Is Your Data Still Stafe?

This widespread reliance on U.S.-based platforms comes with real and often overlooked risks, particularly regarding data sovereignty and control. In this blog post, we will explain why this is a problem, how serious the threat is, and what alternatives exist, with a particular focus on data platforms.

What Is the Problem?

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act), passed in 2018 in the United States, allows U.S. law enforcement to compel American technology companies to provide data stored on their servers, even if that data is located outside the U.S., including in the Netherlands or elsewhere in Europe.

This means:

• U.S. authorities can legally request access to your data stored in AWS, Azure, or Google Cloud, even if the data never leaves the EU.
• These providers are obligated to comply, often without informing the data owner.
• In some situations, U.S. authorities could also pressure cloud providers to restrict access to data or services.

This directly undermines European data protection principles, including the GDPR’s emphasis on user consent, transparency, and data residency.

Already in 2022, the Dutch National Cyber Security Centre (NCSC) warned about the risks of the CLOUD Act and its extraterritorial reach, even for data stored entirely within Europe. Since then, growing geopolitical tensions have brought the issue more into the spotlight. The topic has been covered in Dutch national news and even featured in the TV program “Lubach”, raising public awareness about how foreign laws can quietly undermine European digital sovereignty.

How Big Is the Threat?

Some may argue: Sure, they can block your access — but would they?

Unfortunately, yes.

In April 2022, Amsterdam Trade Bank, a Dutch subsidiary of Russia’s Alfa Bank, was declared bankrupt. While the bank was financially stable, it became entangled in geopolitical tensions following the Russian invasion of Ukraine. U.S. and UK sanctions targeted Russian oligarchs associated with Alfa Bank, leading to significant operational challenges for ATB.

Key events include:

• Cloud Service Lockouts: Both Microsoft and Amazon Web Services (AWS) suspended ATB’s access to critical cloud services, citing compliance with U.S. sanctions. This action effectively paralyzed the bank’s operations, preventing access to essential data and systems.
• Legal Intervention: The curators overseeing ATB’s bankruptcy proceedings were unable to access necessary data due to the cloud service lockouts. A Dutch court subsequently ordered Microsoft to restore access, imposing potential fines of up to €100 million for non-compliance.

While one could argue that the sanctions against a Russian-owned bank were justified in the context of international conflict, the case of Amsterdam Trade Bank reveals a far more unsettling reality: if access to critical infrastructure can be unilaterally revoked based on political decisions, then no Dutch company or institution is truly safe.

Who decides who is “on the wrong side”? In the current geopolitical climate, and with U.S. cloud providers operating under the legal and political influence of Washington, there is no guarantee that future actions will be clear-cut or justified. The levers of control are not in European hands. Whether you are a hospital, a research institution, a government agency, or a court, your ability to function could depend on the political mood in a foreign capital.

This is not just about Russian banks. It’s about digital sovereignty, and whether we can continue to entrust core parts of our democratic and economic infrastructure to actors beyond our jurisdiction.

How Big Is the Problem? Dutch Cloud Dependency

While there’s no comprehensive public registry detailing every company’s cloud provider choices, several indicators highlight the Netherlands’ significant reliance on U.S.-based cloud services:

• Enterprise Usage: According to the Central Bureau of Statistics (CBS), 80% of Dutch companies with more than 250 employees use cloud services, which underscores how deeply integrated cloud infrastructure is in Dutch business operations.
• Cloud Provider Market Share: Data from Webmaster Tips shows that the vast majority of cloud infrastructure used by Dutch websites is provided by U.S. companies, with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure dominating the market.
• Financial Institutions: The president of De Nederlandsche Bank, Klaas Knot, recently warned that Dutch financial institutions are highly dependent on U.S. cloud infrastructure. He emphasized that this dependency poses serious risks in light of growing geopolitical and economic instability.

This widespread reliance means that a substantial portion of sensitive, proprietary, and even regulated data is stored on infrastructure ultimately controlled by foreign entities. In a worst-case scenario, Dutch businesses and institutions could lose access to their own systems, either temporarily or permanently, and without due process under EU law. This risk is especially serious for data platforms, which often serve as the central hub for collecting, processing, and analyzing critical data.

What Technologies Are Used For Data Platforms?

To understand the depth of Dutch data platform dependency on U.S. cloud infrastructure, it’s important to look beyond basic cloud service usage and explore which data storage and data platforms are most commonly adopted.

Data Storage Solutions:

• The most commonly used storage solutions are object storage services like Amazon S3, Google Cloud Storage, and Azure Blob Storage, which provide scalable, durable, and cost-effective storage for large datasets. These platforms serve as the foundation for storing raw data, backups, and processed outputs.

Data Warehouses and Analytics Platforms:

• For analytical workloads and structured data management, services such as Google BigQuery, Amazon Redshift, and Azure Synapse Analytics are popular choices. These platforms enable efficient querying and reporting on large datasets through SQL-like interfaces, often integrated with business intelligence tools. Behind the scenes, they store the actual data in the object storage systems of their respective cloud providers.

Modern Data Platforms — Snowflake and Databricks:

• Snowflake and Databricks are widely adopted in the Netherlands for their flexibility and advanced data processing capabilities. Both platforms are using either AWS, Azure or GCP as cloud provider and primarily rely on object storage for storing data. As a result, even when organizations use Snowflake or Databricks, their data is ultimately stored on U.S.-based cloud infrastructure.

Efforts to Reduce Dependency on U.S. Cloud Services

Recognizing the risks of relying heavily on U.S.-based cloud infrastructure, several Dutch institutions and experts are taking steps to regain control over their data:

Scientists Moving Data Back to Dutch Storage:

• Some Dutch researchers have quietly started transferring their research data out of U.S. cloud platforms to local Dutch data centers. This shift is driven by concerns over potential restricted access or surveillance of their data if it remains hosted on American servers. By relocating data closer to home, these scientists aim to maintain uninterrupted and secure access to their valuable research datasets.

Calls for EU-Based Data Storage and Government Initiatives:

• Experts widely agree that sensitive and critical data should be stored within the European Union to ensure compliance with EU privacy laws and reduce geopolitical risks. Although there are government-led initiatives aiming to develop more autonomous digital infrastructure within the EU, progress so far has been slow. The dependency on American internet services remains high, and the call for a concrete “Plan B” to reduce this reliance grows louder among policymakers and digital strategists.

Progress toward digital sovereignty has been limited, and we cannot afford to wait for governments to solve this issue. Many companies are searching for alternatives to foreign cloud providers, but these are still hard to find. It is up to us to take the lead. We need to act now and build European solutions that are secure, reliable, and truly under our control.

What Can You Do?

Switching from a U.S. cloud provider to a European alternative is not a decision that can be implemented overnight. Modern data platforms are complex systems with many dependencies, and migrating them requires careful planning and execution. However, there are different scenarios and practical steps you can take depending on your concerns:

Concerned about data access by the U.S. government?

• Ensure that your data is encrypted with encryption keys that are managed independently. This adds a critical layer of protection even when your data is stored in U.S.-controlled infrastructure.

Worried about losing access to your data due to geopolitical restrictions?

• Regularly back up your data to a European storage provider. This way, even in a worst-case scenario, you retain control and access to your critical information.

Looking to move away from U.S. cloud providers entirely?

• Consider gradually rebuilding your data platform on a European-based cloud. While it’s not a small task, it is increasingly feasible thanks to maturing open-source tools and growing support from the European cloud ecosystem. 

If you’re exploring European cloud or storage alternatives, a helpful directory can be found at european-alternatives.eu.

Of course, building your own sovereign data platform is a significant undertaking — Rome wasn’t built in a day. But it’s possible, and we’re here to help. In our next post, we’ll dive into how to build an open data platform on a European cloud step by step.