06.08.2025

Dependency by design: Why the CLOUD Act poses a real risk to European companies

Despite a rapidly growing number of alternatives, increasing mistrust in international data traffic, and stricter compliance requirements, many European companies continue to rely on foreign IT providers. The goal of digital sovereignty – i.e., the self-determined and independent selection and use of IT applications – is still a long way off, while dependence – especially on US providers – remains high. The CLOUD Act in particular has long been considered a major risk to data security. In this article, we explain how much truth lies behind these concerns, why the CLOUD Act constitutes a foreseeable risk, and how companies can become more independent.

What is the CLOUD Act?
“CLOUD Act” stands for “Clarifying Lawful Overseas Use of Data Act” and is a US law passed in 2018 in response to a legal dispute between Microsoft and the US government. The case revolved around whether US authorities were allowed to access data stored by a US provider but located on servers outside the US – e.g., in Europe. At the time, Microsoft refused to hand over such data. Since the CLOUD Act was passed, US providers such as Microsoft, Amazon, and Google have been required to hand over personal data at the request of US authorities, regardless of where it is stored.

This means that even data stored in European data centers can be accessed by US authorities if managed by a US provider. Particularly critical is the fact that affected companies or users are often not informed when their data has been disclosed – the CLOUD Act allows for so-called confidentiality obligations. Although a court order is usually required, the CLOUD Act remains in clear conflict with the European General Data Protection Regulation (GDPR).

How do Microsoft, Google, and others respond?
It’s not only data protection advocates who have long criticized the legislation and the extensive access rights it grants – especially to US authorities. Microsoft itself has repeatedly opposed government attempts to exert influence. For the companies concerned, however, it is less about data protection and more about maintaining customer trust – and ultimately, their business.

Access by US authorities: Myth or reality?
It is undisputed that foreign authorities could, in principle, access data stored in Europe. This was confirmed during a recent hearing in France by Microsoft’s chief legal officer Anton Carniaux, who admitted that Microsoft could not rule out being forced to disclose data – even if stored in Europe. From the US perspective, compliance with European regulations such as the GDPR takes a back seat to national law.

Microsoft’s transparency reports show that data is regularly handed over in response to official requests – even though this (still) rarely involves European business data. In fact, there are no documented cases of US authorities accessing data from European companies in the EU – for example, via Microsoft, AWS, or Google. However, this may be due to confidentiality requirements: under the CLOUD Act, companies are often not allowed to disclose that they have handed over data.

The question is therefore not whether authorities can access such data – but when, and under what conditions. For industries and business areas handling sensitive information, this alone should be reason enough to look for secure alternatives.

What alternatives are there?
The CLOUD Act does not only apply to Microsoft, Google, or AWS. Any company headquartered in or storing data in the US falls under its scope. Moreover, other countries also exert broad legal influence over local providers and data – including Russia, China, the UK, India, and Australia. This is often due to anti-terrorism laws or broader geopolitical interests. Just recently, Apple withdrew its end-to-end encryption for iCloud data in the UK after the government demanded a technical backdoor. Against the backdrop of global tensions, such developments represent growing risks – not just to privacy, but also in terms of attack surface and potential data leaks.

This highlights a frequently underestimated issue: the threat is not just about privacy, but about the overall security of business-critical information – such as internal project plans, research documents, production data, contracts, and trade secrets. Much of this information is not covered by the GDPR, but is essential to business success. In sensitive industries, compliance guidelines and sector-specific regulations define protective standards.

The European economy is especially vulnerable here: much of its IT infrastructure depends on US-based services. The need for action is therefore acute. In regulated sectors like finance and healthcare, the demands on demonstrably compliant processes are growing constantly – driven by general laws like NIS-2, or industry-specific regulations such as DORA and TISAX.

What you can do
When evaluating IT providers, look beyond the surface. Although Europe – and Germany in particular – has some of the world’s strictest data protection laws, a “Made in Germany” label alone is no guarantee of real security or independence. Especially with cloud services, legal ownership and control matter just as much as server location.

German data room provider Dracoon, for example, has been part of US-based Kiteworks Group since 2023. This places Dracoon within the scope of the CLOUD Act – despite German headquarters and hosting. Control over data doesn’t end at the server – it starts with ownership.

Initiatives like “Software Made in Europe” offer valuable guidance. There, you’ll find a growing selection of European alternatives for many digital services.

When choosing a provider, consider:

  • Ownership structure, legal jurisdiction, and data hosting location

  • Support quality and responsiveness in critical situations

  • Fail-safety and clearly defined backup strategies

  • Independent certifications and regular audits

  • Strong security and encryption measures

  • User-friendliness and integration capabilities

Not all criteria weigh equally for every business. But one question always matters:
What happens if the chosen provider suddenly no longer offers sufficient security? Are there exit strategies? Is business continuity ensured? Or does your entire operation hang by a thread?

netfiles: Independent from US providers
If you want to play it safe, consider providers like netfiles – fully developed, hosted, and managed in Germany. netfiles was built to combine security, compliance, and usability in one sovereign platform. As an owner-managed company with zero reliance on US infrastructure or Microsoft 365, netfiles stands by the principle: “Owned, made & hosted in Germany”.

Key advantages include:

  • Regular audits and pentests by independent experts

  • Certification under national and international standards – suitable even for regulated sectors

  • Efficient, device-independent work directly in the browser

  • Integrated tools like OnlyOffice, file viewers, and video conferencing – without ties to foreign cloud ecosystems

  • Personal, qualified support – directly from Germany

netfiles meets the highest standards in data protection and information security, providing a reliable foundation for legally compliant processes – even in sensitive and regulated business environments.

Secure data exchange: We’re here to help
The CLOUD Act creates ongoing legal uncertainty – in conflict with Europe’s idea of data sovereignty. But there are alternatives: netfiles is 100% German-owned and operated.

We’re happy to advise you on how to exchange data securely and in full compliance using a netfiles data room – and what features are available to support your business. Get in touch – we look forward to hearing from you!