Digital sovereignty in companies: Making cloud and AI use legally compliant
Update Data Protection No. 237
Today, the digital value creation of German companies is largely based on infrastructures and services provided by a small number of global technology providers. Cloud storage, collaboration platforms, ERP systems, AI applications, and cybersecurity solutions often come from US providers such as Amazon Web Services, Microsoft, or Google. This concentration creates efficiency and speed of innovation, but at the same time leads to legal and strategic dependencies, for example with regard to data access from third countries, regulatory conflicts, or limited options for switching providers. At least since the discussions about the US CLOUD Act, transatlantic data transfers, and stricter cybersecurity requirements, digital sovereignty is no longer an abstract political ideal, but a concrete governance and risk issue for companies. This article examines the legal classification of these dependencies, the current transatlantic situation, and European initiatives and options for action for corporate practice.
I. Background: Current situation for German companies
From a corporate perspective, digital sovereignty describes the ability to use digital infrastructures, data, and applications in such a way that legal requirements can be met, economic dependencies can be managed, and strategic risks can be controlled. This does not mean complete technological self-sufficiency, but rather a robust ability to control and make decisions about central IT resources, in particular cloud services, data flows, and AI systems.
In practice, many German companies rely on infrastructure (IaaS), platform services (PaaS), or software solutions (SaaS) from major US providers, in particular Amazon Web Services, Microsoft, and Google. These providers offer powerful, scalable, and economically attractive solutions and are often deeply integrated into existing IT architectures.
However, the downside of this market concentration is legal and factual dependency. Companies are often unable to fully control where data is physically processed, nor can they rule out the possibility that foreign authorities may demand access to stored information under certain circumstances.
1. CLOUD Act and GDPR
The discussion about the digital sovereignty of German companies has been significantly influenced by the CLOUD Act, which was passed in 2018. The law obliges providers of electronic communications and cloud services based in the US to hand over data in their "possession, custody, or control" upon request by US law enforcement authorities. The decisive factor here is not the physical location of the data, but the company's legal access to it. Even data stored on servers within the European Union can therefore be subject to this law if it is managed by a US company or a company controlled by a US company.
For German companies that use cloud infrastructures or software solutions from Amazon Web Services, Microsoft, or Google, for example, this creates a structural conflict with European data protection law. While the General Data Protection Regulation imposes high requirements on third-country transfers and government access powers, the CLOUD Act is based solely on the US jurisdiction of the provider. Even if data is processed exclusively in European data centers, a US parent company may be required to disclose it. The legal assessment depends largely on the specific corporate structure, contractual control rights, and actual influence over data processing.
Against this backdrop, several US providers have developed so-called "sovereign cloud" models. Prominent examples include European cloud variants from Microsoft and partnership models from Google with European operators. These concepts regularly stipulate that data is stored exclusively in the EU, that operations are carried out by a European company, and that particularly sensitive administrative access is restricted or technically secured. In some cases, a separate legal entity based in an EU member state is established to offer the service and exercise certain control rights.
However, the decisive legal question is whether such structures actually exclude the applicability of the CLOUD Act or at least substantially reduce it. What matters is whether the US parent company continues to have de facto or legal control over the data or the European operating company. If a controlling relationship exists, or if the data can be made indirectly accessible, it cannot be ruled out that US authorities could assert claims for disclosure. The mere localization of data within the EU, or a contractual assurance of "European sovereignty," is therefore not necessarily sufficient to rule out the risk of extraterritorial access.
2. Role of the EU-US Data Privacy Framework
Against the backdrop of this tension, the EU-US Data Privacy Framework (DPF) is of central importance (we reported on this in Data Protection Update No. 206 and No. 219). Since July 2023, transatlantic data traffic has been based on the European Commission's adequacy decision pursuant to Art. 45 GDPR. For German companies, this means that personal data may generally be transferred to US service providers certified under the DPF without additional safeguards such as standard contractual clauses.
This represents a significant operational relief, especially for companies that make extensive use of cloud and SaaS services from Amazon Web Services, Microsoft, or Google. The use of globally integrated IT architectures thus remains manageable in terms of data protection law without requiring a separate risk assessment for each transfer in accordance with the "Schrems II" ruling.
However, the legal stability of this construct was controversial from the outset. In its judgment of September 3, 2025, the General Court of the European Union (GCEU) dismissed the action for annulment (T-553/23) brought against the adequacy decision, thereby confirming the validity of the DPF. After a substantive review, the court concluded that the reform measures introduced by the US, in particular Executive Order 14086, the two-tier appeal mechanism via the Civil Liberties Protection Officer (CLPO) and the Data Protection Review Court (DPRC), and expanded control mechanisms in the area of FISA 702 orders, meet the standard of "essentially equivalent" protection developed by the ECJ in "Schrems II."
In practice, this means that as long as the adequacy decision remains in force, supervisory authorities are bound by it and cannot impose fines for transfers based on the DPF. The decision thus provides companies with considerable, albeit possibly only temporary, legal certainty.
Nevertheless, the issue of digital sovereignty has not been conclusively resolved, as the DPF addresses only the admissibility of data transfers under data protection law. It does not eliminate the structural dependence on non-European providers subject to the CLOUD Act, nor does it resolve issues of vendor lock-in, technical interoperability, or the strategic resilience of IT infrastructures. Digital sovereignty is therefore not exhausted by the formal use of an adequacy decision.
II. EU initiatives
The European Union is responding to the dependencies described above not only politically, but also with an increasingly dense regulatory and structural framework. Digital sovereignty is particularly relevant for companies on two levels: the regulatory framework and the development of European data and infrastructure ecosystems.
1. Regulatory framework
With the NIS 2 Directive, the EU has significantly tightened cybersecurity requirements for companies. It no longer covers only traditional critical infrastructure operators, but a significantly expanded group of "essential" and "important" entities, including cloud providers, data centers, digital infrastructure service providers, and numerous industrial companies. The directive requires comprehensive risk management measures, incident reporting, supply chain controls, and active involvement of senior management. Digital sovereignty is effectively becoming a compliance requirement here, as companies must systematically identify and manage risks arising from IT dependencies.
For the financial sector, the Digital Operational Resilience Act (DORA) further specifies these requirements. It obliges banks, insurance companies, and other financial enterprises to implement structured ICT risk management, comprehensive testing requirements, and special controls for "critical" third-party IT service providers. Cloud providers can be directly subject to European supervision. DORA thus directly interferes with freedom of contract and procurement, forcing companies to think ahead contractually and organizationally about exit strategies, substitution options, and concentration risks.
This framework is flanked by other digital legislation, such as the Data Act or sector-specific security requirements, which are intended to strengthen interoperability, portability, and data access. Taken as a whole, these regulations aim to reduce unilateral dependencies, improve switching options, and make technical and organizational resilience mandatory. Digital sovereignty is thus not only demanded politically, but also operationalized legally.
2. EU data spaces
In addition to regulation, the EU is focusing on building its own data ecosystems (we reported on this in Data Protection Update No. 231). A key project is GAIA-X, a European initiative to develop federated, interoperable cloud and data infrastructures. The goal is not to create a single "European hyperscaler," but to establish common standards for transparency, data control, and interoperability. Providers, including those outside Europe, can participate as long as they meet the defined governance and compliance requirements.
In addition, sectoral European data spaces are emerging, for example in the industrial, mobility, and energy sectors. The planned European Health Data Space (EHDS) is particularly advanced. It is intended to enable the cross-border exchange of health data for care, research, and innovation, while at the same time standardizing strict access and security requirements. This creates new market opportunities for companies in the life sciences and digital health sectors, but also complex compliance requirements.
III. Recommendations for action for companies
Digital sovereignty is not a political buzzword, but a question of concrete governance decisions. Companies should approach the issue in a structured manner and integrate it into existing compliance, IT, and risk management processes.
1. Systematically record IT and data dependencies
The starting point for any sovereignty strategy is transparency. Companies should comprehensively record which cloud, platform, and SaaS services are used, which data categories are affected, and which jurisdictions the respective providers are subject to. It is important to consider not only the immediate contractual partner, but also the subprocessor chain.
Only on this basis can it be assessed whether particularly sensitive data such as research, health, defense, or employee data could be covered by non-European legal systems and what regulatory risks this entails.
2. Strengthen contract and exit strategies
Digital sovereignty is often determined in the contract. Companies should ensure that cloud and IT contracts contain clear provisions on data localization, audit rights, information obligations in the event of requests from authorities, and technical security measures.
Equally important are robust exit clauses. Data portability, interoperability, and migration support should be contractually guaranteed. Especially in light of NIS 2 and DORA requirements, it is essential to be able to simulate a change of provider, at least theoretically and organizationally. Vendor lock-in is not only an economic risk, but increasingly a regulatory risk as well.
3. Increase technical resilience through architectural decisions
Digital sovereignty is not just a legal issue, but also a question of system architecture. Multi-cloud strategies, hybrid models, or the deliberate separation of particularly sensitive workloads can reduce dependencies.
In addition, companies should examine whether client-side encryption with their own key sovereignty can be implemented. Where possible, a clear separation between personal and non-personal data can create additional flexibility. Compliance and IT departments should work closely together here; purely "paper solutions" are not sufficient.
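As an added illustration of the inventory described in III.1 and the architectural point in III.3 (example code written for this article, not a tool from any provider named above), the script below records each service with its data region, its operator's corporate control chain, and whether the company encrypts client-side with keys it holds itself. It rates exposure by control rather than by data location, so a service stored in the EU but operated by a US-controlled subsidiary is still flagged. All entity and service names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Data categories the article singles out as particularly sensitive.
SENSITIVE = {"health", "employee", "research", "defense"}

@dataclass(frozen=True)
class Entity:
    name: str
    jurisdiction: str                  # country of incorporation, e.g. "US", "DE"
    parent: Optional["Entity"] = None  # controlling entity, if any

@dataclass(frozen=True)
class Service:
    name: str
    operator: Entity                     # immediate contractual partner or subprocessor
    data_region: str                     # where the data physically sits (constructed region names)
    data_categories: frozenset
    client_side_encrypted: bool = False  # ciphertext only leaves the company; keys stay in-house

def control_chain(entity):
    """Walk from the operator up through every controlling parent."""
    chain = []
    while entity is not None:
        chain.append(entity)
        entity = entity.parent
    return chain

def assess(service):
    """Rate third-country access exposure by corporate control, not by data location."""
    us_controllers = [e.name for e in control_chain(service.operator) if e.jurisdiction == "US"]
    if not us_controllers:
        exposure = "none"
    elif service.client_side_encrypted:
        exposure = "ciphertext-only"   # the provider can only hand over data it cannot read
    else:
        exposure = "plaintext"
    sensitive = sorted(service.data_categories & SENSITIVE)
    return {
        "service": service.name,
        "data_in_eu": service.data_region.startswith("eu-"),
        "us_control_chain": us_controllers,
        "exposure": exposure,
        "sensitive": sensitive,
        "review_required": exposure == "plaintext" and bool(sensitive),
    }

# Constructed inventory: a US parent, its EU operating subsidiary, and an independent EU provider.
US_PARENT = Entity("ExampleCloud Inc.", "US")
EU_SUB = Entity("ExampleCloud EU GmbH", "DE", parent=US_PARENT)
EU_INDEP = Entity("Rheincloud SE", "DE")
INVENTORY = [
    Service("hr-saas", EU_SUB, "eu-central", frozenset({"employee"})),
    Service("object-storage", EU_SUB, "eu-west", frozenset({"research"}), client_side_encrypted=True),
    Service("erp", EU_INDEP, "eu-central", frozenset({"financial"})),
]

def inventory_report(services=INVENTORY):
    return [assess(s) for s in services]
```

The `review_required` flag marks services where sensitive data sits in plaintext under a US-controlled chain, which is exactly the case that EU data residency alone does not resolve.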
4. Design resilient transfer governance
Even though the EU-US Data Privacy Framework is currently in force, companies should not rely exclusively on it for their transfer mechanisms. It is advisable to have standard contractual clauses available as a fallback, to regularly update transfer impact assessments, and to actively monitor regulatory developments.
In this context, digital sovereignty means planning for regulatory volatility. Those who are prepared organizationally and contractually can respond to a possible reassessment by the ECJ without risking operational disruptions.
5. Anchor digital sovereignty as a board-level issue
With NIS 2 and DORA, at the latest, management is being explicitly held accountable. IT dependencies, cloud concentration risks, and third-country access are part of company-wide risk management.
Companies should therefore not treat digital sovereignty in isolation within the IT department, but rather understand it as part of compliance, ESG, M&A due diligence, and strategic corporate planning. In transactions or collaborations, dependence on certain platforms should be examined alongside financial or antitrust risks.
IV. Outlook and conclusion
For German companies, digital sovereignty is neither a political buzzword nor a short-term trend, but rather an expression of a permanently changed regulatory and geopolitical framework. Dependence on global IT and cloud providers remains economically sensible and practically unavoidable in many cases. However, it can be managed legally and organizationally, provided that companies analyze their IT structures, contractual relationships, and data flows transparently and integrate them into their compliance and risk management.
Developments in EU law, from the confirmation of the EU-US Data Privacy Framework by the General Court to NIS 2, DORA, and sectoral data spaces, create legal certainty on the one hand, but also increase the requirements for documentation, resilience, and governance on the other. At the same time, the transatlantic legal situation is not static, and judicial reviews and political developments may necessitate adjustments.
Against this backdrop, a pragmatic approach is recommended. Digital sovereignty should be understood as an integral part of proper corporate organization. Those who are aware of dependencies, address them contractually, and secure them technically are not only acting in line with regulatory expectations, but also strengthening their own ability to act in an increasingly complex digital environment.
This article was created in collaboration with our student employee Emily Bernklau.