I'm seeking insights from EU companies using AWS regarding the exposure created by the CLOUD Act, which allows US authorities to access data irrespective of its physical location. We've been using AWS Frankfurt for two years, assuming we met GDPR obligations. However, our legal team flagged that using a US provider poses risks due to potential data access by US authorities. I want to know what others are doing in response to this exposure:
- Have you switched to a European cloud provider like Hetzner or OVHcloud? How was the migration?
- Are you sticking with AWS but enhancing your encryption and key management strategies?
- Is your legal team concerned about these issues, or do they consider it a theoretical risk?
- Anyone here dealing with regulated work, such as in healthcare or fintech, how are you managing this?
I'm also curious about the actual cost differences—some claim up to 70% savings switching to EU providers, but I wonder if that's realistic.
5 Answers
We made the switch to OVH, and it’s been fantastic. We cut costs by about 12%, but the best perk has been a happier tech team. They enjoyed getting back to straightforward SysAdmin tasks instead of dealing with convoluted AWS interfaces. It's been a win-win situation for us!
Agreed! The satisfaction of your tech team with the switch is priceless. It's great to see them enjoying their work again.
For us, we decided to host with a European cloud provider. We implemented strong encryption and manage our keys to maintain data privacy, but even then, there's a risk with service interruptions from US providers—like what happened with the ICC in The Hague when they moved from Microsoft 365. It's definitely a risk that needs to be factored into any cloud decision.
Do you know what provider the ICC switched to in the end?
That's a solid point! Are there any specific encryption methods you'd recommend?
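The "encrypt it yourself and hold the keys" option that the answer above and the original question both raise comes down to envelope encryption done on the client side: each object is encrypted under a fresh data key, and that data key is wrapped under a key-encryption key (KEK) that never leaves infrastructure you control. The provider then stores nothing it can decrypt, which is the property that matters under a compelled-access request. The following Go program is an added example written for this page, not code from any poster or from AWS; the KEK is a plain byte slice here as a stand-in for a key that would in practice live in an HSM or key manager hosted in the EU, the key ID string and the sample record are constructed for the demo, and AES-256-GCM is used for both layers.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only thing handed to the cloud provider: ciphertext under a
// per-object data key (DEK) plus that DEK wrapped under a KEK the provider never
// sees. KeyID names which KEK was used (assumed identifier, e.g. a slot in your HSM).
type Envelope struct {
	KeyID      string
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK), AAD = KeyID
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext), AAD = KeyID
}

// gcmSeal encrypts with a random nonce and prepends it to the output.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// gcmOpen reverses gcmSeal; a wrong key, wrong AAD or any bit flip fails the tag check.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// Encrypt runs entirely on the client: a fresh 256-bit DEK per object, the
// object sealed under the DEK, the DEK sealed under the KEK. Binding KeyID as
// AAD stops a stored envelope from being re-pointed at a different KEK.
func Encrypt(kek []byte, keyID string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, plaintext, []byte(keyID))
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs the KEK; without it the DEK cannot be unwrapped and the
// ciphertext is just bytes, which is exactly what the provider holds.
func Decrypt(kek []byte, env *Envelope) ([]byte, error) {
	dek, err := gcmOpen(kek, env.WrappedDEK, []byte(env.KeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.Ciphertext, []byte(env.KeyID))
}

// PlaintextLeaks is a sanity check on what is actually uploaded: true if any
// stored field contains the plaintext verbatim.
func PlaintextLeaks(env *Envelope, plaintext []byte) bool {
	return bytes.Contains(env.Ciphertext, plaintext) || bytes.Contains(env.WrappedDEK, plaintext)
}

func main() {
	kek := make([]byte, 32) // stand-in for a KEK held in your own EU-hosted HSM/KMS
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte("constructed sample: patient 42, HbA1c 6.1") // constructed input
	env, err := Encrypt(kek, "eu-kek-01", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored at provider: %d B ciphertext, %d B wrapped DEK, leaks=%v\n",
		len(env.Ciphertext), len(env.WrappedDEK), PlaintextLeaks(env, record))
	pt, err := Decrypt(kek, env)
	fmt.Printf("decrypt with KEK: %q err=%v\n", pt, err)
	_, err = Decrypt(make([]byte, 32), env)
	fmt.Println("decrypt with a different KEK:", err)
}
```

Two caveats a practitioner should keep in mind before treating this as the answer to the original question. It protects data at rest and in transit to the provider; any workload that has to compute on the plaintext inside the provider's region still holds the DEK in memory there. And it only helps if the KEK genuinely stays outside the provider's control: a key imported into the provider's own KMS is still operated by the provider, whereas a client-side scheme like this one (or, on AWS, the KMS External Key Store feature that calls out to a key manager you host) keeps the unwrap step on your side.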
I understand the hesitation, but there's a strong case for using AWS European Sovereign Cloud, although it still operates under US ownership. But some organizations are looking at partnerships with EU companies for local instances to reduce exposure to US regulations. While there are potential downsides, this could be something to consider.
Isn't that just a way of putting up a facade? The underlying issue remains since it’s still linked to AWS.
But if their operations truly reflect local laws, couldn't it still offer a layer of security?
We've consulted with several clients on this. The answer really hinges on what you’re hosting. If you deal with sensitive data, moving to an EU provider is often necessary. We found that splitting workloads between regulated data on EU servers and everything else on AWS made sense for several clients—it’s a compact workaround without diving entirely into migration, which can be costly.
This splitting approach is what we landed on too—it feels like a practical solution without all the hassle.
Exactly. We’ve seen savings when focusing on the regulated data tier; the AWS tooling for non-sensitive operations is just so much better.
Honestly, most companies just seem to ignore this issue. It's a risk until it becomes a serious problem, which is a gamble for many. We primarily handle internal tools, so we decided the risk is manageable for now, but anything involving healthcare data is a whole different story—it’s becoming a crucial part of vendor requirements in RFPs.
That makes sense. The CLOUD Act can catch you off guard since they don't even have to inform you of an access request.
Yes! We're starting to see RFPs specifically calling for EU sovereignty, and it shifts the risk balance significantly.

That’s interesting! I've heard some pretty extreme cost-saving stories—62% is a lot! Was your migration process complex?