Organisations outside the US considering the use of Cloud services have been faced with a hard choice. All the major providers, including AWS, Azure, and Google, are based in the US and fall under US legal jurisdiction.
Companies in the EU or EU-adjacent locations (especially the UK) must consider GDPR and other data regulations. Typically, these regulations state that an organisation in one of these locations should limit the use of outside third parties unless those parties can guarantee parity with EU requirements. For simplicity, I'll refer to EU organisations for the rest of this article.
For EU organisations working with US companies, there have been attempts to simplify how these parity requirements are met and to provide reassurance. Initially, we had the Safe Harbour agreements, which allowed US companies to self-certify that they could match EU data protection standards, allowing them to process data from the EU without the need for individual agreements between the EU and US companies. However, the European Court of Justice declared these agreements invalid in 2015 due to concerns raised by the Snowden leaks around US government monitoring.
After Safe Harbour, a new approach called the Privacy Shield agreement was put in place, under which the EU Commission provided a set of data privacy principles that US companies could attest they met. This was invalidated in 2020 in what is known as the Schrems II ruling, which found that the US surveillance programs were not proportionate to what the EU considered necessary, and that there was limited redress for EU citizens.
These concerns, where governmental data requests can override the guarantees from US companies, have continued, and indeed expanded, primarily because of legal instruments such as the US CLOUD (Clarifying Lawful Overseas Use of Data) Act, which states that the US government could compel US tech providers to hand over data, including that from EU/UK-based organisations.
Recently, Microsoft confirmed in a statement to a French Court that it could be forced by the US authorities to hand over data from EU organisations. AWS has stated that it could theoretically also be forced to hand over data, but was adamant that, at this time, it has had no such requests, and that it would strongly resist to the best of its legal ability.
Options for an EU company when looking for a Cloud Provider
The simple fact is that any organisation operating in the EU, UK, or adjacent countries has a legal requirement to protect the data it stores and processes. When choosing a Cloud provider with a data privacy focus, it has three options:
- Use the major US-based Cloud providers, but accept the concerns and try to put safeguards in place,
- Use EU providers, although these are likely to have limited functionality compared to those in option 1, or
- Try to build an in-house solution.
For many organisations, especially those that also operate outside the EU, the only realistic option was the first, leaving companies to juggle the balance between concerns around data access versus functionality.
Amazon's initial response
Amazon Web Services hosts an annual conference, called "re:Invent", where they announce new services or strategies. At the 2022 conference, AWS announced its Digital Sovereignty pledge, stating that it knew its customers needed to control how and where their data was stored and managed. At that time, though, it suggested that the capabilities in the standard AWS offerings, such as multiple geographical regions, encryption functionality, and the limited access that AWS had to customer data, met those needs.
Amazon believed that European customers could host data in European regions, such as Frankfurt, Paris, and Dublin, provided by AWS, and that, combined with the functionality mentioned above, would provide sufficient controls to reassure European data regulators. However, as was pointed out, even if the data was now hosted in European data centers, those centers still belonged to a US company, which could be compelled to provide data access via the CLOUD Act.
A new approach
However, in 2023, Amazon announced a change in direction, stating that it would create a new, independently managed entity in Europe, located initially in Brandenburg, Germany, to address the concerns of European and associated data regulators.
Amazon's announcement of the new provider, Amazon Web Services EU, fundamentally changed how it would approach the problem of data sovereignty.
Firstly, the new provider would not be a sub-organisation of AWS US. It would be a new legal entity registered in the EU with no control from the parent organisation. It would have a completely separate board and staff, all of whom would be European residents, to mitigate the risk of US oversight. This was modified in August 2025, when it was announced that residency was no longer sufficient, and that it would be a requirement of the new organisation that all staff must be European citizens.
Not only would the legal location of the new organisation be in the EU, but all infrastructure would also be located in the EU and would be physically isolated from the AWS US infrastructure. This meant, for example, no data would flow over US networks from the AWS side, reducing the risk of mass surveillance. However, if data left the EU boundary, for example, for an organisation with US offices or regions, data could be exposed as it flowed from Amazon EU over the public Internet.
This would also mean a new approach to how Amazon runs some of its services. A small number of AWS services are not managed at a regional level, but globally. However, these global services are actually run from a US region, so a new approach to managing services such as IAM (Identity Access Management), ACM (Certificate Management), and Route53 (DNS) would be needed.
A new provider is born, but is still finding its feet
The promise finally came to fruition in January 2026, when Amazon announced that the new provider, the European Sovereign Cloud, or ESC, was now available to its customers.
So what does the new Cloud provide?
- Legal isolation - the ESC is run by a new legal entity based in Germany, with German managing directors, and a board of EU citizens, including two independent third-party representatives, to provide additional oversight and expertise on sovereignty matters. Whilst the current workforce is all EU residents, new hiring conditions mean that only EU citizens will be hired in the future.
- Physical Isolation - the new service is hosted on completely isolated hardware, meaning no access for AWS staff in the US and no data within the service traversing US networks.
- New 'global' services - previously global services, such as IAM, Route53, and Certificate Management, are now delivered from within the sovereign cloud.
- Access to 'global AWS' development resources - the source code that implements AWS services is available to the new region, allowing services to be deployed and updated.
There was also a new aspect that was confirmed on launch - whilst the new service is aimed at EU organisations, or those operating within the EU, it's actually available to customers located anywhere in the world, meaning that it may be of significant interest to those operating in an EU-adjacent manner, such as those in the UK.
So is all rosy with the new ESC?
Whilst the new provider is a significant step forward in delivering an EU-based service and reducing the data privacy issues, there are still some concerns:
- Service parity - as with many new regions announced within the main AWS cloud, the ESC will need to catch up with services delivered in other regions. Whilst most services are available at launch, there are some significant missing pieces in the puzzle:
  - CloudFront - AWS's Content Delivery Network (CDN) is not currently available, although expected shortly. This may be of less concern due to the limited geographical market, but it does mean that organisations already deploying to the main AWS cloud may need to make some changes to their architectural designs.
  - Identity Centre - AWS generally recommends that its users use this service, allowing organisations to manage their user access to AWS via a centralised Identity Provider (IdP) such as Microsoft Azure.
  - Code 'star' services - AWS offers several services typically used in CI/CD deployments, such as repositories, pipelines, etc., which are not available in the European offering.
  - PrivateLink - one of Amazon's main security mitigations is the use of Virtual Private Clouds (VPCs). These can be used to isolate network traffic and access, either in public subnets that have access to the Public Internet, or in private subnets that have much more limited access. These private subnets may be impacted due to the lack of PrivateLink, which is used to provide access to AWS or organisational services without traversing the Public Internet.
  - A full list of services implemented in the ESC is available here.
- Geographical resilience - within the main AWS cloud, users can mitigate the risk of losing services deployed in a region by deploying their services across multiple geographical regions. Currently, there is only a single region available in the ESC, although there are multiple availability zones, and more regions are expected shortly.
- Changes to infrastructure naming - the new service is delivered via what AWS calls a new partition (similar to Gov Cloud, for example). This means that the internal identifiers for resources, known as Amazon Resource Names or ARNs, take a slightly different format. If users have assumed a particular format and hard-coded it in their Infrastructure as Code configurations, this will require some rework before it can be deployed to the ESC.
- True legal independence - this is probably the biggest regulatory concern. The new provider is a completely separate legal organisation, but it remains a subsidiary of Amazon. There is concern that pressure could be placed on Amazon if a data request were made via the CLOUD Act, or if the US government imposed sanctions on the new organisation.
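The hard-coded ARN problem described under "Changes to infrastructure naming" can be checked for before a migration. The following is an added example, not code from the original article or from AWS: it scans template text for ARNs whose partition field is a literal and proposes a partition-neutral form. The sample template fragment is constructed, and `find_hardcoded_arns` and `portable` are hypothetical helper names.

```python
import re
from typing import NamedTuple

# ARN layout: arn:<partition>:<service>:<region>:<account-id>:<resource>
# Only literal partitions match; templated ones such as ${AWS::Partition} do not.
HARDCODED_ARN = re.compile(r"arn:(aws[a-z-]*):([a-z0-9-]+):([^\s\"']*)")

# Partition-neutral placeholders per IaC tool. The Terraform form assumes the
# configuration declares: data "aws_partition" "current" {}
PLACEHOLDER = {
    "cloudformation": "${AWS::Partition}",
    "terraform": "${data.aws_partition.current.partition}",
}

class Finding(NamedTuple):
    line: int
    partition: str
    service: str
    arn: str

def find_hardcoded_arns(text):
    """Return every ARN in the text whose partition field is a literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in HARDCODED_ARN.finditer(line):
            findings.append(Finding(lineno, m.group(1), m.group(2), m.group(0)))
    return findings

def portable(finding, tool="cloudformation"):
    """Swap only the partition field; region, account and resource are kept."""
    prefix = "arn:" + finding.partition
    return "arn:" + PLACEHOLDER[tool] + finding.arn[len(prefix):]

# Constructed CloudFormation-style fragment (not taken from a real deployment).
SAMPLE = """\
Statement:
  - Resource: arn:aws:s3:::example-audit-logs/*
  - Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*
ManagedPolicyArns:
  - arn:aws:iam::aws:policy/ReadOnlyAccess
"""

if __name__ == "__main__":
    for f in find_hardcoded_arns(SAMPLE):
        print(f"line {f.line} ({f.service}): {f.arn} -> {portable(f)}")
```

In CloudFormation the rewritten string only resolves when it is wrapped in `Fn::Sub` (`!Sub`), so each flagged value needs that wrapper as well as the new partition field.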
Conclusion
Whilst the new service is aimed at companies based or operating in Europe, its availability to those outside the EU will be attractive to other organisations, especially those with concerns around geopolitical stability.
However, the concerns listed above, especially Amazon's ownership of the new provider, mean that end users will still need to carefully consider the implications of using it. Even so, global organisations operating in Europe now have a compliant path to delivering services within the EU, whilst still having access to most of the services available in the AWS ecosystem.