Out of the US Cloud: What
4 min Read Time
Geopolitical developments are compelling midsize companies to act. Trump’s tariffs, the CLOUD Act, and the EU Data Act – which becomes fully applicable in September 2025 – are driving a wave of migration away from US-based cloud providers. According to a Lünendonk study, digital sovereignty has become a top priority for 78 percent of surveyed CIOs. Yet 43 percent of midsize companies still lack an exit strategy for their US cloud dependencies. The time to act is now – because migrating to another cloud typically takes six to eighteen months.
The Key Takeaways
- 78 percent of CIOs prioritize digital sovereignty: Geopolitical tensions, Trump’s tariffs, and the CLOUD Act are driving decoupling from US providers (Lünendonk Study, 2025).
- 43 percent without exit strategy: Nearly every second midsize company has no documented exit option for their US cloud dependencies. This is becoming a risk.
- EU Data Act vs. CLOUD Act unresolved: Fully applicable since September 2025, but the legal conflict with the US CLOUD Act persists. European data on US servers remains vulnerable.
- European alternatives maturing: STACKIT (Schwarz Group), Open Telekom Cloud, Hetzner, and OVHcloud offer increasingly competitive infrastructure with EU legal frameworks.
- 6 to 18 months for a cloud migration: Migration is not a sprint. Those who don’t start planning in 2026 will act in 2028 under regulatory and political pressure.
Why the Sovereignty Question Escalates in 2026
The debate around cloud sovereignty is not new. What has changed in 2026 is the urgency. Three developments are converging simultaneously, making waiting a risky strategy.
First: The EU Data Act has been fully applicable since September 2025. It gives European companies the right to data portability and obliges cloud providers to technically enable switching to another provider. This reduces lock-in risk but does not replace the strategic decision of whether a switch makes sense.
Second: The US CLOUD Act of 2018 continues to allow US authorities access to data stored by US companies, regardless of server location. An EU data center does not protect against a US court order as long as the operator is a US company. Microsoft, Amazon, and Google are US companies. This risk has existed for eight years but is becoming more tangible in 2026 due to the geopolitical situation.
Third: The Trump administration imposed tariffs on EU products in 2025 and 2026 and threatened further measures. In this climate, awareness is growing that digital dependencies are also political dependencies. The EU Commission announced an initiative for sovereign cloud and AI infrastructure in March 2026 to strengthen European alternatives.
There’s also a concrete economic factor: The EU Commission estimates that European companies spend over 100 billion euros annually on cloud services from US providers. Money that largely flows to the US and finances innovation capacity there. European cloud providers cannot use this capital for their own research and development. The strategic disadvantage reinforces itself.
For midsize companies, this means an uncomfortable truth: The cheapest and functionally best cloud services currently come from the US. But the costs of a data protection incident or a forced provider switch under time pressure exceed the price difference many times over. Forward-looking action is cheaper than crisis management.
“Digital sovereignty is becoming a top priority due to high dependencies on IT and cloud providers as well as geopolitical risks.”
– Lünendonk Study Digital Sovereignty, 2025
What Midsize Companies Really Depend on in the Cloud
Most midsize companies don’t use one cloud, but three to five cloud services simultaneously: Microsoft 365 for productivity, AWS or Azure for infrastructure, Salesforce for CRM, perhaps SAP in the cloud for ERP. Each of these services runs with a US provider.
The dependency is not evenly distributed. Replacing Microsoft 365 affects every employee and is a change management project of twelve to eighteen months. Migrating an AWS S3 bucket to a European object store, on the other hand, takes days. The strategic question is therefore not whether, but where a switch brings the greatest sovereignty gain at reasonable effort.
A pragmatic prioritization: Migrate highly sensitive data such as financial data, personnel data, and intellectual property to European providers first. Productivity tools like email and Office can be switched last because the effort is highest and the CLOUD Act risk is lowest there. No one will obtain a court order because of Excel spreadsheets.
A frequently overlooked aspect: Even seemingly harmless cloud services create dependencies. Companies that conduct all their corporate communication via Microsoft Teams, store their documents in SharePoint, and manage their identities via Azure AD have created a single source of failure. If Microsoft decides to change the license structure, restrict the service in certain regions, or break API compatibility, the company has little negotiating power.
European Alternatives: What the Market Offers
The European cloud market has evolved significantly over the past two years. STACKIT (Schwarz Group), Open Telekom Cloud (T-Systems), Hetzner Cloud, OVHcloud, and IONOS Cloud offer IaaS and PaaS services sufficient for most midsize business applications. The gap to AWS and Azure exists mainly in managed services, AI platforms, and the ecosystem of third-party integrations.
For SAP workloads, SAP itself (with the Sovereign Cloud via Bleu in France and planned in Germany) as well as T-Systems offer certified sovereign cloud solutions. For Kubernetes-based applications, Hetzner and IONOS are price-attractive and technically mature. For highly regulated industries such as financial services or healthcare, there are specialized providers like plusserver (BSI C5-certified) or IONOS (ISO 27001).
The honest assessment: A complete switch away from all US cloud services is neither realistic nor necessary for most midsize companies. The goal is not autarky, but choice. Companies that operate their most critical data on European infrastructure and have documented risk assessments for the rest are strategically well positioned.
What a Cloud Migration Really Costs
Cloud migration costs are systematically underestimated. Pure infrastructure costs (compute, storage, networking) are often comparable or even cheaper with European providers than with US hyperscalers. The hidden costs lie elsewhere.
First, migration effort: Databases, applications, and interfaces must be adapted. The more an application uses proprietary cloud services (AWS Lambda, Azure Functions, Google BigQuery), the more complex the migration. Second, training: Teams that have worked with AWS for years need time and training for new platforms. Third, parallel costs: During migration, both environments run in parallel, temporarily doubling cloud expenses.
As a rule of thumb: Migrating ten production workloads from AWS to a European IaaS provider typically costs 80,000 to 200,000 euros and takes six to twelve months. For complex environments with managed services and AI platforms, it can be significantly more.
A calculation example: A midsize mechanical engineering company with 300 employees operates its ERP environment on AWS, uses Microsoft 365 for productivity, and stores design data in an S3 bucket. Migrating the ERP environment to Open Telekom Cloud is estimated at 120,000 euros and takes nine months. Migrating the design data to Hetzner Storage takes two days and costs under 1,000 euros. Replacing Microsoft 365, on the other hand, is a two-year project. The prioritization is clear: data first, infrastructure second, productivity tools last.
The decision should therefore not be rushed, but made in a timely manner. The longer the dependency grows, the more expensive the later switch becomes.
Checklist: Five Steps Toward Cloud Sovereignty
1. Create a cloud inventory. Where does which data reside? Which services use which provider? Especially important: identify personal data and trade secrets.
2. Conduct risk assessment. For each cloud service: What happens with CLOUD Act access? What about sanctions or trade conflicts? The result is a prioritized list of the most critical dependencies.
3. Document exit strategy. Define a Plan B for each critical cloud service: Which alternative provider comes into question? How long does migration take? What does it cost?
4. Start pilot project. Migrate a non-critical workload to a European platform. Gather experience, validate costs and effort before larger migrations follow.
5. Review contract clauses. Check existing cloud contracts for termination periods, data portability, and data protection clauses. The EU Data Act strengthens the customer’s position here.
6. Create emergency plan. What happens if a US cloud provider is suddenly unavailable, whether through sanctions, technical failures, or contract terminations? A documented emergency plan with concrete fallback scenarios is part of responsible data governance.
Conclusion
The question is no longer whether midsize companies need to rethink their cloud strategy. The question is how quickly. The EU Data Act gives companies new rights. The geopolitical situation gives them new reasons. And the growing European cloud market gives them real alternatives for the first time.
Those who start with a structured risk analysis now and prioritize their most critical data avoid the time pressure under which others will act in two years. Cloud sovereignty is not a project with a deadline. It is a strategic attitude that pays off with every migrated workload.
Frequently Asked Questions
Do I need to completely abandon US cloud providers?
No. The goal is not autarky, but choice. Critical data on European infrastructure, documented risk assessment for the rest. A hybrid model is the most pragmatic path for most midsize companies.
Does an EU data center protect against the CLOUD Act?
No. The CLOUD Act applies to US companies regardless of server location. An AWS data center in Frankfurt is subject to US jurisdiction. Only a non-US provider with headquarters and infrastructure in the EU is CLOUD Act-free.
How much does a cloud migration cost?
Rule of thumb: 80,000 to 200,000 euros for ten production workloads, six to twelve months project duration. Costs vary greatly depending on complexity and use of proprietary services.
Are there European alternatives to Microsoft 365?
Yes, such as Nextcloud (file management), Open-Xchange (email), OnlyOffice or Collabora (office suite). However, functional parity with Microsoft 365 has not yet been fully achieved, especially for Teams and SharePoint.
What does the EU Data Act mean for cloud customers?
It gives companies the right to data portability and obliges cloud providers to technically enable provider switching. Switching fees will be banned from 2027. This significantly strengthens the negotiating position.
Which European cloud providers are BSI C5-certified?
Among others plusserver, STACKIT, T-Systems Open Telekom Cloud, and SAP. The BSI C5 certificates are publicly accessible and are considered the strictest cloud security standard in Europe.
Editor’s Reading Recommendations
More from the MBF Media Network
- cloudmagazin – Cloud, SaaS and IT Infrastructure for Decision-Makers
- Digital Chiefs – Leadership, Transformation and C-Level Perspectives
- SecurityToday – Cybersecurity, Compliance and Data Protection
Further Reading
Cyber Resilience Act: What Manufacturers Must Do Now
AI Act from August 2026: High-Risk AI in Midsize Companies
Exit, Succession or Acquisition: M&A in Midsize Companies 2026
Header Image Source: Anete Lusina / Pexels
