[{"data":1,"prerenderedAt":433},["ShallowReactive",2],{"navigation-docs_en":3,"/en/blog/cloud-act-2026-posts_en":51,"/en/blog/cloud-act-2026-surround-posts_en":423},[4],{"title":5,"path":6,"stem":7,"children":8,"page":25},"En","/en","en",[9],{"title":10,"path":11,"stem":12,"children":13,"page":25},"Docs","/en/docs","en/1.docs",[14,26],{"title":15,"path":16,"stem":17,"children":18,"icon":25},"Getting Started","/en/docs/getting-started","en/1.docs/1.getting-started/1.index",[19,21],{"title":20,"path":16,"stem":17,"children":-1},"Introduction",{"title":22,"path":23,"stem":24,"children":-1},"Migration Roadmap","/en/docs/getting-started/migration-fahrplan","en/1.docs/1.getting-started/2.migration-fahrplan",false,{"title":27,"path":28,"stem":29,"children":30,"page":25},"Technologies","/en/docs/technologies","en/1.docs/2.technologies",[31,35,39,43,47],{"title":32,"path":33,"stem":34,"children":-1},"Nextcloud","/en/docs/technologies/nextcloud","en/1.docs/2.technologies/1.nextcloud",{"title":36,"path":37,"stem":38,"children":-1},"Matrix / Element","/en/docs/technologies/matrix","en/1.docs/2.technologies/2.matrix",{"title":40,"path":41,"stem":42,"children":-1},"ONLYOFFICE","/en/docs/technologies/onlyoffice","en/1.docs/2.technologies/3.onlyoffice",{"title":44,"path":45,"stem":46,"children":-1},"Ubuntu Linux","/en/docs/technologies/ubuntu","en/1.docs/2.technologies/4.ubuntu",{"title":48,"path":49,"stem":50,"children":-1},"Keycloak","/en/docs/technologies/keycloak","en/1.docs/2.technologies/5.keycloak",{"id":52,"title":53,"authors":54,"badge":60,"body":62,"date":411,"description":412,"extension":413,"faq":414,"howto":414,"image":415,"meta":417,"navigation":418,"path":419,"seo":420,"stem":421,"__hash__":422},"posts_en/en/3.blog/4.cloud-act-2026.md","CLOUD Act 2026 – Why US Cloud Services Are No Longer Legally Tenable in the EU",[55],{"name":56,"to":57,"avatar":58},"europioneer Team","https://europioneer.io",{"src":59},"/favicon.svg",{"label":61},"Compliance",{"type":63,"value":64,"toc":396},"minimark",[65,69,82,85,90,95,98,102,109,113,141,145,148,224,231,235,277,288,292,295,332,346,350,356,370,376,380,391],[66,67,53],"h1",{"id":68},"cloud-act-2026-why-us-cloud-services-are-no-longer-legally-tenable-in-the-eu",[70,71,72,73,77,78,81],"p",{},"The ",[74,75,76],"strong",{},"CLOUD Act"," (Clarifying Lawful Overseas Use of Data Act) obligates US providers like Microsoft, Google, Amazon, Apple, and Meta to ",[74,79,80],{},"hand over their customers' data to US authorities globally"," — regardless of where the servers are physically located. Even if your data sits in Frankfurt, Dublin, or Amsterdam.",[70,83,84],{},"In 2026, the situation has escalated sharply.",[86,87,89],"h2",{"id":88},"what-changed-in-2026","What changed in 2026?",[91,92,94],"h3",{"id":93},"_1-new-us-executive-orders","1. New US Executive Orders",[70,96,97],{},"In its first 100 days, the second Trump administration signed several executive orders that effectively eliminate judicial oversight of CLOUD Act requests. The EU-US Data Privacy Framework (DPF) — which was already only a Commission adequacy decision — is politically obsolete, even if it formally remains.",[91,99,101],{"id":100},"_2-microsoft-admitted-it","2. Microsoft admitted it",[70,103,104,105,108],{},"In 2025, Anne Hoge, Chief Legal Counsel of Microsoft France, testified under oath before the French Senate: ",[74,106,107],{},"Microsoft cannot guarantee"," that data within its \"EU Data Boundary\" will never be disclosed to US authorities. That's the honest answer to the CLOUD Act — and it makes every Microsoft deployment in critical infrastructure legally vulnerable.",[91,110,112],{"id":111},"_3-schrems-iii-is-coming","3. Schrems III is coming",[70,114,115,116,121,122,126,127,130,131,135,136,140],{},"Max Schrems announced his third lawsuit in 2025. Schrems II killed Privacy Shield in 2020. ",[117,118,120],"a",{"href":119},"/en/blog/schrems-iii-cjeu-ruling","Schrems III"," targets the DPF — and most observers expect a third ruling in favour of the plaintiffs. Not a question of ",[123,124,125],"em",{},"if",", but ",[123,128,129],{},"when",". At the same time, the ",[117,132,134],{"href":133},"/en/blog/nis2-gdpr-microsoft-paradox","NIS2 Directive"," has bound around 29,000 German companies to strict information-security duties since 2026 — and Microsoft 365 is ",[117,137,139],{"href":138},"/en/blog/bsi-it-grundschutz-microsoft-365","structurally incompatible with BSI IT-Grundschutz"," requirements.",[86,142,144],{"id":143},"what-does-this-mean-for-you-concretely","What does this mean for you concretely?",[70,146,147],{},"If your company uses any of these tools today, you're affected:",[149,150,151,164],"table",{},[152,153,154],"thead",{},[155,156,157,161],"tr",{},[158,159,160],"th",{},"Tool",[158,162,163],{},"Risk Class",[165,166,167,178,187,196,206,215],"tbody",{},[155,168,169,173],{},[170,171,172],"td",{},"Microsoft 365 (Outlook, Teams, OneDrive, SharePoint)",[170,174,175],{},[74,176,177],{},"High",[155,179,180,183],{},[170,181,182],{},"Google Workspace (Gmail, Drive, Meet)",[170,184,185],{},[74,186,177],{},[155,188,189,192],{},[170,190,191],{},"Slack, Zoom, Dropbox",[170,193,194],{},[74,195,177],{},[155,197,198,201],{},[170,199,200],{},"Adobe Creative Cloud",[170,202,203],{},[74,204,205],{},"Medium",[155,207,208,211],{},[170,209,210],{},"GitHub (for personal-data code reviews)",[170,212,213],{},[74,214,205],{},[155,216,217,220],{},[170,218,219],{},"Apple iCloud (business accounts)",[170,221,222],{},[74,223,205],{},[70,225,226,227,230],{},"Each of these platforms is subject to the CLOUD Act. As soon as ",[74,228,229],{},"personal data"," is processed — which, given email addresses, phone numbers, and customer names, is almost always the case — GDPR compliance becomes questionable.",[86,232,234],{"id":233},"regulators-are-tightening","Regulators are tightening",[236,237,238,249,255,261,267],"ul",{},[239,240,241,244,245],"li",{},[74,242,243],{},"German Datenschutzkonferenz (DSK):"," Recommendation against ",[117,246,248],{"href":247},"/en/blog/microsoft-365-schools","Microsoft 365 in public schools",[239,250,251,254],{},[74,252,253],{},"Berlin DPA:"," Warning against Microsoft 365 in public administration",[239,256,257,260],{},[74,258,259],{},"Hesse DPA:"," Prohibition of Microsoft 365 in schools",[239,262,263,266],{},[74,264,265],{},"NRW, Lower Saxony, Baden-Württemberg:"," Active exit in agencies and schools",[239,268,269,272,273],{},[74,270,271],{},"EU Commission:"," ",[117,274,276],{"href":275},"/en/blog/eu-commission-matrix","Migrating internal communications to Matrix/Element",[70,278,279,280,283,284,287],{},"When public bodies migrate, it's a clear signal: their legal teams see the risks ",[74,281,282],{},"concretely"," and ",[74,285,286],{},"now",".",[86,289,291],{"id":290},"whats-the-alternative","What's the alternative?",[70,293,294],{},"Sovereign, EU-hosted open-source infrastructure. Specifically:",[236,296,297,302,307,312,317,322,327],{},[239,298,299],{},[74,300,301],{},"Microsoft 365 → Nextcloud + ONLYOFFICE + Element",[239,303,304],{},[74,305,306],{},"Outlook → mailcow / Stalwart Mail",[239,308,309],{},[74,310,311],{},"Teams → Matrix/Element + Element Call",[239,313,314],{},[74,315,316],{},"OneDrive / SharePoint → Nextcloud",[239,318,319],{},[74,320,321],{},"OneNote → Nextcloud Notes",[239,323,324],{},[74,325,326],{},"Active Directory → Keycloak",[239,328,329],{},[74,330,331],{},"LastPass / 1Password → Vaultwarden",[70,333,334,335,338,339,342,343,287],{},"All run on ",[74,336,337],{},"European servers"," (Hetzner, OVHcloud, Scaleway, IONOS), are ",[74,340,341],{},"fully GDPR-compliant",", and are ",[74,344,345],{},"not subject to the CLOUD Act",[86,347,349],{"id":348},"how-europioneer-helps","How europioneer helps",[70,351,352,353,287],{},"We migrate SMEs, schools, and public agencies in a matter of weeks — without data loss, without productivity disruption. You keep your email addresses, your files, your workflows. What changes is ",[74,354,355],{},"legal certainty",[236,357,358,361,364,367],{},[239,359,360],{},"Fixed price, transparent calculation",[239,362,363],{},"Hosting in Germany (Hetzner Falkenstein/Helsinki) or on-premise",[239,365,366],{},"Staff training included",[239,368,369],{},"24/7 support for critical systems",[70,371,372],{},[117,373,375],{"href":374},"/en/contact","Book a free initial consultation →",[86,377,379],{"id":378},"conclusion","Conclusion",[70,381,382,383,386,387,390],{},"The CLOUD Act isn't new — but in 2026 it has become ",[74,384,385],{},"unavoidable",". Anyone still relying on US cloud services without a migration plan is taking an ",[74,388,389],{},"avoidable compliance risk",". Europe's political climate could hardly be more favourable for the move.",[70,392,393],{},[74,394,395],{},"Sovereignty isn't ideology. It's risk management.",{"title":397,"searchDepth":398,"depth":398,"links":399},"",2,[400,406,407,408,409,410],{"id":88,"depth":398,"text":89,"children":401},[402,404,405],{"id":93,"depth":403,"text":94},3,{"id":100,"depth":403,"text":101},{"id":111,"depth":403,"text":112},{"id":143,"depth":398,"text":144},{"id":233,"depth":398,"text":234},{"id":290,"depth":398,"text":291},{"id":348,"depth":398,"text":349},{"id":378,"depth":398,"text":379},"2026-04-22T00:00:00.000Z","Trump-era executive orders, the upcoming Schrems III ruling, and Microsoft's own sworn testimony make Microsoft 365, Google Workspace, and AWS a compliance risk for European SMEs. Here's what you need to know in 2026.","md",null,{"src":416},"https://images.unsplash.com/photo-1639762681485-074b7f938ba0?w=1200&q=80",{},true,"/en/blog/cloud-act-2026",{"title":53,"description":412},"en/3.blog/4.cloud-act-2026","G39hpHx8_Pz8N4kaznlx00ZS2nvbhRuIJ54ApadvYrA",[424,428],{"title":425,"path":275,"stem":426,"description":427,"children":-1},"EU Commission and gematik Adopt Matrix – What This Means for German SMEs","en/3.blog/3.eu-commission-matrix","More and more European institutions are migrating to Matrix/Element for secure communication. A trend that should also guide German SMEs.",{"title":429,"path":430,"stem":431,"description":432,"children":-1},"EuroStack – Europe's 2026 Digital Sovereignty Strategy Explained","/en/blog/eurostack-digital-sovereignty","en/3.blog/5.eurostack-digital-sovereignty","The EU Commission, France, and Germany are pushing EuroStack — a full European tech infrastructure stack. Here's what the initiative means and why europioneer already delivers what policymakers are announcing.",1779405610621]