Your Stack Has a Sovereignty Problem
In today's geopolitical climate, strategic dependencies have become strategic vulnerabilities. 92% of Western data sits on US infrastructure, subject to foreign jurisdiction.
Europe's Digital Dependency
Critical infrastructure controlled by foreign jurisdictions creates strategic vulnerability
of EU digital services from third countries
of EU cloud controlled by US providers
EU cloud market held by European providers
of Western data on US infrastructure
“A 90-plus-percent dependency on US cloud infrastructure is a single-shock-event security nightmare waiting to rupture the EU's digital stability.”
Why It Matters
Two perspectives on the same problem
For Your Business
Service Disruption
Geopolitical tensions can restrict access to services overnight. Trade disputes affect availability.
Legal Exposure
CLOUD Act and FISA create direct conflicts with GDPR. Using US services means navigating both.
Data Jurisdiction
Your data is subject to the laws of the jurisdiction the service operates under.
Vendor Lock-in
Three companies control 65% of the market. Concentrated power means limited negotiating leverage.
For Europe
Strategic Autonomy
Digital sovereignty enables political and economic independence from foreign tech powers.
Innovation Capacity
A strong European tech ecosystem drives competitiveness and creates high-value jobs.
Democratic Values
Data protection as a fundamental right, not a product feature to be traded away.
Critical Infrastructure
Essential services should run on infrastructure under democratic oversight and local control.
Six Reasons to Go EU-Native
Not ideology. Risk management.
Data Stays Under EU Law
Services under US jurisdiction must comply with the CLOUD Act, which compels disclosure of data stored anywhere in the world. Services under EU jurisdiction face no such obligation. This isn't a compliance detail - it's a fundamental difference in who can access your data.
GDPR Without Complexity
No adequacy decisions to worry about. No Standard Contractual Clauses to manage. No transfer impact assessments. When your infrastructure is EU-native, GDPR compliance simplifies dramatically.
Geopolitical Resilience
In 2025, US-EU tech tensions escalated. Services can be restricted, pricing can change, and features can be gated by geography. EU infrastructure means you're not a variable in someone else's trade policy.
No Foreign Surveillance Exposure
The CLOUD Act allows US authorities to demand data from US companies regardless of where it's stored. FISA Section 702 enables mass surveillance of non-US persons. EU services are subject to neither.
Invest in Your Ecosystem
Every euro spent on EU infrastructure funds European jobs, R&D, and competitiveness. This isn't charity - it's investment in the ecosystem your business depends on.
Regulatory Certainty
Schrems I invalidated Safe Harbor. Schrems II invalidated Privacy Shield. The current Data Privacy Framework faces the same legal challenges. EU-native infrastructure doesn't depend on fragile international agreements.
The Legal Reality
Specific laws create specific risks
The CLOUD Act Problem
The US CLOUD Act (2018) is unambiguous: US companies must provide data to US authorities on request, regardless of where that data is stored.
This creates an impossible conflict:
- GDPR says you cannot transfer data to inadequate jurisdictions
- CLOUD Act says US companies must transfer data when requested
- Both carry significant penalties for non-compliance
“Microsoft cannot guarantee that customer data would never be transferred to US authorities under the CLOUD Act.”
— Microsoft France president, French Senate testimony (2025)
The Transfer Problem
In 2020, the Court of Justice of the European Union ruled that US surveillance laws fundamentally conflict with EU privacy rights. This invalidated the Privacy Shield framework overnight.
The pattern is clear:
EU-native infrastructure doesn't depend on international agreements that have failed twice.
NIS2 and DORA: The New Requirements
New EU regulations impose strict requirements on infrastructure dependencies:
NIS2 Directive
Network and Information Security requirements for essential and important entities. Requires assessment of supply chain risks, including third-country dependencies.
DORA Regulation
Digital Operational Resilience Act for financial services. Mandates ICT risk management including concentration risk from critical third-party providers.
This Isn't Hypothetical
Recent events that demonstrate the risks
France bans Microsoft Teams, Zoom, and Webex from government; mandates French-made Visio platform by 2027
US threatens tariffs on 8 European countries before backing down; transatlantic tensions reach post-Cold War low
Trump repeatedly threatens military force to take Greenland; Denmark announces $14B Arctic rearmament
EU considers activating anti-coercion instrument against US; suspends trade deal approval
The ACI allows the EU to ban foreign services, suspend business licenses, and restrict market access to the Eurozone.
Airbus tenders EUR 50M decade-long contract to migrate to sovereign European cloud
International Criminal Court replaces Microsoft with OpenDesk after US sanctions ICC officials
Microsoft admits to French Senate it cannot guarantee EU data is safe from US access requests
German Army signs 7-year contract with ZenDiS for OpenDesk; Schleswig-Holstein cancels 70% of Microsoft licenses
France, Germany, Italy, Netherlands establish European Digital Infrastructure Consortium
Schrems II invalidates Privacy Shield; current Data Privacy Framework faces same legal challenges
We Use What We Recommend
100% EU-controlled infrastructure
Star Stack runs entirely on European infrastructure. We've done the migration ourselves, and we document exactly how we did it so you can too.
- Server: Hetzner Cloud
- PaaS: Coolify (self-hosted)
- Framework: Next.js (self-hosted)
- Database: PostgreSQL (self-hosted)
- Analytics: Plausible
- Scaleway TEM
- CDN: Bunny CDN
- AI: Mistral AI
- Git: Codeberg
Start Your Sovereignty Audit
You know what services you use. But do you know their jurisdictions? Their ownership? Their legal exposure? Star Stack can tell you in minutes.
Audit your stack
Add services or import templates
See your score
Understand EU dependency
Find alternatives
Matched to your use cases
Plan migration
Realistic coverage assessments
References & Further Reading
Legal Framework
- Schrems II (Case C-311/18)
The 2020 ruling that invalidated Privacy Shield
- US CLOUD Act (H.R.4943)
The law that creates the jurisdiction conflict
- NIS2 Directive (EU 2022/2555)
Network and Information Security requirements
- DORA (EU 2022/2554)
Digital Operational Resilience Act
- GDPR (EU 2016/679)
General Data Protection Regulation