Your Cloud Is in Europe, But Under Which Law Do Your Data Live?

Aire held its first session of Clear Your Cloud on 07/08/2026, a series of meetings designed to clarify the technical, legal, and economic decisions surrounding digital infrastructure. Zigor Gaubeca, CIO of Aire, and David Aibar Carretero, Head of Sales, focused the webinar on a question that many companies still cannot answer: where are their data, who can exercise authority over them, and how long would it take to move their loads if conditions changed. The full recording is available on Aire’s LinkedIn profile.

The Key to Cloud Sovereignty in 20 Seconds

  • Hosting information in a European data center doesn’t mean it’s solely subject to European legislation.
  • The nationality, corporate structure, and effective control of the provider also determine legal exposure.
  • The U.S. CLOUD Act allows certain providers to be compelled to disclose data under their possession, custody, or control, even if stored outside the U.S.
  • This does not entail arbitrary access to any company: it requires a legal process targeting specific information and includes mechanisms for contesting requests.
  • The European Cloud and AI Development Act, known as CADA, proposed in June 2026, is still under negotiation.
  • The Data Act already requires facilitating portability and better preparing for exit from a cloud provider.
  • Sovereignty doesn’t mean abandoning hyperscalers but rather avoiding dependence on a single provider for all business continuity.
  • The first practical step is classifying data and testing an exit plan before it’s needed.

The starting point of the meeting was the complex regulatory framework forming around the cloud. GDPR, Data Act, NIS2, AI Regulation, and the upcoming CADA are not isolated pieces. Together, they compel companies and administrations to better understand their dependencies, the countries from which their services are provided, and the conditions for regaining control of their data.

During the session, Gaubeca and Aibar emphasized that digital sovereignty should not be viewed as a theoretical debate or a choice between “Europe” and “public cloud.” It’s a matter of risk management: understanding what would happen if a provider changed prices, modified licenses, received an order from a foreign authority, or ceased providing an essential service.

Server Location Is Just One Part of the Answer

For years, many cloud decisions boiled down to a seemingly simple question: which region are the data hosted in? Choosing Madrid, Paris, Frankfurt, or Dublin was considered enough to keep information within Europe.

Physical location is important but doesn’t resolve jurisdictional issues by itself. You also need to understand who controls the contracted company, what corporate entities are involved, who can manage the platform, and which foreign laws can compel action.

The CLOUD Act, enacted in the U.S. in March 2018, states that providers subject to its jurisdiction must produce, via legal procedures, data under their possession, custody, or control, even if stored abroad. Therefore, a service deployed in a European region is not automatically outside its reach.

This needs an important clarification: the CLOUD Act does not allow any U.S. judge to request indiscriminately all data of a company for an unrelated investigation. Requests must refer to specific information and rely on valid orders or legal instruments. Providers also have channels to contest certain requests when they conflict with foreign rights.

The real risk is not an open door without controls but the overlap of two legal frameworks. A European company could be bound by GDPR while depending on a provider obliged to answer to a U.S. authority. This tension was highlighted by European data protection authorities shortly after the law’s adoption.

Hence, the phrase “data is in Europe” is insufficient. To understand the actual exposure, ask more: who controls the encryption keys? From where is support provided? Which subcontractors are involved? Can the parent company technically access systems? What does the provider say about government requests? Is there a truly independent European entity?

Encryption reduces risk but isn’t a universal solution. When the provider controls keys or needs to access plaintext content, an order could still affect data. Guarantees increase when clients keep exclusive control of keys and the design prevents operators from reconstructing them, though this isn’t viable for all applications.

Europe Aims to Make Sovereignty a Measurable Condition

On 06/03/2026, the European Commission introduced a package to reduce external technological dependencies. One component is the Cloud and AI Development Act, CADA, aimed at strengthening Europe’s capabilities in cloud computing, artificial intelligence, and data centers.

CADA is not yet law. It must be negotiated with the European Parliament and Council before finalizing. This detail is significant for companies: currently, there are no directly enforceable obligations under the new proposal, but its direction indicates where public procurement and critical infrastructure are heading.

The proposal features sovereignty criteria for services used in sensitive sectors and public contracts. Data residency remains important, but so do applicable legislation, corporate control, technology used, and the risk of foreign authorities interrupting services or accessing data.

The Commission has voiced concerns about so-called kill switches: the risk that a foreign company or government could suspend a technology relied upon by hospitals, energy grids, administrations, or financial services. The debate now extends beyond privacy to include continuity, industrial capacity, and systemic autonomy during crises.

Gaubeca explained that this framework joins GDPR, the AI Regulation, and NIS2. Each addresses different risks, but all increase companies’ responsibilities over their providers, data flows, and resilience processes.

NIS2 expands cybersecurity obligations across more sectors, including cloud providers, data centers, and managed service companies, forming a risk assessment, protection, and incident notification chain. Spain was still completing transposition when the webinar took place.

The AI Regulation adds another layer: when a company moves data to a generative tool, it must consider not only infrastructure location but also what information employees input, whether there’s a legal basis for processing, how data leaks are prevented, and which secondary providers are involved.

A contract ensuring the model won’t train on corporate data is useful but doesn’t replace controls like data loss prevention, classification, permissions, and transparency. Business AI use increases the volume of sensitive info leaving traditional systems, sometimes just by copying text into a chat window.

Exiting Must No Longer Be Optional

One of the most practical messages was the need to design exit strategies before entering the cloud. Adit Aibar used the analogy of renting an office: the occupant must plan not only the move-in and rent but also what it costs to leave and return the property in original condition.

With cloud, it’s often different. Companies budget for initial migration, computing resources, and monthly costs, but rarely reserve funds for data extraction, application transformation, and service rebuilds with another provider.

Problems arise when exit becomes involuntary. Price hikes, license changes, M&A, regulatory decisions, or geopolitical conflicts can turn an affordable architecture into a dependency that’s hard to sustain.

The European Data Act aims to lower some of these barriers. Key provisions, effective from 09/12/2025, require providers to include clear conditions for switching to other services or returning to in-house infrastructure.

The regulation generally establishes a maximum 30-day transitional period after contractual notice to complete the switch. If the provider shows that the timeframe isn’t feasible, they can propose alternatives up to seven months. They must also cooperate, maintain continuity, and specify which data and digital assets can be exported.

It also mandates providers to disclose jurisdictional information and measures to prevent international government access conflicting with European law. Transparency here directly relates to Aire’s question: under which law do the data truly fall?

Fees linked to switching, including certain exit costs, should be limited during the transition. From 01/12/2027, providers can’t charge for mandatory switch activities, though additional services, third-party costs, and contractual penalties outside that scope may still apply.

Removing a fee doesn’t automatically make an app portable. A platform built on proprietary services, managed databases, serverless functions, and exclusive tools may require months of development to run elsewhere.

The most difficult barrier isn’t always contractual; it can be architectural.

Sovereignty Doesn’t Mean Renouncing Hyperscalers

The discussion avoided framing AWS, Microsoft Azure, or Google Cloud as enemies. Their platforms offer scale, advanced services, and rapid innovation that are hard to replicate. They remain a reasonable choice for many workloads.

Operational sovereignty is about maintaining the ability to decide what runs where and ensuring one provider doesn’t dominate all critical functions. A company can use a hyperscaler for global services or innovation and reserve a European cloud, private infrastructure, or secondary provider for sensitive data, backups, and resilience.

Aibar recalled a well-known software development principle: low coupling and high cohesion. For decades, programmers have been taught to avoid components that condition entire applications. Yet many organizations have built infrastructures heavily dependent on a single platform.

Diversification shouldn’t be mistaken for unplanned load distribution. Improvised multicloud strategies increase complexity, duplicate tools, and complicate security. Organizations should define which risks they want to mitigate and which applications truly justify alternative solutions.

The conversation should start with classification of data. Public data, internal apps, medical records, credentials, proprietary algorithms, and backups all require different levels of protection.

A possible approach groups three categories: data with no sensitive info that can stay where it’s most efficient; critical systems designed to operate in hybrid environments; and sensitive data that could threaten business continuity if lost, accessed, or disrupted, thus requiring maximum legal, technical, and operational control.

Four Tasks a Company Should Start Before 2027

AreaQuestion to AnswerRecommended Action
JurisdictionWhat countries and companies can exert control over the service?Create a map of providers, parent companies, subcontractors, locations, admin staff, and applicable legislation
ClassificationWhich data supports the business, and which can move with less risk?Classify information and loads by sensitivity, dependency, RTO, RPO, and regulatory impact
Exit StrategyHow much would it cost and how long to switch providers?Document formats, volumes, bandwidth, tools, transformations, staff, and migration costs
Technical TestingDoes the plan work outside of a document?Perform exports, restores, and periodic startups on an alternative infrastructure

The plan must go beyond a contractual clause. It’s necessary to know how many terabytes need transfer, the duration given the available bandwidth, and which services cannot be reproduced outside the original provider.

Copies must also be recoverable in a different environment. A backup stored with the same provider and dependent on their tools doesn’t protect against commercial, legal, or technical lock-in.

The contract should specify what data can be exported, in which formats, with what support, within what timeframe, and at what cost. It should also address post-migration deletion, log availability, key return, and transition assistance.

The final step is testing. An organization doesn’t truly know if it is sovereign just because the provider claims so; it knows when it can restore an app, rebuild a network, and continue services elsewhere within a known timeframe.

That was the core message of the first Clear Your Cloud session: sovereignty isn’t a marketing label or a location on a map. It’s the ability to maintain control when laws, contracts, prices, or geopolitical contexts change.

The webinar recording with Zigor Gaubeca and David Aibar Carretero is available on Aire’s LinkedIn profile. The session begins a conversation that, in the coming months, will extend beyond legal departments. CADA, the Data Act, NIS2, and AI growth will bring jurisdiction, portability, and exit plans to the agenda of every technology and continuity leader.

Frequently Asked Questions

Does hosting servers in Europe guarantee that the CLOUD Act doesn’t apply?
No. Physical location is only one factor. It’s also crucial whether the provider is subject to U.S. jurisdiction and if they possess, control, or can access the requested data.

Can the U.S. freely access any data stored with a U.S.-based provider?
No. Valid legal procedures must target specific information. Providers can contest certain requests, though extraterritorial scope may lead to conflicts with European laws.

Does CADA already require companies to use European cloud providers?
Not yet. The Cloud and AI Development Act was proposed in June 2026 and must go through the European legislative process.

What should a company concerned about cloud sovereignty do first?
Inventory providers and jurisdictions, classify critical data, and estimate costs for each load’s transition. Then, conduct an actual exit test.

Scroll to Top