My recent blog post about AWS European Sovereign Cloud generated more backlash than I anticipated. The core criticism was simple and sharp: AWS is still a US company. No matter how many legal structures you build, no matter how much you isolate the infrastructure, that fundamental fact doesn't change.
The critics are right. And they're also missing the point.
This isn't a defence of AWS. It's a reckoning with how we got here and what our actual options are. Because the uncomfortable truth is that we're having this conversation decades too late. We're trying to solve a sovereignty problem we created by failing to invest in European alternatives when it mattered.
Europe's missed opportunity
Let's talk about the European cloud providers we do have. StackIt, built by Schwarz Group (the people behind Lidl), represents a serious attempt at European cloud infrastructure. OVHCloud, a French company, has been building data centres and cloud services for years. These aren't trivial efforts. They're substantial businesses run by capable people.
But let's also be honest about where they are. Neither offers the breadth of services you get from AWS. Neither has the global infrastructure. Neither has the innovation velocity. If you want managed machine learning services, serverless computing at scale, or cutting-edge database technologies, you're not going to find AWS-equivalent offerings there.
This isn't their fault.
StackIt and OVHCloud are working with a fraction of the resources that built AWS, Azure and Google Cloud. They're competing against companies that had decades of investment, massive customer bases funding continuous innovation and entire ecosystems of partners and developers.
AWS didn't become AWS overnight. It had Amazon's cash flow behind it. It had early enterprise customers willing to take risks. It had a US market that was culturally more comfortable with cloud adoption. Most importantly, it had sustained, massive investment year after year.
European cloud providers never had that. European governments didn't pour billions into cloud infrastructure development. European venture capital didn't fund cloud startups at the same scale. European enterprises didn't commit to home-grown providers the way they needed to for those providers to achieve the scale required to compete.
We chose convenience over sovereignty. We chose proven solutions over supporting nascent European alternatives. We chose AWS, Azure and Google Cloud because they were better, faster and more complete. And every time we made that choice, we widened the gap.
Even when we tried to address this, we couldn't get it right. Gaia-X launched in 2020 as a Franco-German initiative to build European cloud infrastructure. The timing was perfect. The ambition was right. It started with the explicit goal of creating a genuine alternative to US cloud providers.
What happened? It became mired in governance discussions, competing national interests and endless committee meetings. The vision diluted from "build a European cloud" to "create standards for federated cloud services." That's not nothing, but it's not what we needed. Gaia-X transformed from a potential competitor to US clouds into another standards body. The initial momentum evaporated in European bureaucracy and lack of genuine collaboration.
This is the pattern. Good intentions, fragmented execution. Every major European country wants digital sovereignty, but nobody wants to subordinate their national champion to a truly European effort. Germany protects German interests. France protects French interests. We talk about European solidarity whilst ensuring our own providers get preferential treatment.
I'm not saying we should have chosen inferior technology out of principle. But we should have invested enough in European alternatives so that choice wasn't necessary. We should have been willing to collaborate across borders on the scale needed to compete. We didn't. And now we're living with the consequences.
The result is that when organisations need genuine sovereignty today, their options are limited. They can choose European providers that can't match the capability they need. Or they can choose US providers with sovereignty bolt-ons. Neither is ideal. Both are consequences of decisions we made (or didn't make) over the past 15 years.
AWS changed their story
When AWS first started talking about European Sovereign Cloud, their messaging was confident. The infrastructure would be completely isolated. European customers would have total protection. The implication was clear: this solves the sovereignty problem.
I had questions. Lots of them.
The infrastructure might be isolated, but what about the legal connection to Amazon LLC? How independent can it really be when the parent company is subject to US law? What happens if US authorities invoke the CLOUD Act? How do you guarantee that future geopolitical pressures won't create access requirements? Who actually controls the kill switch?
To AWS's credit, they engaged with these questions. But their answers evolved. The messaging shifted from "completely isolated" to something more nuanced: "we've done our utmost best to make it as hard as possible for the US to gain control."
That shift matters. It's the difference between claiming you've solved a problem and acknowledging you've mitigated it as much as practically possible.
The new framing is more honest. Yes, there's a German legal entity. Yes, European staff only. Yes, all the hardware designs and software code are available for the red button scenario. But no, we can't guarantee that geopolitical pressure could never create a situation where US authorities demand access.
I actually respect this evolution. The initial messaging was too confident. The revised messaging acknowledges constraints whilst explaining the mitigations. That's more useful than false certainty.
But it also reveals something important: there are limits to what any US company can promise about sovereignty, no matter how much they isolate the infrastructure. The parent company's jurisdiction creates inherent constraints. Legal structures and operational controls can make those constraints harder to exploit, but they can't eliminate them entirely.
This isn't unique to AWS. Microsoft and Google would face the same issues. Any US cloud provider trying to offer a truly sovereign European service would hit the same walls. The question isn't whether these constraints exist. It's whether the mitigations are sufficient for your specific risk tolerance.
No silver bullets, just trade-offs
Here's what I wish more people understood about sovereignty: there is no perfect solution. Every option involves trade-offs. The question isn't "which solution is flawless?" but rather "which trade-offs can I live with?"
Pure European cloud providers give you stronger sovereignty guarantees. But you sacrifice innovation velocity and service breadth. You might wait years for capabilities that AWS ships next quarter. That delay has real business cost.
AWS ESC gives you innovation and capability. But you accept that the parent company is American and subject to US jurisdiction. You're trusting legal structures and operational controls to create meaningful barriers, whilst knowing those barriers aren't absolute.
For some organisations, ESC makes complete sense. Regulated industries that need specific compliance guarantees. Government agencies handling sensitive data. Critical infrastructure operators. Companies in sectors where geopolitical risk is material. If you're in these categories and you need cloud capabilities that European providers can't yet deliver, ESC is a pragmatic choice.
For others, it might not be. If you're a startup optimising for speed and cost, the additional sovereignty layer might be unnecessary overhead. If you're not handling particularly sensitive data, standard AWS regions might be sufficient. If you can wait for European providers to mature, supporting them might align with your values.
The key is being honest about what you're getting and what you're giving up. ESC isn't "AWS but completely safe from US influence." It's "AWS with significant additional barriers to US influence, which might be sufficient depending on your threat model."
That's less satisfying than a simple answer. But it's accurate.
What happens next
We're having the wrong conversation when we argue about whether ESC is "good enough." The real conversation should be about why we're in this position in the first place.
European organisations need cloud capabilities. That's not optional anymore. Digital transformation, data analytics, machine learning – these aren't nice-to-haves. They're foundational to remaining competitive.
We also need sovereignty over critical digital infrastructure. Recent years have made that abundantly clear. Geopolitical stability we took for granted has proven fragile. Supply chains we thought were permanent have become negotiating chips. Digital infrastructure that seemed neutral has become caught up in power politics.
The fact that we have to choose between capability and sovereignty is a policy failure. We should have invested in European cloud providers a decade ago. We should have committed government workloads to them to help them achieve scale. We should have funded the research and development needed to compete with US innovation.
We didn't. And now we're retrofitting sovereignty onto US infrastructure because that's the best available option for many use cases.
ESC is a response to a problem we created. It's not a perfect response. But given where we are, it's a reasonable one for organisations that need both capability and sovereignty.
What would be better? Actually investing in European alternatives now, before the gap becomes completely unbridgeable. Government cloud programmes that commit to European providers. Investment in open-source cloud infrastructure. Support for European companies building cloud-native services.
Will that happen? I don't know. Europe tends to regulate American technology rather than build alternatives to it. GDPR was easier than creating European competitors to Google and Facebook. Arguing about ESC's sovereignty guarantees is easier than funding European cloud providers properly.
But if we want genuine digital sovereignty in 10 years, we need to start building it now. ESC can be part of the bridge to that future. But it can't be the destination.
Living with imperfection
I still think ESC is valuable for organisations that need it. The supply chain transparency, legal independence and operational controls are meaningful improvements over standard AWS regions. For entities handling sensitive data or operating critical infrastructure, those improvements matter.
But I'm not going to pretend it's a complete solution to European digital sovereignty. It's a US company's answer to European sovereignty concerns. That comes with inherent limitations.
The critics who say "AWS is still American" are correct. My response is: yes, and what's your alternative? If you need cloud capabilities that European providers can't deliver yet, what do you actually do? Wait and hope? Build everything yourself? Accept higher risk in standard regions?
ESC exists because European organisations need a pragmatic answer to that question. It's not the answer I wish we had. I wish we had European cloud providers with AWS-equivalent capabilities. But we don't, because we didn't invest in building them.
So we work with what we have. We push AWS to be as transparent and accountable as possible. We use ESC where it makes sense. We support European alternatives where they can meet our needs. And hopefully, we start investing seriously in building the digital infrastructure we should have built 15 years ago.
That's not a satisfying conclusion. But it's an honest one. And right now, honesty about our constraints seems more valuable than pretending we have perfect solutions.
Top comments (0)