Demystifying the debate on the US CLOUD Act vs European/UK Data Sovereignty

Practical advice and steps for organizations to understand and comply with sovereignty and localization rules.

In an EU context, data sovereignty refers to Europe’s most sensitive data being effectively protected from undue external interference or extra-European laws. This description is set out in the Declaration for European Digital Sovereignty.

This is part of the broader concept of digital sovereignty, which relates to the EU and EU Member States’ ability to exercise autonomy and free choice in respect of their own technological solutions. The EU-level desire for digital sovereignty has recently crystallized in a Declaration for European Digital Sovereignty. Adopted by EU Member States on November 18, 2025, this non-binding commitment is centered on a shared ambition to strengthen Europe’s digital sovereignty to support economic resilience, social prosperity, competitiveness and security.

Data sovereignty is not, by default, incompatible with the engagement of service providers located outside of the EU, including in the US, and accordingly, the Declaration for European Digital Sovereignty specifically anticipates “reaping the benefits of collaboration with global partners, when possible”.

Data localization

By way of contrast, data localization is a more restrictive concept. In an EU context, it refers to laws, regulations and/or policies (usually applicable to particular sectors or specific types of organizations) which mandate that data must remain in the EU. For example, in practice, the European Health Data Space requires data access bodies, trusted health data holders, and the EU health data access service to store and process personal electronic health data in the EU when conducting certain processing operations (subject to limited exemptions). Similarly, the EU Data Governance Act (applicable to public sector bodies) provides that future EU laws may designate certain data as highly sensitive, and restrict the transfer of that data outside of the EU.

For European organizations that are subject to data localization requirements, or which otherwise handle very sensitive data, a European private cloud, public sovereign cloud or national cloud solution (as offered by various providers) may be the right solution. However, for others, including those committed to upholding the principle of European data sovereignty, US-based options may be equally suitable.

In the UK, whilst certain organizations will require a European/UK sovereign cloud solution, the data sovereignty debate is more muted. Linked with this, there is currently no government policy that directly prevents public sector organizations from storing or processing cloud-based data in any specific country. This aligns with the fact that UK data localization requirements are, at the moment, generally less commonplace than in Europe.

What is the US CLOUD Act?

The US Clarifying Lawful Overseas Use of Data (CLOUD) Act came into force on March 23, 2018. Having been in force for almost eight years, this is not a new law, although it has recently received heightened levels of attention.

Its purpose is to help with investigations relating to serious crime (including terrorism, violent crime, the sexual exploitation of children, and cybercrime) by allowing the US government to demand data from electronic communications service providers and remote computing service providers. This includes email providers, mobile phone companies, social media platforms, and cloud storage service providers (together, CSPs).

The US CLOUD Act built on existing data access powers in the US Stored Communications Act (SCA) that applied to data within the US, and extended these powers to data in the possession, custody, or control of an in-scope CSP when the relevant data is located overseas.

Consequently, CSPs with US connections may be required, under the US CLOUD Act, to disclose data relating to European/UK customers (and their end-users) to the US Government.

It follows that there are some concerns that the US CLOUD Act is fundamentally at odds with the concept of European/UK data sovereignty. However, the reality is more nuanced. First, data demands under the US CLOUD Act are subject to certain limitations, and secondly, technical solutions are typically made available by providers to help concerned organizations protect their data and mitigate the risks.

Part A: Limitations under the US CLOUD Act

Are there any objective criteria that must be complied with before the US government can make a demand for data under the US CLOUD Act?

Yes, there are defined legal processes that must be followed. The rules are set out in the SCA, and pre-date the US CLOUD Act.

In particular, the SCA requires the US government to:

  • Obtain a warrant if it seeks access from an electronic communications provider to the content of a communication that has been in electronic storage for up to 180 days. The warrant can only be obtained if the US government demonstrates “probable cause” that the communications sought will establish evidence of a crime. A warrant “may only permit searches of particular places for particular things.” In other words, it cannot be used to legitimize the bulk or indiscriminate collection of data.
  • Use a subpoena or court order if it seeks access to an electronic communication that has been stored for more than 180 days, or if the data is held or maintained by a provider of remote computing services. For a court order to be granted, the government must prove specific facts, showing that there are reasonable grounds to believe that the contents of the communication are relevant and material to an ongoing criminal investigation.

Access to non-content information and basic subscriber information (for example customer names, addresses, phone numbers, bank details) requires either a warrant, a subpoena or a court order.

Can US CLOUD Act demands for data be resisted?

Yes. A CSP can apply to court for a US CLOUD Act demand for the provision of data to be quashed or modified in a conflict-of-laws situation if:

  • the CSP reasonably believes the target of the demand is not a US person and that person does not reside in the United States; and
  • the provider reasonably believes disclosure would create a material risk of violating an overseas nation’s law; and
  • the overseas nation whose law may be violated has a data sharing agreement with the United States under the US CLOUD Act.

The order can be granted if these requirements are all met and the “interests of justice” dictate that the demand should be quashed or changed.

When considering if the CSP’s motion is in the “interests of justice” the court has to complete a comity analysis. This allows courts to excuse violations of US law, or moderate sanctions, when the violations are required due to overseas law.

The US CLOUD Act sets out various factors that courts should consider when determining whether comity principles support the motion to quash or modify. These include: the interests of the US, the interests of the foreign government, and the likelihood and nature of penalties that the CSP may be exposed to if it breaches overseas law.

This quashing/modification process is dependent on the relevant foreign country having a relevant data sharing agreement in place with the US.

In the case of the UK, there is an agreement in place: the UK-USA agreement on Access to Electronic Data for the Purpose of Countering Serious Crime, which came into force on October 3, 2022. This agreement provides a government-to-government mechanism to resolve disputes and can help de-escalate potential conflicts over data access requests. Such agreements typically have sovereignty provisions built-in which further mitigate these concerns.

The EU does not currently have a data sharing agreement with the US, but there may still be scope for CSPs to challenge a US CLOUD Act data request that would be contrary to EU law, on the basis of US common law comity principles. These principles allow US legal obligations to be avoided as a result of overseas law, when the person or entity in question acted in good faith to avoid a conflict, but there is still a likelihood of severe sanctions in the overseas country.

As far as we are aware, to date, cloud providers have not needed to test the comity principles in court. This is likely due to the fact that the US government has, up to now, avoided targeting European/UK based enterprise data. For instance, any time a US prosecutor seeks data held abroad, they must first obtain approval from the US Department of Justice’s Office of International Affairs, which shows an effort to monitor such requests and a sensitivity to diplomatic and sovereignty concerns.

Can the US CLOUD Act mandate the decryption of encrypted customer data?

No. The US CLOUD Act is encryption-neutral: it does not establish an authority permitting the US government to require service providers to decrypt communications, and it does not require CSPs to be capable of decrypting customer data. This means that if the data is encrypted and the CSP does not have lawful access to the encryption key, it is likely that it cannot be obliged to share the data (as it cannot identify the relevant data requested, and presumably a request for all data held would be disproportionate).

Are the data access rules set by the US CLOUD Act unique to the US?

No, these rules are not unique. There are similar rules in other jurisdictions.

UK: In 2019, the UK adopted the Crime (Overseas Production Orders) Act. This was against a backdrop where UK law enforcement agencies faced difficulties (similar to their US counterparts before the US CLOUD Act) in obtaining electronic data held overseas. The Act introduced a new power for the UK Crown Court to grant an order requiring a person based or operating outside of the UK to produce, or provide access to, electronic data (an OPO). An OPO can be used for the purposes of criminal investigations and prosecutions.

EU: A new EU e-evidence package, consisting of a regulation and a directive (to be implemented into national laws), will apply across all EU Member States (except Denmark) from August 17, 2026. The e-evidence package aims to make it easier and faster for EU Member State law enforcement agencies to obtain (via a European Production Order) electronic evidence from other EU Member States, in order to investigate criminal offences.

Importantly, the package also sets out a requirement for service providers to designate an establishment or appoint a legal representative in the EU, to ensure that all providers that offer services in the EU are subject to the same obligations, even if their headquarters are overseas.

Canada: The Ontario Courts have recently ruled that a Canadian subsidiary of a French organization (OVHcloud) should provide subscriber and account data linked to four IP addresses, held on servers in France, the UK, and Australia, to the Royal Canadian Mounted Police, as part of a criminal investigation. This decision was made outside of the scope of Mutual Legal Assistance Treaties (MLAT) between Canada and France. The data demand originated with a “Production Order” issued by the Ontario Court of Justice on April 19, 2024, to OVH’s Canadian subsidiary.

OVH argued that the Canadian subsidiary did not have access to the requested data, which was stored by its group entities outside of Canada, and that the disclosure would cause it to breach French law. However, on September 25, 2025, the Ontario Court of Justice (Judge Heather Perkins-McVey) ruled that OVH must hand over the requested data. OVH has since made an application for judicial review, with the aim of challenging this decision.

Part B: Technical and practical solutions

Is European/UK data residency the solution?

European/UK data residency may suit some organizations, particularly those subject to data localization requirements; however, it is not a “silver bullet” when it comes to avoiding the reach of the US CLOUD Act.

A cloud service provider may be able to offer a solution restricting its customer data handling to Europe/the UK only, under the supervision of a European or UK-registered entity within the provider’s organization. However, if the provider has a US parent company, the local entity will still be subject to the US CLOUD Act.

Similarly, a European or UK entity that sells products or services to customers in the US would still be caught. There is even some suggestion, in a paper published by the Dutch National Cyber Security Centre, that a European entity could be subject to US CLOUD Act data demands if it employs US nationals that have access to relevant data.

To what extent are cloud service providers supporting European and UK customers in the light of the US CLOUD Act?

Some cloud providers have committed to help minimize the impact of the US CLOUD Act on their customers. Whilst exact offerings vary between providers, examples of the sorts of pledges that we have seen incorporate both technical solutions and policy roll-outs designed to uphold European/UK laws, as follows:

  • Customers may have the option to create a “lockbox” around their data by giving them the ability to review and approve data before it is accessed by the service provider within the cloud solution.
  • Customers may be able to secure their data with encryption keys that they (not the provider) control (Bring Your Own Key).
  • Providers may commit to examining and validating the legitimacy of data disclosure requests to verify that they comply with applicable law before sharing any customer data.
  • Providers may offer just-in-time access, allowing access to an application or system only when strictly needed and only for as long as is necessary to complete tasks.
  • Providers may commit to using reasonable efforts to redirect law enforcement authorities to the customer to gain access to the data directly.
  • Providers may agree to notify the customer of a government disclosure request, where legally permitted.
  • Providers may agree to take steps to defend customer data from unauthorized access, including potentially challenging demands in court and exhausting any available legal remedies before disclosing any data.
  • Providers may agree to disclose only the minimum data required, if compelled after challenge.
  • Providers may publish transparency reports for customers, setting out what data disclosure requests they have received from governments (to the extent that this information is permitted by law to be shared).
  • Sovereign cloud solutions remain available where needed (as mentioned above).
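As an added example (not code from the article, and not any provider's product), the following Python models the customer-held-key arrangement described in the “Bring Your Own Key” bullet above, and illustrates the point made under Part A that a provider without lawful access to the key cannot produce content. The customer encrypts client-side, the provider stores only ciphertext, and a compelled disclosure by the provider yields nonce, ciphertext and tag but no plaintext. The class and function names (CloudProvider, respond_to_demand, and so on) are illustrative; the cipher is a standard-library stand-in (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) so that the file runs offline, whereas a real deployment would use AES-GCM from a vetted library with keys held in a customer-controlled KMS or HSM.

```python
"""Customer-held encryption keys as a control against compelled disclosure.

Added example (not from the article or any provider's product). The provider
stores opaque objects uploaded by the customer and never sees the key, so a
disclosure by the provider contains no readable content. The cipher below is
a stdlib stand-in for AES-GCM: HMAC-SHA256 in counter mode plus an HMAC tag.
"""
import hashlib
import hmac
import secrets


def _subkeys(master_key: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC subkeys from the customer's key."""
    enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(enc_key, nonce || counter) for each block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC on the customer side; the dict is all the CSP receives."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt(master_key: bytes, blob: dict) -> bytes:
    """Verify the tag before decrypting; raise if the key or object is wrong."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("authentication failed: wrong key or tampered object")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class CloudProvider:
    """Hypothetical CSP: stores opaque objects and holds no customer keys."""

    def __init__(self) -> None:
        self._objects: dict[str, dict] = {}

    def put(self, name: str, blob: dict) -> None:
        self._objects[name] = dict(blob)

    def respond_to_demand(self, name: str) -> dict:
        """Everything the provider could hand over for this object: the blob."""
        return dict(self._objects[name])


def disclosure_reveals_content(disclosed: dict, plaintext: bytes) -> bool:
    """True only if the plaintext appears in what the provider disclosed."""
    return plaintext in bytes.fromhex(disclosed["ciphertext"])


def demo() -> bool:
    """Run the scenario end to end; returns True when every property holds."""
    # Constructed sample record and key; the key never leaves the customer side.
    customer_key = secrets.token_bytes(32)
    record = b"patient_id=12345;diagnosis=constructed-sample"
    provider = CloudProvider()
    provider.put("records/1", encrypt(customer_key, record))

    disclosed = provider.respond_to_demand("records/1")
    # The provider can produce the stored object, but not the content.
    if disclosure_reveals_content(disclosed, record):
        return False
    # The key holder recovers the record; a party without the key cannot.
    if decrypt(customer_key, disclosed) != record:
        return False
    try:
        decrypt(secrets.token_bytes(32), disclosed)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("customer-held key demo ok:", demo())
```

The design point is where the key lives: because encrypt() runs on the customer side and the provider only ever receives the blob, the provider's respond_to_demand() can be fully compliant with a lawful demand while disclosing nothing readable. Contractual commitments (notification, challenge, minimum disclosure) then sit on top of a technical control rather than substituting for it.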

There may also be opportunities for customers to capture some of the above in their contractual agreements with cloud providers, as part of a balanced approach to compliance, taking into account both the nature and sensitivity of the in-scope data and the specific technical options that are available in the context.

How does it work in practice? Are there many extraterritorial accesses granted?

Transparency reports from major cloud providers indicate that US authorities are rarely given access to enterprise content stored in Europe or the UK under the US CLOUD Act. For example:

  • In the second half of 2024, Microsoft received 173 global law enforcement requests for enterprise cloud customer data. Out of these, Microsoft only produced content to US law enforcement for five non‑US enterprise customers whose data was stored outside the US, with none based in the EU/EFTA.
  • Amazon reports that since it began tracking this statistic in 2020, there have been zero disclosures of Amazon Web Services enterprise or government customer content stored outside the US to the US Government.

Will the EU Digital Omnibus soon make it easier for cloud providers to offer solutions that are compliant with EU laws?

Data processed within the scope of European laws is subject to a proliferation of regulation (particularly in the EU), including the GDPR, the Data Act, NIS2, DORA, eIDAS, the AI Act, and more. Whilst the EU Digital Omnibus Regulation Proposal, published on November 20, 2025, aims to simplify and consolidate this legal landscape, some commentators have suggested that its effect may instead be to add further layers of complexity.

Challenges could arise in connection with the roll-out of the 160-page initiative, unless clear guidance and templates are put in place, given that several of the impacted laws are already in force or are in the process of being implemented.

However, publication of this proposal is only the first step of a long journey for the EU Digital Omnibus, which is scheduled for stress-testing and refinement into 2029. As such, there is still potential for the European Commission to succeed in its aim of allowing businesses to “spend less time on administrative work and compliance and more time innovating and scaling-up.” If it does achieve this in the end, the tangible rewards may be €5 billion ($5.96 billion) in business administrative cost savings by 2029, plus €1 billion ($1.19 billion) for public authorities.

The Digital Omnibus also does not mark the end of the current regulatory drive. In this respect, the EU never seems to stop. In January 2026, another set of digital regulations was published: among others, the draft DNA, the CRA, and NIS2 amendment proposals.

What steps do we recommend for organizations?

  • Classify work types by sovereignty criticality. Creating tiers lets you determine whether, and where, any sovereignty concerns or needs arise.
  • Use a checklist aligned to sovereignty dimensions, covering aspects such as: jurisdictional requirements; technical controls (for example customer-held encryption keys); operational requirements (EU/UK-based support options); clear portability and exit avenues; and/or supply chain transparency and external assurance considerations (for example independent audits and certifications).
  • Contract for sovereignty. Add clauses and evidence requirements that cover matters included in the checklist above.

The re-emergence of data sovereignty is a policy issue, similar to privacy and cyber security – but more exposed to geopolitics. The US CLOUD Act should not be seen as strikingly different from EU and UK enforcement regimes. Its legal limitations and very low real enforcement to date, coupled with practical steps regarding clear sovereignty tiers, enforceable controls, and credible exit readiness, backed by evidence, should prove much more helpful than “all-or-nothing localization.”

Dora Petranyi is a partner and global co-head of the Technology, Media and Communications Sector Group. Emma Burnett is head of Data Protection and a partner in the Commercial Team. Tom De Cordier, partner, is a seasoned technology lawyer with a strong focus on data privacy law, technology, media and communications law, technology-related IP and life sciences.