Data Sovereignty and US Cloud Providers:
What “stored in Europe” actually means

1st July 2026 | Blog | AJ Thompson


Why physical data residency in the EU does not guarantee legal protection from US extraterritorial law, and what genuine sovereignty requires.

For many UK and European organisations, the decision to use a US-headquartered cloud provider felt straightforward a decade ago. The infrastructure was excellent, the pricing was competitive, and compliance teams took comfort from knowing the data sat in an EU or UK data centre. That comfort is now being seriously tested. The geopolitical landscape has shifted, regulatory pressure has intensified, and a growing number of boards are asking a question their IT teams cannot always answer cleanly: if our data physically sits in Frankfurt or Dublin, but our provider has its headquarters in Seattle, who actually controls it? This article addresses three persistent myths about data sovereignty in the UK that are leading organisations to believe they are more protected than they are, and sets out what genuine control over your data actually requires in 2026.

[Image: Data sovereignty UK: two clouds, one EU, one US, locked together]

Myth 1: “Our data is stored in an EU data centre, so it is covered by EU law”

This is the most common misunderstanding in the market, and the most dangerous one.

Data residency and data sovereignty are not the same thing. Residency is a geographical fact: it tells you where the server physically sits. Sovereignty is a legal reality: it tells you which jurisdiction’s laws govern that data and who has the authority to compel access to it.

The critical instrument here is the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018). Under the CLOUD Act, US authorities can compel a US-domiciled technology company to produce data held on its servers anywhere in the world, including within the European Union. The physical location of the data centre is legally irrelevant. If your cloud provider holds US incorporation, your data in Frankfurt is still potentially accessible to US government agencies under a valid CLOUD Act order, regardless of what the provider’s contractual terms say about EU jurisdiction.


Why GDPR compliance doesn’t close the gap

The General Data Protection Regulation (EU Regulation 2016/679) does not resolve this conflict. GDPR governs how organisations collect, process and transfer data, and it imposes strict conditions on transfers of personal data outside the EEA. However, GDPR compliance is a separate question from CLOUD Act exposure. An organisation can be fully GDPR-compliant and simultaneously hold data that is legally accessible to US federal agencies. These are two different legal frameworks operating in parallel, and assuming that GDPR compliance provides a shield against extraterritorial US law is a mistake that has caught out a number of organisations.

The European Court of Justice reinforced this tension in its Schrems II judgment (Case C-311/18, 2020), which invalidated the Privacy Shield framework precisely because US surveillance law created risks that EU data protection law could not adequately counteract. While the EU-US Data Privacy Framework (adopted in 2023) has attempted to address this, legal challenges are already underway and the framework’s long-term durability cannot be guaranteed.

[Image: Data sovereignty UK: EU data residency versus US CLOUD Act jurisdiction]

Myth 2: “We are encrypted, so even if someone requests our data, they cannot read it”

Encryption is essential. It is not sovereignty.

Encryption protects data from unauthorised access by third parties during transit and at rest. It does not alter the legal status of that data or change who can compel its disclosure. A CLOUD Act order served on a US cloud provider does not require the provider to hand over readable data directly; it requires them to provide access. If the provider holds the encryption keys, or if key management is operated by the provider’s infrastructure, then the data is accessible. The encryption argument is only meaningful if the customer holds sole custody of their own encryption keys, managed entirely outside the provider’s environment.

The EU Data Act (Regulation EU 2023/2854), which came into force in 2024, is relevant here. It establishes rights around data access, data portability and the conditions under which data can be shared. It also reinforces the importance of contractual clarity around who holds keys and who can compel access. Organisations operating under regulated frameworks, including financial services firms subject to the EBA guidelines and healthcare organisations subject to sector-specific data protection obligations, need to read their cloud contracts with this in mind.

Myth 3: “Digital sovereignty is a concern for governments and large enterprises, not for us”

The regulatory reality does not scale by company size.

GDPR applies to any organisation that processes the personal data of EU residents, regardless of that organisation’s size or revenue. If you have even one customer in the EU, GDPR applies. The fines for non-compliance are not theoretical: GDPR violations have resulted in penalties exceeding four billion euros since 2018, with regulators increasingly willing to pursue mid-market and smaller organisations as enforcement maturity increases.

The NIS2 Directive (Directive EU 2022/2555), which EU member states had to transpose into national law by October 2024, extends cybersecurity obligations significantly further down the supply chain than NIS1 did. UK organisations that provide services into the EU market, or that sit within the supply chains of NIS2-regulated entities, face indirect exposure to these requirements even absent direct transposition into UK law post-Brexit.

Beyond regulatory risk, there is a growing commercial reality. Industry data shows that data sovereignty has moved from a single line in an RFP to a substantive section requiring detailed responses. Organisations that cannot demonstrate genuine control over their data, not just contractual assurances from their cloud provider, are beginning to lose business to competitors who can.

What genuine data sovereignty in the UK actually requires

Meeting the standard that regulators and an increasing number of enterprise buyers now expect involves more than selecting an EU region in a hyperscaler’s dashboard. It involves understanding four things clearly:

  • Where your data physically resides, including backup systems, disaster recovery sites and any data that moves during processing. Data in transit across jurisdictions is as legally significant as data at rest, a point that is becoming more prominent as AI-driven workloads generate continuous data flows.
  • Which laws govern that data, including any extraterritorial reach from the provider’s country of incorporation, not just the country where the data centre sits.
  • Who can compel access to it, under what legal authority, and under what conditions the provider must notify you.
  • Whether you can move your data, on reasonable timescales, if you need to change provider or if a legal challenge requires you to act.

A hybrid architecture, where a provider not subject to US extraterritorial law operates sensitive workloads on infrastructure that sits entirely within UK or EU legal jurisdiction, is increasingly the practical answer for organisations that need to answer all four questions with confidence.

Three things to address before your next cloud contract renewal

1. Audit your key management arrangements.
Identify whether your cloud provider holds encryption keys, shares key management with you, or operates under a bring-your-own-key model. This single factor determines whether encryption provides meaningful sovereignty protection or merely security theatre.

2. Map the legal jurisdiction of your providers, not just their data centres.
For every significant cloud or SaaS contract, document the country of incorporation of the parent entity and assess whether the CLOUD Act or equivalent extraterritorial legislation applies.

3. Review your contractual data access and notification provisions.
Under GDPR Article 28, processors are required to assist controllers in meeting their obligations. Your contracts should specify what your provider will do, and what they will tell you, if they receive a government access request relating to your data.
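The key-custody point made under Myth 2, and the audit in step 1 above, come down to one question: when a provider is compelled to produce everything in its possession, does that set include the key that makes the data readable? The following Go program is an added illustration, not code from Northdoor or from any cloud provider, and it models that question with envelope encryption: each object is encrypted under a per-object data-encryption key (DEK), and the DEK is wrapped under a key-encryption key (KEK). The names Upload, Decrypt and Disclose are hypothetical. Whether the KEK sits in the provider's key-management service or only in the customer's own environment is the single variable that decides whether Disclose returns plaintext or only ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is everything the provider holds for one object: the ciphertext,
// its nonce, and the data-encryption key (DEK) wrapped under the key-encryption
// key (KEK). Nothing in it is readable without the KEK.
type StoredObject struct {
	Ciphertext []byte
	Nonce      []byte
	WrappedDEK []byte
	WrapNonce  []byte
}

// gcmSeal encrypts plaintext under a 256-bit key with AES-GCM and a fresh nonce.
func gcmSeal(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal; it fails on a wrong key or tampered ciphertext.
func gcmOpen(key, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, nil)
}

// Upload runs on the customer's side (hypothetical name): generate a per-object
// DEK, encrypt the object, wrap the DEK under the KEK, and hand only the results
// to the provider. The plaintext DEK never leaves this function.
func Upload(kek, plaintext []byte) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredObject{}, err
	}
	nonce, ct, err := gcmSeal(dek, plaintext)
	if err != nil {
		return StoredObject{}, err
	}
	wrapNonce, wrapped, err := gcmSeal(kek, dek)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Ciphertext: ct, Nonce: nonce, WrappedDEK: wrapped, WrapNonce: wrapNonce}, nil
}

// Decrypt is what any party holding the KEK can do with a stored object.
func Decrypt(kek []byte, obj StoredObject) ([]byte, error) {
	dek, err := gcmOpen(kek, obj.WrapNonce, obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, obj.Nonce, obj.Ciphertext)
}

// Disclose models the provider answering a compelled access request with
// everything in its possession. providerKEK is nil when the customer keeps the
// KEK outside the provider's environment; then only ciphertext can be produced.
func Disclose(obj StoredObject, providerKEK []byte) ([]byte, error) {
	if providerKEK == nil {
		return nil, errors.New("provider holds no KEK: can produce ciphertext only")
	}
	return Decrypt(providerKEK, obj)
}

func main() {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	doc := []byte("constructed sample: customer record 4711") // constructed sample data
	obj, err := Upload(kek, doc)
	if err != nil {
		panic(err)
	}
	// Scenario A: provider-managed keys, the KEK lives in the provider's KMS.
	pt, err := Disclose(obj, kek)
	fmt.Printf("provider-held KEK: readable=%v\n", err == nil && string(pt) == string(doc))
	// Scenario B: customer-held KEK, the provider can only produce ciphertext.
	_, err = Disclose(obj, nil)
	fmt.Printf("customer-held KEK: %v\n", err)
	// The customer itself still reads normally.
	pt, _ = Decrypt(kek, obj)
	fmt.Printf("customer read: %s\n", pt)
}
```

The model deliberately ignores the cipher details; what it shows is that "bring your own key" only changes the outcome of Disclose if the KEK is never imported into infrastructure the provider operates. A KEK uploaded into the provider's KMS is, for the purposes of a compelled disclosure, held by the provider.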

What this means for your business

Data sovereignty has moved up the board agenda quickly, and not without reason. The combination of geopolitical uncertainty, maturing regulatory enforcement and a growing awareness of the gap between where data sits and who controls it is prompting organisations across every sector to look more carefully at their cloud architecture.

At Northdoor, we have been working with organisations on data governance, infrastructure and compliance challenges for three decades. We understand the IBM infrastructure landscape and the hybrid cloud architectures that allow organisations to keep sensitive workloads within genuinely sovereign environments without sacrificing the performance and scalability they need.

If any of the questions in this article are ones your team cannot currently answer with confidence, it is worth having a conversation. We will give you a straight assessment of where your exposure is and what your options are. No sales pitch, just a practical discussion.
