About the next webinar

Why is European cloud suddenly a topic in 2026?

July 15, 2026

Why is European cloud suddenly a topic in 2026?

Sakif Surur

By:

Sakif Surur

Updated on:

July 15, 2026

For most of the past decade, "European cloud" was a phrase you heard from government procurement officers and one or two consultants. In 2026 it has moved into boardroom conversations, customer security questionnaires, and the headlines of mainstream IT media.

This article walks through what European cloud actually means, why this is happening now, who the providers are, and what the regulatory pressure is going to do over the next eighteen months.

What is European cloud?

The phrase gets used to mean four different things, and the differences matter before any conversation about strategy.

EU-based data centres. AWS, Azure and GCP all qualify. Frankfurt, Dublin, Amsterdam, Stockholm. Physical EU presence. This is the weakest definition and the one hyperscaler marketing leans on. The data sits in Europe; the company operating it does not.

EU-owned company. OVHcloud (France, listed in Paris), Scaleway (France, Iliad group), Hetzner (Germany, privately held), Ionos (Germany, listed in Frankfurt) and StackIT (Germany, Schwarz Gruppe, the group behind Lidl and Kaufland) all clear this bar.

EU-jurisdiction with no CLOUD Act exposure. The US CLOUD Act allows US authorities to compel data disclosure from US-incorporated companies regardless of where the data sits. An EU subsidiary of a US company is in scope. Only a fully EU-incorporated provider with no US parent is outside.

EU-controlled metadata. Even when data sits in an EU region, the control plane, billing systems, telemetry pipelines and support tickets often route through US infrastructure. A provider can claim EU residency for customer data while metadata about that data travels across the Atlantic.

For the rest of this article, "European cloud" means definitions 2 and 3 combined: the provider is EU-incorporated and not legally reachable under the CLOUD Act.

Is sovereign cloud the same thing?

No. Sovereign cloud is a stricter category that sits inside European cloud.

A European cloud is a cloud provided by an EU-incorporated company on EU infrastructure. A sovereign cloud adds three more requirements: certified independence from non-EU jurisdictions through national audits (SecNumCloud in France, C5 in Germany, BIO 2 in the Netherlands), sovereign operations (EU-only staff with the keys), and sovereign-grade security certification beyond ISO 27001.

Every sovereign cloud is European. Not every European cloud is sovereign. Hetzner is European but does not hold sovereign-grade certification. OVHcloud has a SecNumCloud-qualified tier separate from its general public cloud. StackIT positions itself as sovereignty-ready for German and Dutch regulated work.

The practical implication: if your customer or regulator says "European cloud", any EU-incorporated provider qualifies. If they say "sovereign cloud", the shortlist narrows to certified offerings and the price climbs.

Why is this a 2026 topic?

Five things happened in roughly nine months that moved European cloud from background topic to boardroom question.

AWS European Sovereign Cloud went live (15 January 2026). In Brandenburg, with a legally separated operating entity, EU-only staff, and EU-controlled metadata. AWS's response to a contested CLOUD Act question. The launch dignified the sovereignty conversation by acknowledging it.

AWS broke its 20-year price-down streak (January 2026). EC2 ML Capacity Block prices rose 15% over a weekend, the first AWS price increase in two decades. Corey Quinn described it as a precedent shift. Pricing risk on AWS became a real budget input, not a hypothetical.

De Nederlandsche Bank picked StackIT (April 2026). A 200-year-old institution with an army of compliance lawyers chose a German cloud (and a discount-supermarket-affiliated one, which became the headline) over the available alternatives. Every Dutch CTO got the same question from their board within forty-eight hours.

The EU Commission awarded a €180m sovereign cloud framework (April 2026). OVHcloud, StackIT, Scaleway and Proximus won the institutional contract. Symbolic legitimacy for European providers in EU institutional procurement.

The Open Cloud Alliantie published its manifesto (April 2026). Seven Dutch providers (KPN, Centric, Info Support, Intermax, Nebul, Previder, Uniserver) plus DINL and TNO. The argument: Dutch public-sector workloads belong on Dutch infrastructure.

Two more things shaped the context. The Cyberbeveiligingswet, the Dutch implementation of EU directive NIS2, takes effect on 1 July 2026. And the EU Data Act prohibits cloud switching charges from 12 January 2027, removing the egress lock-in that has historically kept workloads on whichever hyperscaler they started on.

Add the political backdrop (Trump tariff threats against several EU member states in early 2026, sustained geopolitical pressure on US-EU trade relationships) and the question "where does our data sit, and whose jurisdiction is it in" moved from abstract to operational.

Who are the European providers?

Five companies dominate the conversation, plus AWS's response, plus the Dutch coalition.

Hetzner.

Germany, privately held. Compute and bandwidth specialist. Strong on price for predictable workloads. Limited managed services. The cheapest option for the right shape of workload.

Scaleway.

France, Iliad group. Strongest EU-native serverless offering (Functions, Containers, Jobs). S3-compatible storage with known SDK quirks. The provider with the broadest catalogue if you have a Lambda-shaped workload.

OVHcloud.

France, listed in Paris. Broad service catalogue. Bare-metal specialist. SecNumCloud-qualified tier available for French regulated work.

StackIT.

Germany, Schwarz Gruppe. New, regulated-customer-friendly. The April 2026 DNB selection anchored its credibility for Dutch financial workloads. Higher prices than Hetzner or OVH; easier procurement story.

Ionos.

Germany, listed in Frankfurt. Tiered enterprise support. Closest-to-Azure operational model. Good fit for SAP and Microsoft-shaped estates.

Open Cloud Alliantie.

A coalition of seven Dutch providers (KPN, Centric, Info Support, Intermax, Nebul, Previder, Uniserver). Smaller individual catalogues than the five majors; stronger Dutch jurisdictional story; hands-on operational model.

AWS European Sovereign Cloud.

Launched 15 January 2026. EU-incorporated operating entity owned by US-incorporated Amazon Web Services Inc. Marketed as sovereign; the CLOUD Act exposure through the parent-subsidiary structure is contested in legal opinion. The test case has not happened.

What does the CLOUD Act actually do?

The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) allows US authorities to compel US-incorporated companies to disclose data they control, regardless of where the data physically sits.

The mechanism follows corporate jurisdiction, not geography. AWS US Inc., Microsoft, Google, Apple, Meta and several thousand smaller US-incorporated cloud and SaaS providers are in scope. EU subsidiaries of those companies are in scope. EU data centres operated by those companies are in scope.

What encryption can and cannot do here: encryption with provider-managed keys does not solve the problem because the provider holds the keys and can be compelled to decrypt. Customer-held keys (BYOK / HYOK) help, but require careful architecture and have edge cases (key rotation through the provider's API can re-expose the data).

In NL business practice, the CLOUD Act exposure question has moved from an interesting argument in DPAs to a documented audit finding under NIS2 (transposed into Dutch law via the Cyberbeveiligingswet), DORA (binding on financial entities since 17 January 2025), and the BIO 2 framework for Dutch public sector. Customer auditors, not only regulators, ask the question in writing.

What does the EU Data Act change?

Regulation (EU) 2023/2854, in force since 12 September 2025, with the cloud-switching provisions taking full effect on 12 January 2027.

After that date, cloud providers may only charge "directly incurred" costs for switching to another provider. The Dutch Cloud Community reads this as "nihil in practice". Egress fees on a migration go to near-zero. Providers must give 30-day exit windows and provide data back in machine-readable form.

The regulation doesn't mandate technical interoperability between cloud services. Architectural lock-in remains: if your stack depends on AWS Lambda or DynamoDB, the rewrite cost still exists. What changes is the commercial barrier. The egress and switching-fee mechanism that has historically kept workloads in place dissolves.

For four out of five typical use cases, the date is a planning anchor rather than a starting gun. The companies that get the most out of 12 January 2027 are the ones who treat the date as the moment to execute a plan, not the moment to start one.

What does the Cyberbeveiligingswet add?

The Cyberbeveiligingswet (Cbw), in force from 1 July 2026, implements EU directive NIS2 in Dutch law. It broadens cybersecurity obligations across most critical and important sectors.

For most Dutch scale-up SaaS, the law does not apply directly (the threshold is 50 FTE + €10M turnover, in a critical sector). But Article 21(2)(d) of the directive requires in-scope customers to vet their direct ICT suppliers. In practice, that pressure arrives as supplier security questionnaires from banks, hospitals, logistics operators and larger regulated companies, asking how the supplier handles access, encryption, backups, incidents, and subprocessors.

Cloud provider jurisdiction is now line item 4 or 5 in most of those questionnaires. The "is your data in Frankfurt" answer that satisfied auditors in 2023 stopped working in 2025 and stopped being acceptable in 2026.

What's coming next

The pressure is not easing.

1 July 2026. Cyberbeveiligingswet enters into force. Supplier questionnaires from NIS2-covered customers start scaling through the second half of 2026.

12 January 2027. EU Data Act switching costs become prohibited. France went first with a 9 January 2026 decree banning excessive egress; Germany and several other member states are expected to follow ahead of the EU deadline.

Through 2026 and 2027. More banks, more pension funds, more public sector entities making sovereignty-driven choices. DNB to StackIT was first; it will not be the last. AWS expanding planned Local Zones for AWS European Sovereign Cloud to Belgium, the Netherlands and Portugal. Open Cloud Alliantie members targeting first migrations in 2026.

Long-term. EU institutional procurement is expected to keep tilting toward EU-incorporated providers. Customer-driven audits will keep outpacing regulator investigations for smaller suppliers.

Three things to know this week

Three short observations that capture what is and is not changing.

One. "European cloud" is not a single thing. Hetzner, OVH, Scaleway, StackIT and Ionos are five different products at five different price points serving different customer profiles. Treating the category as one product means picking the wrong provider.

Two. Sovereignty and cost are now usually the same conversation. The CTO who used to talk about "should we move off AWS for cost" is now having the same conversation under the heading of "should we move off AWS because of CLOUD Act exposure", with the same workload-shape questions deciding the answer.

Three. The 12 January 2027 deadline lowers the cost of moving; it does not lower the cost of having to move. Companies that pre-modelled in 2026 have a smooth Q1 2027. Companies that start modelling on the deadline have a six-month delay before they can act.

Frequently asked questions

Is European cloud the same as sovereign cloud?


No. European cloud means an EU-incorporated provider on EU infrastructure. Sovereign cloud adds national security certifications (SecNumCloud in France, C5 in Germany, BIO 2 in the Netherlands) and sovereign operations. Every sovereign cloud is European; not every European cloud is sovereign.

Does AWS European Sovereign Cloud count as a European cloud?

For data residency, yes. For full CLOUD Act independence, the answer is contested. AWS ESC is owned by US-incorporated Amazon Web Services Inc. Legal analysts disagree on whether the parent-subsidiary structure still creates CLOUD Act exposure. For sovereignty-strict requirements, a fully EU-incorporated provider is a clearer answer.

What is the CLOUD Act in plain terms?


A US law from 2018 that allows US authorities to compel US-incorporated companies to disclose data they control, regardless of where the data physically sits. The jurisdiction follows the company, not the data centre.

Does encryption solve the CLOUD Act problem?


Encryption with provider-managed keys does not solve it (the provider can be compelled to decrypt). Customer-held keys help but require careful architecture.

Why is everyone talking about this now?

Five news events in the first half of 2026 (AWS European Sovereign Cloud GA, AWS first price increase in twenty years, DNB to StackIT, EU Commission €180m sovereign cloud framework, Open Cloud Alliantie manifesto), plus two regulatory deadlines (Cyberbeveiligingswet 1 July 2026 and EU Data Act 12 January 2027).

Will my customers actually ask about this?

If you sell B2B to companies in regulated sectors (banking, healthcare, energy, public administration, larger logistics), yes, increasingly through 2026 and 2027 as those customers come under their own compliance pressure. If you sell consumer-facing products to non-regulated end-customers, less so.

Key takeaways

  • European cloud means EU-incorporated, not just EU-located. The four definitions (data centres, ownership, jurisdiction, metadata) matter.
  • Sovereign cloud is a stricter category inside European cloud, with national security certifications layered on top.
  • Five events in the first half of 2026 moved European cloud from background topic to boardroom question: AWS European Sovereign Cloud GA, AWS price increase, DNB to StackIT, EU Commission €180m award, Open Cloud Alliantie manifesto.
  • Five major European providers (Hetzner, Scaleway, OVHcloud, StackIT, Ionos) plus the Dutch Open Cloud Alliantie coalition plus AWS ESC are the realistic options.
  • The CLOUD Act follows corporate jurisdiction, not data location. Frankfurt does not solve it for US-incorporated providers.
  • Two 2026/2027 regulatory deadlines shape the conversation: Cyberbeveiligingswet (1 July 2026) and EU Data Act switching-cost prohibition (12 January 2027).
  • Pre-modelling the move in 2026 is the cheapest way to act on 12 January 2027.

European cloud is a real option, not yet a default

For most Dutch companies, the right answer in 2026 is still some version of "stay or hybrid, with a plan for what to do if the customer roster shifts". European cloud is no longer a niche conversation. It is also not a one-size-fits-all answer.

Blackbird helps companies work through what their workload, customer roster and contract calendar say about this decision. If you want to walk through your specific situation, we are running a webinar in late September on the broader EU cloud and migration question: https://blackbird-cloud.webinargeek.com/overstappen-naar-een-europese-cloud

Why is European cloud suddenly a topic in 2026?

Who should attend

This session is tailored for:

Key takeaways

About the bird

We are the allrounder for complex cloud application with a specific focus on cloud development. We make reliable cloud solutions and integrations so that your cloud is always in order. We love AWS, but also work with Google and Azure.

Meet the team

Joeri Malmberg

Senior Cloud Engineer

Sakif Surur

Lead developer

Thom Bogers

Senior Software Engineer

Melvin Stans

Senior Software Engineer

Lets’s fly together! Contact us
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.