Extraterritorial laws override server location. True sovereignty requires European ownership, not only hosting.
A Munich law firm uploads due diligence files to a Frankfurt data center. A Paris investment bank stores M&A documents on servers in Amsterdam. Both assume their data remains European. Yet both remain exposed to American surveillance laws.
The assumption that hosting data within EU borders shields it from foreign access has become one of corporate Europe's most dangerous misconceptions. Under the US CLOUD Act of 2018 and FISA Section 702, American authorities can compel US-owned companies to surrender data regardless of its physical location. The laws follow ownership, not geography. Microsoft acknowledged this reality in testimony before the French Senate earlier this year, when it was unable to guarantee that customer data stored in European data centers would never be transferred to US authorities.
This jurisdictional tension has turned critical for the European M&A market, where document security determines deal outcomes. The continent processed 9,800 M&A transactions in 2023, a 12 percent increase over the prior year according to LSEG Data & Analytics. Each involved thousands of confidential documents cycling through virtual data rooms. A single compliance breach carries penalties reaching 20 million euros or 4 percent of global revenue under GDPR. More damaging still is the reputational cost when sensitive transaction details surface through foreign surveillance channels.
The technical response from American hyperscalers has been predictable. Microsoft, Amazon, and Google now market "sovereign cloud" solutions featuring European data centers and local partnerships. Critics call this "sovereignty washing." As Cristina Caffarra, a Brussels-based competition economist, explained to The Register: "A company subject to the extraterritorial laws of the United States cannot be considered sovereign for Europe. That simply doesn't work." The parent company's American domicile ensures continued CLOUD Act jurisdiction, regardless of subsidiary structures or contractual promises.
Genuine sovereignty requires European ownership, not merely European hosting. French cloud provider Scaleway operates under this principle, with data centers in Paris, Amsterdam, and Warsaw controlled entirely by French parent company Iliad Group. No American parent company means no CLOUD Act exposure. The distinction matters operationally.
When Entropia, a virtual data room provider built by former Google engineers, evaluated infrastructure partners for its M&A platform, ownership structure determined the shortlist. The company's MCP server integration allows clients to access AI platforms like Claude and ChatGPT while maintaining document access controls, but the underlying infrastructure must remain immune to non-EU legal frameworks. Partnering with Scaleway solved the jurisdictional problem without compromising technical capabilities.
The shift is measurable. Germany's Schleswig-Holstein completed migration of 24,000 civil servants from Microsoft products to open-source alternatives in 2024. The International Criminal Court switched to European collaboration tools after chief prosecutor Karim Khan was temporarily locked out of his Outlook account. France TV, GENCI, and the French National Center for Scientific Research signed partnerships with Scaleway rather than hyperscalers for infrastructure requiring full sovereign control. Corporate legal departments report similar patterns, with 67 percent experiencing deal delays due to cross-border compliance verification, according to the European Confederation of Directors' Associations.
The FISA Section 702 renewal in April 2024 sharpened these concerns. The law now covers "any business with internet-linked infrastructure," expanding surveillance reach beyond traditional communications providers to encompass cloud services and data centers. The expansion came despite European Data Protection Board warnings that existing US surveillance laws already fell short of GDPR adequacy standards. Privacy advocates expect the EU-US Data Privacy Framework, which replaced the invalidated Privacy Shield agreement, to face judicial challenge within two years.
For M&A practitioners, the implications are straightforward. Due diligence materials, financial projections, and transaction structures constitute precisely the sensitive commercial information that foreign intelligence agencies target for economic advantage.
The theoretical risk of CLOUD Act access during a transaction may be small, but the consequences of exposure are catastrophic. European alternatives eliminate the possibility entirely by removing the jurisdictional vulnerability at its source.
This does not mean European companies must abandon all American cloud services. Hybrid strategies work for many organizations, using global platforms for general computing while routing sensitive transactions through sovereign infrastructure. The key is understanding which workloads demand jurisdictional control. M&A documents, intellectual property repositories, and regulated financial data belong in infrastructure that answers exclusively to European law. Generic collaboration tools and development environments can tolerate broader exposure.
The virtual data room market reflects this calculus. European VDR revenue reached 860 million dollars in 2024 and is projected to quadruple by 2033, driven by regulatory compliance and cross-border transaction complexity. Providers emphasizing European ownership and ISO 27001 certification capture premium pricing from clients prioritizing sovereignty over convenience. The market dynamic suggests that compliance-conscious organizations increasingly view ownership as a security feature rather than a procurement detail.
Perhaps inevitably, the American hyperscalers will continue marketing sovereignty solutions. Their scale, innovation velocity, and ecosystem integrations remain formidable competitive advantages. Yet as long as CLOUD Act jurisdiction follows corporate parentage, these offerings cannot deliver true legal independence. The technical capabilities may be identical, but the legal architecture fundamentally differs. For European organizations handling sensitive M&A transactions, that distinction determines where the data lives.
"CLOUD" in "CLOUD Act" is capitalized because it is an acronym: the "Clarifying Lawful Overseas Use of Data" Act.
Image credit: Scaleway