When Sovereignty Trumps Specs
In recent years, a quiet but consequential shift has been underway in Europe's approach to digital infrastructure. What once seemed like a purely technical decision — where to store data, which cloud provider to use, how to optimize performance — has become deeply entangled with geopolitics, legal jurisdiction, and institutional sovereignty. Nowhere is this shift more visible than in the growing willingness of European institutions to prioritize control over capability, even when it means adopting solutions that are, by traditional metrics, less advanced.
In April 2026, De Nederlandsche Bank — the Dutch central bank — signed a major cloud infrastructure contract with Schwarz Digits, the IT division of the Schwarz Group, the parent company of Lidl and Kaufland, Europe's largest discount supermarket chains. The announcement, made by Schwarz Digits sales director Bernd Wagner at the Hannover Messe industrial fair, is one of the most symbolically charged technology decisions in recent European institutional history: a central bank responsible for the stability of the Dutch financial system is moving its critical digital infrastructure away from Amazon, Google, and Microsoft and handing it to a company best known for selling budget groceries.
The decision only makes sense once you understand a fundamental question now reshaping European technology policy: Is European privacy safer for European institutions than American oversight? The answer, increasingly, is yes. But the reasoning behind that answer reveals a far more complex interplay of law, power, and risk than simple comparisons of privacy standards might suggest.
The Structural Problem: Jurisdiction, Not Technology
For decades, American cloud providers — Amazon Web Services, Microsoft Azure, and Google Cloud — have dominated the global market. Their advantages are clear: unmatched scale, cutting-edge innovation, and mature ecosystems of tools and services. By nearly every technical benchmark — uptime, performance, feature breadth — they remain industry leaders.
Yet Europe's concern is not about performance. It is about control.
The core issue is the US CLOUD Act, passed in 2018. This legislation grants American authorities the legal ability to compel US-based companies to provide access to data they control, regardless of where that data is physically stored. In practical terms, a European hospital, bank, or government agency can store every byte of its data in a data center in Frankfurt, managed by a European team, on European soil, and that data remains legally accessible to US authorities if the cloud provider is headquartered in the United States or has a US parent company. The CLOUD Act explicitly provides that providers must comply even when doing so conflicts with foreign law.
This creates a structural vulnerability that no amount of localized infrastructure can resolve. European institutions handling financial, legal, or governmental data must operate under the assumption that their information could be accessed by a foreign government. The issue is not whether such access is frequent — transparency reports suggest it is rare — but whether it is possible.
For central banks, regulators, and courts, "possible" is already too much risk.
When Risk Became Reality
Concerns about extraterritorial data access circulated in policy circles for years, but they remained largely theoretical until a series of incidents in 2025 brought them into sharp operational focus.
The most consequential involved the International Criminal Court, headquartered in The Hague. In February 2025, President Donald Trump signed an executive order sanctioning ICC chief prosecutor Karim Khan over the court's arrest warrants connected to alleged war crimes in Gaza. The order threatened fines and imprisonment for any person or organization providing Khan with financial, material, or technological support. Shortly afterward, Khan reportedly lost access to his official Microsoft email account. Microsoft's president Brad Smith denied the company had ceased services to the ICC, but the European Parliament took the matter seriously enough to submit formal questions to the European Commission, asking what legal measures existed to compel Microsoft to resume services and how the Commission assessed the risk to other European institutions.
The ICC confirmed in October 2025 that it was replacing Microsoft Office with openDesk, an open-source suite developed by ZenDiS, the German Centre for Digital Sovereignty of the Public Administration. The message was unambiguous: a European international institution, operating under European law, had its basic communications infrastructure disrupted by an American executive order because its email happened to be hosted by an American company.
This was not an isolated case. In May 2025, Microsoft abruptly cut services to Chinese universities and genomics firms under pressure from the Trump administration. European governments began coordinated migrations away from American secure messaging services. The Dutch digital minister, Willemijn Aerdts, articulated the emerging consensus: when technology is increasingly used as an instrument of power, dependence on platforms beyond your control poses an existential risk.
The debate was no longer about efficiency or cost. It was about sovereignty.
Europe's Legal Advantage: Why Its Framework Is More Protective
To understand why European law is increasingly seen as more favorable for European institutions, one must look at the architecture of EU data governance — not as a single regulation, but as an interlocking legal system designed around a fundamentally different premise than its American counterpart.
The cornerstone is the General Data Protection Regulation. GDPR Article 48 states that foreign court orders or administrative decisions requiring the transfer of personal data are only recognized if based on an international agreement — which the CLOUD Act is not. The European Court of Justice reinforced this position in its landmark Schrems II ruling, which invalidated the EU-US Privacy Shield framework on the grounds that US surveillance laws do not provide adequate protection for EU data. The European Data Protection Board subsequently identified customer-controlled encryption — where decryption keys are retained solely under European control — as the only technical measure capable of addressing US surveillance law exposure.
Beyond GDPR, a broader regulatory ecosystem reinforces this approach. The Digital Services Act governs platform accountability and transparency. The Digital Markets Act targets monopolistic behavior by large tech firms. The Data Governance Act and Data Act provide frameworks for the protection of non-personal data and include explicit provisions blocking unlawful third-country government access. The NIS2 Directive imposes cybersecurity obligations on operators of critical infrastructure. The EU Data Act, in force since January 2024 and applying from September 2025, requires providers to actively contest unlawful data demands from non-EU authorities — a direct legislative response to the CLOUD Act's jurisdictional reach.
Together, these laws create a system where data is treated as a sovereign asset, not merely a commodity. The fundamental asymmetry between the two legal architectures is this: European law treats data protection as a fundamental right, enshrined in the EU Charter of Fundamental Rights and enforced by independent data protection authorities with the power to levy fines of up to four percent of global annual turnover. American law treats cross-border data access as a law enforcement prerogative that overrides territorial boundaries.
These are not merely different priorities. They are incompatible legal architectures. And for European institutions, the incompatibility is not abstract — it is the difference between operational independence and structural vulnerability.
The Accidental Hyperscaler
Historically, Europe lacked credible alternatives to American cloud giants. That gap is now narrowing, and the most unlikely challenger illustrates why.
The Schwarz Group operates approximately 14,200 stores across 32 countries with 595,000 employees, generating €175.4 billion in annual revenue. The company could not responsibly route sensitive data from that operation — covering customers, employees, logistics, and financial systems — through American cloud providers subject to the CLOUD Act. So it built its own infrastructure.
The origin story parallels Amazon Web Services with striking precision. AWS began in the early 2000s because Amazon needed to solve its own massive-scale IT infrastructure problems, then realized it could sell that infrastructure externally. Two decades later, AWS generates more profit than Amazon's retail business. Schwarz Digits followed the same trajectory. Its cloud platform, Stackit, was developed internally, branded as entirely made in Germany, and quietly began accepting external clients in 2021.
The growth has been substantial. Schwarz Digits generated €1.9 billion in revenue in its most recent fiscal year. Its client roster now includes SAP, Bayern Munich, Deutsche Bahn, and Borussia Dortmund. It has partnered with CrowdStrike for sovereign cybersecurity, with Aleph Alpha for European AI development, and with the German Federal Office for Information Security for public-sector sovereign cloud solutions. In late 2024, the company announced an €11 billion investment in a new data center campus in Lübbenau, Brandenburg — a facility targeting 200 megawatts of capacity that positions Schwarz Digits as a credible European hyperscaler.
Bernd Wagner, Stackit's CEO, previously ran Google Cloud's operations in Germany — the man who used to sell Google's cloud to German companies now runs the operation trying to replace it. Schwarz Digits co-CEO Christian Müller told the Financial Times the company grew rapidly despite having no original commercial motivation. They accidentally became a billion-euro cloud provider by solving their own data sovereignty problem — exactly as Amazon did by solving its own scaling problem twenty years earlier.
But the strategic focus differs in a way that matters. Where AWS optimized for scale and feature breadth, Stackit optimizes for legal certainty and jurisdictional clarity. It offers a focused range of services — virtual machines, storage, networking, managed databases, Kubernetes — with an emphasis on reliability and long-term stability rather than the sprawling feature catalogs of AWS or Azure. This is the Lidl model transplanted into cloud computing: keep the offering tight, control the supply chain, eliminate unnecessary complexity, and make sure it works before you scale.
The American Response and Its Structural Limitation
US companies are not ignoring these developments. AWS has announced a €7.8 billion investment in an AWS European Sovereign Cloud, with its first region launching in Brandenburg, Germany. The offering features a dedicated corporate structure under EU law, EU-resident operational staff, and an independent advisory board. Amazon is spending nearly eight billion euros to fight off a supermarket chain.
But these solutions face a fundamental limitation that no amount of investment can resolve: they remain subject to US law. As long as AWS's parent company is headquartered in the United States, it is legally compelled to comply with US government data demands. Microsoft's own chief legal officer in France acknowledged under oath before the French Senate that the company cannot guarantee EU data is safe from US access requests.
This creates what critics describe as sovereignty in appearance but not in substance. The infrastructure may be local, the staff may be European, and the governance may be EU-compliant — but the legal chain of obligation still terminates in Washington.
Stackit faces no such constraint. It operates entirely under European law, with all data stored in Germany and Austria, and zero legal obligation to hand anything over to American authorities. An IPO is not on the table either — Wagner has stated that foreign investors would reintroduce external dependencies, so Stackit will remain wholly owned by the Schwarz Group.
The Trade-Off: Performance vs. Sovereignty
The central tension in this transition is real and openly acknowledged. European alternatives lag behind their American counterparts in features, maturity, and ecosystem integration.
DNB's own director, Steven Maijoor, admitted that the European cloud alternative is not yet as robust or high-quality as its American counterpart. The German state of Schleswig-Holstein has struggled with its migration from Microsoft to open-source alternatives, encountering significant operational disruption. Decoupling from American tech infrastructure is messy, expensive, and sometimes breaks things.
Yet institutions are moving forward anyway. In April 2026, the European Commission itself signed a €213 million contract with four European cloud providers — including Stackit — for sovereign cloud services across EU institutions, explicitly pitching the deal as a mechanism to boost European digital sovereignty.
The logic driving these decisions becomes clear once you understand the asymmetry of the trade-off: performance improvements are incremental, but sovereignty risks are binary. For a central bank, the ability to guarantee that financial data remains beyond foreign jurisdiction is more important than having access to the latest machine learning tools or the most advanced analytics dashboards. The same logic applies to healthcare systems, defense agencies, and judicial bodies.
The cost of technological inferiority is manageable. The cost of legal vulnerability is existential.
A Broader Geopolitical Shift
The implications extend well beyond cloud computing. Europe's push for digital sovereignty reflects a broader fragmentation of the global digital landscape, where data flows are increasingly shaped by national and regional interests rather than pure market dynamics.
The Gaia-X initiative has set the framework for what a European cloud ecosystem should look like — not by competing directly with hyperscalers on scale, but by establishing standards for sovereignty, transparency, and interoperability. This reflects a fundamental strategic insight: Europe is not trying to outbuild Silicon Valley. It is trying to out-govern it.
Countries and regions are beginning to treat digital infrastructure as a matter of strategic importance, akin to energy or defense. The localization of data storage and processing, the rise of regional technology ecosystems, and increasing regulatory divergence between jurisdictions are all accelerating. In this context, Europe's sovereign cloud push is part of a larger movement toward technological multipolarity — a world where the assumption that American infrastructure is the default is no longer operative.
Is European Privacy Safer?
Returning to the central question: from a strictly legal and institutional perspective, European privacy is safer for European institutions — but not because Europe is inherently more privacy-friendly in some philosophical sense.
It is because European law provides greater alignment between jurisdiction and control. Data governed by EU law is, in principle, insulated from external legal claims. This alignment reduces uncertainty and enhances predictability — two qualities essential for institutions managing critical systems.
The US framework, while justified within its own legal and security context, introduces a layer of extraterritorial reach that creates structural risk for foreign entities. The issue is not which system is better in absolute terms. It is which system offers greater security within a specific institutional context. For European institutions, the answer increasingly and decisively points inward.
The End of a Default Choice
For years, the dominance of American cloud providers made the choice of infrastructure almost automatic. Performance, reliability, and ecosystem advantages outweighed abstract concerns about jurisdiction.
That era is ending.
The Dutch central bank is choosing a grocery store's cloud over Amazon's, with clear eyes and full knowledge that the product is technically inferior — because the alternative is handing control of European financial infrastructure to a foreign power that has already demonstrated its willingness to use that access as leverage.
Lidl did not set out to build a cloud empire. It accidentally became one by refusing to hand its data to American companies. Now it is forcing Amazon to spend billions trying to catch up on a playing field where the rules themselves favor the European incumbent.
This shift does not signal the decline of American technology leadership. But it does mark the end of its uncontested reach. The future of cloud computing will not be defined solely by innovation — it will be shaped by law, geography, and power.
Sources: Techzine Global; GovInfoSecurity; The Register; European Parliament records; Exoscale Blog; CSIS (Center for Strategic and International Studies); JusticeInfo.net; EJIL:Talk!; Kiteworks; LexisNexis; AWS official announcements; Schwarz Group corporate communications; CrowdStrike press releases; Silicon Saxony; TechCrunch; CMS Law; House of El (YouTube).
Jonathan Brown for Border Cyber Group