US tech companies are currently fighting for their image and trying to retain EU customers with promises of sovereignty. As is often the case, appearances are more important than reality. In this case it can even be called false labeling and sovereignty washing.
US technology companies – and in particular large platform operators such as Microsoft, AWS, and others – have spent a lot of energy in recent months trying to keep their tentacles in European businesses. Apart from the fact that businesses cannot switch to European providers so quickly, the call for German and European digital sovereignty has clearly caught on.
Blackout via killswitch
And rightly so, as two decisive events in 2025 made clear.
In February, Microsoft suspended the account of Karim Khan, chief prosecutor of the International Criminal Court (ICC). Additionally, his bank froze his UK accounts. The reason for these radical measures was not criminal activity on Khan's part, but Donald Trump's will. Trump had sanctioned the ICC for issuing arrest warrants against Israeli Prime Minister Netanyahu and his former defense minister Gallant. Microsoft swiftly bowed to the will of the new US government.
A month later, the chief legal officer of Microsoft France confirmed under oath that data from EU customers on EU servers is not inherently protected from access by US authorities. Microsoft, whether in the US or as a subsidiary in the EU, is subject to the US Cloud Act and the Foreign Intelligence Surveillance Act (FISA). Section 702 of FISA in particular allows US intelligence agencies to access the communications data of foreign nationals, regardless of where in the world the data is stored and processed.
The Emperor's New Clothes
Since then, advertising has been running on a large scale with new wording and all the spins, diversionary tactics, and selective information that budget-heavy marketing has in its arsenal.
In its white paper “Recognizing Sovereignty Washing in Cloud Services”, published in August 2025, the German Center for Digital Sovereignty in Public Administration (ZenDiS) explicitly refers to this as false labeling. The authors state: “[The response of non-EU companies] to Europe's quest for greater digital sovereignty is new products that promise sovereignty – but do not actually deliver it.”
In addition to legal risks in data protection, ZenDiS rightly mentions the risk of vendor lock-in through proprietary system architecture – and thus of long-term dependency, because switching providers later would be economic and organizational suicide. Digital sovereignty is therefore not just a question of the GDPR, but also includes interchangeability, data control, transparency, and customizability.
Currently, US technology companies (in particular) are trying to convince their EU customers by way of four clever spins:
- A special data protection promise with so-called “data boundaries,” which, however, has no legal validity under US (and certainly also Chinese) jurisdiction.
- Their own data centers on EU soil, which, however, may also be “visited” by US authorities under FISA 702.
- Claims that digital sovereignty is not precisely defined – and that one should therefore believe the definition of US tech lobbyists.
- Cooperation with European companies that fall under the category of “old wine in new bottles.”
The fourth strategy is particularly tempting, as it actually enhances the individual aspect of data protection. For example, SAP offers the Delos Cloud in cooperation with Microsoft and, as a German company, can enforce data protection in accordance with the GDPR. However, the entire cloud is based on proprietary Microsoft architecture. If the US company receives a call from the US president at some point, it may stop providing security and feature updates overnight. According to Delos co-CEO Georges Welz, the Delos Cloud would then only be able to continue operating for a few months. Digital sovereignty certainly looks different.
Convenience or sovereignty?
Of course, these aspects do not only apply to cloud providers and hyperscalers. Companies (as well as private individuals) must fundamentally and fully examine how they want to remain efficient in the digital world in the long term while remaining independent of political and monopoly arbitrariness. This will be challenging, because it means we have to say goodbye to the convenience that US tech platforms have pampered us with for the past 20 years.
But what good is an intrusion detection system that leaves the door open for allied intelligence agencies or suddenly stops working? The world experienced the fallout from the authorities' hunger for access and data just under ten years ago. In 2016, the NSA's self-developed exploit “EternalBlue” was stolen. The agency had kept the corresponding vulnerability in the Microsoft operating system secret for over five years and exploited it for its own purposes. In 2017, the WannaCry ransomware conquered the world, with “EternalBlue” as its master key.
That is why “Made in Europe”, or even “Made in Germany”, should also apply to OT security.
