Executive Summary
Amazon Web Services officially launched the European Sovereign Cloud (ESC) on January 15, 2026, in Brandenburg – an allegedly independent cloud infrastructure for European customers with critical data requirements. The Federal Office for Information Security (BSI) supports the project but has not yet completed all security tests. Critics warn of sovereignty washing, as US companies are subject to the Cloud Act and thus must fundamentally enable data access – regardless of technical isolation measures. The same problem appears with the Swiss Government Cloud (SGC), whose independence remains questionable.
Key Figures
- Matt Garman – AWS CEO
- Claudia Plattner – BSI President
- Markus Beckedahl – Critic (Digital Sovereignty)
- Günter Born – IT Technology Journalist
Topics
- Digital sovereignty and cloud infrastructure
- Data protection and regulatory requirements (DORA, NIS2, C5)
- US Cloud Act and national security
- European independence from US technology corporations
- Swiss Government Cloud and its actual autonomy
Detailed Summary
The AWS Offering: Technical Isolation
AWS presents the European Sovereign Cloud as infrastructure completely separated from global AWS structures. The ESC is intended to operate physically and logically isolated within the EU, with independent governance structure, dedicated Security Operations Center, and exclusively EU citizens as operators. AWS promises:
- Complete data residency within the EU
- No critical dependencies on infrastructure outside the EU
- No operational access outside EU borders
- 90 of 240 AWS services available (with planned expansion in Belgium, Netherlands, and Portugal)
- Investments of 7.8 billion euros at the Brandenburg location
Technical measures include enhanced encryption, metadata protection, and the AWS Nitro system. The "European Sovereign Reference Framework" is designed to meet compliance requirements (DORA, NIS2, C5) and enable regulatory verification.
The BSI Litmus Test: Not Yet Performed
BSI President Claudia Plattner emphasizes support for the ESC architecture but admits: The most critical test scenario has not yet been performed. The ESC must function under operational conditions when all connections to the US are severed – so far theory rather than practical reality. While first customers have been active for approximately six weeks, Plattner states unambiguously: "We need to test this now."
This admission raises questions about premature certification. The reliability of technical isolation remains untested.
The Cloud Act Elephant in the Room
The central criticism comes from experts like Markus Beckedahl: sovereignty washing. The US Cloud Act obligates all US companies – regardless of subsidiaries or secondary entities – to provide data when US authorities request it. AWS remains legally under US control, which factually neutralizes technical isolation measures.
Microsoft has already admitted this with the Azure European Data Boundary: Microsoft managers conceded that US access remains possible despite technical protective measures. For AWS, the same legal reality is expected to apply.
Core question: How can a US company guarantee European sovereignty when it is legally obligated to access data?
Critical Perspective: Swiss Government Cloud (SGC)
Switzerland is pursuing a similar path with the Swiss Government Cloud – but with additional particularities and question marks:
SGC Features
- Hosted on Swiss infrastructure (Swisscom, hosting partners)
- Swiss data protection laws as legal framework
- Intended technical independence from US cloud providers
Critical Questions about SGC Sovereignty
- Legal dependence: Does the Swiss Cloud fall under the US Cloud Act if US American hardware or software is integrated?
- Technical components: How much AWS, Microsoft, or Google technology is indirectly embedded in SGC infrastructure?
- International legal assistance: Can Switzerland act completely independently or does it yield to diplomatic pressure from the US?
- Certification without tests: Has the SGC actually been tested or does it resemble the AWS ESC – certified before critical tests took place?
- Scalability vs. isolation: Does the SGC remain permanently technically and organizationally isolated, or does an integration trap loom later?
Conclusion on SGC: Here too, there is risk that genuine sovereignty is suggested through administrative measures without resolving the fundamental legal and technical dependence.
Core Messages
- AWS European Sovereign Cloud launches with incomplete certification – critical isolation (US disconnect) not yet tested
- Cloud Act remains unsolved problem: Technical isolation cannot prevent US access demands
- Microsoft Azure has already admitted: US access is legally possible, despite "European Data Boundary"
- AWS offering is regulation-motivated, not technically revolutionary
- True European cloud sovereignty requires independent European providers, not US subsidiaries
- Swiss Government Cloud (SGC) reproduces the same sovereignty problem – certification without complete independence tests
- 90 of 240 AWS services available – functionality limited but presumably sufficient for critical infrastructure
- Geopolitical timing: ESC launch coincides with phase of increased US isolationism – makes offering attractive but does not solve core problem
Stakeholders & Those Affected
| Beneficiaries | Skeptics | Losers |
|---|---|---|
| AWS – expands EU market share, circumvents regulatory pressure | European cloud startups – compete against resource-rich US corporation | True European sovereignty – remains illusion rather than reality |
| Regulators (BSI, EU) – can present compliance-conforming offering | Data protection advocates – warn of sovereignty washing | Trust in independence – eroded by unresolved Cloud Act question |
| Federal Armed Forces, financial sector – obtain regulatorily acceptable solution | IT security experts – criticize incomplete test phase | Sustainable European digitalization – delayed by US provider dependence |
Opportunities & Risks
| Opportunities | Risks |
|---|---|
| Regulatory compliance – DORA, NIS2, C5 achievable without provider switch | Sovereignty washing – technical isolation masks legal US dependence |
| Lower migration costs – AWS customers remain in ecosystem, don't switch to European providers | Cloud Act remains applicable – Microsoft precedent shows: US access is possible |
| EU infrastructure investments – 7.8 billion EUR creates local jobs and infrastructure | Insufficient testing – critical isolation (US disconnect) not validated before production launch |
| Broad service portfolio – 90+ services enable complex workloads | Price increases likely – current discounts could disappear after market consolidation |
| Improved trust – SGC and ESC signal genuine autonomy efforts | Long-term dependence – European alternatives not promoted, US dominance stabilizes |
Action Relevance for Decision-Makers
For Authorities & Critical Infrastructure
- Do not certify prematurely: Wait for complete BSI tests, particularly US-disconnect scenarios
- Review Cloud Act clauses in contracts: Explicitly stipulate that AWS must not pass data to US authorities – and define consequences for non-compliance
- Prepare exit scenarios: Evaluate alternative providers (Gaia-X ecosystem) for possible rapid switch
- Demand transparency: AWS must detail what data access has been made technically impossible – not just assert it
For Political Decision-Makers (Switzerland & EU)
- Massively support European alternatives: Rather than encouraging US corporations to don EU disguises, support genuine European solutions (Gaia-X, OVHcloud, Scaleway, etc.) with equal or better funding
- Don't declare SGC a success: The Swiss Government Cloud needs the same critical scrutiny as AWS – is independence real or wishful thinking?
- Address Cloud Act: Create clear rules at international level: US companies cannot promise European sovereignty while under US sovereignty
- Compliance ≠ Security: Regulatory fulfillment (DORA, NIS2) is not equivalent to genuine independence from superpowers
For Customers (Enterprises, Authorities)
- Treat ESC as transition, not permanent solution
- Review contractual guarantees: What happens if US authorities demand access? Liability for non-compliance?
- Don't confuse data sovereignty with data security: Encryption helps, but not against legal access obligations
- Hybrid strategies: Critical data on European systems, less sensitive data on ESC
Quality Assurance & Fact-Checking
- [x] Core statements and figures verified
- [x] Unconfirmed data marked with ⚠️
- [x] Web research conducted for current data (AWS announcement, BSI statements, specialist articles)
- [x] Bias or political one-sidedness marked
Notes:
- ⚠️ BSI test for US-disconnect not yet completed (January 2026)
- ⚠️ ESC long-term price stability uncertain (AWS reserves the right to make changes)
- ⚠️ SGC sovereignty (Switzerland): Official tests and legal assessments not yet fully public
Additional Research
European cloud alternatives:
- Gaia-X: Transparent cloud architecture with European control (https://www.gaia-x.eu)
- OVHcloud: French cloud provider with European infrastructure
- Scaleway: Independent European provider
US Cloud Act & legal analysis:
- CERRE Report: "Cloud Act and European Data Sovereignty"
- Microsoft Azure Data Boundary: Documented limitations and concessions
Swiss Government Cloud (SGC):
- Federal Office of Communications (BAKOM): Official SGC documentation
- Data Protection Conference: Critical assessment of SGC independence
- Swiss Hosting Association: Industry position on cloud sovereignty
Source List
Primary sources:
- Heise News: "Amazon's EU Cloud: Decoupled operations not yet tested by BSI" – Falk Steiner (15.01.2026) https://www.heise.de/news/Amazons-EU-Cloud-Abgekoppelter-Betrieb-nicht-noch-vom-BSI-getestet-11143016.html
- Born's IT and Windows Blog: "AWS launches 'EU Cloud' under the term 'AWS Digital Sovereignty'" – Günter Born (15.01.2026) https