Is EURO-3C Europe’s Path to Cloud Sovereignty?

Amid the Internet lasers and fire-starter phones that manufacturers were touting at the Mobile World Congress in Barcelona this month was a more nebulous but much larger announcement: a pan-European cloud called EURO-3C.
EURO-3C’s backers – Spanish telecommunications giant Telefónica, dozens of other European companies and the European Commission (EC) – aim to fill a gap. US-based cloud giants dominate in the EU, and European policymakers want their growing portfolio of digital government services to be hosted on a “sovereign cloud” under full EU control.
But the EU lacks a real equivalent to AWS or Microsoft Azure. Indeed, any effort to build one will inevitably run up against the same American cloud giants.
Just four US-based hyperscalers – AWS, Microsoft Azure, Google Cloud and IBM Cloud – together account for around 70% of EU cloud services. This is despite the fact that the US CLOUD Act of 2018 allows US federal law enforcement – at least in theory – to force US-based companies to hand over data stored abroad.
But these hypothetical risks to digital services have become more real as transatlantic relations have deteriorated under the second Trump administration. The United States has openly threatened to invade an EU member state and sanctioned an EU commissioner for passing legislation the White House doesn’t like.
After the White House sanctioned the Netherlands-based International Criminal Court in February 2025, court staff claimed that Microsoft had excluded the court’s chief prosecutor from its email (Microsoft denied this). Around the same time, the United States reportedly threatened to cut off EU ally Ukraine’s access to crucial Starlink satellite internet as leverage during trade negotiations.
“Geopolitical risk is not just the most extreme form of an apocalyptic ‘kill switch’ where Washington cuts off the Internet in Europe,” says Stéfane Fermigier of EuroStack, an industry group that supports European digital independence. “This is a selective degradation of services and a total absence of means of retaliation.”
So what should the EU do? France offers an example. Even before 2025, France imposed severe restrictions on non-EU cloud computing providers in public services: providers must locate data in the EU, rely on EU-based staff and cannot have non-EU majority shareholders. Today, EU policymakers are following France’s lead.
In October 2025, the EC published a two-part framework for judging cloud providers bidding for public sector contracts. In the first part, the framework presents a sort of sovereignty scale. The more a supplier is subject to EU law, the higher its level of sovereignty on this scale. Any potential bidder must first reach a certain level, depending on the offer.
Qualified bidders then move on to the second part, where their “sovereignty” is scored in more detail. Using too much proprietary software, relying excessively on supply chains outside the EU, having non-EU support staff, and being subject to non-EU laws like the CLOUD Act all harm a bidder’s score.
The framework was created for a single tender, but observers say it sets a major precedent. Cloud providers bidding for public contracts across Europe may have to comply, and it could influence legislation at national and EU levels.
Who will receive high marks? At the moment, the answer is not simple. The EU cloud scene is quite fragmented. Many modest EU providers offer “sovereign cloud” services – such as Scaleway, OVHcloud and Deutsche Telekom’s T-Systems – but none are on the scale of AWS or Google Cloud.
Inertia is on the side of American cloud giants, which can invest in their infrastructure and services on a much larger scale than their European counterparts. Some U.S. providers now offer cloud services that they believe comply with the Commission’s “cloud sovereignty” requirements.
Some European observers, such as EuroStack, say such promises are empty as long as a provider’s parent company is subject to provisions such as the CLOUD Act, and loopholes in the Commission’s process remain open. An AWS spokesperson told Spectrum it had not disclosed any non-U.S. corporate or government data to the U.S. government under the CLOUD Act; a Google spokesperson said its most sensitive European offerings “are subject to local laws, not U.S. laws.”
Although a project like EURO-3C may offer a large-scale alternative, American cloud giants suffer from a different kind of inertia. Many developers – and many public buyers of their services – will need convincing to move away from familiar surroundings.
“If you look at AWS, you look at Google, they’ve created great technology. It’s very convenient, easy to use,” says Arnold Juffer, CEO of Netherlands-based cloud provider Nebul. “Once you’re on that platform, in that ecosystem, it’s very difficult to get off.”
Martyna Chmura, an analyst at the Bloomsbury Intelligence and Security Institute, a London-based think tank, believes some European developers are taking a mixed approach. “Many organizations are already moving toward multi-cloud setups, using European or sovereign providers for sensitive workloads while relying on hyperscalers for certain services,” she explains.
In this case, the EU’s top-down requirements could encourage developers to use European providers for sensitive applications – such as government services, transportation, autonomous vehicles and some industrial automation – even if this is impractical in the short term or if it leads to even greater fragmentation of the EU cloud scene. “Running systems on different platforms can increase integration costs and complicate data security and governance. In some cases, organizations could lose some of the efficiency and cost benefits of using large hyperscale platforms,” says Chmura.
“Overall, the EU seems willing to accept some of these compromises,” says Chmura.