Sovereignty as a Service: The AWS European Sovereign Cloud is Live

Jano Barnard R&D Engineer

April 22, 2026

AWS partner dedicated to startups

• 2000+ Clients
• 5+ Years of Experience
• $10M+ saved on AWS

On January 15, 2026, AWS officially “flipped the switch” on the AWS European Sovereign Cloud (ESC). Announced back in 2023, the infrastructure is now generally available, with its first region live in Brandenburg, Germany.

As a European company, we at Cloudvisor know this isn’t just another region launch. For European companies wrestling with data sovereignty, GDPR fallout, the US CLOUD Act, and the ever-shifting EU-US data transfer landscape, this is one of the most significant cloud announcements of the year.

But beneath the headlines, decision-makers are asking: How is it different from the EU regions you’re already using (Frankfurt, Ireland, Stockholm, Paris, Milan, Zurich, Spain)? And does it actually solve the sovereignty problem, or is it sophisticated marketing?

This post is our attempt at an honest, practical explainer. We’ll walk through what’s driving the demand for sovereign cloud in Europe, what the ESC actually is at a technical level, how it stacks up against alternatives from Microsoft, Google, Oracle, and European-native providers, and, most importantly: who should and shouldn’t be looking at it.

TL;DR: Executive Summary

• What launched: AWS flipped the switch on the European Sovereign Cloud (ESC) on 15 January 2026 – a separate, EU-operated AWS partition (aws-eusc) with its first region in Brandenburg, Germany.
• Why it matters: EU regulations (DORA, NIS2, EU Data Act) and the shaky status of EU-US data transfers have pushed cloud sovereignty from a compliance checkbox to a board-level question.
• What’s different: The ESC is structurally isolated from global AWS – separate legal entity under German law, EU-resident-only operations, independent IAM, billing, DNS, and certificate authority. It’s a partition, not a region.
• The trade-offs: ~15% pricing premium, around 90 services (vs 240+ in commercial EU regions), only two AZs at launch, and missing key services like CloudFront, GPU instances, and most Bedrock models.
• How it compares: Microsoft and Google went for locally-owned partner clouds (Bleu, S3NS) that offer stronger legal insulation in specific countries. Oracle has first-mover advantage but a smaller ecosystem. European-born providers (OVHcloud, Scaleway) remain the only fully US-jurisdiction-free option. The ESC’s edge is pan-European reach plus deep AWS integration.
• Who it’s for: Public sector, regulated industries (financial, healthcare, defense), and anyone with contractual sovereignty obligations. Most startups and general workloads don’t need it – standard EU regions with strong controls are still the pragmatic default.
• The honest catch: AWS European Sovereign Cloud GmbH is still 100% owned by a US corporation. The technical isolation is genuine, but the CLOUD Act exposure never fully goes away. It’s a risk-mitigation tool, not a sovereignty silver bullet.

Why Sovereign Cloud is Suddenly a “Board-Level” Priority

European demand for sovereign cloud isn’t driven by any single regulation. It’s the cumulative weight of an entire regulatory stack that has matured rapidly since 2020, layered on top of geopolitical uncertainty about US-EU relations.

Let us take a quick summarized tour of the pressure points – it’s a lot to digest, but it sets the stage for the necessity of the European Sovereign Cloud.

1. GDPR: The Floor, Not the Ceiling

The General Data Protection Regulation (GDPR) was a massive milestone for privacy, but it doesn’t solve everything.

• The Gap: While GDPR protects your personal data, it doesn’t address “operational sovereignty” – who controls the hardware and who can look at the data.
• The Conflict: If your data is in a German data center but the provider is a US-headquartered company, that data is still technically subject to US law.
• Non-Personal Data: GDPR also doesn’t cover industrial secrets, trade data, or the “metadata” (the data about your data) that businesses need to keep private.

2. The “Schrems” Legal Rollercoaster

You may have heard of “Schrems II” or “Schrems III”. These are names for major court battles at the Court of Justice of the European Union (CJEU) – the highest court in the EU.

• Schrems II (2020): This ruling essentially blew up the “Privacy Shield”, the legal agreement that allowed data to flow easily between the EU and the US. The court found that US surveillance laws were too broad and didn’t give EU citizens enough protection.
• The Data Privacy Framework (DPF): This is the current “replacement” deal established in 2023. However, it is considered very fragile because it relies on a US Executive Order that any future US President could cancel with a signature.
• Schrems III: A new legal challenge is already on the horizon. Experts warn that the current framework provides only “temporary legal certainty” and another court case could challenge it.

3. The “Long Arm” of US Surveillance

Two specific US laws are at the heart of the sovereignty debate:

• The US CLOUD Act: This law allows US law enforcement to demand data from any US-controlled company, regardless of where in the world that data is physically stored. This creates a direct legal conflict because following the US law might mean breaking EU law.
• FISA 702: This is a US foreign intelligence law that allows for the surveillance of non-US persons. Recent updates to this law have expanded its reach, potentially covering more cloud data centers than ever before.

4. The “Regulatory Triple Threat”

Three recent EU regulations have significantly raised the stakes for critical industries:

• DORA (Digital Operational Resilience Act): As of early 2025, banks and financial institutions must have total visibility and control over their technology providers to ensure they don’t go offline or lose data during a crisis.
• NIS2: This directive forces 18 “critical” sectors – including energy, water, and healthcare – to follow strict new cybersecurity rules. Cloud providers are now explicitly included in this oversight.
• The EU Data Act: It requires cloud providers to put measures in place to stop foreign governments from compelling access to non-personal data (like industrial secrets) stored in the EU.

5. Local Sovereignty Standards

Individual European countries are also setting their own “gold standards” that are hard for standard clouds to meet:

• France (SecNumCloud): This is the strictest standard in Europe. It requires the cloud provider to be majority European-owned and totally immune to foreign laws – effectively shutting out standard US cloud services.
• Germany (BSI C5): This is a mandatory security certification for any cloud provider handling German healthcare data.

This is the world AWS is launching the European Sovereign Cloud into.

What is the European Sovereign Cloud (ESC)?

The AWS European Sovereign Cloud is not just another AWS region in Europe. It’s a separate AWS partition – architecturally isolated from the global AWS cloud the same way AWS GovCloud (US) and AWS China are. The partition identifier is “aws-eusc”, and the first region is “eusc-de-east-1” in Brandenburg, Germany, with two Availability Zones at launch. For the technical stakeholder reading this – ARNs of resources created in the ESC start with arn:aws-eusc: not arn:aws:.

Separate legal entity under German law. The ESC is operated by AWS European Sovereign Cloud GmbH and three subsidiaries, all incorporated in Germany. Managing directors Stéphane Israël and Stefan Hoechbauer are both EU citizens. An independent advisory board of EU citizens (with two third-party representatives) provides oversight.

EU-resident operations only. Day-to-day operations, technical support, and customer service are performed exclusively by EU residents located in the EU. AWS is gradually transitioning toward EU-citizen-only operations.

Independent infrastructure stack. The ESC has its own dedicated IAM, billing, DNS (Route 53 with European TLDs only), and certificate authority. Technical controls prevent access from outside the EU, and AWS states the infrastructure has no critical dependencies on non-EU personnel or systems. The region is designed to operate continuously even if connectivity to the rest of the world is severed.

Separate accounts and APIs. You can’t extend an existing AWS Organization into the ESC. You create new accounts at a dedicated console (console.amazonaws-eusc.eu) with API endpoints on *.amazonaws.eu. Contracting goes through Amazon Web Services EMEA SARL, with billing in euros.

Service availability at launch. Around 90 services are available, including EC2, Lambda, S3, EBS, Aurora, DynamoDB, RDS, EKS, ECS, VPC, KMS, CloudHSM, GuardDuty, SageMaker, and Amazon Bedrock. AWS has been adding services steadily – IAM Identity Center and AWS Network Firewall both landed in March 2026.

Compliance. Within its first few months, the ESC has already cleared the most difficult legal hurdles required for highly regulated industries. This includes achieving BSI C5 (Germany’s “gold standard” security benchmark for cloud services), SOC 2 (a comprehensive third-party audit report that proves their security controls actually work), and seven global ISO certifications that cover everything from basic data protection (ISO 27001) to specific cloud privacy standards (ISO 27018). While it currently holds “Type 1” status (meaning the security design is officially approved) AWS is already working toward “Type 2” to prove these controls remain effective and reliable over the long term.

Pricing. Independent analysis (tecRacer) found a consistent ~15% premium over standard EU regions across EC2, S3, RDS, and Lambda. There is no Free Tier in the ESC. For context: AWS GovCloud carries a ~20% premium, Microsoft Delos and Google S3NS sit in the 15-20% range, and Oracle’s EU Sovereign Cloud charges no premium at all.

That wraps up what is on offer as of April 2026. Recreating a public cloud from scratch doesn’t come without trade-offs, even if some trade-offs are only temporary.

What’s Missing (For Now)

Being honest about the limitations matters more than listing the features, especially for those already using the standard AWS offering. At launch, the ESC is missing:

• CloudFront (planned late 2026)
• CI/CD services like CodePipeline and CodeBuild (planned 2027)
• GPU instances (no p-type or g-type)
• Advanced security tools like Inspector and Macie
• Most Bedrock models – only Amazon Nova Lite and Nova Pro are available; no Claude, Mistral, or Llama
• A third Availability Zone – two AZs falls short of the three-AZ standard most enterprises expect for mission-critical workloads

There’s also an operational reality to be honest about. The AWS GovCloud (US government AWS partition) took seven years to get a second region and still doesn’t have full service parity with commercial AWS more than a decade later. The ESC could follow a similar trajectory (or not). If ESC uptake is good, perhaps it is motivation to achieve full parity with the public AWS partition.

How the European Sovereign Cloud Compares to Alternatives

The ESC isn’t launching into an empty market. Every major hyperscaler has a sovereignty story, and European-native providers offer something no US-owned cloud can structurally match.

Microsoft has the broadest stack: the EU Data Boundary (no extra cost, fully implemented February 2025), the rebranded Microsoft Sovereign Cloud, and national partner clouds – Bleu (Orange/Capgemini operating Azure for the French public sector, targeting SecNumCloud) and Delos (SAP subsidiary running Azure for the German government, with productive use from January 2026 at a 10-20% premium). Microsoft uniquely covers productivity software (Microsoft 365) under sovereign controls.

Microsoft’s sovereignty credibility took a public hit in July 2025, when its chief legal officer in France, appearing before the French Senate about a deal involving sensitive public sector data, was unable to clearly confirm that Microsoft would never hand over EU data to US authorities without consent – a moment that crystallized the limits of technical and contractual safeguards when US jurisdiction still applies.

Google Cloud has arguably achieved the strongest structural sovereignty among US hyperscalers. Its partner-operated S3NS (a Thales joint venture in France) achieved SecNumCloud 3.2 qualification in December 2025 – a milestone no other US hyperscaler has matched. S3NS is structurally outside US jurisdiction and deployments can survive up to a year without Google connectivity. However, S3NS is a France-specific offering, not a pan-European sovereign cloud like the ESC – Google has similar but separate partnerships in Germany (T-Systems, STACKIT) and Spain (Minsait), but no unified European sovereign infrastructure.

Oracle has first-mover advantage, having launched its EU Sovereign Cloud in June 2023 – over two years before the ESC. It offers two separate sovereign regions (Frankfurt and Madrid), the full OCI service catalog, EU-resident operators, and no pricing premium. That said, OCI’s overall market share in Europe is a fraction of AWS’s, and its sovereign cloud is most compelling for organizations already invested in the Oracle ecosystem rather than those building cloud-native on AWS services.

European-born providers like OVHcloud, Scaleway, IONOS, and STACKIT offer something none of the US giants structurally can: because they’re European-owned companies with no US parent, they fall entirely outside the reach of laws like the CLOUD Act. That legal clarity is why OVHcloud and Scaleway – not AWS, Azure, or Google – were selected to build the infrastructure for the ECB’s digital euro project. The trade-off is that these providers offer fewer services and far less mature AI and machine learning tooling than the hyperscalers. And despite the sovereignty advantages, US cloud providers still hold roughly 70% of the European cloud market.

Then there’s Gaia-X, the Franco-German initiative launched to build a framework for European cloud sovereignty. It’s still active, but has largely underdelivered on its original ambitions. Scaleway has already withdrawn its membership. At this point, Gaia-X’s contribution is mostly interoperability standards and governance frameworks rather than actual cloud infrastructure you can deploy workloads on.

What sets the ESC apart is the depth of the isolation – not just data residency controls layered onto existing infrastructure, but a completely separate software stack with independent IAM, billing, DNS, certificate authority, and operations. This goes further than Microsoft’s EU Data Boundary or Google’s Assured Workloads. The trade-off is fewer services, a single region, and a less mature ecosystem, but that all can change going forward.

Is the European Sovereign Cloud for Me?

Here’s where we’ll be direct: most European companies do not need the ESC today. The ESC is designed for organizations where regulatory mandates, national security concerns, or contractual obligations make standard EU regions insufficient. This doesn’t mean you should not consider the ESC, but there are some clear cases where it definitely is worth the trade-offs.

Cases where the ESC is a strong fit:

• Public sector agencies subject to national cloud-first or sovereignty mandates
• Financial institutions navigating DORA’s ICT risk management requirements
• Healthcare organizations under Germany’s mandatory BSI C5 regime
• Defense, aerospace, and intelligence-adjacent organizations
• Critical infrastructure operators in scope of NIS2
• Companies with contractual sovereignty obligations to their own customers (e.g., serving the public sector)

Situations where the ESC should be carefully considered and is not necessarily the right fit:

• General SaaS, e-commerce, content, and consumer applications
• Startups and scale-ups optimizing for cost and time-to-market
• Workloads dependent on services not yet in the ESC (CloudFront, GPU instances, full Bedrock model catalog, mature CI/CD)
• Anything requiring three or more AZs for resilience SLAs

For most workloads, AWS’s own recommendation is sound: start with existing EU regions plus enhanced sovereignty controls (data residency configurations, customer-managed KMS keys, AWS Nitro System guarantees) and migrate to the ESC only if a specific regulatory requirement demands it. Standard EU regions give you 240+ services, three or more AZs, mature tooling, and no pricing premium.

If you do migrate, treat it as a cross-cloud migration, not a region-to-region move. New accounts. Recreated IAM. Separate Organizations. Redeployed apps. Partition-aware Terraform/CDK/CloudFormation. And the isolation goes deeper than most teams initially expect: there’s no cross-partition IAM role assumption (so developers need two separate sets of credentials, typically federated through an external IdP like Okta or Azure AD), no VPC peering between partitions, and no cross-partition ECR access (container images have to be pushed to ESC’s ECR or pulled from public registries, not from your existing eu-central-1 repos). Cross-partition networking happens over the internet, VPN, or Direct Connect – there’s no native AWS interconnect between partitions.

For most organizations, a selective dual-partition strategy makes sense: keep general workloads in commercial EU regions, place only sovereignty-sensitive workloads in the ESC.

The “Sovereignty Washing” Debate

The ESC faces one fundamental criticism that no amount of technical isolation can fully resolve: AWS European Sovereign Cloud GmbH is 100% owned by Amazon.com, Inc., a US corporation subject to the CLOUD Act and FISA Section 702.

Critics have not been gentle. Alexander Windbichler, CEO of Austrian provider Anexia, called the ESC “a classic smokescreen – not genuine digital sovereignty.” The European Cloud initiative scored the ESC poorly on strategic and legal sovereignty. Independent commentators have asked, fairly, whether a US-owned cloud can ever be truly sovereign, regardless of how many German GmbHs sit between Amazon and the customer.

AWS’s defence is multi-layered: separate German legal entities, EU-resident operations, independent infrastructure with no critical non-EU dependencies, customer-controlled encryption via KMS and CloudHSM, and source code replicas accessible to EU-resident employees in extreme circumstances. Perhaps most compelling is the hardware argument: the ESC runs exclusively on AWS’s Nitro System, which was designed from the ground up with zero operator access – there is no SSH into the hypervisor, no console access, no mechanism for any AWS employee to access EC2 instance memory or customer data on encrypted storage. This isn’t a policy promise that can be overridden under legal pressure; it’s a constraint enforced at the silicon level, independently audited by NCC Group.

The honest answer is that this is a spectrum, not a binary. The CLOUD Act has never been publicly used to compel access to data in a sovereign partition, and the legal and technical barriers AWS has erected would make such a demand costly to enforce and likely subject to legal challenge under German law. For many organizations, this level of risk mitigation – combined with the ESC’s service breadth and the broader AWS ecosystem – will be sufficient. For organizations subject to SecNumCloud-level requirements or operating in defence, intelligence, or against state-level threat models, it might not.

The right answer depends on your organization’s specific regulatory obligations, risk tolerance, and threat model. It’s a risk assessment, not a marketing decision.

How We Think About This at Cloudvisor

As a European AWS Advanced Tier Services Partner, we get this question constantly: “Should we move to the European Sovereign Cloud”? Our honest answer is almost always: “Let’s first figure out whether you actually need to”.

For the vast majority of the startups and scale-ups we work with, the answer is no – at least not yet. Standard EU regions with strong KMS policies, well-architected landing zones, and sensible data classification get you most of the way. The ESC’s 15% premium, two-AZ footprint, missing services, and operational complexity are real costs, and they only make sense when there’s a real regulatory or contractual driver to justify them.

For the organizations that do need it – public sector, regulated industries, anyone serving European governments or large enterprises with strict sovereignty clauses – the ESC is genuinely good news. It’s the most technically ambitious sovereign cloud offering from a US hyperscaler, with a credible service portfolio and a modest premium. The questions that really matter are:

1. Does your regulatory or contractual situation actually require ESC-level sovereignty, or are enhanced controls in standard EU regions enough?
2. Which of your workloads are sovereignty-sensitive, and which aren’t?
3. What’s your dual-partition operational model going to look like?
4. Do the services you depend on exist in the ESC today, or do you need to wait?

These are the conversations we’re having with customers right now. If you’re working through them yourself, get in touch – we’re happy to help you think it through, whether that ends with the ESC, a hardened standard EU region, or somewhere in between.

The Bottom Line

The AWS European Sovereign Cloud is the most serious sovereign cloud offering yet from a US hyperscaler. It addresses a real and rapidly growing market need driven by a converging stack of EU regulations and the structural fragility of EU-US data transfer mechanisms. The technical isolation is genuine, the 15% premium is reasonable and the service catalog will grow.

It also can’t fully resolve the structural tension at its core: US corporate ownership means US jurisdictional exposure persists, regardless of how many layers of operational separation sit on top. For some organizations that’s an acceptable trade-off. For others it isn’t.

The ESC is a tool, not a verdict. With Gartner projecting European sovereign cloud spend to hit $23.1 billion by 2027, every European technology leader is going to face this decision in some form over the next two years. The work now is figuring out, honestly and specifically, whether your organization is one of the ones that needs it.