UII UPDATE 409 | SEPTEMBER 2025

Intelligence Update

In cloud and colo, whose laws rule the data?

Once a pillar of transatlantic unity, the relationship between Europe and the US has become strained following disputes over NATO commitments, trade tariffs and diverging strategies on Russia’s aggression in Ukraine. For some in Europe, the US no longer appears to be the dependable partner it once was (see Tariff tensions undermine trust in cloud hyperscalers).

Yet Europe remains deeply intertwined with the American digital ecosystem. The leading US cloud hyperscalers — Amazon, Microsoft, Google, Oracle and IBM — do more than serve consumers; they power critical infrastructure for European enterprises and public institutions. Europe’s digital ambitions are closely tied to these providers, while the economic benefits for hyperscalers are substantial.

These companies are not blind to shifting sentiment. In response to concerns over legal jurisdiction and political interference, several US cloud giants have introduced so-called “sovereign cloud” offerings — these promise that data and operations will remain within European borders. At the same time, European cloud providers are positioning themselves as geopolitically neutral alternatives. Still, questions remain: what makes cloud platforms especially vulnerable to foreign government intrusion — and do the same rules apply to colocation providers?

The Cloud Act

This report provides an overview of Uptime Intelligence’s understanding of the US Cloud Act as it relates to colocation facilities (colos) and cloud providers. However, it is not intended as legal guidance and organizations should seek specialist advice before pursuing any course of action.

It is the first in a series of reports that will explore the issue of data sovereignty. Future reports will cover how encryption, certifications and operations affect extrajudicial accessibility.

The US Stored Communications Act 18 USC 2713, commonly referred to as the Cloud Act, states the following:

“A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.”

A few critical points stand out:

  • Who it applies to: electronic communication services or remote computing services.
  • When it applies: if the information is within possession, custody or control.
  • Where it applies: whether information is stored inside or outside the US.

As a US law, it is legally binding only on organizations operating in the US. However, US cloud providers are legally required to provide access to data, even when that data is stored outside the US.

How it applies to hyperscalers

A cloud provider falls under the definition of a remote computing service, since both administrators and end users access it over a network.

It provides more than just data centers and servers — it also includes a middleware layer that adds cloud functionality. For example, a virtual machine service offers the capability to virtualize those machines, connect them to networks, and make them accessible to users. In a database service, a middleware layer stores and processes data on behalf of the customer.

Because this middleware gives the provider control and access to the data, the provider is bound by the Cloud Act.

Finally, as most hyperscalers are US companies, they are subject to this law. As such, the US umbrella corporation can be compelled to provide data from its European data centers or subsidiaries. Failure to comply with this request may result in that organization facing prosecution.

Third-party clouds are considered a grey area, as the hyperscaler provides the infrastructure while a local partner maintains operational control. In this case, vulnerability to extrajudicial access depends on the level of access retained by the hyperscaler. For example, technical capabilities such as root access, telemetry, or management of back-end encryption keys could still allow the hyperscaler to comply with US legal demands.

If the hyperscaler retains the ability to access the data, even when the local partner manages day-to-day operations, then it may still be required to comply with requests from US authorities. The extent of hyperscaler access to their partner-managed infrastructure is often unclear. Such third-party clouds include Google’s partnership with Thales in France (named S3NS) and Microsoft’s cloud collaboration with T-Systems in Germany.

How it applies to colos

A colocation provider does not provide a remote computing service. Rather, it provides access to physical space, power and connectivity for customers to install their own physical equipment. The owner of that equipment then uses it to make a remote computing service, such as a web application.

Because the colocation provider does not own the servers, it does not usually have possession, custody, or control of the data stored on them — although it may have custody of the physical hardware.

Within the US, a physical server can be seized through a court order. Outside the US, however, such a seizure would be difficult without the support of local enforcement authorities. A US court order given to a data center outside of the US would be invalid; instead, a local court order would be required.

US colocation providers with European data centers — such as Equinix, Digital Realty, CyrusOne, CoreSite, QTS Realty Trust, Stack Infrastructure, EdgeConneX and Flexential — are usually outside the scope of the Cloud Act.

However, US-headquartered colocation providers that offer managed services may be affected by the Cloud Act. If a colo provides managed services on top of the physical infrastructure, it may be classed as a remote computing service. For example, colos that manage an operating system, provide a backup service, or offer a private cloud could be deemed by authorities as having access to customer data.

European colocation providers — such as maincubes, DATA4 Group, Aruba.it, NorthC Datacenters, Green Datacenter, LuxConnect, Dataplex Group, Etix Everywhere, Euclyde Data Centers, Evoswitch, Servecentric and Ficolo — are not subject to US jurisdiction. As such, they are protected from US governmental access, even when providing managed services or having access to customer data.

It is the inherently remote architecture of cloud computing that exposes an organization to extraterritorial legal interference: a US-headquartered provider can access data stored abroad without being physically present, bypassing local jurisdictional safeguards.

How it applies to European cloud providers

Public cloud providers headquartered in Europe are not subject to US law. Example companies include OVHcloud, Scaleway, Deutsche Telekom (T-Systems), Orange Business, IONOS, Aruba Cloud, Exoscale, Stackscale, Hetzner, Gandi and CloudSigma.

They therefore cannot be compelled to provide data to US authorities. However, US law enforcement may request the assistance of local authorities through international treaties, which could force the cloud provider to assist under local law. For example, cooperating nations may work together in detecting and preventing terrorism.

If a European cloud provider has a US subsidiary, US authorities would only have access to that subsidiary, because the umbrella corporation is in Europe.

Ultimately, this independence gives European cloud providers a strong differentiator compared with US hyperscalers.

The Uptime Intelligence View

As geopolitical tensions persist, data sovereignty is becoming an increasingly important criterion in the selection of venues for applications. Most enterprises are likely to pursue hybrid approaches, mixing hyperscaler cloud, smaller niche cloud providers and dedicated equipment in colo and private facilities. Without access to customer software or data, colocation facilities operating in Europe are unlikely to face interference from extrajudicial governmental agencies, even if headquartered in the US. Similarly, European providers do not have to answer to any government agencies except their own. In contrast, US hyperscalers are subject to the Cloud Act, even when operating dedicated European infrastructure with European staff. This means that hyperscaler sovereign clouds are not truly sovereign.

 

About the Author

Dr. Owen Rogers

Dr. Owen Rogers is Uptime Institute’s Senior Research Director of Cloud Computing. Dr. Rogers has been analyzing the economics of cloud for over a decade as a chartered engineer, product manager and industry analyst. Rogers covers all areas of cloud, including AI, FinOps, sustainability, hybrid infrastructure and quantum computing.
