
The CLOUD Act Explained: What European Businesses Need to Know

A comprehensive guide to the US CLOUD Act and its implications for European enterprises using American cloud services.


Thomas Berg

22 October 2025

The Clarifying Lawful Overseas Use of Data Act — better known as the CLOUD Act — was signed into US law on 23 March 2018. Its implications for European businesses are profound and widely misunderstood.

What the CLOUD Act Actually Says

At its core, the CLOUD Act does two things:

  1. It requires service providers subject to US jurisdiction to comply with a warrant or court order for data in their “possession, custody, or control” regardless of where that data is physically stored (18 U.S.C. § 2713). The order is served on the provider, not on the customer whose data it covers.
  2. It authorises bilateral executive agreements under which a partner country’s authorities can request data directly from US providers (and US authorities from providers in that country), bypassing the slower mutual legal assistance treaty process.

The first provision is the one that matters most for European enterprises.

The “Possession, Custody, or Control” Problem

If your organisation uses Microsoft 365, your data is in Microsoft’s “possession, custody, or control” even when it is stored on servers in Frankfurt or Amsterdam. Under the CLOUD Act, a US court order can compel Microsoft to hand that data over, and an accompanying non-disclosure order can prohibit Microsoft from telling you that it has done so.

Microsoft itself has acknowledged this reality. It has committed to challenging requests it considers overly broad, and the Act allows a provider to ask a court to quash an order that conflicts with the law of the country where the data is held; but that statutory procedure is only available where that country has an executive agreement with the US, which no EU member state has as of this writing. In the end, Microsoft is bound by US law.

Common Misconceptions

“Our data is stored in EU data centres”

The physical location of data is irrelevant under the CLOUD Act. What matters is whether the provider is subject to US jurisdiction, which a US-headquartered company always is.

“Our provider has a local EU subsidiary”

The subsidiary is not the issue; the parent’s reach is. If anyone in the US corporate group can access the data, technically or by contractual right, the data is within the parent’s “control” and the CLOUD Act applies. A European subsidiary on its own does not provide legal isolation.

“We have a Data Processing Agreement”

A DPA governs the relationship between you and your provider under GDPR. It does not override the US law obligations that apply to your provider. GDPR Article 48 does say that a third-country court order is not on its own a lawful basis for disclosing personal data unless an international agreement such as a mutual legal assistance treaty applies; but the effect of that is to put the provider in a conflict of laws, not to shield your data from the order.

The Risk in Numbers

US providers process thousands of law-enforcement demands for customer data every year, as their own transparency reports show. Neither those reports nor the US Department of Justice publish a breakdown of how many orders relied on the CLOUD Act’s extraterritorial reach or how many affected European businesses, so the exposure cannot be quantified from public data.

What You Can Do

The most effective mitigation is straightforward: use a service provider that is not subject to US jurisdiction.

This means:

  • A provider incorporated in the EU with no US parent entity, and without substantial US operations that could themselves bring it within reach of US courts
  • Infrastructure operated entirely within EU borders
  • No personnel or affiliates subject to US jurisdiction with administrative access to customer data

Where changing provider is not an option, keeping encryption keys under your own control (outside the provider’s reach) limits what a production order can yield to ciphertext; metadata and anything the service processes in the clear remain exposed.

This is not about anti-American sentiment. It is about legal reality and risk management.


UnionStack is a German GmbH with no US parent entity, operating entirely on EU infrastructure. Learn more about our security architecture.