← All posts

April 29, 2026 · 4 min read

Why EU teams scrutinize US cloud providers beyond GDPR paperwork

data-sovereigntygdpreu-techinfrastructurevendor-lock-in

The Hook

Everyone assumes it's about GDPR alone.

GDPR is what lands in board decks. In engineering discussions, three other forces keep appearing: control, unit economics, and transfer-law uncertainty.

Below is a framing that matches public regulatory facts plus patterns that show up when EU infrastructure choices are debated openly—not invented interviews.

Pattern 1: Control, not only compliance

Compliance artifacts satisfy auditors.

The engineering conversation—especially for data-heavy products—is often about operational control:

  • Where data physically resides
  • Which legal entity can compel access
  • What happens if transatlantic rules shift again

Treating "we tick GDPR boxes" as identical to "we control our risk" is where strategies diverge.

Pattern 2: The margin math got louder

Hyperscale clouds remain excellent for many workloads. EU and EU-adjacent providers also publish aggressive price points for raw compute and bandwidth—Hetzner, Scaleway, OVHcloud, Infomaniak, and others routinely compete on published list prices.

Teams compare fully loaded cost (compute + egress + managed services + surprise metered lines) against regional alternatives. When the gap is large enough, "worth it for one pane of glass" becomes a finance conversation, not a religion.

This isn't anti-US-cloud dogma—it's margin and forecastability.

Pattern 3: Schrems II and what came after (verifiable timeline)

This section is public legal record, not opinion.

Milestone Fact
16 July 2020 Court of Justice of the EU, case C-311/18 (Schrems II)—invalidated EU-US Privacy Shield for transfers; Standard Contractual Clauses remained usable subject to assessment.
10 July 2023 European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework (DPF)—the third chapter after Safe Harbor (invalidated 2015) and Privacy Shield (invalidated 2020).
Ongoing Civil society organizations—including NOYB, founded by privacy activist Max Schrems—signaled intent to challenge the DPF before the CJEU. Whether DPF survives another round is legally uncertain as of this writing.

For a CTO planning a multi-year architecture, "adequate today, challenged tomorrow" is materially different from "settled for the decade."

Pattern 4: Migrations stay quiet

Large exits from a given cloud rarely arrive as press releases titled "We left Vendor X."

They surface later—in engineering blogs, conference talks, hiring posts, or latency improvements after changing origin—rather than as front-page vendor news. The directional signal is still useful: teams sequence workloads when economics or governance bite.

What teams optimizing for EU sovereignty typically emphasize in public RFP language:

  • EU-owned infrastructure providers where contractually relevant
  • Governance under EU legal frameworks for the control plane
  • Data paths without undisclosed third-country processing—often stricter than "region = eu-central-1"

Even EU regions of US hyperscalers may not satisfy the last bullet if vendor headquarters and legal exposure remain non-EU—that's a procurement/legal distinction, not a performance claim.

The pattern

Preferencing regional control for critical infrastructure is geopolitically normal—the same logic shows up whenever governments constrain foreign cloud for sensitive workloads.

The question

If you're in the EU: all-in on US hyperscale, hybrid, or actively repatriating certain workloads?

If you're elsewhere: are your EU customers asking for documentation you didn't need three years ago?

Wooven is designed sovereign-by-default: EU-controlled control plane, bring-your-own-server compute—including European providers.

Sources

  1. CJEU judgment in Case C-311/18 (Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems) — Curia summary.
  2. European Commission — EU-U.S. Data Privacy Framework / adequacy decision materials.
  3. Reuters — "EU seals new US data transfer pact, challenge likely" (10 July 2023)—journalistic context on immediate challenge expectations.
  4. NOYB — ongoing advocacy and litigation context around EU-US transfers; see noyb.eu for their filings and positions.

Not legal advice—consult qualified counsel for transfer mechanisms.