Several European businesses and governments have announced they will be moving away from US-owned software and cloud offerings due to data sovereignty concerns – but how practical is it, and what are the alternatives?

In the past, the where of “the cloud” was not so much of a factor, as it was seen as somewhat abstract, borderless – unless you work in a regulated sector at least. In 2026, we see a growing number of businesses, bodies, and even entire national governments asking more detailed questions – not least fuelled by an increase in cyber attacks: which country’s laws govern our data, and who can access it without our knowledge?

This is becoming a major concern, reshaping procurement decisions at banks, hospitals, manufacturers, and government departments — and the ripple effects are starting to reach SMEs too.

It’s Not About Where Your Data Sits – It’s Whose Laws Apply to It

Contrary to popular belief, data hosted in a European data centre, such as the AWS or Microsoft Azure region in Frankfurt or Dublin, is not necessarily protected by European law.

Under the US CLOUD Act, American authorities can compel any US-headquartered technology company to hand over data it controls, regardless of where in the world that data is physically stored. It doesn't matter if your Microsoft 365 tenant is pinned to an EU region. If the company answering the subpoena is American, US law can reach the data. Microsoft's own subsidiary confirmed as much under oath at a French Senate hearing in mid-2025, admitting it could not fully guarantee data sovereignty against US legal demands, even for a "sovereign" EU-marketed offering.

Sovereignty Is Now a Procurement Checklist Item

This compliance conversation is now becoming mainstream and driving real spending. Analysts at Gartner project European sovereign cloud spending will grow 83% year-on-year in 2026, and the European Commission has backed that shift with real teeth: in June 2026 it unveiled the a four-tier sovereignty framework for public sector procurement that effectively locks US hyperscalers out of the most sensitive government contracts, as American law makes true data independence structurally impossible for them to promise.

Sidenote: Speaking of the most sensitive government contracts: US firm Palantir, which deals with defence, policing, border enforcement, and enforcement work, entered the NHS during COVID to provide pandemic data tools – initially for a symbolic £1 contract, and later on for the Federated Data Platform (FDP), worth up to £330m over seven years. This has been heavily criticised due to the company’s background and dealing with sensitive – not even of its own country - patient data. We’ll address this in a different, dedicated blog post very soon.

What Companies in Europe Are Doing

As outlined in the introduction, a few examples of recent movements away from US-based infrastructure

None of this means US hyperscalers are being abandoned wholesale — the transition, by most estimates, will be measured in years, and cost and capability gaps remain real. But the direction of travel is unmistakable, and it's no longer confined to governments and giant enterprises.

Why This Should Matter to UK SMEs Too

Ever since the Brexit vote, the UK has been sitting in between the frontiers of the US and the EU in terms of regulation. Saying that, while we're now outside the EU regulatory framework driving much of this shift, UK GDPR remains closely aligned with its European counterpart, and UK businesses trading with EU customers or partners are increasingly being asked sovereignty-related questions in due diligence and supplier assessments. If your business — or your clients' businesses — handle EU personal data, hold public sector contracts, or operate in regulated sectors like finance or healthcare, "our data is in a UK or EU data centre" is no longer a complete answer to a sovereignty question.

There's also a more practical, less geopolitical argument for SMEs: concentration risk. Relying entirely on a single vendor, jurisdiction, or platform for your critical business systems is a real operational fragility. Outages, licensing changes, sudden price increases, or access restrictions tied to a vendor's home country — as seen in June 2026, when Anthropic had to suspend access to its newest AI models, Claude Fable 5 and Mythos 5, to comply with new US export control regulations, only restoring access once those controls were lifted a few weeks later — can all disrupt a business that has no fallback plan, independent from geopolitics.

Our Take-Away – Don’t Panic But Reassess

Unsurprisingly, deciding to move away from all US platforms instantly is neither practical nor logical, as it’s disproportionate and expensive.

What we recommend you’d rather do is classify your data and deal with them accordingly: understanding which data is genuinely sensitive (personal data, IP, regulated information) versus which is low-risk, and making deliberate decisions about where the sensitive stuff lives and under what legal protections.

For sensitive data, government organisations have long been relying on private clouds.

For SMEs without the internal resource to run that assessment themselves, this is exactly the kind of conversation a managed IT partner should be having with you.

If you’re interested in a conversation about what data strategy could work for you, why not schedule a free consultation with us?