It'd be great if they could clarify in their FAQ [1] if and how the CLOUD Act affects them.
[0] https://www.theregister.com/2025/07/25/microsoft_admits_it_c...
By setting it up with a European governance structure, Amazon can tell the US government "hey we told them give us the data, but they refused because that would send them to jail under EU law, and they're a legally separate entity so there's nothing we can do."
This is very intentionally not just a regular foreign subsidiary owned by the parent company.
And US law will just let it go?
There are several options for AWS. They can simply just obfuscate command to local employees. Or fly US employees there just for this one task. "EU law" will find out after they are back in US - if ever. There is no way to escape CLOUD Act if it is US owned.
And if they fly American employees over, what makes you think they'd be let in the building, or under what credentials do you think they'd be accessing the system? Legally speaking, those Americans are simply from a partner company. Just because you're doing business with a partner company doesn't mean you let them into your building.
The point is that AWS is intentionally making it so they don't have options.
So yes, US law lets it go. The law is limited in terms of what it can affect outside US borders. If the EU doesn't want to cooperate, and the US isn't willing to engage in sanctions or war against the EU, then yeah the US is out of options.
Can engineers be dual eu/us citizens ? AWS uses a lot of ex military and US citizens with government clearance levels for their US govcloud. I don’t see an equivalent here
Amazon can promise the moon and the sky but if I wanted digital sovereignty within the eu it would not be with Amazon any more than I would trust tencent
That’s who those US employees would be, from the point of view of the EU branch… no reason to assume they’d let them in. Flying people over to do crimes seems like a risky idea.
Organize your business and your tech correctly and you can have an owned foreign subsidiary that can comply with local laws. But things would have to be quite separate.
I doubt it, a majority owned subsidiary is usually passed through for many legal purposes.
Just make it complex enough to confuse juries beyond a prosecutors famously low appetite for losing and you'll be absolutely fine.
Or, just buy bits of control interest outright (CryptoAG?)
AWS maintains a similar stance, too [0]?
The CLOUD Act clarified that if a service provider is compelled to produce data under one of the limited exceptions, such as a search warrant for content data, the data to be produced can include data stored in the U.S. or outside the U.S.
Hm. As for AWS, they say that if the customer sets up proper security boundaries [0], they'll ensure will keep their end of the bargain [2][3]:
As part of the technical design, access to the AWS European Sovereign Cloud physical infrastructure and logical system is managed by Qualified AWS European Sovereign Cloud Staff and can only be granted to Qualified AWS European Sovereign Cloud Staff located in the EU. AWS European Sovereign Cloud-restricted data will not be accessible, including to AWS employees, from outside the EU.
All computing on Amazon Elastic Compute Cloud (Amazon EC2) in the AWS European Sovereign Cloud will run on the Nitro System, which eliminates any mechanisms for AWS employees to access customer data on EC2. An independent third party (the UK-based NCC Group) completed a design review confirming the security controls of the Nitro System (“As a matter of design, NCC Group found no gaps in the Nitro System that would compromise these security claims”), and AWS updated its service terms to assure customers “there are no technical means or APIs available to AWS personnel to read, copy, extract, modify, or otherwise access” customer content on the EC2 Nitro System.
Customers also have additional mechanisms to prevent access to their data using cryptography. AWS provides advanced encryption, key management services, and hardware security modules that customers can use to protect their content further. Customers have a range of options to encrypt data in transit and at rest, including options to bring their own keys and use external key stores. Encrypted content is rendered useless without the applicable decryption keys.
The AWS European Sovereign Cloud will also benefit from AWS transparency protections over data movement. We commit in the AWS Service Terms that access to the EC2 Nitro System APIs is "always logged, and always requires authentication and authorization." The AWS European Sovereign Cloud also offers immutable, validated logs that make it impossible to modify, delete, or forge AWS CloudTrail log files without detection.
[1] https://aws.amazon.com/compliance/shared-responsibility-mode...
[2] https://d1.awsstatic.com/onedam/marketing-channels/website/a...
independently OPERATED, not independently owned
therefore: still under the jurisdiction of the US regime
Exactly, this seem pointless for people serious about staying away from US owned data stores. I know first hand of EU based businesses that left AWS (and all other US owned services) before 2020 due to customer (B2B) demand which in turn was due to the Cloud Act[1], and for whom it today would be completely untenable to return.
The US can of course command the US owners to instruct their EU based employees to do something illegal in the EU, but if your boss tells you do do something illegal, you are still breaking the law if you do it…
AWS has set up proper boundaries between ESC and global AWS. Since I'm based out of the US I can't see anything going on in ECS even in the service we develop. To fix an issue there we have to play telephone with an engineer in ESC where they give us a summary of the issue or debug it on their own. All data is really 100% staying within ESC.
My guess is that ESC will be less reliable than other regions, at least for about a year. The isolation really slows down debugging issues. Problems that would be fixed in a day or two can take a month. The engineers in ESC don't have the same level of knowledge about systems as the teams owning them. The teething issues will eventually resolve, but new features will be delayed within the region.
>To fix an issue there we have to play telephone with an engineer in ESC where they give us a all the data we need or get fired.
?
All of these isolation sovereignty iniatives are window dressing to the bigger problem that the EU and other countries are massively dependent on proprietaey US-centric software stacks.
Not as much as you might think. The most important component -- Nitro -- basically runs out of Germany.
Or the Germany that bought Crypto AG along with the CIA to backdoor encryption hardware?
Id argue that very few software components are written (let alone maintained) by US staff. This is basically another major player (there are other sovereign clouds) reading the writing on the wall and doing what is necessary to avoid losing business or being irradiated from the market.
CloudFlare CEO, take notice. Look how the big boys do business and maybe learn a thing or two.
CloudFlare’s objection to Italy’s demands were that Italy demanded CloudFlare censor websites outside of Italy for everyone, globally. CloudFlare refused to do so and said they’d stop providing services to Italy.
Do you realize what you’re asking for in ClodFlare listening to Italy? The US will get total say over what content can be hosted anywhere in Europe (by CloudFlare), due to that precedent being set (and their greater ability to coerce ClodFlare).
Your comment is contradictory: you phrased it as respecting sovereignty, but your actual demand is that CloudFlare allow the US to enforce edicts on the EU.
Last week, after receiving a fine in Italy, the Cloudflare CEO demonstrated that US tech leadership are extremely emotionally volatile and can lash out in all directions, threatening unrelated parties with shutdown of service. This is in line with Peter "anti christ" Thiel and Elon "nazi salute" Musk going off the rails. Maybe it is a drug-induced psychosis from their annual gathering in the desert where US tech workers consume illegal substances, I don't know.
What if someone scratches Bezos' yacht by accident and then he threatens to shut down the DC? Or he might get upset about a CO2 surcharge when refueling his private jet? Can we really take these risks?
People talking about EU sovereignty and US hegemony then crying Italy isn’t allowed to dictate terms globally are showing they’re not people with principles — they’re just losers who would be every bit as hegemonic as the US, they just lack the power to be and are publicly crying about it.
Just reading what they are demanding from Cloudflare and their reasoning for it is enough to turn pretty much anyone to Cloudflare’s side. And that’s before even digging into the details of the context preceding that whole conflict
There will be gnashing of the teeth, doomsaying galore, a few actual minor catastrophes... but we will be okay.
Not just okay, but we will be better off for it. The Internet will be better off for it, because the inescapable side effect will be at least a bit of re-decentralization.
Any European equivalent replacing what is lost will be better. Not because we have better coders or are even better people, mind you - far from it. It will be better because we will have the gift of hindsight; any replacement for web-based productivity services, search engines or social media springing up will be the product of a society and legislative system which has caught up at least in some sense to technological progress and which has been there, done that. The actual web two point oh.
So let's pull out as many plugs as we can. It'll hurt for a bit, but not only is it without alternative - it'll be fresh, it'll be fun and it'll be good in the end.
Let's get to work.
AWS should be ditched altogether and something Europe based chosen even if it requires investment.
Same with Apple iCloud - one day Europeans will wake up and see that all their pictures have been deleted.
Possible this happens due to bugs in iCloud's GDPR implementation.
https://en.wikipedia.org/wiki/Microsoft_Corp._v._United_Stat...
That's the entire point of setting it up like this.
Think of it like fast-food franchises. They have to sell the same food and use the same branding and charge the same prices. But if McDonald's tells you to start selling cocaine on the side, you tell them nope, that's not in the contract and I don't feel like going to prison.
I imagine that if a back door were ever discovered, AWS's reputation would tank so hard that a lot of companies would probably never do business with it again.
probably 100%?
Of course these services are backdoored.
The prices for the only region in Germany are very similar to the prices in eu-west-1 (Frankfurt), except in € instead of $, so that’s basically a 16% markup by today's exchange rate. Also, AMD CPUs appear to be completely missing.
For a small/medium business in EU ESC is an overkill. Their data has no strategic value. Just use whatever infrastructure you want.
For any large company working at global level, owning cutting edge technology ESC is not a protection.
US just stolen a president of foreign country, do you really believe they would hesitate to do this with anybody else if they want?
Google Cloud also has the same product but with less "Google Cloud" branding:
S3NS |Thales x Google Cloud targeting a trusted cloud https://www.s3ns.io/en
Seriously though, what is stopping Europeans to "just build their own"? EU could provide some form of financing - cheap loans, tax breaks, favourable regulation etc. I know AWS is a million things, not just VMs, but is building a small cloud provider and scaling from there really that hard? Maybe I'm being super naive - ELI5 please?
In other words: making a cloud provider isn’t that difficult, making a cloud provider that people will use INSTEAD OF AWS is an exponentially harder problem.
[1] https://www.radiofrance.fr/franceculture/guerre-economique-c...
https://cybernews.com/news/europe-internet-control-sovereign...
However I'm pretty sure at this point that even the GAFAM are tired of this situation and that they don't care if giants their size show up in Europe. I'm genuinely thinking that what is also happening with AI (eg : free knowledge drop) is some kind of mechanism to allow those new giants to emerge in other places than US.
Being the bright star that takes all the broken stuff on the head is not always the smartest move - at some point if you are blocking everything from showing up just because you exist, you are just slowly creating conflict against you - which i'm pretty sure the GAFAM are not interested in.
I'm pretty sure there is a lot of power dynamic shift happening just now, AI bubble is just a tool that permit it -- the amount of startups that are allowed to launch on the simplest product are crazy --
tldr : creating incumbents then beating them is a display of power ; not caring is a display of power, having too much money is a display of power, being blocked due to political and social movement is weakening the velocity of these entities - i'm pretty sure atp that creating new giants in Europe would help them more than to continue in what appears like a colonialist endeavor - which they probably don't like either (they just want to market and win)
Idk I might be extrapolating like a mad man
Just stop using clouds run your own computers.