Paper 1 · Define

The Sovereignty Illusion

Why Most European Organisations Have Lost Control of Their Data and Don't Know It

A five-position framework for data sovereignty as it actually operates.

Most European organisations occupy Position 4, shared sovereignty with a foreign state, while believing they occupy Position 1 or 2.

That illusion rests on six trust assumptions, every one of which has already failed at least once. Under DORA, NIS2, and GDPR as interpreted by Schrems II, this is legal non-compliance.

By the standards Europe’s own courts and regulators have established, most organisations are failing.

| Position | Description | Control | Trust Required | Assessment |
| --- | --- | --- | --- | --- |
| 1 | National sovereignty | Full | Your own state | Strongest: maximum control, minimum trust |
| 2 | EU sovereignty | Full (shared) | 27 member states | Strong, but carries intra-EU trust dependencies |
| 3 | Distributed (no single entity) | Limited | Mathematical (system design) | Trust in properties not choices; control is architecturally mediated |
| 4 | Shared with foreign state | Nominal | Six assumptions | The compliance illusion |
| 5 | Decentralisation theatre | None | Foreign entity | Foreign control through decentralised architecture |

Introduction

France’s national Health Data Hub, centralising medical records from the 67-million-person SNDS database for research and public health policy, was built on Microsoft Azure.

The compliance team completed the Transfer Impact Assessment. The Data Processing Agreement was signed. The architecture was audited.

In October 2020, France’s data protection authority, the CNIL, ruled the hosting arrangement incompatible with European data protection principles and urged the Health Data Hub to stop transferring data to the United States, citing US government access risks under the CLOUD Act. The government promised migration to sovereign hosting within two years.

In 2024, a Microsoft executive testified under oath to the French Senate that Microsoft cannot guarantee European data sovereignty.

US law, the executive confirmed, overrides contractual commitments to European customers.

As this paper goes to publication, the data is still on Azure. France is still migrating.

Possession is nine-tenths of the law, and statute overrides everything beneath it. Contract sits at the bottom, enforceable only to the extent that it does not conflict with the layers above.

A data residency clause cannot override a lawful government order in the provider’s home jurisdiction, and no compliance certification can transform that legal reality into its opposite.

This is the condition our data operates under today.

The Health Data Hub had the contract and the audit, everything except sole control.

Most European organisations that believe they have achieved data sovereignty have achieved compliance, which is a different thing and a considerably less valuable one.

The Five-Position Framework

Data sovereignty is determined by two things: what you control and who you trust. Most frameworks treat sovereignty as binary. In practice, it is a spectrum. More control with less trust is stronger. The framework summarised in the table above categorises arrangements by who actually controls the data and what trust dependencies the arrangement carries. The sections that follow take each position in turn.

This framework addresses sovereignty: who controls the data and under which jurisdiction. Privacy, the question of who can see the data within a given jurisdiction, is a separate architectural property.

Sovereignty is the question of who can act on the data. Who can see the data within whatever jurisdiction holds it is a separate property, called privacy.

Without sovereignty, privacy-preserving technology is theatre.

Data flows through multiple layers: network, infrastructure, application platform, application logic, and client device. Each layer carries a position. The full vertical diagnostic is in Paper 2.

If any single layer sits at Position 4, the entire stack is contaminated. The effective position is determined by the least sovereign component.

Position 1

Position 1 is the strongest sovereignty arrangement available. Your nation-state alone has jurisdiction.

Every entity in the chain of custody is outside the jurisdictional reach of any foreign state with extraterritorial data access powers.

Infrastructure is nationally controlled. Providers are national entities.

Position 1 is achievable. What makes Position 1 strongest is the combination of maximum control with minimum trust. You trust one government, your own, and you have democratic and legal mechanisms to hold it accountable.

Position 1 does carry one trust dependency: your own state’s bilateral intelligence arrangements with foreign partners.

As documented below, that trust has not always been warranted. It remains the narrowest trust dependency on the spectrum.

Position 2

Position 2 is European infrastructure operated by European providers, with no entity in the chain subject to non-EU jurisdiction.

It is substantially stronger than Position 4 and represents the target for many European policy initiatives, including the EU Cloud and AI Development Act.

European-only providers and infrastructure exist, even if they are not yet at hyperscaler scale. Three US providers hold approximately 70 per cent of the European cloud market. European providers hold roughly 15 per cent.

That gap is the measure of the dependency, and sovereign cloud spending projected to triple between 2025 and 2027 is the measure of Europe’s recognition that it exists.

The trust surface is wider than Position 1: you are trusting 27 member states’ intelligence arrangements rather than one.

Position 2 is trust-free against non-EU commercial jurisdiction, but trust-dependent on the assumption that no EU member state is quietly providing infrastructure access to foreign agencies. As the evidence below demonstrates, that assumption has documented failures.

Position 3

In a distributed architecture, data fragments are held across multiple independent operators. Reconstruction requires consensus from a threshold of those operators, none of whom individually possesses the complete dataset.

No single entity has control. No single entity can be compelled to surrender the whole.

The architecture prevents any single actor from manipulating, censoring, or seizing the system unilaterally.

No foreign state can compel disclosure, because there is no single entity to compel and no single point of control to seize. But your own state’s control is also architecturally limited: regulatory access requires cooperation rather than a court order.

Position 3 differs from Positions 1 and 2 in kind. Where Positions 1 and 2 depend on institutional choices (a government respecting rights, a provider resisting a court order), Position 3 depends on mathematical properties that institutions cannot reverse.

That comes with a trade-off: mathematical sovereignty limits regulatory access. A bank that cannot demonstrate compliance access to its supervisor has a compliance problem no amount of cryptographic elegance solves.

Position 4

Position 4 is where most European organisations actually sit, regardless of what their compliance documentation says.

It is legally non-compliant with DORA concentration risk requirements, in breach of NIS2 supply-chain obligations, and falls short of GDPR adequacy standards under Schrems II.

Data is held by, or processed through, providers subject to foreign jurisdiction, typically US jurisdiction via the CLOUD Act or FISA Section 702. Your state has jurisdiction, but so does at least one other.

The critical difference is that Position 4 is entirely trust-dependent. Every protection relies on someone choosing to behave well.

The sharing of sovereignty is typically undisclosed to the data owner, obscured by marketing, and sustained by a compliance framework that fakes control.

The most sophisticated version of this misidentification arrived in January 2026, when Amazon Web Services launched its European Sovereign Cloud with a 7.8 billion euro investment, German legal entities, and a workforce restricted to EU residents.

By every visible metric the service appears to occupy Position 2, but the CLOUD Act applies to Amazon regardless of where its servers sit or which subsidiary operates them.

The parent company remains incorporated in Washington State, subject to FISA Section 702, and answerable to American courts.

The European Sovereign Cloud is Position 4 wearing Position 2’s clothing (Papers 2 and 3).

Position 5

Position 5 is Position 4 through the distributed ledger lens. The underlying problem is the same: your data is ultimately answerable to a foreign government or entity.

The difference is the delivery mechanism. Where Position 4 delivers foreign control through cloud contracts, sovereign labels, and EU subsidiaries, Position 5 delivers it through protocols, consensus mechanisms, and governance foundations.

European institutions that would never knowingly place critical infrastructure at Position 4 are building settlement and exchange systems on chains where the consensus, governance, and development authority sit under foreign jurisdiction.

Position 5 is decentralisation theatre. If the consensus layer, governance structure, or development authority of a nominally distributed system is controlled by entities answerable to a foreign jurisdiction, the system sits at Position 4, dressed in Position 3’s clothing (Paper 13).

Why You Are Probably at Position 4

The CLOUD Act compels any US-jurisdiction provider to disclose data regardless of where it is stored. FISA Section 702 authorises surveillance of non-US persons through those same providers, with a sunset date of April 2026.

The CJEU confirmed this in Schrems II, the most consequential data protection ruling of the decade.

The Court’s reasoning was direct: US surveillance laws do not provide protections essentially equivalent to those required under EU law.

What happened next makes the diagnosis more damning.

The EU-US Data Privacy Framework, adopted in July 2023, is the third attempt to create a legal basis for transatlantic data transfers, following Safe Harbor (invalidated 2015) and Privacy Shield (invalidated 2020).

The court declared the underlying US legal framework fundamentally incompatible. The response was to build a third framework on the same foundation.

The Data Protection Review Court derives its authority from an executive order that any sitting president can modify or revoke without legislative process.

The Privacy and Civil Liberties Oversight Board has already been effectively paralysed. If the Schrems II diagnosis was “this patient has a structural condition,” the DPF response was “we have applied a third bandage.”

The Six Trust Assumptions

Position 4 sovereignty depends on six things being true simultaneously.

The access happens through legal channels (CLOUD Act, FISA Section 702) and through extralegal ones (Operation Dunhammer, NSA Upstream cable taps, ECHELON).

Both routes have been exercised and documented. Both bypass what contract and compliance can offer.

Position 4 deserves closer examination, because it is where the illusion lives. What gets marketed as “shared sovereignty” is sovereignty contingent on six independent trust assumptions.

Every one of them has already failed at least once. To believe you are safe at Position 4, you must simultaneously trust all six.

1. The Foreign Government Will Exercise Its Powers With Restraint

The CLOUD Act and FISA Section 702 grant broad authority to access data held by US-jurisdiction providers. The assumption is that these powers will be exercised proportionately.

The Snowden disclosures of 2013 revealed that the NSA’s PRISM programme provided the intelligence community with access to data held by major US technology providers on a scale far exceeding what proportionate surveillance would require.

The programme was authorised, systematic, and industrial in scale.

The ECHELON signals intelligence network, operational since the 1960s, intercepted European commercial and diplomatic communications as a matter of routine, allies included.

2. The Foreign Government Will Stay Within Its Own Legal Framework

Even if you accept the legal framework at face value, you must also trust that intelligence agencies will confine themselves to it.

The NSA’s Upstream collection programme involved the direct tapping of fibre-optic cables carrying internet traffic, bypassing providers entirely and operating outside the warrant framework that was supposed to constrain it.

If the government can go around the provider, the provider’s compliance posture is irrelevant.

You are relying on the intelligence community’s voluntary decision to stay inside a framework it has already demonstrated a willingness to circumvent.

In 2013, it was revealed that the NSA had surveilled the personal mobile phone of German Chancellor Angela Merkel, an allied head of state.

3. You Will Be Informed When Your Data Is Accessed

Access requests under the CLOUD Act and FISA Section 702 routinely come with non-disclosure orders that prevent the provider from notifying you. Extralegal access, by definition, comes with no notification at all.

Ask your cloud provider how many government data requests they received last year concerning your organisation. They will not tell you, and in many cases they are legally prohibited from doing so.

Microsoft’s own transparency report for the first half of 2025 shows that 31 per cent of US law enforcement demands came with secrecy orders, nearly two thousand in six months, prohibiting the company from informing the customer.

FISA Section 702 orders are classified entirely. The provider cannot disclose that your data was accessed, cannot disclose that an order exists, and in many cases cannot disclose even the aggregate number of orders received.

Position 4 is sovereignty with a blindfold. You do not know when it has been breached, and the legal framework is specifically designed to ensure you do not find out.

4. The Legal Framework Will Remain Stable

The DPF is the third attempt. Safe Harbor lasted fifteen years before the CJEU struck it down in 2015. Privacy Shield lasted four before the same court struck it down in 2020.

Both failed for the same reason: the underlying US legal framework is fundamentally incompatible with EU data protection principles. The DPF was built on the same foundation.

The entire framework rests on Executive Order 14086, signed in October 2022. Any sitting president can modify or revoke it without congressional approval, without judicial review, and without notifying European partners.

The Data Protection Review Court, the independent body the European Commission cited as the key safeguard justifying the adequacy decision, derives its authority entirely from that executive order.

Every protection in the current framework depends on the continued goodwill of the government whose practices prompted the need for protections in the first place. None of it is legislated or architecturally guaranteed. All of it can be undone by a single signature.

5. Your Providers Will Resist Government Pressure on Your Behalf

The largest US technology companies derive substantial revenue from US government and defence contracts. The Joint Warfighting Cloud Capability contract alone is worth up to 9 billion dollars. Intelligence community programmes add further billions.

The conflict is structural. These companies are being asked to defy lawful orders from their own government, risk billions in defence revenue, and potentially face criminal liability, on behalf of a foreign customer whose contract is worth a fraction of what is at stake.

Providers are not bad actors. Position 4 places them in a conflict between their legal obligations and their customers’ interests, and then relies on them to resolve it in your favour.

As the French Health Data Hub case demonstrated, Microsoft confirmed under oath that US law will prevail over contractual commitments to European customers.

Position 4 cannot deliver sovereignty because the provider cannot deliver it, cannot promise it, and under oath will not claim to deliver it.

Even the most principled frontier AI companies have explicitly endorsed their models’ use for foreign intelligence collection against non-US persons, drawing their ethical boundaries at domestic surveillance of their own citizens.

For European data subjects, that boundary offers no protection whatsoever. Stronger sovereignty positions remove this conflict entirely.

If no single provider holds your complete data, no provider is forced to choose between their government and their customer.

6. The Geopolitical Relationship Will Remain Stable

Every protection at Position 4 assumes the relationship between Europe and the United States will remain cooperative enough that the legal powers described above will not be weaponised.

You are not trusting a law. You are trusting a relationship. And you are trusting it across every future administration, every future trade dispute, every future realignment.

You do not have to speculate about what this looks like.

In January 2026, the United States threatened tariffs on eight European NATO allies to coerce Denmark into ceding sovereign territory.

In January 2025, the administration dismissed the members of the Privacy and Civil Liberties Oversight Board, the independent body whose oversight the European Commission cited as a key safeguard underpinning the Data Privacy Framework.

The body that was supposed to guarantee the framework’s legitimacy has been deliberately paralysed. The alliance that was supposed to make the trust safe has been used to extract territorial concessions.

This is the current condition.

At Positions 1, 2, or 3, none of these six trust assumptions has to hold the same way. The architecture does the work that trust cannot.

The Forces Keeping You at Position 4

Position 4 is unsafe, but that is only half the diagnosis. You also need to understand why you are being kept there. The US government is actively lobbying against the regulatory baseline that European citizens already have.

In February 2026, an internal State Department cable signed by Marco Rubio directed US diplomats worldwide to oppose foreign data sovereignty laws, naming the GDPR as “unnecessarily burdensome.”

In August 2025, the same office ordered diplomats to campaign against the Digital Services Act. The administration has announced plans for an online portal designed to help Europeans circumvent content moderation requirements.

These are offensive actions by a government that views European data sovereignty as a threat to American commercial and strategic interests.

If Position 4 were protective of European data, the US government would have no reason to spend diplomatic capital fighting European attempts to move beyond it. The intensity of the opposition is itself evidence of what is at stake (the architecture behind it is in Paper 6).

The EUCS cloud certification scheme has been deadlocked since 2019 over whether to exclude non-EU providers.

GAIA-X, launched as Europe’s answer to hyperscale dominance, welcomed the hyperscalers themselves, who shaped the standards to accommodate their existing architecture. Even GAIA-X’s own leadership admitted, in writing, that the highest sovereignty level “can only be provided by providers having their headquarters in Europe.”

They said this while maintaining standards that accommodated providers whose data remains under American legislation, under the CLOUD Act.

You cannot achieve sovereignty through frameworks that include the entities from whose jurisdiction you are trying to achieve sovereignty.

The Hidden Trust Assumption in National Sovereignty

The six trust assumptions above describe what you are trusting when your data is subject to foreign jurisdiction. But there is a trust dependency that most sovereignty frameworks ignore entirely, one that applies even to Positions 1 and 2.

You are trusting that your own state is not quietly sharing access through bilateral intelligence arrangements with foreign partners.

The evidence that this trust has been violated is documented, named, and Danish.

Operation Dunhammer was an internal Danish Defence Intelligence Service investigation, launched in 2014 following the Snowden revelations, completed in 2015, and surfaced publicly in May 2021 by a consortium of European media organisations.

The findings: the NSA had provided the Danish service with selectors targeting allied heads of state, including the German Chancellor and the Swedish and Norwegian prime ministers, alongside senior diplomats from Germany, France, Norway, and beyond. Denmark’s cable-tapping stations had become an NSA listening post beneath the entire Nordic region.

The NSA did not hack. It was invited.

The NSA used the access to surveil European defence contractors bidding against US companies for Denmark’s F-16 replacement. Eurofighter GmbH and Saab had their communications monitored by the allied state they were trying to sell to.

The US-made F-35 won.

Systematic, state-facilitated commercial espionage between allies (the full intelligence-cooperation argument is in Paper 19).

The 2015 internal report sat unanswered. Management did nothing. The abuse continued.

It was only when a whistleblower moved outside the hierarchy in 2019 that anything changed.

A whistleblower had to break the chain of command, journalists had to do what oversight boards would not, and the story had to become international news before anyone in power acknowledged it.

Denmark is not unique. Germany’s BND had a virtually identical cooperation with the NSA.

Every European state with significant intelligence capability maintains bilateral arrangements with American agencies.

The architecture created the conflict.

If Denmark’s cable-tapping infrastructure had not given the Danish service the technical ability to provide that access, the ally-against-ally choice would never have arisen.

Stronger sovereignty positions do not mean retreating from alliances. They mean restructuring the architecture so that trust relationships work as intended rather than creating conflicts of interest.

When Position 3 Is Really Position 5

Position 3 has its own set of assumptions, and when they fail, what you have is Position 5: decentralisation theatre. Five layers must each be independently verifiable:

| Layer | Verification Question |
| --- | --- |
| Consensus | Who controls more than 50 per cent of validation or consensus power? If fewer than five entities, your distribution is nominal. |
| Infrastructure | Where do the nodes physically run, and under whose jurisdiction? If 70 per cent run on one provider, your jurisdictional distribution is fiction. |
| Access | How do users interact with the protocol, and who controls those gateways? If gateways are centralised, a single government can switch it off. |
| Governance | Who controls protocol upgrades, funding, and the foundation? If control is concentrated, your mathematical trust has an institutional backdoor. |
| Cryptographic | Are the cryptographic foundations independently audited, sound, and quantum-resilient? |
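The consensus and infrastructure rows can be checked mechanically once a validator inventory exists. The following is an added example, not part of the original paper: it applies the table's two thresholds (fewer than five entities for a majority, 70 per cent of nodes on one provider) to a constructed validator set, and all entity names, field names, and function names are hypothetical.

```python
"""Consensus and infrastructure checks from the verification table.

Added example. The validator set below is constructed; the two thresholds
are the ones the table states.
"""
from collections import Counter
from dataclasses import dataclass

MIN_MAJORITY_ENTITIES = 5   # table: fewer than five entities => nominal
HOST_SHARE_LIMIT_PCT = 70   # table: 70 per cent on one provider => fiction


@dataclass(frozen=True)
class Validator:
    name: str
    controller: str    # legal entity that ultimately operates the node
    jurisdiction: str  # jurisdiction that entity answers to
    host: str          # infrastructure provider the node runs on
    weight: int        # units of validation / consensus power


def majority_set(validators, key):
    """Smallest group of `key` values that together exceed 50% of weight."""
    totals = Counter()
    for v in validators:
        totals[getattr(v, key)] += v.weight
    whole = sum(totals.values())
    if whole <= 0:
        raise ValueError("no consensus weight to assess")
    chosen, held = [], 0
    # Largest holders first: the greedy choice gives the minimum group size.
    for label, w in sorted(totals.items(), key=lambda kv: (-kv[1], kv[0])):
        chosen.append(label)
        held += w
        if 2 * held > whole:   # strictly more than half, integer arithmetic
            break
    return chosen


def top_host(validators):
    """Return (provider, nodes_on_it, total_nodes) for the busiest provider."""
    counts = Counter(v.host for v in validators)
    host, n = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[0]
    return host, n, len(validators)


def assess(validators):
    # Group by controlling entity, not by node: several nodes run by one
    # entity count once, which is where nominal distribution usually hides.
    controllers = majority_set(validators, "controller")
    host, n, total = top_host(validators)
    return {
        "majority_controllers": controllers,
        "consensus_nominal": len(controllers) < MIN_MAJORITY_ENTITIES,
        "majority_jurisdictions": majority_set(validators, "jurisdiction"),
        "top_host": host,
        "infrastructure_concentrated": 100 * n >= HOST_SHARE_LIMIT_PCT * total,
    }


# Constructed inventory: ten nodes, nine entities, seven jurisdictions.
SAMPLE = [
    Validator("val-01", "Alpha Custody", "US", "CloudA", 22),
    Validator("val-02", "Alpha Custody", "US", "CloudA", 10),
    Validator("val-03", "Beta Bank", "FR", "CloudA", 12),
    Validator("val-04", "Gamma Exchange", "DE", "CloudA", 11),
    Validator("val-05", "Delta Settlement", "US", "CloudA", 9),
    Validator("val-06", "Epsilon Trust", "NL", "CloudA", 8),
    Validator("val-07", "Zeta Clearing", "US", "CloudA", 8),
    Validator("val-08", "Eta Registry", "SI", "HostB", 7),
    Validator("val-09", "Theta Depository", "BE", "HostB", 7),
    Validator("val-10", "Iota Markets", "IT", "HostC", 6),
]

if __name__ == "__main__":
    for field, value in assess(SAMPLE).items():
        print(f"{field}: {value}")
```

On the constructed set, three entities already hold a majority and seven of ten nodes sit on one provider, so both rows fail even though the node list looks geographically spread.
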

The Canton Network is the canonical case. A blockchain built for institutional finance by Digital Asset Holdings (incorporated in New York), processing over 6 trillion dollars in tokenised assets, with BNP Paribas, HSBC, Deutsche Boerse, Goldman Sachs, JPMorgan, Euroclear, the London Stock Exchange Group, and Euronext all participating. Multiple Super Validators are US-jurisdiction entities. The Canton Foundation is in New York. The Global Synchronizer Foundation operates under the Linux Foundation in San Francisco.

The Republic of Slovenia’s sovereign debt was tokenised on this infrastructure.

The privacy Canton offers European institutions is the privacy the US chooses to allow. This is Position 4 with encryption (Paper 13).

A protocol that is decentralised at the consensus layer can still be switched off at the access layer, as the Tornado Cash sanctions demonstrated when RPC providers, code repositories, and frontends were shut down within days of a single government’s order.

Institutional sovereignty and mathematical sovereignty both carry dependencies. Six trust assumptions in one case, five verification layers in the other. Neither is inherently superior.

Every sovereignty position carries dependencies. The first step to managing them is knowing what they are.

Conclusion: Seeing What Is There

What most European organisations call data sovereignty is compliance: a box-ticking exercise that satisfies auditors while leaving the underlying jurisdictional reality unchanged.

Compliant on paper is not the same as compliant in practice. The gap between the two is a structural condition that Europe’s own courts have identified twice and that Europe’s own regulations implicitly require sovereign infrastructure to resolve.

This is a way of seeing what is there. Five positions, defined by who actually has the legal and practical ability to access and control the data, and how much trust is required for that control to hold.

This does not require abandoning cloud computing or retreating into technological isolationism. It requires honesty: stop pretending that contractual arrangements can override statutory reality, that operational separation creates jurisdictional separation, or that compliance certifications equal sovereignty.

An organisation reading its own compliance documentation at Position 4 can now ask a specific question: what would it take to move to Position 2? Applied to each layer of the stack, that question becomes a procurement specification (Paper 2).

The five-position framework is a procurement map. European organisations occupy Position 4 not by accident but through the operation of commercial, regulatory, and diplomatic forces documented above. Changing positions requires a matching force in the opposite direction: procurement (Paper 8).

Escape requires placing the order.

Most European organisations are at Position 4. They believe they are at Position 1 or 2. The architecture says one thing and the compliance documentation says another, and the architecture is the one with legal force.

Six trust assumptions, every one of which has already failed at least once, are what holds the illusion together. The architecture beneath them is what the framework is for, a way of seeing what is there without the certifications in the way.

The Emperor has no clothes.

Notes

CNIL (Commission Nationale de l’Informatique et des Libertés), October 2020 opinion on the Health Data Hub Microsoft Azure hosting, finding the arrangement incompatible with EU data protection principles and urging the platform to cease US-jurisdiction processing of French health data. The Conseil d’État (decision of 13 October 2020, no. 444937) subsequently declined to suspend the hosting on the basis of contractual safeguards in the September 2020 Microsoft amendment and the government’s commitment to migrate to sovereign hosting.

Microsoft executive testimony to the French Senate, June 2025, on US government data access authority under the CLOUD Act. The company stated under oath that US law overrides contractual data residency commitments to European customers and cannot provide guarantees of data sovereignty to EU organisations.

18 U.S.C. §2713: “A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.”

The European Commission proposed the Cloud and AI Development Act (CADA) in Q1 2026, aimed at strengthening Europe’s cloud and AI infrastructure capacity while ensuring data remains within EU jurisdiction.

As of 2025, three US cloud providers (AWS, Microsoft Azure, Google Cloud) held approximately 70 per cent of the European market for cloud infrastructure services. European providers held approximately 15 per cent. See Synergy Research Group, European Cloud Market Share (2025).

Gartner estimates that European spending on sovereign cloud infrastructure will rise from $6.9 billion in 2025 to over $23.1 billion in 2027. See Gartner, ‘Worldwide Sovereign Cloud IaaS Spending Will Total $80 Billion in 2026’ (9 February 2026).

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was enacted on 23 March 2018. FISA Section 702, 50 U.S.C. §1881a, permits the targeting of non-US persons reasonably believed to be located outside the United States for foreign intelligence purposes. Reauthorised in April 2024 under the Reforming Intelligence and Securing America Act (RISAA) with a sunset date of 20 April 2026.

AWS announced the general availability of the AWS European Sovereign Cloud on 15 January 2026, with planned investments of more than €7.8 billion. The infrastructure is operated exclusively by EU residents through entities incorporated in Germany. See ‘AWS Launches AWS European Sovereign Cloud,’ Amazon Web Services (15 January 2026).

Section 702 of the Foreign Intelligence Surveillance Act, 50 U.S.C. §1881a. Reauthorised under the Reforming Intelligence and Securing America Act (RISAA), H.R. 7888, with a sunset date of 20 April 2026.

Case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems, CJEU, 16 July 2020.

The CJEU found that US surveillance laws lack “limitation on the power conferred to the implementation of certain US government surveillance programs, and also of sufficient guarantees for non-US persons that might be potentially targeted.” Case C-311/18, para. 184.

Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 on the adequate level of protection of personal data under the EU-US Data Privacy Framework.

Executive Order 14086, “Enhancing Safeguards for United States Signals Intelligence Activities” (7 October 2022). The Data Protection Review Court derives its authority entirely from this executive order, which can be modified or revoked by any sitting president without congressional approval.

President Trump fired three Democratic members of the Privacy and Civil Liberties Oversight Board on 27 January 2025, eliminating the board’s quorum. See ‘Trump’s Sacking of PCLOB Members Threatens Data Privacy,’ Lawfare (3 February 2025).

The PRISM programme, disclosed by Edward Snowden in June 2013, provided the NSA with access to data held by major US technology providers. See Glenn Greenwald and Ewen MacAskill, “NSA Prism program taps in to user data of Apple, Google and others,” The Guardian (7 June 2013).

The ECHELON signals intelligence network, operated by the Five Eyes alliance (US, UK, Canada, Australia, New Zealand). The European Parliament’s 2001 report confirmed ECHELON’s existence and its use for intercepting European commercial and diplomatic communications.

The Upstream collection programme, disclosed in the Snowden documents, involved the NSA tapping fibre-optic cables at major junction points. See Barton Gellman and Ashkan Soltani, “NSA infiltrates links to Yahoo, Google data centers worldwide,” The Washington Post (30 October 2013).

In October 2013, Der Spiegel reported that the NSA had monitored German Chancellor Angela Merkel’s personal mobile phone. The German government confirmed the surveillance, with Merkel stating that “spying among friends is not acceptable.”

Microsoft received 6,288 legal demands for consumer data from U.S. law enforcement in H1 2025, of which 31 per cent (approximately 1,949) were accompanied by secrecy orders prohibiting customer notification. See Microsoft, Government Requests for Customer Data Report (H1 2025).

FISA Section 702 orders are classified. Prior to 2014, US technology providers were prohibited from reporting any information about national security demands. Following litigation by Microsoft and others, providers may now publish aggregate data about FISA orders only in broad bands of 500 and with a six-month delay.

Safe Harbor (Commission Decision 2000/520/EC) was invalidated by the CJEU in Case C-362/14 (Schrems I), 6 October 2015. Privacy Shield (Commission Decision (EU) 2016/1250) was invalidated in Case C-311/18 (Schrems II), 16 July 2020.

Executive Order 14086, “Enhancing Safeguards for United States Signals Intelligence Activities” (7 October 2022), 87 Fed. Reg. 62283.

The Joint Warfighting Cloud Capability (JWCC) contract, awarded December 2022, is worth up to $9 billion across multiple cloud providers. Intelligence community commercial cloud programmes, including the CIA’s C2E contract, add further billions.

Microsoft executive testimony to the French Senate, June 2025. Under oath, the company confirmed that US law overrides contractual data residency commitments to European customers.

Anthropic CEO Dario Amodei stated in 2025 that the company supports the use of AI for lawful foreign intelligence and counterintelligence missions but that using AI for mass domestic surveillance is incompatible with democratic values. The ethical boundary is drawn at surveillance of the company’s own citizens, not at surveillance of non-US persons. In February 2026, the Pentagon terminated its $200 million contract with Anthropic after the company refused to remove these restrictions. See EFF, ‘The Anthropic-DOD Conflict’ (March 2026).

On 17 January 2026, President Trump announced 10 per cent tariffs (escalating to 25 per cent on 1 June) on imports from Denmark, Norway, Sweden, France, Germany, the United Kingdom, the Netherlands, and Finland. See ‘Trump announces tariffs on 8 NATO allies in latest push to acquire Greenland,’ Axios (17 January 2026).

President Trump fired three Democratic members of the Privacy and Civil Liberties Oversight Board on 27 January 2025, eliminating the board’s quorum and paralysing the oversight mechanism the European Commission cited in its DPF adequacy decision. See CDT, ‘What the PCLOB Firings Mean for the EU-US Data Privacy Framework’ (2025).

Internal State Department cable dated 18 February 2026, signed by US Secretary of State Marco Rubio, reported by Reuters on 25 February 2026. The cable ordered US diplomats to “counter unnecessarily burdensome regulations, such as data localization mandates” and specifically cited the GDPR.

State Department cable dated 4 August 2025, signed by Secretary of State Marco Rubio, directing U.S. embassies to lobby EU governments against the Digital Services Act. The administration developed an online portal, ‘freedom.gov,’ to help EU users access content moderated under the DSA. See Reuters (4 August 2025).

The EU Cybersecurity Certification Scheme for Cloud Services (EUCS) has been under negotiation since 2019. As of early 2026, no agreement has been reached on whether the highest certification levels should exclude non-EU providers.

GAIA-X CEO Ulrich Ahle stated at the Porto Summit in November 2025: ‘The highest level of sovereignty for European end customers can only be provided by providers having their headquarters in Europe.’

Ahle conceded that data stored by US providers in Europe ‘are still under American legislation, under the Cloud Act,’ while maintaining GAIA-X standards that accommodated those same providers.

Operation Dunhammer was an internal investigation by the Danish Defence Intelligence Service (FE), launched in 2014. The report was completed in 2015 and presented to FE management; no action was taken. A consortium of European media including DR, Sveriges Television, NRK, NDR, Süddeutsche Zeitung, and Le Monde published the findings on 30 May 2021.

The NSA used its access to Danish cable infrastructure to monitor communications related to Eurofighter GmbH and Saab, both bidding for Denmark’s F-16 replacement. The US-made Lockheed Martin F-35 won the contract. See DR News reporting (November 2020).

Germany’s BND had a similar cooperation with the NSA, exposed during the Bundestag investigation in 2015. The BND provided the NSA with selectors for European targets through joint operations at the Bad Aibling signals intelligence station.

The Canton Network was launched in 2023 by a consortium including BNP Paribas, Deutsche Börse, Goldman Sachs, and Digital Asset Holdings (New York). As of 2025, it processes over $6 trillion in tokenised assets. BNP Paribas issued the Republic of Slovenia’s first digital sovereign bond (€30 million) on Canton in July 2024; Euroclear launched collateral mobility for European government bonds on Canton in February 2025; the London Stock Exchange Group built its Digital Settlement House (DiSH) on Canton.

The Canton Network’s Global Synchronizer uses a two-thirds majority Byzantine Fault Tolerant (BFT) consensus protocol operated by Super Validators, including US-jurisdiction entities. The Canton Foundation is headqu
