When a German Landkreis migrates its administrative systems to Microsoft Azure, it does not simply change its software provider. It transfers operational control of public records — tax files, social welfare assessments, planning applications, school enrolment data — to a foreign company subject to the US CLOUD Act.[1] That law, passed in 2018, grants American federal authorities the right to compel US-based firms to produce data stored on servers anywhere in the world, without requiring a European court order or notifying the data subject. The servers being in Frankfurt changes nothing.

This is not an obscure legal technicality. It is the operating condition of the European public sector in 2026. A significant portion of the digital infrastructure used by municipal governments, regional health services, public universities, and national ministries runs on platforms owned by three American companies: Microsoft, Amazon, and Google.[2] The market consolidation happened gradually, over ten years of procurement decisions made by individual institutions, each choosing the path of least resistance. Collectively, those decisions created a structural dependency that no single administration can now undo on its own.

A school choosing Google Workspace is not making a technical decision. It is choosing which foreign jurisdiction governs its pupils’ data.

The legal framework that was supposed to prevent this — the General Data Protection Regulation — has proven insufficient on its own. The GDPR prohibits transferring personal data to third countries without adequate protections, but the adequacy arrangements it relies on have been legally fragile. The Privacy Shield framework was invalidated by the Court of Justice of the European Union in 2020.[3] Its replacement, the EU-US Data Privacy Framework, was adopted in 2023 and is already subject to legal challenges. The cycle is predictable: a transfer mechanism is negotiated, it is challenged, it falls. In the meantime, the transfers continue.

Several cities have begun to take the question seriously. Cologne announced in 2023 that it was auditing all cloud contracts for CLOUD Act exposure and piloting a migration of internal communications to a self-hosted alternative.[4] Barcelona has spent several years building its digital sovereignty framework, including a procurement policy that gives preference to open-source solutions and local hosting.[5] Grenoble has been part of a French national initiative, Lagrange, developing shared sovereign infrastructure for public research institutions.[6] These are real projects. They are also slow, expensive, and technically difficult.

The difficulty is not primarily technical. Mature, production-ready alternatives exist for most of what municipalities use cloud platforms for: document storage, email, video conferencing, identity management, collaborative editing. The difficulty is organisational and political. Procurement frameworks reward familiarity. IT departments lack the in-house capacity to run self-hosted services. Elected officials find it hard to justify the short-term cost of migration against an abstract long-term risk.

What changes this calculation is enforcement. When a data protection authority issues a binding order requiring a public body to cease a specific cloud transfer, the abstract risk becomes concrete. In July 2023, the Danish data protection authority did exactly that, ordering a municipality to stop transferring student data to Google servers outside the EU.[7] Similar proceedings have been initiated in Finland, France, and Sweden. The pattern is consistent: a complaint is filed, an investigation follows, an order is issued, and the institution faces a choice it should have made years earlier.

The infrastructure question and the AI question are increasingly the same question. The large language models now being evaluated for public sector use — to assist with benefits processing, document summarisation, citizen enquiries — run on the same cloud platforms and are owned by the same companies. Adopting them deepens the dependency. Auditing them requires access to infrastructure that European institutions do not control.

Sovereignty is not a rhetorical position. It is an operational requirement. The municipalities that understand this earliest will be in the better position. The rest will continue to negotiate, one contract renewal at a time, with companies whose legal obligations run to Washington, not to their citizens.