You use Microsoft 365 for your business email. SharePoint for documents. Maybe Azure for your applications. The servers are in a data centre in the Netherlands or Ireland. All neatly within the EU. Right?
Technically, yes. Legally, it's more complicated, because Microsoft is an American company. That means your data falls under American legislation, regardless of where the servers are physically located. The law that makes this possible is the CLOUD Act.
What exactly is the CLOUD Act?
The Clarifying Lawful Overseas Use of Data Act was passed by the US Congress in March 2018. The law gives American authorities the right to request data from companies under American jurisdiction, even if that data is stored outside the US.
The trigger was a legal battle between Microsoft and the US Department of Justice. Microsoft refused to hand over email data stored on servers in Ireland. The case went all the way to the Supreme Court, but was overtaken by the CLOUD Act, which simply regulated the matter by law: data location is not relevant, jurisdiction over the company is.
In practical terms, this means: if an American judge issues an order to Microsoft, Google, Amazon or any other American company, that company must deliver the requested data. Whether that data is in Virginia or Amsterdam.
How does it work in practice?
The CLOUD Act is not a blank cheque. There are conditions. A data request must be based on a valid search warrant or subpoena, linked to a specific criminal investigation. This typically involves terrorism, child abuse, cybercrime or drug trafficking.
The numbers confirm this. Microsoft's transparency report for the first half of 2025 shows that the company received 168 requests for business customer data from law enforcement agencies worldwide. In 57% of those cases, the request was rejected or withdrawn, or the agency was redirected to the customer. In 27 cases, Microsoft actually had to hand over content data, of which 23 went to American law enforcement.
AWS says that as of June 2025, there has not been a single request where enterprise or government data outside the US was provided to the American government.
That sounds reassuring. But it's not the whole story.
Why the numbers don't tell everything
First: the CLOUD Act is not the only law through which American authorities can access data. FISA Section 702 gives intelligence agencies the ability to collect data from non-Americans without a court order. Those requests don't appear in company transparency reports because they're classified.
Second: the fact that there are few requests doesn't mean the risk is small. It's about the possibility. If your organisation becomes the subject of an American investigation tomorrow, there is nothing that makes your Dutch hosting contract legally outweigh an American court order.
Third: the CLOUD Act provides for so-called executive agreements, bilateral treaties between the US and other countries. The United Kingdom was the first country to sign such a treaty (active since October 2022), followed by Australia. Through these treaties, non-American law enforcement agencies can also request data from American providers, with fewer procedural steps than through the traditional MLAT system (Mutual Legal Assistance Treaty).
The EU does not yet have an executive agreement with the US under the CLOUD Act. But the direction is clear: the network of countries that can directly request data from American tech companies is growing.
[Figure: How a CLOUD Act request works. Source: CLOUD Act Section 2713, 18 U.S.C. · Microsoft Transparency Report H1 2025]
CLOUD Act versus GDPR: a legal conflict without a solution
This is where it gets tricky. The GDPR states in Article 48 that a court ruling from a country outside the EU is not automatically a valid basis for transferring personal data. That is only permitted on the basis of an international treaty, such as an MLAT. The CLOUD Act bypasses the MLAT system.
This puts companies in an impossible position. Comply with the American order, and you may violate the GDPR. Refuse, and you risk sanctions in the US. The European Data Protection Board (EDPB) is clear: a CLOUD Act request is not in itself a valid legal basis for data transfer under the GDPR.
The Data Privacy Framework that the EU and US concluded in 2023 doesn't solve this. The DPF addresses the conditions under which personal data may be transferred to the US. It does not stand in the way of a CLOUD Act order, because that runs through a different legal track.
The Dutch Court of Audit raises the alarm
In January 2025, the Dutch Court of Audit (Algemene Rekenkamer) published the report "The Government in the Cloud: Dark Clouds Gathering". The conclusions were not mild. The Dutch government has limited visibility into its cloud services. Of the 1,588 reported cloud services at ministries, for more than a quarter it's not even known what type of cloud is involved.
More than half of the most important public cloud services are purchased from American companies: Amazon, Microsoft and Google. For 67% of those services, no strategic risk assessment has been made. The Court of Audit states that the national government has "thoughtlessly" started working in the cloud, and that the potential damage "could disrupt our society".
State Secretary Zsolt Szabó (Digitalisation) shared the main conclusion and acknowledged that more governance and oversight is needed. But concrete steps are still pending.
"Sovereign cloud": marketing or reality?
Microsoft offers an "EU Data Boundary". Amazon has a "European Sovereign Cloud". Google has "Sovereign Controls". The names suggest complete control. But sovereignty is not about where data is located. It's about who has authority over it.
As long as the provider is an American company, the CLOUD Act applies. The European subsidiaries and data centre locations don't change that. It's jurisdiction-by-ownership, not jurisdiction-by-location.
That doesn't mean these products are worthless. The additional encryption layers, key management options and access controls they include offer real protection. But they don't solve the fundamental legal problem: if the American government comes knocking at the parent company, that parent company is legally obliged to cooperate.
[Figure: Protection levels against foreign data access. Protection increases from top to bottom; the legal risk determines the level, not the technical configuration alone.]
What can you do as a business?
1. Map out which providers are American
Not just your primary cloud provider, but also the services around it. Do you use Slack for communication? Salesforce for CRM? Those are American companies that fall under the CLOUD Act. Make an inventory of your entire chain.
2. Classify your data
Not everything is equally sensitive. A marketing website has different requirements than a patient file or personnel administration. Determine which data you want to host with a European provider and where the risk is acceptable.
3. Use encryption with your own key management
If you stay with an American provider, make sure you use customer-managed encryption keys (CMEK). The CLOUD Act does not require providers to decrypt data that they technically cannot decrypt. If you manage the key, the provider cannot transfer the data in readable form. That only holds if the key material itself stays outside the provider's reach, for example in an HSM you operate or an external key manager; a key that merely carries your name but is generated and used inside the provider's own key service is still something the provider can technically use.
All major providers offer this: Microsoft via Azure Key Vault, AWS via KMS with CloudHSM, Google via Cloud KMS with External Key Manager.
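The mechanism behind customer-managed keys is envelope encryption: each object is encrypted under its own data encryption key (DEK), and that DEK is in turn wrapped under a key encryption key (KEK) that only the customer holds. The example below is added here to illustrate that principle; it is not code from this article or from any of the providers named above. It assumes the KEK is held in a customer-operated HSM or external key manager and never leaves it, and that the provider stores only the `StoredObject` (ciphertext plus wrapped DEK). The object identifier is bound in as associated data so that a wrapped key cannot be transplanted onto another object.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredObject is everything the provider keeps at rest: ciphertext and the
// data key wrapped under the customer's KEK, never the KEK or a plain DEK.
type StoredObject struct {
	Ciphertext []byte // data encrypted under the per-object DEK
	DataNonce  []byte // AES-GCM nonce for the data
	WrappedDEK []byte // DEK encrypted under the customer-held KEK
	DEKNonce   []byte // AES-GCM nonce for the wrapped DEK
}

// ErrKeyLength is returned when a key is not 32 bytes (AES-256).
var ErrKeyLength = errors.New("key must be 32 bytes")

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, ErrKeyLength
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; aad is
// authenticated but not encrypted.
func seal(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, aad)
}

// EncryptWithCustomerKey does envelope encryption on the customer side: a
// random per-object DEK encrypts the data, the KEK wraps the DEK, and the
// plaintext DEK is discarded. objectID is bound in as AAD on both layers.
func EncryptWithCustomerKey(kek, plaintext []byte, objectID string) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return StoredObject{}, err
	}
	dataNonce, ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	dekNonce, wrapped, err := seal(kek, dek, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Ciphertext: ct, DataNonce: dataNonce, WrappedDEK: wrapped, DEKNonce: dekNonce}, nil
}

// DecryptWithCustomerKey is the only path back to plaintext: unwrap the DEK
// with the KEK, then decrypt the data. Without the correct KEK the unwrap
// fails authentication, which is the position of a provider that holds only
// the StoredObject.
func DecryptWithCustomerKey(kek []byte, obj StoredObject, objectID string) ([]byte, error) {
	dek, err := open(kek, obj.DEKNonce, obj.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.DataNonce, obj.Ciphertext, []byte(objectID))
}

func main() {
	// Constructed demo values (hypothetical); a real KEK stays inside the HSM.
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	obj, err := EncryptWithCustomerKey(kek, []byte("constructed sample: personnel record"), "hr/record-0001")
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider holds %d bytes ciphertext and %d bytes wrapped DEK, no KEK\n", len(obj.Ciphertext), len(obj.WrappedDEK))
	// A handover from the provider's storage alone (here simulated with a zero key) yields nothing readable.
	if _, err := DecryptWithCustomerKey(make([]byte, 32), obj, "hr/record-0001"); err != nil {
		fmt.Println("without KEK:", err)
	}
	pt, err := DecryptWithCustomerKey(kek, obj, "hr/record-0001")
	if err != nil {
		panic(err)
	}
	fmt.Println("with KEK:", string(pt))
}
```

The same structure gives you crypto-shredding for free: destroying the KEK in your own key manager makes every wrapped DEK, and therefore every stored object, permanently unreadable, without touching the provider's storage.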
4. Evaluate European alternatives
For sensitive workloads, there are European alternatives that do not fall under American jurisdiction. Dutch providers with their own data centres offer full GDPR compliance without the CLOUD Act risk. This is not about a quality difference, but a jurisdiction difference. Cloud.nl offers private cloud and hybrid cloud solutions where data, infrastructure and legal control all remain entirely in the Netherlands.
5. Document your choices
With NIS2 (the Cybersecurity Act, expected Q2 2026), supply chain considerations become mandatory. Directors become personally liable. Document why you choose certain providers, what risks you accept, and what measures you have taken.
The bottom line
The CLOUD Act is not a mass surveillance law. The number of requests is limited, providers regularly challenge requests, and there are judicial safeguards in the process. Those are facts.
But it is also a law that breaks the principle of territorial data protection. If your provider is American, the American government can access your data, regardless of where it is stored, regardless of what your Dutch contract says, and in some cases without your knowledge.
For some organisations, that risk is acceptable. For others, particularly in healthcare, government, the financial sector or when processing sensitive personal data, it is not. The question is not whether the CLOUD Act affects you. The question is whether you know how, and whether you deal with it consciously.