The European Commission just awarded four cloud providers with €180 million to strengthen the bloc’s digital independence. One of the winners, however, leverages Google Cloud technology, raising questions about its sovereignty.
This tender will enable European Union (EU) institutions, bodies, offices, and agencies to procure sovereign cloud services for up to €180 million ($210 million) over 6 years.
The move is widely considered a milestone in Europe’s efforts to secure its digital sovereignty from foreign vendors, especially from the US, as three American giants – Google, Amazon Web Services (AWS), and Microsoft – control about 70% of the cloud market.
Four European companies were awarded with the sovereignty funds. However, questions arose about one of the winners, Proximus. The Luxembourg-based company partners with S3NS, a joint venture of the French defense company Thales and the US’s Google Cloud.
The decision to award Promixus was criticized by Cloud Infrastructure Service Providers in Europe (CISPE), a trade association uniting 38 of the region’s cloud firms.
“Recognizing S3NS, which leverages Google’s cloud technology, as ‘sovereign’ is clearly an own goal and threatens to institutionalize sovereignty washing at the highest levels,” CISPE Secretary General Francisco Mingorance told the Registry.
Sovereignty washing refers to cloud providers labeling their services as sovereign, although the companies remain subject to US law, such as the Cloud Act, which compels them to provide data requested by American law enforcement even if it is stored elsewhere.
The risk of a “kill switch”
Tobias Bacherle, researcher with Future of the Technology Institute (FOTI), says S3NS is significantly insulated from the reach of the US Cloud Act. However, he notes that the partnership carries the risk of a sanctions-based “kill switch,” as well as the end of support and updates.
This is a hypothetical situation in which the US government orders American companies to shut down or disable devices and services for European users.
Bacherle says the FOTI’s analysis suggests that the Proximus partnership shows signs of hidden dependencies on US cloud providers. In their recent research, such cases have been classified as medium risk of exposure to a US “kill switch.”
He tells Cybernews, “In a kill switch scenario, the US providers could refuse software updates or other necessary services and disrupt even nominally sovereign clouds from running safely.”
Such a scenario is increasingly discussed in Europe amid worsening relations with the Donald Trump administration, though many experts say it remains highly unlikely, as it would hurt US companies' interests in the lucrative European market.
Meanwhile, US cloud providers offering sovereign solutions to Europeans claim that they prioritize data privacy. AWS says it hasn’t disclosed any data stored outside the US to the US government since 2020, when it began collecting statistics.
Proximus told Cybernews that S3NS is a French company that is majority-owned and entirely controlled by Thales.
In addition, S3NS received the SecNumCloud 3.2 qualification from the French National Agency for the Security of Information Systems (ANSSI), the highest sovereignty standard in Europe.
“This framework provides a ‘triple lock’ ensuring full immunity from non-European extraterritorial laws like the US CLOUD Act,” the company’s spokesperson said.
Because S3NS operates as a European entity outside US jurisdiction with Google’s shareholding strictly capped below 24%, the infrastructure is completely isolated – both operationally and technically – from Google’s network and managed exclusively by cleared European personnel.
According to the company, S3NS and Thales retain absolute control over encryption keys, telemetry, and software updates, the data remains strictly inaccessible to any third party, including Google. Consequently, it says the US CLOUD Act cannot apply.
Promixus says utilization of Google’s air-gapped Distributed Cloud technology, which ensures full autonomy, allows the company to continue providing services in a scenario of a “kill switch.”
“It is designed to operate in a completely disconnected mode. Therefore, even in the highly unlikely event of such a scenario, Proximus and Clarence possess the capability to maintain uninterrupted service for our European clients,” the spokesperson told Cybernews.
Focus on EU control
According to the Commission’s press release, the awarded providers were selected based on their alignment with the Cloud Sovereignty Framework.
The framework measures sovereignty across strategic, legal, operational, and environmental considerations, as well as supply chain transparency, technological openness, security, and compliance with EU laws.
“To be eligible, the providers had to reach rigorous assurance levels ensuring that non-EU third parties have limited control over the technologies the providers use, or services they provide,” the statement reads.
Barbara Cresti, a founder of StratEdge, explained in a LinkedIn post that the tender results reflect changes in the understanding of sovereignty.
She wrote, “AWS, Microsoft, and Google still control 70% of the EU cloud market. The EU Commission is targeting this dependency by shifting the rule from origin to control under EU law.”
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked