Digital Sovereignty: Why European Law Firms Are Moving to EU Cloud
90% of EU data sits on US infrastructure. Why law firms are switching to EU cloud and on-premise, and what to evaluate when choosing.
Digital Sovereignty: The End of Naivety in Data Hosting
An uncomfortable fact: approximately 90% of data generated in the EU is processed and stored on infrastructure controlled by US providers. Amazon Web Services, Microsoft Azure, and Google Cloud dominate the European cloud market with a combined market share exceeding 70%. For general business data, that may be acceptable. For the most sensitive data a law firm handles - unpublished patent applications, invention secrets, litigation strategies - it is a problem.
2026 is the year European law firms are shedding that naivety. Not out of paranoia, but from regulatory necessity and strategic calculation.
The Problem: Cloud Act and FISA 702
The US CLOUD Act of 2018 gives US authorities the right to access data controlled by US companies - regardless of where the servers physically reside. A patent drafting tool running on Azure servers in Frankfurt but operated by Microsoft is subject to the Cloud Act. Full stop.
Section 702 of the Foreign Intelligence Surveillance Act (FISA) extends these access rights to the surveillance of communications by foreign persons. The renewal of FISA 702 in April 2024 even expanded the scope of application.
The European Court of Justice stated unambiguously in Schrems II (C-311/18) that the US data protection level does not match the European standard. The EU-US Data Privacy Framework of 2023 provides a legal basis for data transfers, but it does not address the fundamental access problem - US authorities retain their access rights.
For law firms subject to attorney-client privilege, this is not a theoretical concern. Access by US authorities to client data - even if technically possible but practically rare - constitutes a breach of professional secrecy that can carry disciplinary and liability consequences.
Sovereign Cloud: What the Market Offers
The answer to this problem is not retreat from the cloud, but choosing the right cloud. The market for sovereign cloud solutions has developed rapidly since 2024.
US providers with "sovereign" offerings: Microsoft has taken measures with Azure Confidential Computing and the "EU Data Boundary" to ensure EU data stays in the EU. AWS offers "European Sovereign Cloud" as a separate service. These offerings are technically solid but do not fundamentally resolve the Cloud Act issue - the operating entity remains American.
European alternatives: OVHcloud (France), IONOS (Germany), Hetzner (Germany), UpCloud (Finland), and others provide cloud infrastructure under full European control. These providers' capabilities have improved significantly in recent years, even if they cannot match the AWS or Azure ecosystem on every managed service.
Gaia-X and EUCS: European cloud certification initiatives are progressing. The European Union Cybersecurity Certification Scheme for Cloud Services (EUCS) will establish the first unified European standard for cloud security. The final version is expected in 2026/2027.
Hybrid Cloud Strategies
In practice, the solution is rarely a binary either-or. Most firms will pursue a hybrid strategy:
Sensitive data on European or own infrastructure: Patent application drafts, client communications, strategy documents, invention disclosures. Everything that falls under attorney-client privilege and whose disclosure could cause commercial harm.
Less sensitive data on standard cloud: Public patent databases, general office applications, website hosting, marketing tools. Data that is either already public or whose compromise would not cause significant damage.
AI processing as a special case: AI tools process input data, generate intermediate results, and produce outputs. Each of these steps must be evaluated from a data protection perspective. A patent drafting tool that takes invention descriptions as input is potentially processing the most sensitive data in a firm. Here, an EU-based or on-premise solution is particularly important.
The hybrid strategy requires clear data classification. Firms must define which data falls under which protection level and which infrastructure is appropriate. This sounds labour-intensive but is a one-time definition process that then serves as a guideline for all IT decisions.
On-Premise: The Ultimate Sovereignty
For firms that want or need maximum control, on-premise operation remains the most consistent solution. Data never leaves the firm's own infrastructure. No cloud provider has access. No foreign law applies.
The counter-arguments - high costs, maintenance overhead, lack of scalability - have lost weight in recent years. Modern on-premise solutions are containerised, automated, and significantly easier to operate than the server racks of the 2010s. For AI applications in particular, optimised hardware (GPU servers) is now available that can be dimensioned specifically for firm operations.
On-premise is not the right solution for every firm. But for firms with more than 20 fee earners that regularly handle highly sensitive client work and already operate IT infrastructure, it is a serious option that is often more cost-effective than expected.
Evaluation Criteria for Infrastructure Choices
When evaluating infrastructure options for sensitive patent data, five criteria should guide the decision:
Legal control: Which jurisdiction governs the provider? Which authorities can demand access? Are there mechanisms that prevent or at least make such access transparent?
Technical control: Who manages the encryption keys? Does the provider have technical access to data in plaintext? Is encryption possible where only the firm holds the key (Bring Your Own Key / Hold Your Own Key)?
Availability and resilience: Redundant data centres, SLA guarantees, disaster recovery concepts. For time-sensitive patent filings in particular, uptime is business-critical.
Certifications: ISO 27001, SOC 2 Type II, BSI C5. These certifications are not a cure-all, but they provide an objective evaluation basis and simplify compliance documentation.
Exit strategy: How easy is it to switch providers? Is data exportable in portable formats? Are there lock-in effects? A sovereign infrastructure strategy must also account for changing providers.
Conclusion
Digital sovereignty is not a protectionist concept - it is the logical consequence of the obligation to protect client secrets, meet regulatory requirements, and future-proof infrastructure strategy.
The good news: the market for European and sovereign cloud solutions has never been better than in 2026. Alternatives are mature, costs are competitive, and migration paths are well documented. Those who act now gain control without sacrificing performance.