Summary

Yes, potentially. If the cloud provider is subject to US jurisdiction or control, US authorities can compel it to produce data under laws such as the CLOUD Act (and surveillance authorities such as FISA), regardless of where the servers physically sit. Keeping data inside an EU data centre does not, on its own, stop this. The proposed Cloud and AI Development Act (CADA) makes the point directly (recital 48) and would mitigate the risk through four Union assurance levels (Article 16); the higher levels would require freedom from coercive third-country control, which providers subject to such US laws would struggle to meet. CADA is a proposal and not yet in force.

Detail

Whether US authorities can reach data in a European data centre is central to the digital-sovereignty debate. The short answer is that they can, but the legal route and likelihood depend on who controls the provider, not just where the servers are.

The CLOUD Act and extraterritorial reach

The key instrument is the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act). Its core provision, 18 U.S.C. § 2713, requires a provider of electronic communication service or remote computing service to preserve, back up or disclose the contents of communications and records "within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States."

So if a provider is a US company, or is controlled by a US entity, US legal process can reach data even if it is stored in Frankfurt, Paris or Dublin. The data's location does not defeat the obligation; the provider's jurisdiction is what matters.

Why "EU data residency" is not enough

Many public bodies assume an EU data centre is sufficient protection. CADA addresses this assumption head-on. Recital 48 states: "Cloud computing service providers have launched tailored versions of their service offerings in response to the Union's growing concerns over sovereignty. However, those versions do not address the core sovereignty issues allowing for the extraterritorial reach of third-country laws and the possible degradation or disruption of the service."

In other words, a hyperscaler's "sovereign" edition promising EU residency does not, by itself, shield data from the CLOUD Act: because the provider remains subject to US law, US authorities can still compel access. Providers subject to US jurisdiction may also be reached through surveillance authorities such as FISA Section 702.

This is not just a theoretical mismatch. The explanatory memorandum notes that EU enterprises are forced "to route critical workloads through foreign hyperscaler infrastructure", and that those incumbents "are subject to third-country jurisdictions where laws with an extraterritorial effect apply, including laws mandating data access and transfer that may conflict with EU fundamental rights and data protection frameworks." So the access risk and the dependence reinforce each other: the more EU public bodies rely on foreign-controlled providers, the wider the surface for extraterritorial access, which is exactly the pattern CADA's graduated framework is meant to reverse for the public sector.

CADA's answer: Union assurance levels

CADA would establish a Union cloud computing sovereignty framework of four assurance levels (Article 16), with criteria in Annex II that tighten cumulatively.

Level 1

The baseline. The provider must be established in the Union, with infrastructure and assets in the Union unless the public sector body explicitly requires otherwise. It does not strictly prohibit third-country control: a US-controlled provider running an EU subsidiary could potentially meet level 1 if it guarantees that no third-country law forces early reporting of software vulnerabilities to that country's authorities (Annex II, 1.1(g)). Level 1 does not fully block the extraterritorial reach of laws like the CLOUD Act.

Level 2

Independent audits and stricter criteria, including: infrastructure, assets and personnel in the Union; personnel screening and Union-citizenship requirements if the public sector body determines they are necessary; a ban on using service data to train or fine-tune third-country-operated AI systems; and, where the provider is under third-country control, measures preventing that control from accessing data or disrupting continuity.

Level 3

For sensitive activities. Personnel involved in the service, including subcontractors' personnel, must be Union citizens (Annex II, 3.1(d)). The provider and subcontractors must in principle not be under third-country control. There is a narrow derogation for designated associated third countries (see below), but generally a US-controlled entity could not meet this level. Support must be performed within the Union by Union residents not under third-country control.

Level 4

The highest tier, for the most critical public-order activities. It mirrors level 3 and adds a "high" European cybersecurity certificate and a requirement to show that no third country holds effective control over the design, development, maintenance and evolution of software components. There is no third-country-control derogation at level 4.

Associated third countries (Article 18)

CADA recognises that some partners may have sufficient safeguards. Under Article 18, the Commission may identify "associated third countries" whose providers may be audited for level 3, provided the country meets cumulative conditions, including:

  1. it is covered by a relevant adequacy decision under Article 45 of the GDPR;
  2. it has no measures enabling control over the provider in a way that conflicts with the lawful-access rules for non-personal data in Article 32(2)–(3) of Regulation (EU) 2023/2854 (the Data Act);
  3. it has no measures to compel the provider to degrade or disrupt service continuity; and
  4. it grants equivalent access to its public-procurement procedures for Union providers.

On the face of these conditions, a country whose laws allow compelled access of the CLOUD Act / FISA kind would not qualify, so providers controlled from such a country would, as proposed, be effectively unable to reach level 3 or 4. (This is an assessment of how the criteria would apply, not a designation the proposal itself makes.)

Risk assessments and procurement

Under Article 29, Member States and Union entities would run risk assessments (weighing the sensitivity and criticality of the data, the risk of unlawful third-country access, and the risk of service disruption) to set the appropriate level. Article 30 would then require: at least level 1 for activities not relevant to public order (Article 30(2)); and only levels 2, 3 or 4 for public-order activities in NIS2 sectors or fields such as national security, defence and justice (Article 30(3)).

What this means for you

For public-sector buyers:

  1. Residency is not sovereignty. Do not treat "data stored in the EU" as "sovereign". Buying from a US hyperscaler leaves data exposed to the CLOUD Act whatever the data-centre location.
  2. Run the risk assessment. Identify which of your services are public-order relevant (Article 29); those would legally require higher levels.
  3. Plan for higher levels. Public-order activities would require level 2, 3 or 4 โ€” likely excluding major US-controlled providers from those specific contracts. Begin evaluating providers that can meet the ownership and personnel criteria.
  4. Check recognition. Confirm a provider's recognised level in the Commission's central repository (Article 22).
  5. Consider multi-cloud. Article 29(9) requires you to consider whether a multi-vendor or multi-cloud strategy is appropriate, especially where a provider is under third-country jurisdiction. Recital 65 explains the goal: enhancing resilience and limiting dependency on any single provider, based on a context-specific risk assessment.
  6. Remember the baseline. Even for everyday services not tied to public order, CADA would set a Union-wide minimum of level 1 (Article 30(2)). Recital 64 describes this baseline as a way to reduce public-sector exposure "to third country access to Union data and disruption of services", a floor under residency rather than a ceiling.

Common misconceptions

  • "If the data is in Europe, the US can't touch it." Incorrect. The CLOUD Act (§ 2713) reaches data in the "possession, custody, or control" of a provider subject to US jurisdiction, regardless of location. Recital 48 confirms that residency does not solve the core problem.
  • "US 'sovereign cloud' editions are safe." Recital 48 notes these tailored versions "do not address the core sovereignty issues allowing for the extraterritorial reach of third-country laws." Improved residency does not remove the US parent's legal obligations.
  • "GDPR adequacy means my data is safe from US access." Adequacy and the EU–US Data Privacy Framework address transfer standards for personal data; they do not remove government-access risk under laws like the CLOUD Act or FISA. CADA treats sovereignty as distinct from data-protection compliance.
  • "I can use any provider for government services." Under Article 30, public-order activities would require levels 2, 3 or 4. Many US-controlled providers could not meet levels 3 and 4, which exclude coercive third-country control.

This is general information about a draft EU regulation, not legal advice.