Do American processors in European clouds make them non-sovereign?


As Europe doubles down on efforts to move its infrastructure to a sovereign cloud, warnings emerge about providers’ reliance on American processors.

Reducing dependence on American cloud providers is at the center of the European digital sovereignty bid, fueled by concerns over US laws such as the 2018 Cloud Act, which compel American companies to hand over data to US law enforcement even if it is stored elsewhere.

Just last month, the European Commission awarded four local providers a €180 million ($240 million) tender. Brussels hopes it will allow EU institutions, bodies, offices, and agencies to procure sovereign cloud services.


The upcoming “Tech Sovereignty Package” would restrict member governments’ use of US cloud providers to handle sensitive data, sources tell CNBC.

However, The Register suggests that American processors may hinder European efforts to achieve an actual sovereign cloud.


The publication argues that most data centers and qualified cloud operators still rely heavily on processors produced by the American companies Intel or AMD.

Inside those processors sits “a computer beneath the computer,” called the Management Engine (ME), which runs below the operating system.

This means MEs are outside the control of host security software, and are persistent even when the machine appears to be powered off.

On Intel processors, it is called the Converged Security and Management Engine (CSME); on AMD processors, it is the Platform Security Processor (PSP).

Because the ME can share the host’s MAC and IP addresses, “any traffic it generates is indistinguishable from the host’s own traffic to the firewall,” experts tell The Register.


While European regulators are well aware of the risks posed by legislation such as the US Cloud Act, the Reforming Intelligence and Securing America Act (RISAA 2024) is less well known.

RISAA 2024 expands and modifies Section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows the US government to conduct electronic surveillance of non-US persons abroad.

RISAA amended FISA’s definition of “electronic communications service provider,” which now includes hardware manufacturers.

Therefore, the publication suggests, US intelligence can compel Intel and AMD to cooperate via secret orders with gag clauses, and ME could be a mechanism through which that access could be gained.

On April 30th, 2026, the US Congress passed a 45-day renewal of FISA, which critics say also allows mass surveillance of American citizens.

Three American providers, Google, Amazon, and Microsoft, currently account for about 70% of the European cloud market. This makes European agencies and enterprises vulnerable not only to sensitive data flowing to the US, but also to a “kill switch” scenario.

In this scenario, the US government would order American companies to shut down or disable devices and services for European users.

