or control" standard now reaches US parents over foreign subsidiaries regardless of data residency.
What's shifted since:
- S3NS (Thales ~80% / Google ~20%) got SecNumCloud 3.2 qualification on December 17, 2025. SecNumCloud caps non-EU stakes at 24% individually, 39% collectively.
- Bleu (Orange + Capgemini, distributing Microsoft Azure/365 on isolated French infrastructure) targets SecNumCloud for H1 2026.
- AWS European Sovereign Cloud launched January 15, 2026 in Brandenburg. Four German GmbHs, all 100% subsidiaries of Amazon.com Inc. Same parent-control structure that lost in the Ireland warrant case.
Practical split: legal-entity ownership and software-stack ownership are separate line items now. SecNumCloud closes the legal exposure path. Operational dependency stays. Patches, updates, security fixes still flow from the licensing parent. Pull the license, the qualified stack stops upgrading.
Long version, with the Schrems I (2015) and Schrems II (2020) timeline: https://thevisibleinvisible.substack.com/p/the-stolen-word
Anyone here actually migrated to S3NS or Bleu yet? Wondering what cracked on the ops side.
Kumorigoe@reddit
Sorry, it seems this comment or thread has violated a sub-reddit rule and has been removed by a moderator.
Do Not Conduct Marketing Operations Within This Community.
Your content may be better suited for our companion sub-reddit: /r/SysAdminBlogs
If you wish to appeal this action please don't hesitate to message the moderation team.
poro_8015@reddit
this is exactly why we went self-hosted instead of waiting on S3NS/Bleu timelines. running stuff on yundera means the legal entity question just disappears - no US parent, no CLOUD Act exposure. the operational dependency point you raise is real though, even self-hosted you're still pulling upstream patches from somebody. but at least the warrant surface is gone.
jimicus@reddit
Have you considered not asking ChatGPT to write your posts?
SevaraB@reddit
That’s kinda not cool. We’re telling everybody all over the world to post only in English, a language not everybody is fluent in, and then we give international posters crap for leaning on LLMs to help translate. You offering to stand up a model for them specifically tuned to “dumb down” the output?
The_VisibleInvisible@reddit (OP)
Considered. Declined. The bot keeps trying to add em-dashes and I'm out of remediation budget.
Real question though: which claim read hallucinated? S3NS shareholder split, SecNumCloud 3.2 qualification date, CLOUD Act §2701 "possession, custody, or control" standard, Microsoft v US 2nd Circuit timeline. Pick one and I'll show the source.
The "reads like ChatGPT" line is fair as a styling complaint, separate from substance. That's just how the prose comes out when I write. Read it as criticism or compliment. Same text either way.
Smooth-Zucchini4923@reddit
This part specifically is incomprehensible.
The part before that about the CLOUD Act was clear, but also extremely obvious to anyone who remotely cares about the topic.
jimicus@reddit
It's readable, but it's very dense.
An entirely EU-based company with no US parent sets up their own cloud infra. But (unlike, say, Microsoft), they don't write the software stack that drives this cloud infra.
They purchase it from Microsoft.
Which means legally, the US can't go marching in and demand data pulled from this cloud infra.
However, it also means that there is a dependency on Microsoft to provide the software stack. If the license for it is pulled, the software can't get any more upgrades.
(Personal opinion): This isn't sustainable long-term. The US may not be able to legally demand access to the data, but they can sure as hell pressure Microsoft to terminate the licensing. And for that matter put spyware in an update, but let's not go there.
The_VisibleInvisible@reddit (OP)
The summary you gave is cleaner than mine. That's the operational read.
Your licensing pressure point has the precedent. Microsoft, Oracle, SAP, Amazon, and IBM all suspended Russia operations within two weeks of the February 2022 invasion. Microsoft cut existing license renewals in August 2023 and terminated full cloud access for Russian customers on March 20, 2024 under EU Sanctions Package 12. The mechanism doesn't need spyware. It just needs a license termination clause and a regulatory nudge.
S3NS and Bleu pre-negotiated long-term licensing terms with US-binding clauses precisely because they saw this pattern. Whether those contracts hold under maximum US pressure is the open question and yet to be seen.
rakim71@reddit
Yeah, this is unintelligible.
freethought-60@reddit
From your post I honestly didn't get all the details because it's not entirely understandable (it's probably a limitation of mine), but IMHO the point is that as long as you don't own everything that makes up an IT infrastructure, for better or worse you always depend on someone else, more or less friendly as they may be. You know what I care about data sovereignty, wherever placed, if in the critical moment of need I then depend on someone else to be able to consume it; personally, in my ignorant simplicity, it means little or nothing.
Ultimately, it's like you said: if you don't absolutely own (remaining generic) the software stack (and this also applies to the hardware stack, with its "firmware") you can do whatever you want, but you'll always depend on someone else.
Ssakaa@reddit
It's meandering AI slop. OP can't be bothered to express their own thoughts, though. We shouldn't be bothered trying to interpret them.
The_VisibleInvisible@reddit (OP)
Your hardware/firmware extension is right, and it's the part most sovereign-cloud talk skips. Software-stack dependency is one layer. The silicon underneath is another.
Most EU "sovereign" deployments run on Intel or AMD chips with closed-source management firmware (Intel ME/AMT, AMD PSP) and a network-capable subsystem the operator can't audit. The European Processor Initiative has spent years getting RISC-V/Arm HPC chips through SiPearl, but Rhea is targeted at HPC, not general cloud. Open-firmware paths (OpenTitan, coreboot) cover fractions of a real datacenter stack.
Your operational point lands. Sovereignty isn't binary. It's layered. Legal exposure can be closed (S3NS, SecNumCloud). Software stack stays licensed. Silicon stays foreign. Each layer you close costs more than the last.
RevolutionaryWorry87@reddit
Yeah it's hard to believe chatgpt