AWS's autonomous European cloud is now live

AWS announces the availability of its autonomous European cloud: ensuring data control and operational autonomy. The first cloud “region” has been launched in the state of Brandenburg.The CSP is also introducing a new "sovereignty" framework for its customers and partners.

Amazon had earlier been targeted by European regulators for failing to comply with EU rules on competition and data privacy.

With the introduction of AWS European Sovereign Cloud and €7.8 billion of investment planned between now and 2040, Amazon is determined to comply with EU laws and regulations, including the launch of a new sovereignty framework.

Although AWS has not changed the name of its offering and continues to use of the insuitable term of “sovereign cloud,” its chief technology officer has made a significant move by referring to it as a strategic autonomous offering, combining the concepts of data control and operational autonomy. The key points to keep in mind are summarized below.

• The scope of the European Amazon cloud

• Autonomy by design on a proprietary stack

• The introduction of a new AWS sovereignty framework

• The choice of C5 certification over SecNumCloud

• Technology alliances vs. cloud natives

The new scope of the AWS European autonomous cloud

Amazon's cloud computing division has set up a new parent company and three subsidiaries in Germany to operate the new European sovereign cloud, to meet the requirement of locating its headquarters in the EU.

What matters here is not so much the legal structure itself but rather the physical location of the data and services operated.

With the launch of this new European autonomous cloud, AWS ensures that customers will be able to keep all metadata in the EU, including roles, permissions, resource tags, and configurations.

Located and operated in European data centers, AWS European Sovereign Cloud is physically and logically separated from existing AWS regions and have a dedicated European Security Operations Center (SOC).

The infrastructure offers its own identity management service (IAM) located in Europe.

In addition to an independent infrastructure, AWS confirms that they will be no operational control outside the EU.

Only AWS employees residing in the EU will control day-to-day operations, including data center access, technical support, and customer service for AWS's European sovereign cloud.

As for existing AWS regions, EU customers will have total control and assurance that Amazon won't access their data or may use it for any purpose without their consent.

The service will also have its own billing and usage measurement systems.

According to Max Peterson, Vice President of Sovereign Cloud at AWS. “For more than a decade, we have been working with governments and regulators across Europe to understand and respond to evolving needs in cybersecurity, data privacy and localization, and more recently, digital sovereignty.”

Autonomy by design.

The AWS cloud is autonomous by design. Customers who need more options to meet strict isolation and data localization requirements in their countries will be able to rely on existing offerings such as AWS Outposts or AWS Dedicated Local Zones.

The first availability zone is in Germany, and three more local zones are announced in Belgium, the Netherlands, and Portugal.

Each availability zone have its own independent power supply, cooling system, and physical security, and will be connected by redundant, ultra-low-latency networks.

To ensure that this infrastructure remains operational even in the event of a breakdown, European teams have independent access to the source code, for the operation, maintenance, and services updates.

To strengthen this notion of autonomy, AWS is promoting its (proprietary) Nitro stack, which relies on hardware and software mechanisms for security, encryption, and isolation of resources and instances.

Introduction of a new AWS sovereignty framework

As the saying goes, “if you want something done right, do it yourself.”

AWS took advantage of this launch to introduce its own sovereignty compliance framework to the European market: the ESF-SRF (European Sovereignty Reference Framework), in response to the European Commission's CSF-Cloud Sovereignty Framework, launched in October 2025.

This reference framework claims to harmonize sovereignty criteria in several areas, such as governance independence, operational control, data residency, and technical isolation.

The ESC-SRF was developed using customer feedback, European Union (EU) regulatory requirements, industry frameworks, AWS contractual commitments, and contributions from partners and customers using Amazon's European cloud.

It relies in particular on AWS's fundamental security features in terms of security (encryption, key management, access governance, Nitro-based isolation, internationally recognized compliance certifications).

It adds specific technical and operational governance measures, such as independent corporate structures in the EU, trust and certification services dedicated to the EU, operations conducted by AWS personnel residing in the EU, strict localization for customer data and metadata created by customers, separation from all other AWS regions, and incident response managed within the EU.

This framework claims to be “industry and sector independent,” but it is still designed for and by the AWS and has not been validated by an independent third party.

However, it does have the advantage of allowing the market (i.e customers and partners) to regain control of the sovereignty concept and to focus on defining cloud sovereignty measures tailored to customers objectives, regulatory requirements, and risk posture.

But its still presents only one version of the truth, that of AWS and its ecosystem, and a partial approach to the European sovereignty.

As it claims to be transparent, the framework yet requires a customer login to access via AWS Artifact.

Support from Germany and the BSI office

The BSI (German Federal Office for Information Security) is supporting this launch unconditionally. “AWS was the first cloud service provider to receive C5 certification.

In this respect, we are very pleased to support the local development of an AWS cloud, which will also contribute to the European sovereignty in terms of security” confirms Claudia Plattner, President of the BSI.

The BSI C5 (Catalog of Cloud Computing Compliance Criteria) has significantly shaped European cloud cybersecurity standards, so did the National French security agency (ANSSI) with its local SecNumCloud qualification.

While AWS already has the highest security certifications (C5, IS0 27001, 27017, 27018, SOC 1,2,3), it has still not decided on the merits of the French SecNumCloud qualification.

Markus Richter, Chief Information Officer of the German Federal Government, said he was “very pleased to collaborate with AWS to implement sovereignty in a practical and collaborative manner in accordance with the German administration’s cloud strategy and the EVB-IT Cloud contractual standard.”

According to Stefan Schnorr, State Secretary at the German Federal Ministry for Digital Economy and Transport: "The German and European economies are on the path to digitalization. Germany's powerful Mittelstand (SME sector), in particular needs a sovereign digital infrastructure that meets the highest standards in order to remain competitive in the global market. Ensuring our digital independence requires computing power to be generated locally in Germany and more investment to be made in the digitalization of the local economy. We therefore welcome AWS's announcement to establish the European cloud in Germany."

A highly welcomed support from other European countries

Germany is not the only country offering its unconditional support for this AWS European launch. Jarkko Levasma, Chief Information Officer for the Finnish government at the Ministry of Finance, says that “AWS's announcement of an independent European cloud will offer organizations facing the strictest regulations more choice in their digital sovereignty strategy.”

The same sentiment was echoed in the Czech Republic by Tomas Krejci, Deputy Director of the National Cyber and Information Security Agency (NÚKIB): “AWS's announcement of an independent European cloud is indeed the right decision at the right time, which will ultimately also strengthen transatlantic collaboration.”

Dan Cimpean, director of Romania's National Cybersecurity Directorate, welcomes this initiative, which “represents a long-term investment in security and cloud computing skills in Europe.”

We might have expected European cloud providers and operators such as T-Systems, Telefonica, and Telia to react more cautiously to this announcement, but this was not the case.

Technology alliances vs. sovereign clouds

Companies and public bodies are increasingly using data centers and US based technologies for public cloud services rather than building their own infrastructure. Microsoft, Orange, Cap Gemini ( with the Blue partnership), and Oracle have also launched their own “sovereign cloud” offerings for European government customers. The french CSP Thales has chosen to operate a cloud on a Google Cloud infrastructure (GCP) operated and secured in France.

Considering the investments made by hyperscalers to dominate the European sovereign cloud market, it will be increasingly difficult for medium-sized European players to gain market share, unless Europe decides to add a 100% European equity structure requirement to the existing requirements for the location of the parent company and data storage and processing.

With its European Confidence Index (GCTI), B2CLOUD already offers a framework and benchmark for accurately analyzing all 140 parameters, including a dedicated section covering financial governance.

The Eurostack initiative is also proposing a technically auditable framework to help policymakers distinguish real sovereignty from mere rhetoric.