Fri, Nov 28, 2025 · Will Hackett

Europe's quiet revolt against US cloud


Something shifted in 2025.

Switzerland's data protection authorities declared that public bodies using Microsoft 365 for sensitive data is, in most cases, unlawful.[1] Schleswig-Holstein, Germany's northernmost state, is removing Microsoft from 30,000 civil servants' workstations.[2] Denmark's Minister for Digitalisation announced her ministry will be Microsoft-free by autumn.[3] Copenhagen and Aarhus had already started.[4]

These aren't isolated decisions. They're a pattern.

The US CLOUD Act

The US CLOUD Act, passed in 2018, allows federal law enforcement to compel US-based technology companies to hand over data stored on their servers—regardless of where those servers are physically located.[5] Data in a Microsoft data centre in Frankfurt? Still accessible. AWS in Dublin? Same story.

This wasn't always perceived as a crisis. The legal mechanism existed, but the political trust did too. European governments tolerated the theoretical risk because the practical benefits of US cloud services were enormous, and transatlantic relations were stable enough that the risk felt abstract.

That calculation has changed. Trump's return to office, explicit threats toward Greenland, and rising US-EU tensions have made the abstract concrete. Danish officials explicitly cited American espionage concerns as a factor in their Microsoft phase-out:

"Denmark's relationship with the US, a major exporter of digital services, has become strained by Trump's stated ambition of taking control of Greenland and recent reports the US wants to step up spying on Greenland and Denmark."[3]

The shift isn't technical—it's political. Trust has eroded.

The Swiss resolution puts it plainly:

"US providers can be obligated under the CLOUD Act, enacted in 2018, to hand over customer data to US authorities without following international legal assistance rules—even when this data is stored in Swiss data centres."[1]

For governments handling citizen data, this represents an unacceptable loss of sovereignty.

The trade-off nobody wants to make

Here's the uncomfortable truth: Microsoft 365 is excellent software. Word and Excel just work. The formats are ubiquitous. Training costs are low because everyone already knows how to use it.

LibreOffice is capable, but it's not the same. Munich famously tried this migration in the 2000s, then reversed course in 2017, citing interoperability problems and user resistance.[2] Schleswig-Holstein's digitisation minister acknowledges the challenge directly:

"If people aren't guided through it, there's an outcry and everyone just wants to go back to how it was before."[2]

The core tension is User Experience & Compatibility versus Security & Sovereignty.

European organisations face an impossible choice: accept legal exposure to a foreign government's data demands, or accept worse tooling and painful migrations. Neither option is good.

Jan Damsgaard, head of the Department of Digitalisation at Copenhagen Business School, framed the stakes clearly:

"Denmark, as the most digitised country in the world, is completely dependent on American tech companies and that is clearly not a sustainable situation."[3]

Why encryption isn't always the answer

The obvious response is end-to-end encryption. If Microsoft can't read your data, they can't hand it over. Problem solved.

Except it isn't. The Swiss resolution notes that most SaaS solutions don't offer true end-to-end encryption that excludes provider access to plaintext data.[1] And there's a reason for that: cloud services need to process your data to be useful.

Search requires indexing. Collaboration requires the server to merge edits. AI features require access to content. The functionality that makes cloud software valuable is precisely what makes client-side-only encryption impractical.

You can encrypt data at rest. You can encrypt data in transit. But if the service needs to do anything meaningful with your data, someone other than you needs access to the keys at some point. The CLOUD Act problem isn't solved by better cryptography—it's a jurisdictional issue masquerading as a technical one.

The Swiss authorities reached the same conclusion:

"The use of international SaaS solutions for particularly sensitive or legally protected personal data by public bodies is only permissible when the data is encrypted by the responsible body itself and the cloud provider has no access to the key."[1]

For most organisations, that condition is impossible to meet while retaining useful functionality.
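
The condition in the Swiss resolution, and its cost, as an added example (not code from the original post or from any provider mentioned): documents are encrypted with Node's built-in `crypto` module before upload, so server-side search matches nothing and search only works after local decryption. `Provider`, `tenantKey`, `clientSearch` and the two sample documents are hypothetical names and constructed data.

```javascript
const crypto = require('node:crypto');

// Key generated and held by the responsible body; it is never uploaded.
const tenantKey = crypto.randomBytes(32);

// Encrypt with AES-256-GCM before the document leaves the organisation.
function encryptDoc(key, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce per document
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Decrypt locally; throws if the key is wrong or the blob was altered.
function decryptDoc(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Hypothetical provider: stores opaque blobs and offers server-side search.
class Provider {
  constructor() { this.blobs = new Map(); }
  put(id, blob) { this.blobs.set(id, blob); }
  // Without the key, the provider can only scan the bytes it holds.
  search(term) {
    const needle = Buffer.from(term, 'utf8');
    return [...this.blobs].filter(([, b]) => b.ct.includes(needle)).map(([id]) => id);
  }
}

// Search that still works: fetch every blob, decrypt locally, then match.
function clientSearch(provider, key, term) {
  return [...provider.blobs]
    .filter(([, b]) => decryptDoc(key, b).includes(term))
    .map(([id]) => id);
}

// Constructed sample documents, not real records.
function demo() {
  const p = new Provider();
  p.put('case-17', encryptDoc(tenantKey, 'Asylum application, applicant Jane Example'));
  p.put('memo-02', encryptDoc(tenantKey, 'Canteen menu for next week'));
  return {
    serverHits: p.search('Asylum'),
    clientHits: clientSearch(p, tenantKey, 'Asylum'),
  };
}
console.log(demo());
```

The client-side search has to download and decrypt every document, which is the functionality cost the paragraph above describes.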

The Third Path: Well-funded FOSS with commercial support

There's a third path forming, and it looks like this: open-source software, commercially supported, designed for self-hosting.

Nextcloud and IONOS are launching Nextcloud Workspace as a sovereign Microsoft 365 alternative—fully GDPR-compliant, hosted in Europe, with enterprise support.[6] IONOS provides the infrastructure; Nextcloud provides the software. The customer retains control of their data because the data never leaves infrastructure they control.

Achim Weiß, CEO of IONOS, articulated the value proposition:

"As German providers, IONOS and Nextcloud guarantee their users sovereignty over their data—we rule out access by third parties as permitted by the US CLOUD Act. Our cooperation therefore gives Nextcloud customers the legal security they need."[7]

This model inverts the SaaS relationship. Instead of trusting a provider with your data and hoping jurisdiction doesn't become a problem, you run the software yourself—or on European infrastructure under European law—and pay for support, updates and integration work.

The provider never touches your data. They can't comply with a CLOUD Act request because they don't have access to anything worth requesting.

IONOS is explicit about what this means in practice:

"The entire cloud infrastructure is made in Germany, hosted in data centres under German jurisdiction. Data transfers to third countries? Excluded. Access by foreign intelligence agencies? Not possible. IONOS operates under European law only—with no exceptions."[8]

Ecosia and Qwant have done something similar for search. Their joint venture, European Search Perspective, launched a sovereign search index in August 2025—the first time in Ecosia's 16-year history that it's delivered results from infrastructure it controls.[9] Christian Kroll, CEO of Ecosia, explained the reasoning:

"Having our own search infrastructure is a critical step towards plurality; a healthy and diverse search market reflecting multiple perspectives, and building Europe's own digital tools."[10]

The explicit goal is reducing dependence on US providers for critical digital infrastructure.

What this requires to scale

For this model to work at scale, a few things need to happen.

First, the software needs to be genuinely good. Open-source alternatives have historically lagged proprietary options on polish and usability. That gap is narrowing, but it needs to close further. Users will tolerate some friction for sovereignty, but not unlimited friction.

Second, the commercial support layer needs to be robust. Self-hosting is only viable for large organisations if they're not also building internal expertise from scratch. The support companies need to be well-funded, responsive and capable of handling enterprise-scale deployments.

Third, interoperability standards need to improve. Organisations don't exist in isolation. If your government ministry runs Nextcloud but your contractors run Microsoft, you need document formats and collaboration protocols that work across both. The EU's push for open standards helps, but practical compatibility matters more than theoretical compliance.

Fourth, procurement practices need to change. Buying Microsoft is easy—there's a contract, a price and a vendor to blame if things go wrong. Self-hosted open-source with commercial support is a more complex arrangement. Government procurement frameworks need to accommodate this model without making it prohibitively bureaucratic.

The stakes

This isn't really about LibreOffice versus Word. It's about whether European governments and businesses can operate critical functions without legal exposure to foreign jurisdictions.

The CLOUD Act isn't going away. If anything, US data demands are likely to expand under an administration that views allied nations' sovereignty as negotiable. The question for European organisations isn't whether to address this—it's how.

Denmark's business minister summarised the broader concern:

"If we only use their solutions, it makes our society extremely vulnerable in a world that is changing with pressure from great powers, geopolitical tensions, and a technology race. That is why we must develop our own solutions."[4]

The well-funded FOSS model offers a path that doesn't require choosing between security and usability. It's harder than signing an enterprise agreement with Microsoft, but it's easier than accepting that a foreign government has legal access to your citizens' data.

Schleswig-Holstein expects to save tens of millions of euros over time.[2] Denmark anticipates similar benefits.[3] The financial case reinforces the sovereignty case.

That said, the financial savings should also flow back into the FOSS ecosystem. Governments can close the gap on usability and interoperability by funding development, supporting standards work, and investing in training.

The transition will be difficult. Some organisations will stumble. But the direction is clear, and the underlying logic isn't going to reverse. The era of unquestioning trust in US cloud providers is ending. What replaces it is still being built.


References


  1. privatim (2025). _Resolution zur Auslagerung von Datenbearbeitungen in die Cloud_. https://www.privatim.ch/de/publikation-resolution-zur-auslagerung-von-datenbearbeitungen-in-die-cloud/
  2. TechXplore (2025). _'We're done with Teams': German state hits uninstall on Microsoft_. https://techxplore.com/news/2025-06-teams-german-state-uninstall-microsoft.html
  3. The Local Denmark (2025). _Why Denmark wants to cut use of Microsoft products at key ministry_. https://www.thelocal.dk/20250610/why-denmark-wants-to-cut-use-of-microsoft-products-at-key-ministry
  4. Euronews (2025). _Two city governments in Denmark are moving away from Microsoft amid Trump and US Big Tech concerns_. https://www.euronews.com/next/2025/06/12/two-city-governments-in-denmark-are-moving-away-from-microsoft-amid-trump-and-us-big-tech-
  5. Wikipedia (2025). _CLOUD Act_. https://en.wikipedia.org/wiki/CLOUD_Act
  6. Nextcloud (2025). _A sovereign Microsoft 365 alternative: Nextcloud and IONOS join forces_. https://nextcloud.com/blog/nextcloud-workspace-microsoft-365-alternative-by-nextcloud-and-ionos/
  7. Nextcloud (2022). _IONOS and Nextcloud together for more data sovereignty_. https://nextcloud.com/blog/ionos-and-nextcloud-together-for-more-data-sovereignty/
  8. The Register (2025). _Build cloud infrastructure – secure and sovereign for the future_. https://www.theregister.com/2025/09/02/build_cloud_infrastructure_secure/
  9. Ecosia Blog (2025). _The internet just got better: our European search index goes live_. https://blog.ecosia.org/launching-our-european-search-index/
  10. PPC Land (2025). _Ecosia launches European search index in France_. https://ppc.land/ecosia-launches-european-search-index-in-france/

About the Author

Will Hackett

I'm Will Hackett, CTO at Flowstate. I'm a technology leader who's led engineering teams across startups and larger organisations. Previously I co-founded Pragmatic, an AI company, built product at Pactio and led engineering teams at Blinq and Linktree. I'm passionate about distributed systems, product engineering and helping teams ship great software.