Choosing an EU region on AWS, Google, or Azure doesn’t protect your data from US government access.
The US CLOUD Act allows American authorities to demand data from US companies, regardless of where their servers are located.
Dutch and EU regulators now require proof of jurisdictional control.
Split your architecture: use hyperscalers for non-sensitive workloads, move regulated data to sovereign European providers.
Core answer:
- Data residency (where servers sit) differs from data sovereignty (which government controls access)
- The US CLOUD Act applies to American cloud providers operating in Europe.
- DORA and NIS2 regulations require documented jurisdictional control
- Hyperscaler concentration creates operational and legal risk.
- Solution: a split architecture that combines hyperscalers for non-sensitive work with sovereign providers for regulated data
Dutch founders keep making the same mistake with cloud infrastructure.
They picked the Amsterdam region on AWS. They think their data stays under Dutch law. They’re wrong.
The mechanism they miss is jurisdictional control. Ignoring this is getting expensive.
What is the difference between data residency and data sovereignty?
Most small business owners in the Netherlands miss this gap:
Where your data sits physically isn’t the same as which government has legal access to it.
You host everything in Frankfurt, Paris, or Amsterdam. If your provider is a US company, the US CLOUD Act allows US authorities to demand access to the data. No notification to you. No notification to any EU supervisory authority.
Microsoft’s chief legal officer stated this directly before the French Senate: Microsoft can’t guarantee EU customer data is safe from US government access.
This isn’t a technical problem. This is a legal structure problem.
Bottom line: Physical server location doesn’t determine legal jurisdiction. US companies operating EU data centers remain subject to US law.
Why Dutch small businesses need to care about geopatriation now
Gartner named geopatriation as a Top Strategic Technology Trend for 2026. Geopatriation is the relocation of cloud workloads to jurisdictionally controlled environments.
Regulatory pressure is the driver.
DORA entered full enforcement in January 2025. It targets financial entities and mandates specific exit strategies and supply chain sovereignty obligations.
NIS2 applies to essential services, including energy, healthcare, and transport. These regulations create de facto sovereignty requirements for organizations in scope.
Your Dutch business might not fall directly under DORA or NIS2 today. The enforcement pattern remains clear: regulators expect you to prove jurisdictional control beyond vendor assurances.
The Autoriteit Persoonsgegevens and De Nederlandsche Bank won’t accept “we use AWS Amsterdam region” as sufficient evidence anymore.
Bottom line: Dutch and EU regulators expect documented proof of jurisdictional control. Vendor assurances won’t cut it.
What concentration risk do hyperscalers create?
In November 2025, European regulators designated 19 critical ICT third-party providers for direct supervisory oversight under DORA. The list includes AWS, Google, and Microsoft.
These three companies control roughly 70% of the European cloud market. All three are US entities subject to the CLOUD Act.
The combined share of EU providers falls to around 13%.
This creates structural vulnerability.
The AWS outage on October 20, 2025, lasted 15 hours. Over 3,500 companies across more than 60 countries were affected. Organizations with applications architected to run in European regions discovered their infrastructure still depended on a control plane in Northern Virginia.
The Microsoft Azure outage on October 29, 2025, caused an estimated economic loss between €4.5 billion and €15 billion. The disruption lasted 8 hours.
Two hyperscalers failed in the same month. Cloud diversification stopped being theoretical.
For small businesses in the Netherlands, this creates dual exposure:
Operational risk: A single point of failure means lost revenue during downtime.
Jurisdictional risk: Critical data becomes inaccessible or falls under foreign jurisdiction during an incident.
Bottom line: Three US companies control 70% of European cloud infrastructure. This creates both operational vulnerability and legal exposure.
Does a sovereign cloud alternative exist in Europe?
Airbus is preparing a €50 million+ tender to migrate mission-critical workloads to a digitally sovereign European cloud, launching in early January 2026.
Catherine Jestin, Airbus’s executive vice president of digital, stated: “I need a sovereign cloud because part of the information is extremely sensitive from a national and European perspective.”
She estimates only an 80% chance of finding a suitable European provider.
This tells you where the market is. Demand is rising faster than supply.
For Dutch entrepreneurs, this means sovereign alternatives exist—Deutsche Telekom’s T Cloud, France’s Bleu partnership between Capgemini and Orange, and independent European providers pursuing Dutch or EU certification standards.
The market is still developing. Regulatory pressure is not waiting.
Bottom line: European sovereign cloud providers exist, but the market is still maturing. Demand surpasses supply.
How to implement geopatriation in your business
Geopatriation doesn’t imply abandoning hyperscalers entirely.
The practical route forward is a split architecture:
Use hyperscalers for non-sensitive workloads. Marketing automation, development environments, and rapid experimentation. Anything where global scale helps, and you don’t have regulatory or jurisdictional concerns.
Move regulated, sensitive, or mission-critical data to sovereign environments. Client financial data, personal information under AVG/GDPR, and anything subject to Dutch regulatory requirements from Belastingdienst, UWV, or sector-specific authorities.
For a Dutch small business, this might look like:
- Marketing automation stays on AWS.
- Client financial records move to a Netherlands-based provider.
- Development and testing remain on hyperscalers.
- Production databases handling personal data shift to an EU-sovereign environment.
The split structure reduces jurisdictional exposure without sacrificing functional flexibility.
Bottom line: Split your architecture. Keep hyperscalers for speed and scale. Move regulated data to sovereign environments.
What controls should you install right now?
Start by auditing where your business data actually resides.
Not just primary storage. Backups, logs, and copies created by SaaS tools.
Identify which data falls under Dutch or EU regulatory requirements:
- Personal data pursuant to AVG/GDPR
- Financial records under Belastingdienst rules
- Sector-specific regulations from Dutch authorities
Map workloads to jurisdictions. For each system or dataset, document which legal framework applies and which provider controls access.
Ensure business continuity within chosen boundaries. If you’re relying on a hyperscaler for key operations, document your exit plan. When geopolitical tensions escalate or regulations change, you’ll need to move workloads quickly.
Test exit plans under realistic failure scenarios. Vendor lock-in is a jurisdictional risk, not a technical one. Architect systems with portability in mind from the start. Use containerization, skip proprietary services where possible, and maintain documented migration procedures.
Bottom line: Audit data locations. Map workloads to jurisdictions. Document exit plans. Test portability before you need it.
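The audit and mapping steps above can be kept as a small, repeatable check. The sketch below is an added example, not code from any provider or regulator: the provider-to-jurisdiction table, the finding names, and the sample inventory are all constructed assumptions you would replace with your own records.

```python
from dataclasses import dataclass

# Assumption: legal home of each provider's parent company, maintained by you.
PROVIDER_JURISDICTION = {"aws": "US", "azure": "US", "google": "US",
                         "nl-sovereign-example": "NL"}  # last entry is hypothetical
EU_JURISDICTIONS = {"NL", "DE", "FR", "EU"}
REGULATED = {"personal_data", "financial_records", "sector_regulated"}

@dataclass(frozen=True)
class DataStore:
    name: str
    kind: str            # primary | backup | logs | saas_copy
    provider: str
    region: str          # residency only; never used to decide sovereignty
    data_classes: frozenset
    exit_plan_tested: bool = False

def findings(store):
    """Return the jurisdictional-control gaps for one data store."""
    out = []
    regulated = store.data_classes & REGULATED
    legal_home = PROVIDER_JURISDICTION.get(store.provider)
    if legal_home is None:
        out.append("UNKNOWN_PROVIDER_JURISDICTION")
    elif regulated and legal_home not in EU_JURISDICTIONS:
        out.append("REGULATED_DATA_UNDER_NON_EU_JURISDICTION")
    if regulated and not store.exit_plan_tested:
        out.append("NO_TESTED_EXIT_PLAN")
    return out

def audit(inventory):
    """Map store name -> findings, omitting stores with nothing to report."""
    report = {}
    for store in inventory:
        gaps = findings(store)
        if gaps:
            report[store.name] = gaps
    return report

# Constructed sample inventory: primary stores plus a backup and a log copy.
SAMPLE_INVENTORY = [
    DataStore("marketing-automation", "primary", "aws", "Frankfurt", frozenset({"marketing"})),
    DataStore("crm-db", "primary", "aws", "Frankfurt", frozenset({"personal_data"})),
    DataStore("crm-db-backup", "backup", "azure", "Amsterdam", frozenset({"personal_data"})),
    DataStore("app-logs", "logs", "log-saas-example", "Paris", frozenset({"personal_data"})),
    DataStore("ledger", "primary", "nl-sovereign-example", "Amsterdam",
              frozenset({"financial_records"}), True),
]

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(gaps)}")
```

The region field is recorded but deliberately ignored by the check: an EU city in that column changes nothing if the provider's parent sits outside EU jurisdiction.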
What question should your board be asking?
The shift in cloud strategy isn’t technical. It’s governance.
The question isn’t “are we compliant?”
The question is: “Will we have control and the ability to move workloads when geopolitics demands it?”
For small business owners in the Netherlands, this means treating cloud provider selection with the same strategic importance as choosing a bank or legal structure.
The regulatory setting is evolving. Dutch and EU authorities expect documented evidence of jurisdictional control. Hyperscaler concentration creates both operational and legal exposure.
You don’t need to solve this overnight. But you need to understand the mechanism and install the controls before the letter arrives.
Structure is cheaper than recovery.
Frequently Asked Questions
Does selecting an EU region on AWS or Azure mean my data is sovereign?
No. Data residency (physical location) differs from data sovereignty (legal jurisdiction). US companies operating EU data centers remain subject to the US CLOUD Act. American authorities can request data from US providers without notifying you or EU regulators.
What is the US CLOUD Act, and why does it matter for Dutch businesses?
The US CLOUD Act allows American law enforcement to demand data from US companies, regardless of where the data is stored physically. This means your data in Amsterdam on AWS is still accessible to US authorities without your knowledge or consent.
Do DORA and NIS2 apply to my small business in the Netherlands?
DORA targets financial entities. NIS2 addresses essential services like energy, healthcare, and transport. If you don’t fall under these regulations today, the enforcement pattern still matters. Dutch regulators increasingly expect proof of jurisdictional control from all businesses handling sensitive data.
What alternatives exist to AWS, Google Cloud, and Azure for sovereign hosting?
European alternatives include Deutsche Telekom’s T Cloud, France’s Bleu partnership between Capgemini and Orange, and independent Dutch or EU-certified providers. The market is maturing, but demand currently surpasses supply.
How do I know which data needs sovereign hosting?
Audit your data storage locations, including backups, logs, and copies created by SaaS tools. Identify data under Dutch or EU regulatory requirements: personal information under AVG/GDPR, financial records under Belastingdienst rules, or sector-specific regulations. Move this data to sovereign environments.
What is a split architecture approach to cloud sovereignty?
Split architecture means using hyperscalers for non-sensitive workloads (marketing automation, development environments) while moving regulated, sensitive, or mission-critical data to sovereign European providers. This balances functional flexibility with jurisdictional control.
How do I prepare for potential vendor lock-in with hyperscalers?
Document exit plans now. Architect systems with portability in mind from the start. Use containerization, skip proprietary services where possible, and maintain documented migration procedures. Test exit plans under realistic failure scenarios before you need them.
What evidence do Dutch regulators expect for jurisdictional control?
Dutch and EU authorities expect documented evidence showing which legal framework pertains to each system or dataset, which provider controls access, and your ability to move workloads when regulations change. Verbal assurances from vendors are insufficient.
Key Takeaways
- Physical server location in Europe doesn’t equal legal jurisdiction. The US CLOUD Act applies to American companies operating EU data centers.
- DORA and NIS2 regulations require documented proof of jurisdictional control. Dutch regulators won’t accept vendor assurances alone.
- Three US hyperscalers control 70% of European cloud infrastructure. This concentration creates operational vulnerability and legal exposure.
- European sovereign cloud alternatives exist, but supply lags demand. Plan your transition strategy now.
- Implement a split architecture: use hyperscalers for non-sensitive workloads and move regulated data to sovereign environments.
- Audit data locations, map workloads to jurisdictions, document exit plans, and test portability before geopolitical or regulatory pressure forces rapid migration.
- Cloud provider selection is a governance decision with the same strategic weight as choosing a bank or legal structure.