EU Tendered 'Sovereign' Cloud Contracts May Still Face US Legal Reach
Several EU 'sovereign' cloud providers awarded contracts rely on US-linked partners, risking US data access.
Why it matters: Legal teams overseeing transatlantic data must reckon with the persistent US CLOUD Act risk, even when using EU-certified 'sovereign' cloud services. This complicates compliance and increases scrutiny of vendor arrangements.
- April 17, 2026: European Commission awards a €80M sovereign cloud tender to four EU provider groups.
- Proximus's lineup includes S3NS, a Thales-Google Cloud joint venture using Google Cloud infrastructure.
- US CLOUD Act can compel US-headquartered tech firms to provide data held anywhere, including in EU-certified clouds.
- SEAL-3 status promises strong EU jurisdiction; S3NS awarded SEAL-2, involving less technical segregation from US partners.
The European Commission is advancing its push for digital autonomy by awarding a €80 million, six-year 'sovereign' cloud contract to four provider groups: Post Telecom (with CleverCloud and OVHcloud), STACKIT, Scaleway, and Proximus (with S3NS, Clarence, and Mistral).
These contracts require compliance with the Cloud Sovereignty Framework, setting high operational and legal standards for protecting European data. Providers attaining SEAL-3 status are expected to prevent non-EU supply chain intrusion and demonstrate strong safeguards. However, Proximus's group, including S3NS, a Thales-Google Cloud joint venture, achieved SEAL-2. This standard enforces compliance with EU law but does not require full technical separation from US infrastructure.
Independent analysts and industry experts note that US-based cloud providers—such as Google Cloud, integral to S3NS—can still be compelled under the US CLOUD Act to surrender customer data, even if physically stored in the EU. S3NS has earned French SecNumCloud 3.2 certification, indicating strong local compliance and certain controls; however, legal practitioners underscore that certification does not necessarily insulate data from conflicting US legal claims.
For GCs and privacy leads, the core challenge is navigating the hidden exposures present even in certified EU frameworks. As the regulatory and legal landscape shifts, lawyers must scrutinize both contract terms and technical architecture—especially for providers with ties to the US—to assess genuine sovereignty and risk of extraterritorial legal orders.
- Commission press announcement (April 2026)
- The Next Web industry analysis
- Politico coverage on EU sovereign cloud risks
By the numbers:
- €80M — Value of new EU cloud procurement contract over six years.
- 4 — Number of European provider groups awarded under the sovereign framework.
Yes, but: SecNumCloud 3.2 certification offers meaningful assurance, but does not close all loopholes for US data access.
What's next: Legal reviews and potential technical upgrades are expected as the Commission and providers refine sovereignty safeguards.