
CLOUD Act
US law enabling government access to foreign-stored data; core driver of EU sovereign cloud spending and CAIDA.
Last refreshed: 17 May 2026 · Appears in 1 active topic
France moved €180m of health records off Azure because of this law — will CAIDA make that the EU norm?
Timeline for CLOUD Act
- Mentioned in: Brussels sovereignty summit opens without European AI builders (European Tech Sovereignty)
- France awards Health Data Hub to Scaleway (European Tech Sovereignty)
- Applied as legal framework exposing S3NS-hosted EU data to potential US disclosure (European Tech Sovereignty: Commission awards sovereign cloud slot to Google joint venture)
- Cited as mechanism allowing US authorities to compel UK data disclosure without UK consent (European Tech Sovereignty: ORG brands UK tech dependency a risk)
- Mentioned in: Sovereign cloud spend set to triple by 2027 (European Tech Sovereignty)

- Can the US government access EU data stored on AWS or Azure?
- Under the CLOUD Act (2018), US authorities can compel US-headquartered cloud providers including AWS, Azure, and Google Cloud to produce customer data regardless of where it is physically stored, including EU data centres. Source: US law, EDPB
- Does the CLOUD Act apply to S3NS, the Thales-Google Cloud joint venture?
- Yes. S3NS runs on Google Cloud infrastructure, which is subject to CLOUD Act jurisdiction. This is why it achieved SEAL-2 rather than SEAL-3 in the EU sovereign cloud framework; SEAL-3 requires immunity from non-EU legal orders. Source: European Commission, CISPE
- What is SecNumCloud and how does it relate to the CLOUD Act?
- France's ANSSI SecNumCloud is the most stringent EU sovereign cloud certification, explicitly requiring providers to be immune from non-EU legal access requests including the CLOUD Act. US-headquartered providers cannot qualify. Source: ANSSI
- Why is European cloud sovereignty growing so fast?
- European sovereign cloud spending is forecast to triple from roughly $7 billion in 2025 to $23 billion by 2027. The CLOUD Act exposure of US cloud providers is cited as a primary driver, alongside GDPR conflicts and national security concerns. Source: Lowdown, IDC
- Why did France move its Health Data Hub off Microsoft Azure?
- France cited the US CLOUD Act as the primary driver: a US-domiciled provider cannot guarantee health data will never be accessed under a US government order. The contract was awarded to Scaleway in April 2026. Source: French parliamentary briefings, Lowdown
- What does the US CLOUD Act mean for EU cloud data?
- It allows US law enforcement to compel US-headquartered cloud providers — AWS, Azure, Google Cloud — to hand over data stored anywhere in the world, including EU data centres, without an EU court order.
- Will CAIDA ban US cloud providers from European government contracts?
- Leaked CAIDA text (May 2026) bars US clouds from processing financial, judicial, and health data for EU public-sector clients; private-sector procurement is excluded. Source: CNBC / gHacks leak reporting
- Does the CLOUD Act apply to data stored in Europe?
- Yes. Any cloud service operated by a US-headquartered company is subject to CLOUD Act orders regardless of where data is physically stored, including in EU data centres.
Background
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act), signed into US law in 2018, gives law enforcement and national security agencies the authority to compel US-headquartered cloud providers — including AWS, Azure, and Google Cloud — to produce customer data regardless of where it is physically stored. This includes data held in EU data centres. The CLOUD Act is the primary legal basis for European cloud sovereignty concerns: any cloud service operated by a US company is in principle subject to US government access demands, undermining EU data protection and national security requirements. European sovereign cloud frameworks, including France's ANSSI SecNumCloud certification, explicitly require providers to be immune from non-EU legal access requests.
In April 2026 the CLOUD Act became directly visible in EU institutional procurement. The European Commission's €180m sovereign cloud framework, selecting four awardees across the SEAL-1 to SEAL-3 tiers, was explicitly structured to exclude CLOUD Act-subject companies from EU institutional data — yet S3NS, the Thales and Google Cloud joint venture, won a slot at SEAL-2 on infrastructure that runs on Google Cloud. France's Senate had previously heard Microsoft acknowledge it could not guarantee French customer data would never be disclosed under US legal orders; the same structural exposure attaches to workloads running on Google infrastructure via S3NS. The Open Rights Group cited the CLOUD Act in its April 2026 report arguing Britain's US-tech dependency is a national security vulnerability, noting it as the mechanism by which the US could compel disclosure of UK Government data held on AWS or Azure without UK consent.
The CLOUD Act was intended primarily for law enforcement cooperation but has become a geopolitical instrument shaping the entire EU sovereign cloud market. France's SecNumCloud, Germany's GAIA-X, and the EU Cloud Computing Certification Scheme all define compliance partly by reference to immunity from non-EU legal orders. European sovereign cloud spending is forecast to triple from roughly $7 billion in 2025 to $23 billion by 2027, with CLOUD Act exposure as a core driver. Whether member states follow EU institutions in CLOUD Act-based exclusions will determine whether that exposure becomes a genuine structural barrier to US cloud market share in Europe.
France's decision in April 2026 to award the Health Data Hub hosting contract to Scaleway, migrating millions of French citizens' health records off Microsoft Azure in a deal reported at around €180m, is the most concrete proof yet of the CLOUD Act reshaping procurement at national level, not just at the EU institution tier. The explicit trigger named in French parliamentary briefings was the Act's exposure: a US-domiciled provider cannot guarantee French health data will never be accessed under a US government order.
The Commission's CAIDA (Cloud and AI Development Act), leaked in May 2026 and tabled for adoption 27 May 2026, is expected to codify CLOUD Act immunity as a statutory procurement criterion for EU public bodies handling financial, judicial, and health data — effectively extending France's HDH reasoning to the whole single market. CISPE's rival Sovereign and Resilient Cloud Framework, launched 24 April 2026, positions itself as the binary certification standard CAIDA should reference, directly contesting the Commission's graduated SEAL tiers.
If CAIDA passes in its leaked form, the CLOUD Act stops being a voluntary exclusion criterion and becomes a hard statutory bar for defined data categories across all 27 member states. That would accelerate the €23bn sovereign cloud market forecast and increase structural pressure on AWS, Azure, and Google Cloud to establish legally independent EU subsidiaries or accept permanent exclusion from a growing share of European public procurement.