Beyond Global Waves Podcast

EU Data Sovereignty: Protecting Businesses from the US CLOUD Act



NEXUS-International Broadcasting Association, Beyond Global Waves

The U.S. CLOUD Act, a U.S. federal law enacted in 2018, gives U.S. law enforcement extraterritorial reach: it can compel U.S.-based cloud providers to disclose data regardless of where that data is stored. This creates significant data privacy and GDPR compliance risks for EU companies that use U.S. cloud hosting services, even when the data centers are in Europe. A primary concern for EU businesses is the potential conflict with GDPR Article 48, which restricts cross-border data transfers based on foreign laws without a formal international agreement. The stability of the EU-U.S. Data Privacy Framework is also under scrutiny, raising questions about its long-term viability as a legal basis for data transfers.

Recent political developments in the U.S. amplify these concerns. They raise fears of business continuity disruptions and of U.S. hyperscalers being instrumentalized for U.S. interests, which underlines the urgency of digital sovereignty in Europe. To mitigate these cloud security risks, non-U.S. companies and EU companies are advised to prioritize European cloud providers, adopt federated sovereign cloud frameworks like Gaia-X, and implement strong client-side encryption with customer-managed keys. Ensuring data portability and engaging in EUCS certification are also crucial recommendations for maintaining GDPR compliance and secure operations amid evolving geopolitical shifts.

The post EU Data Sovereignty: Protecting Businesses from the US CLOUD Act first appeared on NEXUS-International Broadcasting Association.