What is sovereign cloud?

Today, plenty of cloud providers market themselves as “sovereign”. Behind that label, the reality is often quite different. Your data may be physically stored in Switzerland or Europe, and remain perfectly accessible from the United States. Here is why data sovereignty is a strategic issue, and how to avoid the pitfalls when choosing your cloud provider.

This article draws on the talk given by Léopold Jacquot, Principal Engineer at Infomaniak, at Swiss Cyber Security Days 2026.

Data localisation: why “hosted in Switzerland/Europe” is not enough

Start with the most widespread illusion: geography.

Léopold Jacquot has been Principal Engineer at Infomaniak for nine years. At Swiss Cyber Security Days 2026, he summed up the problem with a single image:

Picture a safe physically located in Zurich — Swiss steel, Swiss lock. Except the key is held by a company in San Francisco. The safe is Swiss. Its contents are not.

That is precisely what happens to your data when the company operating the server is subject to foreign legislation. The CLOUD Act, a US law in force since 2018, compels American technology companies to hand over data to the authorities, even when that data is stored abroad.

In practice: it does not matter whether the data centre is in Berne, Frankfurt, or Paris. If the company managing it is American or owned by an American group, your data is legally accessible from the United States.

For the technically minded, Léopold Jacquot goes a step further: what really matters is who holds the encryption keys.

Your data may be encrypted with AES-256, hosted in a European data centre, with a rock-solid SLA. But if the keys are managed by a service operated by AWS, Azure, or Google Cloud, it is the equivalent of encrypting your data and posting the key to the United States.
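The key-custody point above can be made concrete with envelope encryption, the pattern most cloud storage services use: each object is encrypted under its own data key (DEK), and the DEK is itself wrapped under a key-encryption key (KEK). Whoever holds the KEK can read everything. The example below is added here and is not code from the article or from Infomaniak; it models a provider that either runs the key-management service (and so holds the KEK) or only stores opaque bytes while the customer keeps the KEK. The `CloudProvider`, `StoredObject`, `envelope_encrypt` and `demo` names are hypothetical, the stored "client file" is a constructed sample, and the cipher is a standard-library stand-in (HMAC-SHA256 keystream plus an authentication tag) for the AES-256 the article names; the custody logic, not the cipher, is what it demonstrates.

```python
"""Who holds the key decides who can read the safe (added example, not Infomaniak code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TAG_LEN = 32
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for AES-256 so the example runs offline."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce. Returns nonce || body || tag."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or modified data raises ValueError."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


@dataclass
class StoredObject:
    ciphertext: bytes     # object encrypted under its own data key (DEK)
    wrapped_dek: bytes    # that DEK, encrypted under the key-encryption key (KEK)


@dataclass
class CloudProvider:
    """The operator: always holds the stored objects, and possibly the KEK as well."""
    objects: Dict[str, StoredObject] = field(default_factory=dict)
    kms_kek: Optional[bytes] = None   # set only when the provider runs the KMS

    def put(self, name: str, obj: StoredObject) -> None:
        self.objects[name] = obj

    def compelled_disclosure(self, name: str) -> Optional[bytes]:
        """What the operator is able to hand over if legally required to (modelled)."""
        obj = self.objects[name]
        if self.kms_kek is None:
            return None   # only opaque ciphertext and a wrapped key: nothing readable
        dek = toy_decrypt(self.kms_kek, obj.wrapped_dek)
        return toy_decrypt(dek, obj.ciphertext)


def envelope_encrypt(kek: bytes, plaintext: bytes) -> StoredObject:
    """Fresh DEK per object; the DEK is wrapped under the KEK before storage."""
    dek = os.urandom(32)
    return StoredObject(toy_encrypt(dek, plaintext), toy_encrypt(kek, dek))


def envelope_decrypt(kek: bytes, obj: StoredObject) -> bytes:
    return toy_decrypt(toy_decrypt(kek, obj.wrapped_dek), obj.ciphertext)


SAMPLE = b"privileged client file (constructed sample)"


def demo(provider_holds_kek: bool) -> Tuple[bytes, Optional[bytes]]:
    """Returns (what the customer reads back, what the operator could disclose)."""
    kek = os.urandom(32)
    provider = CloudProvider(kms_kek=kek if provider_holds_kek else None)
    provider.put("client-file.pdf", envelope_encrypt(kek, SAMPLE))
    customer_view = envelope_decrypt(kek, provider.objects["client-file.pdf"])
    return customer_view, provider.compelled_disclosure("client-file.pdf")


if __name__ == "__main__":
    # Same data centre, same cipher, same SLA; only key custody differs.
    print("provider-managed KEK :", demo(provider_holds_kek=True)[1])
    print("customer-held KEK    :", demo(provider_holds_kek=False)[1])
```

In both runs the customer reads the file back normally; the difference is entirely in the second value. With a provider-operated KMS the operator can unwrap the DEK and produce the plaintext on demand, which is the "key posted to the United States" scenario. With the KEK kept by the customer, or by a key service under the same jurisdiction as the data, the operator's answer to a demand is opaque bytes. The practical check this suggests when evaluating an offer is therefore not "is the data encrypted?" but "which entity, under which law, can unwrap the keys?"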

The software layer that changes everything (and creates dependency)

Geography is not the only false promise.

Take an application built by a European company, sold as “100% local”. Under the bonnet, it runs on a system whose licence belongs to a foreign publisher, with licence servers in the United States. Everything works perfectly well — until the day that publisher changes its terms, raises its prices by 300%, or simply decides to cut access.

Some “sovereign cloud” offerings rest entirely on foreign technologies. The local operator is a front, while the layer that actually touches your data is controlled from abroad. You see it everywhere in Europe: partnerships between European cloud players and American hyperscalers, presented as “sovereign”. Scratch the surface, and the foundational layer is still controlled from overseas.

The myth of the watertight contract

Then there is the contract. The thinking goes:

Our lawyers negotiated a solid confidentiality clause — we are protected.

Except that a commercial contract is an agreement between two private parties. It does not hold up against a legal demand from a state. In the face of a US court order, confidentiality clauses change nothing. They operate at fundamentally different levels of protection.

And this logic does not apply only to servers or messaging services. It applies to everything we entrust to an American service, including the prompts your teams send every day to Anthropic’s Claude, ChatGPT, Microsoft’s Copilot, or Google’s Gemini. The “enterprise” contract for those services is a commercial contract. It carries no weight against a state injunction.

CLOUD Act, GDPR, extraterritorial laws: what the law actually says

  • The CLOUD Act obliges any US-incorporated company to provide authorities with the data it holds, including data stored outside the United States.
  • The GDPR strictly governs transfers of personal data to third countries.
  • The problem is that these two texts are in direct conflict. The Schrems II ruling of the Court of Justice of the European Union (2020) recognised that US legislation does not offer an equivalent level of protection to that of the EU.

The concrete consequence for a European company that entrusts its data to a CLOUD Act-subject provider: it is exposed to the risk of GDPR non-compliance, with fines of up to 4% of global annual turnover.

That risk materialised in 2025. On 6 February, a US presidential executive order placed Karim Khan, prosecutor of the International Criminal Court, under personal sanctions. Within weeks, he lost access to his Microsoft mailbox and switched to a Swiss alternative. On 20 August, US sanctions were extended to several ICC officials, including French judge Nicolas Guillou, whose Visa and Mastercard cards were blocked and whose access to several American platforms (Amazon, Airbnb, Booking.com, Expedia) was cut. On 31 October, the ICC announced it would replace Microsoft 365 with openDesk — an open-source suite developed by the German public body ZenDiS — across its 1,800 workstations.

A chain of events that demonstrated, in under a year, what no commercial argument had managed to establish:

A provider subject to a foreign jurisdiction can be compelled to cut access to its services — including to an international magistrate.

On 10 June 2025, before the French Senate inquiry committee on public procurement, Anton Carniaux, Director of Public and Legal Affairs at Microsoft France, was questioned under oath: could he guarantee that French citizens’ data would never be transmitted to US authorities without the agreement of French authorities? His response:

No, I cannot guarantee that, but it has never happened yet.

An answer that, in practice, closes the debate on the real scope of contractual commitments in the face of a state injunction.

Infomaniak’s vision: three pillars of genuine sovereignty

If sovereignty does not rest on geography, contracts, or marketing, where does real digital sovereignty actually lie? For Léopold Jacquot, sovereignty is first and foremost a matter of architecture, not location. At Infomaniak, that conviction translates into three concrete pillars.

1. Control the software, the data centres, and the know-how

Back to the safe analogy. For it to be genuinely sovereign, it is not enough for it to be in Switzerland.

The safe, the lock, the key, and the company that makes them must all fall under the same jurisdiction, and none of them must depend on a foreign actor.

That is the logic Infomaniak applies to every layer of its infrastructure. The company designs, operates, and runs its own data centres in Switzerland, with its own teams. Software is developed in-house, on open-source foundations such as OpenStack, Ceph, and Kubernetes. The network is configured by in-house engineers. No strategic dependency on foreign hyperscalers: no AWS underneath, no Azure as a subcontractor, no Google Cloud tucked away in a corner.

René Luria, Infomaniak’s CTO, sums up the approach in three words:

We build. We own. We operate.

For a developer, that level of control makes a tangible difference day to day.

When a client asks which path their data takes, we can answer precisely: not “somewhere in the cloud,” but “on this server, in this data centre, on this switch.” If we need to trace a network packet end to end to solve a problem, we can — because it is our network, not someone else’s.

This logic extends to energy. As Boris Siegenthaler, founder of Infomaniak, puts it:

Infrastructure that depends on external or unstable energy sources remains vulnerable. Infomaniak owns its own solar power plants in Switzerland and aims for 50% self-production by 2030.

The D4, an Infomaniak data centre inaugurated in January 2025 in Geneva, is the most fully realised expression of this approach. Built underground within a co-operative eco-district, it deploys 1,800 m² of server rooms and runs on 100% renewable energy. Its defining feature: all the heat produced by the servers and components is captured and fed into the district heating network of the Services Industriels de Genève.

At full capacity, the D4 will inject 1.7 MW (i.e. 14.9 GWh per year) into the heat network — the equivalent of heating 6,000 homes in winter and providing 20,000 five-minute showers in summer. Without this system, Geneva would need to burn 3,600 tonnes of CO₂-equivalent natural gas (or 5,500 tonnes of wood pellets) to produce the same heat each year.

The project received the Swiss Ethics Prize and the Canton of Geneva Sustainable Development Prize. Its energy design is documented and freely shared on d4project.org, so that other operators can replicate it.

2. Use sovereign AI services without exposing your data

Picture a law firm using an AI assistant to summarise a client file containing sensitive data covered by professional privilege. The summary is relevant, the time saving real. Except that file has just passed through servers located in the United States, operated by a company subject to the CLOUD Act. The confidential information has left the safe.

Artificial intelligence has become a blind spot in digital sovereignty. Under the terms of use of most AI assistants, queries can be retained and used to improve the model.

What you send can feed the system, and tomorrow a third party might indirectly benefit from it. Researchers have also demonstrated that it is possible to extract training data from these models using targeted attacks.

It is to address this issue that Infomaniak developed Euria, its AI assistant, and AI Services for businesses. The models — built on open-source foundations such as Mistral, Qwen, and Apertus — run on Infomaniak’s own GPUs, in Switzerland. No query is retained after processing: what you send is processed, then forgotten.

No prompt logging, no retraining on your data. The lifecycle of your information amounts to: input, processing, output, deletion.

The integration is consistent with the kSuite collaborative environment: Euria works with Infomaniak Mail, kChat, and kDrive, without your data ever leaving the sovereign ecosystem.

These models are not the most powerful on the market, and that is not the goal:

For common professional tasks — summarising a document, translating a text, analysing a file, transcribing audio — you do not need the most sophisticated model on the planet. You need a reliable model that respects your data.

3. A business model that does not monetise data

Last but not least: when a service is free, how is it financed? In most cases, by exploiting users’ data. That is not an accusation — it is a business model. And it directly determines what is done with your information.

At Infomaniak, the model is different: you pay for a service, and that is that.

Every feature is designed to collect the bare minimum of data needed for it to function. No advertising tracking, no analytics tools transmitting your behaviour to third parties, no fingerprinting.

Infomaniak’s independence is structurally protected. The reference shareholder is a Swiss public-interest foundation, which holds the majority of voting rights in the form of non-transferable special shares. A hostile takeover or a non-European acquisition is technically impossible. No investor can impose short-term thinking or pressure the company to monetise data in search of margin growth. Infomaniak’s strategic decisions remain governed by the values enshrined in the Participation Charter.

That independence is also reflected in the code. A growing share of Infomaniak’s service components is open-sourced on GitHub, where anyone can inspect, verify, and contribute to improving the code. To further strengthen security, Infomaniak runs a bug bounty programme that rewards cybersecurity researchers who report vulnerabilities. No hidden dependencies, no backdoors.

These commitments are verifiable. Infomaniak holds B Corp certification — a demanding label based on regular independent audits — along with ISO 14001 for environmental management and ISO 50001 for energy performance. Carbon emissions are offset at 200%, and server lifespans are extended to up to 15 years, compared to the industry norm of 3 to 5.

How to choose a sovereign cloud: five questions to ask

The usual criteria — hosted in Europe, GDPR-compliant, confidentiality clause included — are no longer sufficient.

As Marc Oehler, CEO of Infomaniak, points out, you need to look beyond standard procurement checklists.

Here are five concrete questions, drawn from Léopold Jacquot’s keynote, that cut through the labels:

  1. Who actually controls your data? Which company, in which country, has access to your data and your encryption keys — beyond the location of storage?
  2. Is the entire technical chain under your control? Software, network, servers, energy. A single link dependent on a foreign actor is enough to compromise the whole.
  3. Are the technologies used verifiable? A provider that relies on open-source software offers a level of transparency that proprietary solutions cannot match.
  4. What happens if the provider is acquired? In the event of a change of ownership, do your data follow? Is there a clear procedure for retrieving them and moving elsewhere?
  5. Can the provider resist legal pressure from foreign states? The hardest question to ask — and the most important.

Digital sovereignty is not a marketing argument. It is a series of technical, economic, and legal choices that determine, in practice, who controls your data and your infrastructure.

Data sovereignty does not come down to a geographical address. The right question is not “where is my data?” — it is “who can access it, and under what conditions?”

Léopold Jacquot’s talk at Swiss Cyber Security Days 2026

Sovereign cloud: the questions we are asked most

Does the CLOUD Act apply to European companies?

The CLOUD Act targets US-incorporated companies, but the moment a European company entrusts its data to an American provider (Microsoft, Google, AWS) or to one of their European subsidiaries, it is exposed. As a developer, I would put it this way: it is not the server’s address that matters — it is the jurisdiction of the entity that controls the stack and the software processing the data. And it is the European company, as data controller, that bears the GDPR risk. That is why choosing an independent European cloud is becoming a strategic decision.

Is data hosted in Switzerland protected from the CLOUD Act?

It depends entirely on who actually operates the service, and what technologies are used to do so. If the provider is a Swiss company incorporated under Swiss law, with no subsidiary or structure in the United States, the CLOUD Act does not apply to the entity itself. That is our situation at Infomaniak: a Swiss company under Swiss law, with data centres in Switzerland, teams in Switzerland, and no legal entity across the Atlantic. But that alone is not enough. If the software stack relies on American proprietary components — a hypervisor, a managed database, an encryption key management service operated by AWS, Azure, or Google Cloud — the dependency remains. One blocked update, one revoked licence, and the Swiss operator no longer has control. The geography of the data centre does not make sovereignty. Nor does the software layer, if it depends on a foreign publisher.

There is one further angle that is often overlooked: the potential acquisition of the provider. A Swiss company today can fall under a foreign jurisdiction tomorrow, overnight, with no recourse for you. Your data will follow. That is precisely why Infomaniak operates under the aegis of a public-interest foundation that guarantees its long-term independence.

What is the difference between sovereign cloud, trusted cloud, SecNumCloud, and the hyperscalers’ sovereign clouds?

The fundamental question to ask is: “Which jurisdiction governs the parent company of the entity operating my service?” The CLOUD Act looks neither at where the data is, nor at who presses the buttons. It looks at the legal nationality of the group.

With that filter, the landscape becomes legible:

  • The “sovereign clouds” of the hyperscalers (Microsoft, AWS, Google) are operated by European subsidiaries of American groups. Whatever the quality of the technical isolation, the parent company remains under US law. US jurisdiction remains enforceable.
  • Trusted cloud is a French label that does not require technological independence. Labelled offerings such as Bleu (Orange-Capgemini, Microsoft technology) or S3NS (Thales, Google technology) rest on components licensed from American hyperscalers. These are “hybrid clouds”.
  • SecNumCloud, the qualification issued by ANSSI, goes much further: it requires immunity from extraterritorial laws, guaranteed by European capital control. It is currently the only French framework that structurally excludes the CLOUD Act. No equivalent exists at European level yet.
  • Sovereign cloud, finally, is not a label — it has no single legal definition. That is precisely why everyone claims it, from genuinely independent operators to hyperscaler subsidiaries.

In short: a service can be hosted in Europe, operated by Europeans, certified by European bodies, and still be legally accessible from Washington. The right question to ask your provider is not “are you sovereign?” — it is “who owns the parent company, and under which jurisdiction?”

Can my cloud provider be acquired by a foreign entity?

This is the most structurally important question for the long term. A European company today can fall under a foreign jurisdiction tomorrow — overnight, with no way for you to prevent it. Your data will follow.

Three things to check before signing:

  • The capital structure. Who holds the shares? A listed company, an investment fund, or a holding with open capital can be acquired. A public-interest foundation as majority shareholder cannot — its statutes legally prevent it.
  • The registered jurisdiction of the parent company. A French or Swiss provider majority-owned by an American group is already, in practice, under US jurisdiction.
  • The provider’s history. Has it already been acquired, merged, or restructured? What written commitments does it make regarding its capital stability?

At Infomaniak, the Infomaniak Foundation holds majority voting rights as reference shareholder. That structure makes a hostile takeover or a non-European acquisition legally impossible, regardless of the wishes of management. It is a structural lock — not a contractual promise.

Is GDPR enough to protect me from the CLOUD Act?

No — and that is the most widespread misconception among IT directors.

  • The GDPR prohibits transfers of personal data that are not covered by an appropriate legal framework,
  • the CLOUD Act compels such transfers.

The two texts are in direct conflict, and the Schrems II ruling confirmed that in 2020. When your provider is subject to both, it ultimately applies US law. Microsoft France acknowledged as much to the Senate in June 2025. The GDPR is a protective text, but it does not create a technical shield. The only real shield is not depending on an entity subject to extraterritorial jurisdiction.

Does an SME really need sovereign cloud?

The right criterion is the nature of the data. If a business processes client data, strategic information, intellectual property, or health data, the GDPR risk is exactly the same as for a large corporation.

For very standard uses — a brochure website, a public newsletter — a public cloud may be sufficient. But the moment you handle sensitive data, sovereign cloud is no longer a luxury; it is a rational architectural choice. And contrary to a common misconception, it is not more expensive: at Infomaniak, for equivalent services, we are generally cheaper than AWS, Azure, or Google Cloud — and without the egress fees that inflate bills at the end of the month.

What certifications does Infomaniak hold?

Infomaniak holds a combination of independent certifications — ISO 27001, ISO 14001, ISO 50001, ISO 9001, and B Corp — covering security, the environment, and governance.

In addition, carbon offsetting is verified at 200% by myclimate. Further certifications are in progress to meet the growing requirements of regulated sectors.
