Data Localization and the Sovereign Cloud: EU Cloud Regulations Explained


8 minute read | January 20, 2026

Digital Sovereignty in the Context of Geopolitical Uncertainty

Scrutiny of the European Union's dependence on non-European cloud services is intensifying amid geopolitical tensions and rising cyber risk. U.S. hyperscalers control more than 70% of the EU cloud market, while European providers’ share has nearly halved since 2017.[1]

There are growing concerns that U.S. dominance could become a source of geopolitical leverage. Similar concerns exist regarding Chinese cloud providers expanding into the European cloud market. As a result, the EU and its member states are increasingly focused on foreign clouds.

The complexity of this legal landscape has fueled concern and confusion about the legal requirements for non-European cloud services usage. To help, we address and dispel three common myths surrounding European cloud regulations.

Myth 1: European law requires servers located in the EU

European law does not include explicit or general data localization requirements.

European law focuses mostly on risk-based assessments rather than on prohibiting non-European clouds in general. In some cases, this can lead to de facto data localization requirements or other measures that non-European cloud providers and their customers need to consider. Nevertheless, non-European cloud providers are not excluded.

To navigate European laws that could lead to de facto data localization requirements, non-European cloud providers and their customers should pay special attention to:

GDPR (Regulation (EU) 2016/679)

The key rules for cloud services concern personal data transfers to countries outside the EU. Such transfers are only allowed if:

  • Transfer is based on an adequacy decision of the European Commission, or
  • Transfer is based on appropriate safeguards, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), together with a Transfer Impact Assessment (TIA)

Even with an adequacy decision, it is sometimes advisable to prepare SCCs and TIAs in case the adequacy decision is later struck down, as in the Schrems I and Schrems II cases.[2]

EHDS (Regulation (EU) 2025/327)

  • The European Health Data Space (EHDS) regulates the primary and secondary use of electronic health data for healthcare and research for scientific purposes.
  • It allows EU member states to require that health data be stored and processed exclusively within the EU, unless a GDPR adequacy decision exists for the destination country.
  • EHDS also limits third-country access based on strict reciprocity: EU entities should only share health data if they receive equivalent access in return.

Data Act (Regulation (EU) 2023/2854)

  • The Data Act sets rules for “data processing services,” a broad term that includes IaaS, PaaS, and SaaS cloud services. It requires providers to implement safeguards preventing third-country access to non-personal data stored in the EU if such access would violate EU or member state law.
  • Data can only be disclosed to foreign authorities under an international agreement or bilateral arrangement with a member state.
  • Notably, the Data Act does not prohibit non-European cloud providers or storing non-personal data outside the EU. The Commission’s guidance confirms that companies remain free to choose where to store non‑personal data.

NIS-2 Directive (Directive (EU) 2022/2555)

  • The Directive on Security of Network and Information Systems (NIS-2 Directive) aims to establish a high common level of cybersecurity across the EU, covering cloud computing service providers.
  • Covered entities must implement appropriate technical, operational, and organizational measures to manage cyber risks and mitigate incident impacts, tailored to their specific risk profile.
  • The directive requires conformity with the state of the art but does not demand absolute security or provide a prescriptive list of controls.
  • While NIS-2 does not generally mandate data localization, risk assessments under Article 21 may require companies to choose EU-based providers, particularly where supply chain security and subcontractor relationships raise significant concerns.

DORA (Regulation (EU) 2022/2554)

  • The Digital Operational Resilience Act (DORA) aims to foster the operational resilience of financial entities. It applies to financial entities and to third‑party ICT (information and communication technology) service providers, including cloud computing, network infrastructure, and other digital services delivered over ICT systems.
  • DORA indirectly regulates non‑critical ICT providers through mandatory contractual obligations to be observed in agreements with financial entities.
  • While it does not impose general localization or ban non‑European clouds, providers designated as “critical” must establish an EU presence.
  • Parties must agree on the service and data-processing locations upfront, with prior notice required for any change; in practice, this can lead to de facto localization.

Myth 2: Non-EU cloud providers are banned from government contracts

Non-European cloud use by EU institutions and member state agencies has sparked sovereignty debates, as concerns about foreign interference run particularly high in the public sector. As such, the EU and member states, including Germany and France, have introduced additional requirements for government cloud use.

Despite these additional safeguards, non-European cloud providers are often still able to perform services.

EU Institutions

In October 2025, the European Commission published its Cloud Sovereignty Framework, defining eight sovereignty objectives for EU institutions procuring cloud services.

Some key sovereignty objectives for non-European cloud providers and their customers involve considering whether the cloud service:

  • is headquartered outside the EU,
  • processes data outside the EU,
  • is exposed to the influence of a foreign government,
  • is dependent on non-European goods and technologies, or
  • is able to run, support, and evolve without foreign control.

Since these objectives are only minimum requirements and are not precisely defined, the required level for each objective may differ for each procurement. Furthermore, the ultimate decision will likely be predominantly influenced by other factors, such as price and performance.

German Federal Authorities

Germany’s Federal Office for Information Security (BSI) has issued binding minimum standards for federal agencies using external clouds. To meet these requirements, providers must comply with the BSI’s Cloud Computing Compliance Criteria Catalogue (C5).

Key expectations for non‑European providers include:

  • Transparency and control over all processing locations,
  • Robust transparency on handling of government requests, and
  • Limits on access to data by state authorities.

The C5 criteria do not impose explicit localization, nor do they exclude non-European cloud providers from serving federal authorities in Germany.

French authorities

The French requirements for cloud use in the public sector (SecNumCloud certification) are some of the strictest in Europe.

Key requirements:

  • The cloud provider must be immune to requests from public authorities of third countries.
  • The service provider must store and process client data within the EU.
  • Service administration and supervision operations must be conducted within the EU.
  • The service provider's registered office, central administration and principal place of business must be located within the EU.

Although these requirements may seem to ban non-European cloud providers at first glance, practice shows that, through joint ventures with local companies, non-European cloud providers can still serve clients with their cloud products.

Myth 3: Only domestic clouds can be “sovereign clouds”

The term "sovereign cloud" is a buzzword. Despite the lack of a defined legal term or a universally understood concept, the term is used frequently.

A protectionist interpretation links the term “sovereign cloud” to clouds operated by domestic companies using domestic servers. However, this approach has technical limitations, as the provider’s origin or server location alone does not guarantee the intended level of security. A court in Ontario ordered the French provider OVHcloud to disclose data stored on European servers to Canadian police, illustrating that location is not an absolute shield.

A more convincing interpretation treats “digital sovereignty” as shorthand for compliance with EU law, focusing on safeguards against third‑country access to cloud‑hosted data. EU regulations prioritize preserving data protection and cybersecurity standards rather than mandating localization. Germany’s Federal Office for Information Security (BSI) adopts this pragmatic view, stating that relying only on local cloud solutions is often “simply not possible” and would block access to global innovation while creating economic and administrative risks.

In practice, digital sovereignty is best served by ensuring that providers comply with EU rules and respect EU fundamental rights, rather than by imposing bans or rigid localization. Specific location demands in individual cases often exceed binding law and reflect policy preferences rather than legal obligations.

Bottom Line:

  • There is no general ban on non-European cloud providers for either private or public clients.
  • Cloud providers and their customers should verify compliance with data, cloud, or cybersecurity regulations regardless of headquarters or server location.
  • Companies should seek to understand the specific requirements that apply to their cloud services by asking:
    • Is the sector subject to specialized regulations? (e.g., healthcare or finance sector, critical infrastructure)
    • What types of data do they store in the cloud? (e.g., personal data, health data, accounting data)

For questions, please contact Dr. Christian Schröder.


[1] Förster, European cloud market grows – and US providers benefit, Heise‑online, July 29, 2025.

[2] CJEU, Judgement of 6 October 2015, Schrems I, C-362/14 (https://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=8245117); CJEU, Judgement of 16 July 2020, Schrems II, C-311/18 (https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=8245926).