Scaleway 3: The CLOUD Act Problem — What It Means for Your AWS Data

Most European AWS users are broadly aware that US law can extend to US companies operating in Europe. Far fewer have read the CLOUD Act itself or looked closely at what it actually allows. This post explains what the law does, what it does not do, and what it means in practice for European businesses using AWS.

What the CLOUD Act Actually Says

The Clarifying Lawful Overseas Use of Data Act became US law in 2018. Its core provision is simple: American companies must comply with lawful US government demands for data, no matter where that data is stored.

Before the CLOUD Act, there was legal uncertainty around whether a US court order could force a company to hand over data stored on servers outside the United States. The CLOUD Act removed that uncertainty. The answer is yes, it can.

The CLOUD Act applies to any company incorporated in the US, along with its foreign subsidiaries. It does not require the data to belong to a US person, and it does not require the conduct under investigation to have taken place in the United States. The only requirement is that the company receiving the order is subject to US jurisdiction.

What This Means for AWS Customers in Europe

AWS is incorporated in the United States. Amazon Web Services EMEA SARL, the entity used for European contracts, is a subsidiary of Amazon.com, Inc. That means the CLOUD Act can reach data held by AWS regardless of which entity your contract is with or where your data is physically stored.

AWS’s Data Processing Addendum and GDPR commitments do not override US federal law. AWS has acknowledged, when pressed, that it is legally required to comply with valid US government orders. It cannot simply refuse.

From a GDPR point of view, that creates a conflict. GDPR restricts transfers of personal data to third countries unless certain safeguards are in place. If a CLOUD Act demand compels AWS to disclose EU personal data to US authorities, that would amount to a transfer to a third country, potentially without the safeguards GDPR requires. AWS cannot stop that from happening. At most, it can notify you if it is legally allowed to do so.

The Microsoft French Senate Testimony

In June 2025, the president of Microsoft’s French subsidiary appeared before the French Senate Commission to answer questions about cloud sovereignty. Under oath, he confirmed that Microsoft could not guarantee that data stored on its infrastructure, even data stored in France, on French servers, by a French subsidiary, would be protected from demands by US authorities. (Source: The Register, July 2025)

The testimony was clear. Microsoft France could not legally refuse a CLOUD Act order from US federal authorities. Even though the French subsidiary is a separate legal entity operating in France, it is ultimately controlled by a US parent company, and that is enough to bring it within the scope of the CLOUD Act.

The same principle applies to AWS. The legal structure is effectively the same.

Does AWS European Sovereign Cloud Fix This?

AWS launched the AWS European Sovereign Cloud, or ESC, in January 2026. It is a separate operational entity based in Germany, staffed by EU residents, with governance designed to keep EU data inside EU-controlled infrastructure.

ESC is a serious attempt to address sovereignty concerns, and for many organisations it may be enough. But it does not change the underlying legal reality: it is still ultimately owned and controlled by Amazon.com, Inc., a US company. Whether the CLOUD Act can reach data held in ESC remains an open legal question. It has not been tested in a European court, and it has not been definitively answered by the US Department of Justice.

Organisations that need certainty rather than probability are choosing providers where that legal question does not come up at all.

What SEAL 3 Provides

The EU SEAL framework, or Sovereignty Effectiveness Assurance Levels, gives organisations a structured way to assess how protected a cloud provider is from non-EU legal interference. SEAL 3 requires that the provider has no US parent company, no US-domiciled controlling shareholders, and no contracts with US entities that could create exposure under the CLOUD Act.

A SEAL 3 provider cannot receive a CLOUD Act order because the CLOUD Act has no jurisdiction over it. The legal uncertainty that makes AWS ESC harder to assess simply does not apply.

Scaleway achieved SEAL 3 certification and was awarded part of the EU Commission’s €180 million sovereign cloud contract in April 2026. It is wholly owned by Iliad Group, a French company. No US ownership and no US legal exposure.

What This Means in Practice for Your Business

For most businesses, the immediate risk is not a knock on the door from US federal agents tomorrow. The more practical risk is regulatory and contractual. If your business processes EU personal data under GDPR, and your cloud provider can be compelled to disclose that data to non-EU authorities, then you have a compliance exposure your legal team and DPO need to understand.

For businesses in regulated industries such as financial services, healthcare, legal, and the public sector, that risk feels more immediate. Regulators in these areas are increasingly asking questions about cloud sovereignty as part of audits and procurement processes.

Moving to a SEAL 3 provider like Scaleway resolves the CLOUD Act question clearly. It does not necessarily add complexity either. For most workloads, Scaleway’s services are direct equivalents of what you are already running on AWS.

The next post looks at the cost comparison.

Ready to Have a Conversation?

If you have read this series and recognised your organisation in it, the next step is simple. Get in touch. We will have a chat, ask a few questions, and give you an honest view of what is involved. No charge. No obligation.

Contact iWorks
