Protection from the CLOUD Act – Moving away from US clouds: Airbus plans to withdraw and pulls the plug on sensitive data

Europe's answer to Amazon & Co.: Airbus ventures into the cloud experiment

While government agencies often remain hesitant about digitalization or continue to rely heavily on US hyperscalers, Europe's largest aerospace company is currently undergoing a strategic about-face. Airbus has recognized that in times of geopolitical tensions and industrial espionage, data sovereignty is not just a buzzword, but a matter of survival.

The company is currently preparing a massive migration to remove its most critical assets – from aircraft blueprints to internal technological know-how – from the reach of the American CLOUD Act. With a planned tender worth over €50 million, Airbus is now seeking a path to a "sovereign cloud" made in Europe. But this bold move is not without risk: Even the Airbus board estimates the chance of finding a technologically capable European provider at only 80 percent – ​​an alarming indication that Europe's IT infrastructure still lags behind the needs of its own industry.

Suitable for:

• European design expertise instead of technological dependence – The French cloud model as an economic strategy

Digital sovereignty: Between rhetoric and reality: The illusion of no alternative – Why Europe's companies and authorities are sabotaging themselves

The paradox: When decision-makers ignore their own principles

For years, European industrial policy has proclaimed the necessity of digital sovereignty. The European Commission has defined clear criteria with its Cloud Sovereignty Framework, the EU Data Act obliges providers to transparency and data access, and the entire political elite regularly emphasizes that technological dependency poses a major security risk. Yet, in practice, the exact opposite is happening: states like Bavaria are planning billion-euro contracts with Microsoft without tendering processes, cities like Lucerne are migrating sensitive citizen data to the Azure cloud, and dozens of public authorities worldwide are following the same pattern. This is not a technical problem, but a problem of will and responsibility.

The case of Bavaria is particularly telling, revealing a symptomatic failure of European decision-makers. The Free State of Bavaria plans to spend nearly one billion euros on Microsoft 365 over a five-year period – for 270,000 employees in its public administration. This is happening without a public tender, without a genuine evaluation of European alternatives, and at a time when digital infrastructures have been recognized as strategically critical. Criticism from open-source communities, IT associations, and medium-sized IT companies was massive and systematic, but it followed a predetermined path: the Microsoft contract was signed nonetheless. This decision is not based on economic considerations, but rather on habit – the same habit that has eroded European technological independence for the past two decades.

The contrasting view is that of Airbus, Europe's largest aerospace company. Unlike government agencies, Airbus has recognized that sensitive data—aircraft designs, production processes, technological know-how—should not fall into the hands of US corporations subject to the American CLOUD Act. Airbus is currently preparing a tender for the migration of critical applications to a European sovereign cloud, with a contract worth over €50 million. This is a deliberate, risk-based decision by a strategically important company. But even here, doubts exist: Airbus's board of directors estimates the probability of finding a suitable European provider at only about 80 percent. This is not a sign of impossibility, but rather a sign of insufficient European capacity development.

The CLOUD Act as a silent weapon: The legal time bomb among European data

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) was passed in 2018 and regulates US authorities' access to corporate data. On paper, this sounds reasonable: national authorities should be able to access data that falls under their jurisdiction. But the practical implications of the CLOUD Act are far more serious than many European companies and authorities seem to realize.

The CLOUD Act doesn't just apply to data stored in the US. It allows US authorities to access any data managed by US companies or their subsidiaries – regardless of where that data is physically hosted. Specifically, this means that if your data is located in a Microsoft data center in Germany, US authorities can request access under the CLOUD Act. Microsoft is obligated to comply with this request and is also subject to gag orders, meaning it cannot inform affected companies that their data has been requested.

Microsoft itself admitted in a French court case in July 2025 that it could not guarantee data protection under the CLOUD Act. This is a remarkable admission from Europe's largest cloud provider. Despite this, government agencies and businesses continue their migration to Microsoft services. It's like a citizen having a house built while the contractor openly states that the roof will leak—and then moving in anyway.

The situation is further exacerbated by geopolitical developments. The return of the Trump administration in January 2025 fundamentally destabilized transatlantic data privacy relations. Trump dismissed three Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB)—the very body that is supposed to monitor compliance with data privacy standards and the oversight of US intelligence agencies. This renders the PCLOB unable to make decisions. This undermines the Transatlantic Data Privacy Framework (TADPF), which was only recently negotiated and is based on executive orders that can be revoked at any time. Experts are openly warning that the entire framework is at risk.

History reveals a pattern: The US views data access as a strategic tool and uses cloud providers as leverage. The case of ICC Chief Prosecutor Karim Khan is symptomatic: Following sanctions by the Trump administration, Khan lost access to his Microsoft email account. Microsoft claims this was not a suspension of ICC services, but the episode highlights the vulnerability of organizations that rely on US infrastructure. If the US can flip a "digital switch" in a crisis or trade dispute, European infrastructures are crippled.

Suitable for:

• Why the US Cloud Act is a problem and risk for Europe and the rest of the world: a law with far -reaching consequences

Economic rationality or institutional inertia: The illusion of no alternative

A common argument is: There are no European alternatives. This is factually incorrect. There are European cloud providers that are technically competent and offer data sovereignty. The reason they don't dominate is not technological, but economic and institutional.

The market is highly concentrated: AWS, Microsoft Azure, and Google Cloud control approximately 65 percent of the global IaaS market. European providers such as IONOS, OVH, Stackit, Plusserver, and the Open Telekom Cloud (T-Systems) fall into the "Other" category—they are technically mature, but not dominant. Why? Because network effects and vendor lock-in are extremely strong in cloud services. Once you're working with AWS, you can't simply switch to IONOS without incurring significant migration costs. New applications are built on AWS because it offers the best tools, the largest ecosystem, and the most qualified developers.

This is a classic case of market failure: solutions exist, but these solutions are not globally dominant, therefore they are not used. Government agencies and companies orient themselves towards market leaders, not towards macroeconomic optimums.

However, the EuroCloud Pulse Check 2025 reveals a trend reversal: The proportion of companies that consider digital sovereignty crucial has risen from 25 percent to 47 percent in five years. 83 percent of all companies now rate sovereignty and resilience as central to their cloud strategy. Even more significantly, 57 percent have concrete concerns about current US policy and its unpredictability. This is not ideology, but rather a sound economic risk assessment.

The areas where European providers are competitive are concentrated in sensitive and regulated sectors: backup and disaster recovery (66 percent of deployments), Kubernetes and container solutions (64 percent), and compliance and data residency requirements (64 percent). These are precisely the areas where data criticality is highest.

Cost arguments are often made in favor of US providers. This is partly justified – Microsoft and AWS have scalability advantages. However, this advantage is often short-term. The Bavarian case illustrates this: The annual cost for M365 E5 is €59.70 per employee per month. This is a list price without any real negotiation. European providers could be significantly cheaper for comparable services if their capacity were expanded. Furthermore, when one factors in the risks of the CLOUD Act, potential geopolitical sanctions, and resilience, Microsoft's true costs are not transparent.

Our EU and Germany expertise in business development, sales and marketing - Image: Xpert.Digital

Industry focus: B2B, digitalization (from AI to XR), mechanical engineering, logistics, renewable energies and industry

More about it here:

• Xpert Business Hub

A topic hub with insights and expertise:

• Knowledge platform on the global and regional economy, innovation and industry-specific trends
• Collection of analyses, impulses and background information from our focus areas
• A place for expertise and information on current developments in business and technology
• Topic hub for companies that want to learn about markets, digitalization and industry innovations

The Gaia-X disappointment: Why European initiatives fail

Gaia-X was launched with great fanfare in 2019. The project aimed to build a decentralized, secure, open, and transparent European data infrastructure. Major players participated in the initiative: SAP, Bosch, Siemens, Telekom, Festo, and Schunk. The goal was to break the dependence on AWS, Azure, and Google.

Six years later, Gaia-X hasn't failed, but it hasn't achieved market dominance either. In the spring of 2025, doubts were publicly raised as to whether the project goals were even achievable. Why? Because Gaia-X illustrates a classic problem of European coordination: decentralization and coordination are contradictory. If you operate in a truly decentralized manner and every cloud provider can be a node, then there is no clear responsibility, no dynamic scaling, and no strategic focus. If you coordinate centrally, you lose the advantages of decentralization.

Gaia-X has another problem: it's too focused on technology. But the problem isn't primarily technological. European cloud providers can technically compete with the big players. The problem is trust, scalability, and market power. A startup entrepreneur trusts AWS because AWS is large and won't fail. A European provider, even if technically superior, isn't perceived as a secure choice.

Gaia-X needed: genuine financial incentives (subsidies for European companies switching to Gaia-X services), legal requirements (government data must be stored on European servers), and a clear governance structure. Instead, it became a forum for technical standards and best practices. Important, but not sufficient.

Suitable for:

• Industry-X: Promoting European and global logistics and supply chains through industry initiatives Catena-X and Gaia-X

Institutional incoherence: What Lucerne and Bavaria show us

The cases in Lucerne and Bavaria reveal another pattern: institutional incoherence. Swiss and German authorities have data protection officers who explicitly warn that storing sensitive and particularly protected personal data in Microsoft 365 is not compliant with data protection regulations. The cantonal data protection officer in Lucerne warned that data classified as "confidential" in the Microsoft cloud violates data protection law. Despite this, citizens' data was transferred there.

Bavaria is planning a billion-euro contract without putting it out to tender, despite fundamental objections from the German Informatics Society (Gesellschaft für Informatik), the OSBA (Ostfriesischer Landesverband Bayern – Bavarian State Association for Cloud Services), and the local IT industry. Their demand was clear: apply the EU criteria for sovereign clouds. The response was ultimately ignorance. The decision was not based on careful analysis, but on convenience and path dependency.

This isn't stupidity, it's structure. Larger organizations are inert. The IT department knows Microsoft, all systems are geared towards it, and switching would mean retraining, migrations, and risks. Individual decision-makers have no incentive to go through that pain. The budget comes from various sources, and responsibility is diffuse. The data protection officer warns, but has no veto power. In the end, the path of least resistance is chosen.

What's particularly problematic is that this is happening with government agencies that operate with public funds. The Free State of Bavaria spends taxpayers' money. If these funds were invested in European cloud providers, the European ecosystem would be strengthened. Instead, German taxpayers are implicitly subsidizing Microsoft's market position. This is a form of silent technological rent.

The Airbus model: What true sovereignty looks like

Airbus presents a different picture. The company has recognized that sensitive data – aircraft designs, manufacturing technologies, strategic knowledge – must remain under European control. Therefore, Airbus is preparing a tender for the migration of applications such as Enterprise Resource Planning (ERP), Manufacturing Execution Systems, Customer Relationship Management, and Product Lifecycle Management to a European sovereign cloud.

The contract is worth over €50 million and is designed to run for up to ten years. This is a serious investment. Airbus is sending a clear signal to the European market: We need you, and we're paying for it. This isn't a theoretical commitment, but a concrete business model.

But Airbus also has its doubts. Executive Vice President of Digital, Catherine Jestin, estimates there's only an 80/20 chance of finding a suitable European provider. This isn't an unfair criticism of European providers, but rather an observation: European cloud providers aren't yet large and established enough to bear the risk that Airbus is taking with this migration.

That's the core problem. Gaia-X, European providers, EU regulation – all of that is important. But they need to scale. European cloud providers not only need to be technically compliant, but also build the trust that they can operate at the scale of Airbus. That requires capital, time, and market share.

The EU Data Act as a turning point

The EU Data Act, which came into force in September 2025, marks a regulatory shift. It obliges cloud providers to give companies access to their data and metadata, provide better APIs, and facilitate switching to other providers. These are steps against vendor lock-in.

In theory, this should help European providers. If switching becomes more cost-effective, European providers can more easily gain market share. But the EU Data Act is just a tool. It reduces barriers but doesn't create new incentives for European solutions.

What is truly needed is for authorities and large companies to consciously decide to prioritize European solutions, even if this means additional costs or adjustments in the short term. This is a political decision, not a technical one.

Conclusion: Digital sovereignty lives not on words, but on decisions

The key finding is this: there is no "natural constant" that dictates there is no alternative to US clouds. Alternatives do exist. They are technically mature, regulatory vetted, and economically viable. What's lacking is the collective will.

As long as Bavaria pays billions to Microsoft instead of supporting European providers, as long as Lucerne stores citizens' data in Azure despite data protection warnings, as long as most European companies follow the standard route and don't bother to examine alternatives – the market power structure will not shift.

Airbus understands this. That's why the company is preparing a €50 million bet on European sovereignty. Other large European companies should do the same. Not out of ideology, but out of strategy and risk management.

The geopolitical situation has changed. The unpredictability of American politics under Trump, the ability to weaponize data, the potential introduction of tariffs on digital services – these are no longer theoretical scenarios. They are real.

Digital sovereignty is not something to be demanded, but something to be lived. This means: foregoing short-term convenience, investing in capacity building, establishing clear regulations stipulating that critical data must be subject to European jurisdictions, and above all: making decisions that meet this requirement. Industry, government, and cloud providers are all equally called upon to act. Those who fail to understand this or ignore it are jeopardizing Europe's technological future.

☑️ Our business language is English or German

☑️ NEW: Correspondence in your national language!

Konrad Wolfenstein

I would be happy to serve you and my team as a personal advisor.

You can contact me by filling out the contact form or simply call me on +49 89 89 674 804 (Munich) . My email address is: wolfenstein ∂ xpert.digital

I'm looking forward to our joint project.

☑️ SME support in strategy, consulting, planning and implementation

☑️ Creation or realignment of the digital strategy and digitalization

☑️ Expansion and optimization of international sales processes

☑️ Global & Digital B2B trading platforms

☑️ Pioneer Business Development / Marketing / PR / Trade Fairs

Benefit from Xpert.Digital's extensive, fivefold expertise in a comprehensive service package | R&D, XR, PR & Digital Visibility Optimization - Image: Xpert.Digital

Xpert.Digital has in-depth knowledge of various industries. This allows us to develop tailor-made strategies that are tailored precisely to the requirements and challenges of your specific market segment. By continually analyzing market trends and following industry developments, we can act with foresight and offer innovative solutions. Through the combination of experience and knowledge, we generate added value and give our customers a decisive competitive advantage.

More about it here:

• Use the 5x expertise of Xpert.Digital in one package - starting at just €500/month