EmailConnect.eu - EU-compliant inbound email processing service

The illusion shattered

2025 was the year "sovereign cloud" marketing collided with legal reality. Microsoft admitted under oath they cannot protect EU data from US authorities. The ICC switched to European alternatives. Airbus announced migration off US hyperscalers. The question is no longer "if" but "how fast."

Published January 2026 · 8 min read

The admission that changed everything

In a French Senate hearing in 2025, Microsoft France president Anton Carniaux made a statement that European IT leaders had long suspected but rarely heard confirmed: Microsoft cannot guarantee that customer data will never be transferred to US authorities under the CLOUD Act.

This wasn't a leak or speculation. It was sworn testimony. And it crystallized what privacy advocates had been saying for years: "sovereign cloud" offerings from US hyperscalers are, at best, sovereignty theater.

What the CLOUD Act actually means

The Clarifying Lawful Overseas Use of Data (CLOUD) Act, passed in 2018, gives US authorities the legal power to compel US-headquartered companies to hand over data—regardless of where that data is physically stored. EU data centers, European subsidiaries, contractual promises: none of these override US law.

The dominoes fell fast

Once Microsoft's admission became public, organizations that had been quietly concerned started acting publicly.

The International Criminal Court switches to OpenDesk

In November 2025, the ICC in The Hague announced it was replacing Microsoft Office with OpenDesk, an open-source office suite delivered by the German Centre for Digital Sovereignty (ZenDiS).

This wasn't just about software preferences. Earlier in the year, Microsoft had blocked the email account of ICC Chief Prosecutor Karim Khan following US sanctions imposed by President Trump. The world's premier international court had its communications infrastructure weaponized by a foreign government's policy decision.

The uncomfortable truth: If Microsoft can disable the International Criminal Court's email at the request of a foreign government, what protection does your business actually have?

Airbus commits to European cloud migration

In December 2025, Airbus announced plans to tender a major contract for migrating mission-critical workloads to a "digitally sovereign European cloud." This includes ERP systems, manufacturing execution, CRM, and product lifecycle management.

Catherine Jestin, Airbus's executive vice president of digital, explained the reasoning directly: "I need a sovereign cloud because part of the information is extremely sensitive from a national and European perspective."

When Europe's largest aerospace manufacturer—a company handling defense contracts and sensitive government data—publicly commits to leaving US cloud providers, it signals a fundamental shift in how enterprises evaluate infrastructure risk.

German states lead by example

Schleswig-Holstein completed the migration of 40,000 employee email accounts from Microsoft Exchange and Outlook to Open-Xchange and Mozilla Thunderbird. This wasn't a pilot program—it was a full state-government migration away from US email infrastructure.

The "sovereignty-washing" problem

As demand for sovereign solutions grew, so did marketing creativity. A new term emerged in 2025: "sovereignty-washing"—the practice of wrapping US-controlled infrastructure in European branding and compliance language.

Common sovereignty-washing tactics

Marketing claim	Legal reality
"EU data centers"	Physical location doesn't override CLOUD Act jurisdiction
"European subsidiary"	US parent company remains subject to US law
"Data residency guarantees"	Residency ≠ sovereignty; data can still be compelled
"GDPR compliant"	GDPR compliance doesn't prevent US legal access
"Encrypted at rest"	Provider holds keys; can be compelled to decrypt

The European Parliament's 2025 study on software and cyber dependencies put it bluntly: these initiatives represent "a more sophisticated version of the same tactic: co-opting the language of autonomy to entrench dependency."

What actual sovereignty requires

After 2025's revelations, the criteria for genuine digital sovereignty became clearer:

Sovereign infrastructure

EU-incorporated company (not subsidiary)
No US parent company or ownership
EU-only data processing and storage
European service chain (hosting, CDN, payments)
EU legal jurisdiction for disputes

Not sovereign (despite marketing)

US company with EU data centers
EU subsidiary of US parent
"European cloud" running on AWS/Azure/GCP
Encrypted data where provider holds keys
Contractual promises without legal backing

The market responds

2025 saw genuine European alternatives gain significant traction:

Cloud infrastructure

OVHcloud — French hosting, no US exposure
Hetzner — German infrastructure, competitive pricing
Scaleway — French cloud with strong privacy focus
Ionos — German hosting, enterprise-ready

Collaboration and productivity

OpenDesk — German government-backed office suite
Nextcloud — Self-hosted collaboration platform
Open-Xchange — Enterprise email and groupware
Cryptpad — End-to-end encrypted documents

Communication

Proton Mail — Swiss encrypted email
Tutanota — German encrypted email
Element/Matrix — Decentralized messaging

What this means for your business

The events of 2025 shifted digital sovereignty from "nice to have" compliance checkbox to genuine business continuity concern. Consider:

Questions every European business should ask

Continuity risk: Could a foreign government decision disable your critical systems tomorrow?
Data access: Can your cloud provider be legally compelled to hand over your data without your knowledge?
Vendor dependency: How quickly could you migrate if your current provider became unavailable?
Supply chain: Are your "European" vendors actually running on US infrastructure?

The path forward

2025 proved that digital sovereignty isn't paranoia—it's prudent risk management. The question isn't whether to evaluate your infrastructure dependencies, but how systematically to do it.

For most businesses, this doesn't mean ripping out everything overnight. It means:

Audit your stack — Map which services have US jurisdiction exposure
Prioritize by sensitivity — Start with email, documents, and customer data
Evaluate alternatives — European options exist for most enterprise needs
Plan migration paths — Reduce lock-in with portable formats and standards
Document decisions — GDPR requires demonstrating appropriate safeguards

How EmailConnect fits in

We built EmailConnect specifically for businesses that take digital sovereignty seriously. EU-incorporated, EU-hosted, zero US infrastructure dependencies. Your email automation stays entirely within European jurisdiction.

Our privacy commitment Jurisdiction deep-dive

Sources and further reading

The European Cloud Situation at the end of 2025 — Bert Hubert
Europe gets serious about cutting US digital umbilical cord — The Register
Airbus to migrate critical apps to a sovereign Euro cloud — The Register
European Software and Cyber Dependencies — European Parliament Study
Europe Tried to Take Control of Its Digital Stack in 2025 — TechPolicy.Press
Digital Sovereignty in 2025: Why It Matters for European Enterprises — Wire

Questions about digital sovereignty or your infrastructure setup? Reach out — happy to discuss, no sales pitch required.