sovereignty 8 min read

Why European Data Sovereignty Matters More Than Ever

The CLOUD Act, FISA 702, and Schrems II have fundamentally changed the risk calculus for European enterprises using US cloud services. Here's what you need to know.

LM

Lukas Müller

15 November 2025

The landscape of data privacy has shifted dramatically in recent years. For European enterprises, the question is no longer whether to pursue digital sovereignty — it’s how quickly they can achieve it.

When the Court of Justice of the European Union struck down the Privacy Shield framework in its landmark Schrems II ruling in July 2020, it exposed a fundamental truth: US surveillance law and EU data protection law are fundamentally incompatible.

The CLOUD Act, enacted in 2018, gives US law enforcement the power to compel American technology companies to hand over data stored anywhere in the world. This includes data stored on servers physically located in the European Union.

What This Means for Your Organisation

If your organisation uses Microsoft 365, Google Workspace, or any cloud service from a US-headquartered provider, your data is potentially accessible to US authorities — regardless of where it’s physically stored.

This isn’t a theoretical risk. It’s the law.

The Key Regulations

  1. CLOUD Act (2018): US authorities can demand data from US companies regardless of where it’s stored
  2. FISA Section 702: Authorises mass surveillance of non-US persons using US-based services
  3. Executive Order 12333: Permits warrantless collection of data in transit between data centres

The EU-US Data Privacy Framework: A Fragile Solution

The current EU-US Data Privacy Framework, adopted in July 2023, is widely expected to face legal challenges. Privacy advocate Max Schrems has already indicated that a “Schrems III” challenge is likely.

Building your data strategy on a legal framework that could be invalidated at any moment is not a sound enterprise decision.

The Path Forward

European enterprises need productivity tools that are sovereign by design — not just by policy. This means:

  • European ownership: No US parent company with CLOUD Act obligations
  • European infrastructure: Servers, networks, and staff entirely within EU jurisdiction
  • European engineering: Development and operations teams based in the EU
  • Customer-controlled encryption: Keys managed by you, not the service provider

Making the Switch

The good news is that sovereign alternatives now exist. Modern European enterprise suites offer the same productivity features as Microsoft 365 — email, collaboration, security, endpoint management — without any US jurisdiction exposure.

The migration path is well-established, and thousands of European enterprises have already made the transition. The question isn’t whether your organisation should follow — it’s whether you can afford to wait.

UnionStack provides a complete Microsoft 365 alternative built and hosted entirely in Europe. Learn more about our sovereignty guarantees or request a demo.