notes for future use

european clouds

Feb 28, 2025

Found myself reading “It is no longer safe to move our governments and societies to US clouds”

People also fool themselves that special keys and “servers in the EU” will get you a safe space within the American cloud. It won’t.

The problem isn’t sneaky backdoors, but that the president of the United States can order big players to shut that thing down and they will have no choice but to comply. We’ve seen this power exercised with increasing frequency in recent years, from trade restrictions to executive orders targeting specific technologies and companies.

In France there is s3ns.io which is a Google/Thales partnership where Thales owns 90% of the company, providing the data centers and Google the software. But what happens if Google is no longer allowed to provide software updates due to trade restrictions, sanctions or executive orders?

The concern is not new. I’ve been involved in a European project that considered moving to AWS. Whenever the possibility of switching to a US-based provider was discussed, the focus inevitably shifted to the risks associated with using managed data services. Part of the risk evaluation involved assessing the potential fallout if the US government turned adversarial — a risk that was assumed as high impact yet extremely unlikely. In hindsight, it seems that assessment may have been off.

However, European companies are deeply entrenched in the American software ecosystem. It’s no mistake China banned foreign companies with infinite money from setting up shop there.

The EU’s GAIA-X initiative was supposed to address this, but has been criticized for its slow progress and for allowing too much influence from the very US cloud giants it was meant to provide alternatives to. Four years after its announcement, we’re still waiting for meaningful implementation.


Often there are proprietary solutions to proprietary problems you would otherwise not have in the first place

Vendor lock-in is a real problem: even if there are no political issues, it is a business risk because they can charge you whatever they want. People building vendor-locked applications are making a short-sighted decision - it benefits developers more than businesses.
A well-built application should run seamlessly on any Linux-based system without unnecessary dependencies on proprietary ecosystems.

It was never safe for any government to move any secrets to any cloud. The fact that the US government is okay with doing this with its own secrets surprises me to this day. You have no secrets from the person who owns your hardware. This fact conveys information. Namely, how tightly bound these supposedly independent services like AWS are with the government itself. There are already European alternatives; it might be time to step up the game. Europe has done this before. Airbus did not exist but now it is the best aircraft maker since Boeing decided to retire all their senior engineers in favor of quick profits. Europe created Airbus, they can do the same with a new cloud provider.

Other developed countries are less comfortable because all the major cloud providers are US-owned companies and the NSA has a very, very long history of using US companies as information security weapons. Same for the German cloud, it’s Azure Stack but operated by a subsidiary of Deutsche Telekom.

data residency is not data sovereignty

This distinction matters tremendously. Having your data physically stored in European data centers means little if the software stack, encryption keys, and administrative controls remain vulnerable to foreign influence.

For true sovereignty, Europe needs to invest in the entire technology stack - from hardware to operating systems to application platforms. Until then, we’ll continue to face this uncomfortable dependence on systems we cannot fully control.

In the meantime, those of us building critical infrastructure need to prioritize open protocols, containerization, and Infrastructure-as-Code practices that maintain portability. It’s more work upfront, but provides the flexibility to migrate when better alternatives emerge.