The Dutch Central Bank has dropped Amazon Web Services in favour of STACKIT, a cloud platform owned by the retail giant behind Lidl and Kaufland. The move is the latest sign of European institutions distancing themselves from US providers bound by American surveillance law. But is the supermarket group really the cloud champion Europe has been waiting for?
On April 23, De Nederlandsche Bank signed a framework agreement with STACKIT, the cloud division of Germany’s Schwarz Group, the retail conglomerate that owns the grocery stores Lidl and Kaufland. The deal followed a public commitment by DNB Governor Steven Maijoor last October to “set a good example” and move to a European cloud provider.
Last year, DNB and the Netherlands Authority for the Financial Markets warned that the Dutch financial sector had grown dangerously dependent on American tech providers, an assessment that included themselves. In The Hague, prosecutor Karim Khan at the International Criminal Court (ICC) found the Trump administration had suspended his Microsoft account, also leading the ICC to switch away from American systems. Microsoft denied suspending the account.
“Cloud procurement is no longer just a technical or commercial decision,” says Antonio Calcara, Head of the Technology and Economic Statecraft programme at the Centre for Security, Diplomacy and Strategy. “It has become part of the broader debate on digital sovereignty,” he added.
You might be interested
An American backdoor to European data?
At the forefront of the European digital sovereignty agenda is the fear of three pieces of US legislation: the Cloud Act, FISA 702, and Executive Order 12333. Together they technically allow US authorities to compel American cloud providers to hand over data stored on servers in Europe, or anywhere for that matter.
The Cloud Act requires American cloud providers to hand over data stored anywhere in the world when served with a warrant; FISA 702 authorises the mass collection of foreign communications data (when an American is in the loop) without individual warrants; and Executive Order 12333 permits sweeping intelligence gathering on non-US persons abroad, with virtually no judicial oversight.
You can either conflict or violate EU law and comply with the US, or you violate US law and comply with the EU — but you cannot be right twice.
— Kristina Irion, Associate Professor, Institute for Information Law, University of Amsterdam
“You can either conflict or violate EU law and comply with the US, or you violate US law and comply with the EU — but you cannot be right twice,” said Kristina Irion, Associate Professor at the Institute for Information Law at the University of Amsterdam.
All three laws exist in direct tension with the GDPR, which requires that data transfers to foreign governments be based on established international agreements between countries. Where companies are exposed to US oversight, the Cloud Act bypasses that process entirely, compelling providers directly. Naturally, “US companies are more likely to be loyal towards the US government than to the EU,” said Ms Irion.
The argument for security
When contacted, Amazon provided materials arguing that the company poses no real privacy risk. Their primary argument: since Amazon began tracking disclosures in 2020, there have been zero disclosures of enterprise or government customer content stored outside the US to the US government.
But Ms Irion identifies a structural problem with that claim. Warrants under US law frequently arrive with a companion gag order. In practice, it means that if such orders were ever issued, there is the chance it would go unreported.
AWS also points to customer-managed encryption keys as a technical safeguard. But keys only protect data at rest. The moment data is actively being used—a state it increasingly finds itself in as AI drives near-constant processing—be it processed by an AI model, edited in a shared document, or run through a business application, the provider needs to read it.
“Encryption is a solution, it is an important solution,” Ms Irion said, “but it is not the only solution to this problem,” she added. AWS’s own defence acknowledges the limit. For certain core infrastructure services, it claims to have built systems where even its own engineers cannot access customer data. But that zero-access architecture applies only to specific layers. Move up the stack into managed services or collaborative tools and the claim loses its hold.
Bad precedent
European courts have twice torn up the frameworks governing EU–US data transfers—Safe Harbour in 2015 and Privacy Shield in 2020—each time finding that US surveillance law made the arrangement incompatible with European fundamental rights.
In 2013, Microsoft challenged a US warrant seeking emails stored on its servers in Ireland. It argued American warrants could not reach data on foreign soil. The case reached the US Supreme Court, but before it could rule, Congress passed the Cloud Act in 2018. It clarified that US law enforcement could compel American companies to produce data regardless of where it was stored. Microsoft subsequently dropped the case.
No, I cannot guarantee that — but again, it has never happened before.
— Anton Carniaux, director of public and legal affairs, Microsoft France
At a French Senate inquiry last June into public procurement and digital sovereignty, Anton Carniaux, Microsoft France’s director of public and legal affairs, was asked whether he could guarantee under oath that French citizen data would never be passed to US authorities without French government consent. His answer: “No, I cannot guarantee that — but again, it has never happened before.”
Sovereign Cloud?
Amazon, Microsoft, and Google have all launched digital sovereignty programmes in Europe between 2022 and 2023 in an effort to get ahead of these concerns, a trend that Mr Calcara sees continuing. “US hyperscalers will probably try to preserve their position in Europe by combining their technological superiority and pricing power with new forms of localisation,” he said.
But European legal experts are not convinced. Academic researchers Rafael Grohmann and Alexandre Costa Barbosa, writing in Media, Culture & Society, describe the result as ‘sovereignty-as-a-service’. In short, a co-option, a process by which the political concept is hollowed out and replaced with a commercial product. Rather than sovereignty being exercised over platforms, it is now granted by them, on their terms.
“In our academic work, we say that this is a marketing trick,” said Ms Irion. “They are overselling the aspect that it is stored in Europe as a big safeguard. The place of storage is only one aspect of this whole story.”
Her central concern is that any company operating in the United States — American or European — is exposed to the US Cloud Act. And this type of risk extends well beyond the United States.
In September 2025, a Canadian court ordered French company OVHcloud to hand over data stored in France, the UK, and Australia to police. It bypassed mutual legal assistance processes entirely. OVH argued its Canadian subsidiary had no access to the data and that disclosure would breach French law. The court ordered it anyway, with the ruling currently under judicial review.
A Schwarz Digits solution?
“The framework agreement with SLM Rijk — the Dutch government’s central procurement agency — is a major milestone in Schwarz Digits’ international expansion strategy, aimed at making Europe more digitally independent,” the company said.
The company also announced an €11bn investment in a new data centre in Lübbenau, Germany. Already, its public cloud has attracted SAP and Bayern Munich as clients. The potential for a European champion is considerable. The European cloud market is projected to reach $550bn by 2030, a market currently dominated 70 per cent by American providers.
But Mr Calcara is measured about what to expect from Schwarz Digits. “STACKIT looks more like a part of a broader European sovereignty ecosystem than a future standalone European cloud champion,” he said.
The technical gap is hard to ignore. Even the DNB director acknowledged that the decision to move to STACKIT meant choosing a provider that “is not yet as robust or high-quality as the one from the US”.
“The decisive factor,” Mr Calcara said, “will be whether European governments—and especially large European corporations—are willing to prioritise sovereignty over efficiency, accepting potentially higher costs, lower performance, or reduced flexibility in exchange for greater geopolitical control. I am not sure Europe has reached that point yet.” DNB, at least, has made its choice.
