The Sovereignty Mirage: Why European Clouds Won’t Save Your Data
If you’ve been sleeping soundly, confident that hosting your precious European data with a French cloud provider keeps it safely tucked away from foreign intelligence agencies, I have uncomfortable news. Grab a coffee. This is going to hurt.
When Sovereignty Meets Reality
In November 2025, a Canadian court ordered OVHcloud — the French cloud provider, the crown jewel of European digital sovereignty, the one that was supposed to be different — to hand over customer data stored on servers in France, the UK, and Australia. The Royal Canadian Mounted Police didn’t bother with those quaint Mutual Legal Assistance Treaties that exist precisely for such situations. They simply went through OVH’s Canadian subsidiary.[1]
OVH now faces an impossible choice: comply and violate French law (penalties include €90,000 fines and six months imprisonment), or refuse and face contempt charges in Canada.[1] The French government’s SISSE (Service de l’information stratégique et de la sécurité économiques) sent two official letters warning that any direct disclosure to the RCMP would be illegal and would constitute a violation of French sovereignty.[2]
Last August, OVH was crowing about Microsoft admitting it couldn’t guarantee data sovereignty.[1] The irony is exquisite.
Let that sink in. A French company. French servers. European data. Gone because someone had a subsidiary somewhere.
The CLOUD Act: It’s Worse Than You Think
Here’s where it gets really fun. The US CLOUD Act applies to “all electronic communication service or remote computing service providers that operate or have a legal presence in the U.S.” This isn’t about American companies. It’s about any company with US operations.[3]
AWS, in their own compliance documentation, helpfully points out that “the CLOUD Act is also applicable to a cloud service provider that is headquartered in the EU and has operations in the United States.” They even name-drop OVHcloud specifically: “OVHcloud, a French headquartered cloud services provider that operates in the U.S., notes in its CLOUD Act FAQ page that ‘OVHcloud will comply with lawful requests from public authorities. Under the CLOUD Act, that can include data stored outside of the United States.’”[3]
Thanks, OVH. Very reassuring.
But wait, there’s more. The CLOUD Act applies to data under a company’s “possession, custody, or control.” Courts have consistently found that parent companies can be compelled to produce data held by subsidiaries.[4] A US subsidiary of a European company? Subject to the CLOUD Act. A European company doing meaningful business in the US? Potentially subject to US jurisdiction under the “minimum contacts” doctrine.[4]
The law also reaches foreign subsidiaries of US companies. As one legal analysis explains: “The CLOUD Act applies to data entrusted to foreign subsidiaries of companies registered in the US, either because the data is in reality under the parent company’s control, according to US authorities, or because, in any case, the CLOUD Act applies to every company under US jurisdiction.”[5]
Your Datacenter Is Full of American Dependencies
Here’s the part nobody wants to talk about. That shiny “sovereign European datacenter” you’re so proud of? Take a walk inside. Count the Cisco switches. The Dell or HP servers. The Intel or AMD processors. The Nvidia GPUs. The Microsoft software stack.
Every single one of these manufacturers has significant US operations and is subject to American jurisdiction. The CLOUD Act explicitly covers any provider with “a legal presence in the U.S.” — and that presence extends through corporate structures and supply chains in ways that European sovereignty claims conveniently ignore.
Digital sovereignty theatre at its finest.
The Real Threats Aren’t Technical
Let’s be brutally honest about threat modeling. If a sophisticated adversary wants your confidential data, they’re not going to waste time crafting elaborate exploits against your VLANs and firewalls. They’re going to:
Phish your employees. That finance director with access to everything? One well-crafted email.
Bribe someone. Are you running background checks? Criminal record reviews? Lifestyle audits?
Compromise your supply chain. Your managed service provider. Your auditors. Your cleaning company. Your Cisco boxes.[9]
The fantasy that geography is your primary security control is precisely that — a fantasy. Meanwhile, your “sovereign” setup has dozens of people with privileged access and infrequent access log reviews.
The Only Real Answer: Encryption
If you’re genuinely worried about extraterritorial data access — and you should be — there’s exactly one technical control that actually works: customer-managed encryption keys.
When your data is encrypted with keys that you control, stored in Hardware Security Modules that you operate, the cloud provider literally cannot comply with a data request even if they wanted to. They can hand over encrypted blobs all day long. Good luck to whoever receives them.
BYOK vs HYOK: A Critical Distinction
But here’s where many enterprises get burned. Not all “customer-managed keys” are equal, and the acronyms matter enormously.
BYOK (Bring Your Own Key) sounds reassuring. You generate encryption keys in your own environment and upload them to the cloud provider’s key management service — AWS KMS, Azure Key Vault, Google Cloud KMS. Your keys, right?
Here’s where it gets subtle. Cloud providers store BYOK keys inside FIPS 140-3 validated HSMs. AWS is explicit that “no one, including AWS employees, can retrieve your plaintext KMS keys from the service” — the key material never leaves the HSM boundary in plaintext.[7] That’s genuinely true. They cannot extract your key.
But they can use it.
When you call KMS to decrypt data, the HSM uses your key internally and returns the plaintext result. The key stays inside the HSM; the decrypted data comes out. Under a CLOUD Act order, law enforcement doesn’t need your key — they need your data. AWS can be legally compelled to perform decryption operations using your BYOK key and hand over the plaintext results.[7] The key remains “secure” inside the HSM while your data walks out the door.
BYOK protects against key theft. It does not protect against lawful compulsion to decrypt.
HYOK (Hold Your Own Key) is fundamentally different. Your encryption keys never leave infrastructure you control — typically on-premises HSMs or a key management system operated entirely outside the cloud provider’s environment. The cloud provider’s systems call out to your HSM when they need to encrypt or decrypt. Your keys never touch their infrastructure.
AWS’s External Key Store (XKS) is a HYOK implementation. When you configure XKS, you replace AWS’s key hierarchy with an external root of trust. Your keys are generated and stored inside HSMs that you operate, outside AWS datacenters. AWS KMS calls your external key store proxy to perform cryptographic operations. Critically, AWS never sees the keys.[8]
This architecture creates what security vendors accurately call a “kill switch.” Disconnect your external key store, and all encryption and decryption operations using those keys immediately cease. AWS can hand over encrypted data all day long — without your keys, it’s indistinguishable from random noise.[8]
The CLOUD Act becomes irrelevant when the service provider never possesses your encryption keys. Law enforcement can compel the provider to hand over data, but the provider can only hand over ciphertext. The legal fight shifts to compelling you directly — a different battle entirely, with different jurisdictional protections.
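As an added illustration (not code from the post, and not the real AWS XKS proxy API), here is a stdlib-only Python model of the BYOK and HYOK cases described above. The class and function names (Hsm, CloudKms, scenario) and the HMAC-based toy cipher are constructed for the example; compelled_disclosure returns what an order served on the provider alone can obtain from what it holds, and the connected flag models the kill switch.

```python
import hashlib, hmac, os

class Hsm:
    """Holds one key that never leaves it; a constructed HMAC-SHA256 stream cipher plus MAC stands in for AES-GCM."""
    def __init__(self, customer_operated=False):
        self._key = os.urandom(32)
        self.customer_operated = customer_operated  # True: HYOK, the HSM sits on customer premises
        self.connected = True                       # HYOK kill switch: the customer can cut the link
    def _xor(self, nonce, data):
        ks = b"".join(hmac.new(self._key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, ks))
    def encrypt(self, pt):
        ct = self._xor(nonce := os.urandom(16), pt)
        return nonce + ct + hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
    def decrypt(self, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self._key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("authentication failed")
        return self._xor(nonce, ct)

class CloudKms:
    """Provider-side KMS; backend is its own Hsm (BYOK) or the customer's (HYOK, as with XKS)."""
    def __init__(self, backend):
        self.backend, self.stored = backend, []
    def _reach(self):
        if not self.backend.connected:
            raise ConnectionError("external key store unreachable")
        return self.backend
    def store(self, pt):
        self.stored.append(self._reach().encrypt(pt))
    def decrypt(self, blob):
        return self._reach().decrypt(blob)
    def compelled_disclosure(self):
        """What an order served on the provider alone yields from what it holds. HYOK caveat: while
        the proxy is reachable, Decrypt calls still route through it, so its request log and the kill switch matter."""
        if self.backend.customer_operated:
            return list(self.stored)                            # ciphertext only
        return [self.backend.decrypt(c) for c in self.stored]   # BYOK: plaintext

def scenario(hyok):
    secret, hsm = b"board minutes: ExampleCo bid", Hsm(customer_operated=hyok)  # constructed sample data
    kms = CloudKms(hsm)
    kms.store(secret)
    readable = kms.compelled_disclosure()[0] == secret
    hsm.connected = not hyok    # the customer can only cut a link to hardware it operates
    try:
        kms.decrypt(kms.stored[0])
    except ConnectionError:
        return readable, True   # (provider could produce plaintext?, kill switch cut decryption?)
    return readable, False
```

scenario(False) models BYOK and returns (True, False); scenario(True) models HYOK and returns (False, True).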
Is HYOK more expensive? Substantially. More complex to operate? Yes — you’re taking responsibility for HSM availability, network connectivity, and key lifecycle management. But it’s the only control that actually addresses the threat model. Everything else is sovereignty theatre.
Confidential computing and secure enclaves help, but remember: the infrastructure owner can be legally compelled to modify the environment. Updates happen. Firmware gets patched. As one security analysis noted: “Technologies like AWS Nitro Enclaves or Azure Confidential Computing protect against some threat vectors but cannot prevent the infrastructure owner from being legally compelled to modify the environment.”[6]
The encryption keys are the only thing that matters. Control them or accept the risk.
The Bottom Line
European cloud sovereignty, as currently marketed, is a comforting fiction. The OVHcloud case proves that having a subsidiary anywhere creates jurisdiction everywhere. The CLOUD Act’s reach extends to any company with US operations — which includes essentially every hardware and software vendor in your “sovereign” stack.
If you want actual protection:
Implement HYOK, not BYOK. External key stores with HSMs you operate. It’s expensive. It’s complex. It’s the only thing that actually works.
Stop pretending geography is a security control. Invest in access management, employee security, and supply chain verification instead.
Accept the velocity trade-off consciously. If you choose a slower sovereign option, know exactly what you’re buying and why. Most of the time, you’re buying paperwork compliance, not actual security.
Be honest about your threat model. If you’re worried about foreign intelligence services, HYOK everything sensitive. If you’re worried about compliance checkbox auditors, European hosting might be enough. Know the difference.
Your data either has technical protections that work, or it has political promises that don’t. Choose wisely.
Sources
[1]: “Canadian data order risks blowing a hole in EU sovereignty,” The Register, November 27, 2025.
[2]: “Canadian Court: OVHcloud from France must hand over user data,” Heise Online, November 2025.
[3]: “CLOUD Act,” Amazon Web Services Compliance.
[4]: “Reaching for the CLOUD,” Inside Privacy, July 14, 2021.
[5]: “The CLOUD Act: Unveiling European Powerlessness,” Groupe d’Etudes Géopolitiques.
[6]: “The Sovereignty Illusion: Why AWS’s European Cloud Cannot Escape US Jurisdiction,” Eliatra, June 2025.
[7]: “Customer-Owned vs. Customer-Managed Encryption Keys,” Kiteworks, November 2025; AWS states plaintext keys “never leave the HSM security boundary” but providers can still “be legally compelled to provide access to data.” See also “Data protection in AWS Key Management Service,” AWS Documentation.
[8]: “Announcing AWS KMS External Key Store (XKS),” AWS News Blog, May 2023.
[9]: “Here’s how the NSA spied on Cisco firewalls for years,” Engadget, August 2016.
The views expressed here are my own and do not represent any current or former employer.

