
US authorities are listening in: Why servers in Frankfurt don't protect your company data


The big cloud misconception: Why having servers in Germany is a data protection trap

CLOUD Act beats GDPR: The dangerous myth of the secure US cloud server

Data sovereignty at risk: The true price for Microsoft, AWS and Google in Germany

Many German companies are lulled into a false sense of security: they believe their sensitive data is protected from unauthorized access as long as the server is located in Frankfurt or Munich. But this supposed protection is a dangerous misconception. The US CLOUD Act compels American tech giants like Microsoft, AWS, and Google to hand over data to US authorities—regardless of where in the world it is physically stored. This leads to an irreconcilable conflict with the European GDPR. Given the significantly tightened regulatory requirements imposed by the NIS-2 Act and the DORA Regulation, data sovereignty will transform from an abstract IT issue into a strict compliance obligation by 2026. This article examines the legal pitfalls of US clouds, explains the ongoing Schrems Dilemma, and shows which genuine German and European alternatives companies should now utilize to remain strategically competitive.


Server location in Germany: Why that alone doesn't protect against US access

The common misconception: A German data center and a US provider – that's not protection, that's a trap

In German companies, government agencies, and public administrations, a widespread belief exists: if our data is stored on a server in Frankfurt or Munich, then it is safe from foreign access, GDPR-compliant, and legally sound. This belief is understandable. It is also dangerously wrong. Because it confuses the physical storage location with legal jurisdiction – and this very confusion is the gateway to one of the most complex data protection problems of our digital age.

The US CLOUD Act of 2018 (Clarifying Lawful Overseas Use of Data Act) authorizes US authorities to compel any provider subject to US jurisdiction to hand over data in its possession, custody, or control, regardless of where that data is physically stored. A data center in Frankfurt operated by AWS, Microsoft Azure, or Google Cloud is therefore, for the purposes of the Act, under the control of a US company. A US court order can compel the release of data stored there, and the affected European data controller is not necessarily informed.


CLOUD Act versus GDPR: An irresolvable conflict

The conflict between the US CLOUD Act and the EU's General Data Protection Regulation (GDPR) is not merely an abstract legal question. It is a direct collision course between two legal systems that adhere to different fundamental values. The GDPR stipulates that personal data of EU citizens may only be transferred to third countries under strict conditions. The CLOUD Act allows US authorities to obtain precisely this data – without the need for EU mutual legal assistance treaties.

The companies affected are caught in a dilemma: If they comply with a US subpoena, they risk violating the GDPR. If they don't, they face legal consequences in the US. The European Data Protection Board has made it unequivocally clear that cloud services may not transfer data solely on the basis of the CLOUD Act. A legal opinion from the University of Cologne, commissioned by the German Federal Ministry of the Interior, succinctly summarizes the practical implications: The ability of US authorities to obtain data "cannot be reliably ruled out"—not even through technical or organizational measures.

The Schrems Dilemma and its Aftermath

The history of transatlantic data privacy disputes is a history of failed compromises. Safe Harbor was struck down in 2015 by the European Court of Justice (ECJ) in its Schrems I ruling; Privacy Shield followed in 2020 with Schrems II. In Schrems II, the ECJ found that US surveillance law, in particular FISA Section 702 and Executive Order 12333, prevented effective protection of European data; the CLOUD Act, which only entered into force in 2018, adds the further question of compelled disclosure by the providers themselves. The current Trans-Atlantic Data Privacy Framework (TADPF/DPF) was adopted in July 2023 and upheld at first instance by the EU General Court in September 2025. An appeal to the ECJ is possible and, given the precedents, not unlikely.

Even if the DPF were to stand up in court, it wouldn't change the fundamental problem: Executive Order 14086, on which the DPF is based, is a presidential decree – and can be suspended or amended by a US president at any time. Anyone building their data protection strategy on this politically unstable mechanism is therefore building on sand. Microsoft has now openly admitted that the company cannot guarantee that European data is safe from access by US authorities.

What server location really means

Technically, there are approaches that reduce the risk. Microsoft's EU Data Boundary promises processing within the EU, support by EU-based personnel, and customer control over encryption keys. AWS and Google Cloud offer comparable sovereign cloud concepts. However, these measures do not remove US access, because the parent company remains subject to US law. The crucial difference, which is often overlooked, is that what matters is not only the location of the server but the jurisdiction of the company that controls it. Only if the provider and the data center are fully subject to German and European law does the CLOUD Act not apply. Two caveats belong here. First, the CLOUD Act reaches any provider subject to US jurisdiction, so a European provider with substantial US operations can also fall within its scope. Second, customer-controlled keys only help to the extent that the provider never holds usable key material: keys stored in the provider's own key management service remain within its possession, custody, or control, and even externally held keys are used in the provider's memory while data is being processed.

Idgard puts it succinctly: A US company that acquires a German cloud provider also inherits the CLOUD Act – regardless of where the servers are located. This scenario is not theoretical. In recent years, US technology companies have aggressively acquired European cloud providers or integrated them as strategic partners. Anyone who doesn't regularly check their provider's ownership structure can become a victim of this trend without even realizing it.


Why German cloud computing is now becoming a procurement obligation: solutions, providers, recommendations for action

The German and European alternatives

There is a clear solution: using cloud providers that not only operate their data centers in Germany but also have their headquarters here and are therefore subject exclusively to German and European law. These providers exist – in growing numbers and with increasingly sophisticated service portfolios.

In the segment of large infrastructure providers, IONOS Cloud is one of the most prominent examples. Headquartered in Montabaur, IONOS operates all its services under German jurisdiction, is certified according to BSI C5 and ISO 27001, and offers full GDPR compliance. Its services are governed by European data protection law, so foreign authorities have no direct legal basis for compelling access and would have to rely on mutual legal assistance procedures.

Another significant player is plusserver from Cologne, which specializes in hybrid cloud scenarios and data sovereignty. With German providers like plusserver, all data processing is subject exclusively to German and European law: no direct access by foreign authorities, no uncertainty due to the US CLOUD Act. Hetzner Cloud from Gunzenhausen is known for its excellent price-performance ratio and operates its own data centers in Germany and Finland; note, however, that Hetzner also offers cloud locations in the USA and Singapore, so the region must be chosen deliberately when sovereignty is the goal. STACKIT, the cloud subsidiary of the Schwarz Group (Lidl, Kaufland), headquartered in Neckarsulm, offers sovereign cloud solutions for businesses and public administration.

In the end-user and team solutions segment, German providers with strong data protection profiles are also available. Deutsche Telekom's MagentaCLOUD stores data in highly secure German data centers. STRATO HiDrive is a widely used online storage service from Berlin-based Strato AG. TeamDrive from Hamburg specializes in highly secure, end-to-end encrypted collaboration. luckycloud, also from Berlin, focuses on security and flexible pricing models. Storage solutions from GMX, WEB.DE, and mail.com, all part of the United Internet Group headquartered in Karlsruhe and Montabaur, complete the range of options for consumers and small teams.


Regulatory pressure is increasing

2026 marks a turning point in this regard. The regulatory landscape has changed significantly, creating new obligations that considerably increase the pressure to use sovereign cloud providers. The NIS II Implementation Act came into force on December 5, 2025, and entails a fundamental revision of the BSI Act. Cybersecurity requirements have been significantly expanded and now also affect large segments of small and medium-sized enterprises (SMEs) – with binding risk management requirements, stricter reporting obligations, and revenue-based fine systems.

The Digital Operational Resilience Act (DORA), applicable since January 17, 2025, is particularly relevant for financial entities and their critical ICT third-party providers. It obliges these companies to reassess their entire third-party ICT risk strategy, including the question of whether US cloud providers still meet the legal requirements in light of the CLOUD Act. On that question the Cologne legal opinion commissioned by the German Federal Ministry of the Interior (BMI) is unequivocal: access by US authorities cannot be reliably ruled out. According to an analysis by Manage IT, from 2026 onwards sovereignty will no longer be a buzzword but a procurement obligation, and public authorities and critical industries will only be permitted to choose providers that are fully under EU control.

GAIA-X and the EU Data Act as a structural turning point

At the European level, there is a long-term initiative that aims to politically and technically enshrine the framework for digital sovereignty: the GAIA-X project. Launched in 2019, this initiative seeks to create platforms and services for a European data infrastructure where companies can precisely define and technically enforce the uses of their data. GAIA-X is neither a cloud provider nor a European hyperscaler – it is a framework for interoperable, sovereign data spaces.

In parallel, the EU Data Act creates new obligations for cloud providers: improved data portability, interoperability, and fair contract terms. Customer switching rights are strengthened, which structurally benefits European providers and reduces vendor lock-in with US hyperscalers. The EU is also working on the Cloud and AI Development Act, which could establish binding sovereignty criteria for cloud services. These regulatory developments are changing the incentive structure: using US cloud providers is becoming more expensive and risky, while switching to European alternatives is becoming easier.


Practical implementation: What companies should do now

The realization that a server location in Germany alone is insufficient presents many companies with operational questions. What does this mean in concrete terms? First, existing cloud contracts must be reviewed with regard to the provider's ownership structure. If the provider or its parent company is based in the USA, there is a CLOUD Act risk regardless of the server location. This step is not trivial, especially with complex corporate structures, white-label offerings, and the sub-processors listed in the provider's data processing agreement. The review should be repeated at every contract renewal, since ownership can change after an acquisition.

Next, data should be classified: which data requires particular protection? This includes personal data as defined by the GDPR, but also trade secrets, patent information, and strategic planning documents. Such data should preferably be stored with providers operating under German or EU law; less sensitive data and non-personal information can be handled more flexibly. A complete migration to German providers is neither feasible in the short term nor always economically viable for many companies. A smart hybrid strategy that moves sensitive data to sovereign infrastructure and leaves less critical systems in multi-cloud scenarios is the pragmatic approach for most organizations.

Data sovereignty as a strategic corporate characteristic

Data sovereignty is not just an IT issue. It's a strategic business issue. Companies that lose control over their data—whether through regulatory failure, access by US authorities, or structural dependence on a single provider—also lose strategic agility. Customer data, development data, supplier data: these are the raw materials for future competitive advantages. Their uncontrolled exposure to foreign legal systems is not a calculable risk, but a structural vulnerability.

The good news is: the alternatives exist, they are maturing rapidly technologically, and the regulatory environment is making their use increasingly attractive. IONOS Cloud, plusserver, Hetzner, STACKIT, TeamDrive, and their competitors now offer a range of services sufficient for the vast majority of business needs. Perhaps the decisive advantage: they offer legal planning certainty. And in a world where the transatlantic data protection regime has to be renegotiated every few years, planning certainty is a value that cannot be measured in terabytes, but certainly in trust, compliance, and strategic autonomy.


Konrad Wolfenstein
