Amazon Web Services has launched its European Sovereign Cloud to general availability, marking a €7.8 billion investment in physically and logically separated infrastructure. The service, now available in Brandenburg, Germany, aims to address European regulatory requirements and growing geopolitical concerns about U.S. access to data. While AWS emphasizes that the cloud will be operated exclusively by EU residents under a new German parent company structure, significant questions persist about whether this separation can truly protect against U.S. government data requests.
The infrastructure uses partition name aws-eusc and region name eusc-de-east-1, operating completely separately from AWS's global regions. All components, including dedicated IAM, billing systems, and Route 53 name servers using European Top-Level Domains, remain within EU borders. AWS European Sovereign Cloud GmbH, a new German parent company with three subsidiaries handling infrastructure, certificate management, and employment, manages the operations. Stéphane Israël, an EU citizen, serves as managing director alongside Stefan Hoechbauer, vice president of AWS Germany and Central Europe.
An AWS software development engineer who deployed services to the European Sovereign Cloud confirmed that the technical isolation exists in practice. Writing on Hacker News, the engineer explained:
AWS has set up proper boundaries between the European Sovereign Cloud (ESC) and global AWS. Since I'm based out of the US, I can't see anything going on in ESC, even in the service we develop. To fix an issue there, we have to play telephone with an engineer in ESC... All data is really 100% staying within ESC.
The engineer also warned about trade-offs, noting that isolation "really slows down debugging issues. Problems that would be fixed in a day or two can take a month."
Despite this technical isolation, practitioners and analysts have raised fundamental concerns about legal protection. Sam Newman, an independent technology consultant, wrote on LinkedIn:
Unless I've misunderstood the US patriot act (which is possible), the new EU AWS Sovereign cloud offering does nothing to protect customer data from being accessed by the US government. So I'm not entirely sure what this is for, other than companies wanting to pay (I assume) a premium to look like they are doing something in the face of a more erratic US regime.
Marko Teklic, an ICT solutions coordinator, echoed similar concerns, noting that under the Foreign Intelligence Surveillance Act and CLOUD Act, AWS, as a U.S.-headquartered company, remains subject to U.S. jurisdiction for its European operations. The CLOUD Act allows U.S. authorities to request data from cloud providers regardless of the cloud provider's physical location. Courts can require parent companies to produce data held by subsidiaries, which could make AWS European Sovereign Cloud GmbH's separate structure legally insufficient.
A commenter in a Reddit thread outlined the mechanism:
The act applies to 'all electronic communication service or remote computing service providers that operate or have a legal presence in the U.S.' Courts can require parent companies to provide data held by their subsidiaries.
Some believe AWS's structure might offer protection. One Hacker News user suggested that, under European governance, Amazon could tell the U.S. government that EU employees refused to comply with data requests because doing so would violate EU law. Skeptics countered that AWS could work around this by obfuscating commands to local employees or by temporarily sending U.S. employees to Europe.
Practitioners have posed pointed questions that AWS hasn't answered. S. Maud asked on Jeff Barr's LinkedIn post whether AWS would comply if the U.S. government issued a Cloud Act warrant for military operations data stored in the sovereign cloud. Sebastian Vogelsang raised technical concerns about remote intervention:
What prevents a remote kill switch? If AWS corporate or the US government directed that this infrastructure be disabled, what technical or legal mechanism would prevent that? Is the software stack fully independent, or does it rely on licenses, updates, or control planes that could be revoked from outside the EU?
The software trust issue extends beyond operations. While Hacker News commenters noted that AWS's Nitro hypervisor team is based in Berlin, questions remain about the broader AWS software stack. Has it been audited for backdoors? Could code developed in the U.S. contain mechanisms for remote access?
When asked whether AWS European Sovereign Cloud resembles AWS's China regions, principal cloud architect Ivo Pinto confirmed it's "even a better comparison than govcloud." Yet there's a crucial difference: AWS China operates through independent Chinese companies (Sinnet and NWCD), while AWS European Sovereign Cloud remains wholly owned by Amazon.com Inc.
Eric Swanson from CarMax explained what the offering actually achieves:
US ownership and headquarters mean US law can still apply to the provider, regardless of where the infrastructure runs. Sovereign cloud offerings do not override the Patriot Act. They mainly reduce overlap across other contexts: data location, operational control, employee access, and customer jurisdiction.
Organizations seeking sovereignty without U.S. ownership have European alternatives available, including German provider Hetzner, French provider Scaleway, Swiss provider Infomaniak, and StackIT by Schwarz Digits (Lidl's parent company), which multiple commenters on LinkedIn and Reddit highlighted as genuinely European sovereign cloud options.
The service launches with approximately 90 AWS services, with plans to expand through sovereign Local Zones in Belgium, the Netherlands, and Portugal. AWS projects the €7.8 billion investment will contribute €17.2 billion to the European economy over 20 years.
AWS now competes with Microsoft and Google Cloud's S3NS offering, developed with Thales. Mark Surrow noted on LinkedIn that Microsoft "had to admit it directly in a French court" that it cannot guarantee data sovereignty for EU customers. The fundamental question persists: can any U.S.-owned sovereign cloud protect European data from U.S. government access under the CLOUD Act and FISA? Until AWS answers this, organizations with strict sovereignty requirements may look elsewhere.