European companies building or deploying AI systems face a collision of two powerful laws from two continents. The EU AI Act demands transparency, documentation, and data governance for AI systems operating in the EU market. The US CLOUD Act gives American authorities the power to access data held by US-controlled companies — regardless of where that data is stored.
When your AI compliance evidence sits on a US-owned cloud platform, these two laws are on a direct collision course.
This guide explains how the CLOUD Act works, why it matters for AI compliance, and what European companies should do about it.
What Is the US CLOUD Act?
The Clarifying Lawful Overseas Use of Data Act is a US federal law passed in 2018. In short:
- US law enforcement can compel any US-headquartered company to hand over data — even if that data is stored outside the United States
- It applies to all “electronic communication service providers” or “remote computing service providers” subject to US jurisdiction
- It overrides the physical location of the data — a server in Frankfurt owned by a US company is still reachable
- There is no requirement to notify the data subject or the government of the country where the data is stored
- Companies can challenge an order if it would violate the laws of a “qualifying foreign government” — but the EU does not yet have a qualifying agreement in place
Why This Matters for AI Compliance
The EU AI Act requires organisations to maintain extensive documentation, evidence, and data for their AI systems:
- Technical documentation (Annex IV) covering system design, training data, testing, and validation
- Risk management files documenting identified risks, mitigations, and residual risk
- Training, validation, and testing datasets with quality and governance records
- Compliance evidence across Living Compliance Binders
- Audit trails with timestamped records of all compliance activities
- Post-market monitoring data including performance metrics and incident logs
This documentation contains some of the most sensitive information a company holds: proprietary algorithms, training data details, risk assessments, internal governance decisions, and evidence of compliance gaps.
If this data sits on infrastructure controlled by a US-headquartered cloud provider, it is potentially accessible under the CLOUD Act — even without the company’s knowledge or consent.
The Legal Conflict: CLOUD Act vs GDPR and AI Act
| Dimension | US CLOUD Act | EU GDPR / AI Act |
|---|---|---|
| Jurisdiction | Applies to US-headquartered companies globally | Applies to anyone processing data in the EU or targeting EU users |
| Data location | Irrelevant — US authorities can reach data anywhere | Data residency in EU expected; transfers to third countries restricted |
| Legal basis for access | US court order or warrant | Lawful basis under GDPR required; Article 48 prohibits transfers based on foreign court orders without international agreement |
| Notification | No obligation to notify data subject or foreign government | Data subjects have right to be informed; breach notification mandatory |
| Consent | Not required from data subject | Consent or other lawful basis required for processing |
| Challenging access | Provider can challenge if it would violate “qualifying foreign government” law — EU has no qualifying agreement | GDPR Article 48 explicitly restricts recognition of foreign court orders |
| Penalties for non-compliance | Contempt of court, fines | GDPR: up to €20M or 4% of turnover; AI Act: up to €35M or 7% of turnover |
The core conflict: GDPR Article 48 explicitly states that any judgment of a third-country court requiring the transfer of personal data can be recognised or enforced only if it is based on an international agreement. No such agreement exists between the EU and US for CLOUD Act requests.
A European company using a US cloud provider faces an impossible choice: comply with the CLOUD Act and violate the GDPR, or comply with the GDPR and risk US contempt of court.
The AI Act Amplifies the Problem
The CLOUD Act risk isn’t new. It’s been debated since 2018 in the context of GDPR. But the EU AI Act makes it significantly worse for three reasons:
1. The data is more sensitive. AI compliance documentation reveals how a company’s AI systems work, their weaknesses, their risk profiles, and their governance failures. This is competitive intelligence and regulatory vulnerability in one package.
2. The data must be retained longer. Article 18 of the AI Act requires technical documentation to be kept for the lifetime of the AI system plus 10 years. That’s a decade or more of compliance evidence sitting on infrastructure potentially subject to US access.
3. The data must be audit-ready. The AI Act requires documentation to be available to national competent authorities on request. If that documentation has been accessed or compromised by a foreign government, its integrity as audit evidence is undermined.
Who Is Affected by the US CLOUD Act?
Any European company that stores AI compliance data on infrastructure controlled by a US-headquartered company. This includes:
| Provider | Risk |
|---|---|
| AWS (Amazon) | US-headquartered; CLOUD Act applies regardless of EU region selection |
| Microsoft Azure | US-headquartered; despite EU Data Boundary initiative, CLOUD Act still applies |
| Google Cloud | US-headquartered; same jurisdictional exposure |
| US-owned SaaS tools | Any compliance, GRC, or documentation tool owned by a US entity (e.g., ServiceNow, OneTrust, Confluence) |
| US-owned AI platforms | MLflow, model registries, or AI governance tools under US corporate control |
Marketing terms like “EU Data Boundary,” “Sovereign Cloud,” or “EU-hosted” do not resolve the legal conflict. Data sovereignty is not about where the server is. It’s about who controls the infrastructure and which jurisdiction’s laws apply to the company operating it.
The EU-US Data Privacy Framework: Does It Help?
The EU-US Data Privacy Framework (DPF), adopted in July 2023, provides an adequacy mechanism for transatlantic data transfers. However:
- It addresses commercial data transfers, not law enforcement access under the CLOUD Act
- The CLOUD Act operates through a separate legal mechanism (court orders, not adequacy decisions)
- The DPF’s stability is already in question — in January 2025, the Trump administration removed all Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB), leaving it without a quorum
- A future Schrems III challenge could invalidate the DPF, just as Schrems I and II invalidated Safe Harbor and Privacy Shield
The DPF does not eliminate CLOUD Act risk for AI compliance data.
What European Companies Should Do About the US CLOUD Act
| Action | Why It Matters |
|---|---|
| Choose EU-headquartered cloud and compliance infrastructure | Eliminates CLOUD Act jurisdiction entirely — no US entity, no US legal reach |
| Implement client-side encryption with EU-held keys | Even if a provider is compelled to hand over data, ciphertext without the keys is useless to the recipient |
| Audit your AI compliance toolchain | Map every tool that touches compliance evidence — documentation, risk management, evidence storage, audit trails — and verify jurisdictional control |
| Include data sovereignty in vendor due diligence | Before selecting any compliance or cloud tool, confirm the entity’s incorporation jurisdiction, not just its server location |
| Contractualise sovereignty requirements | Require providers to notify you of any third-country government data requests and to challenge them on your behalf |
| Document your data sovereignty choices | Under the AI Act, demonstrating governance decisions is itself a compliance requirement — your choice of infrastructure is auditable evidence |
How This Connects to the EU’s Broader Digital Sovereignty Push
The CLOUD Act conflict is driving a wider European movement toward digital sovereignty:
- November 2025: France and Germany convened a Summit on European Digital Sovereignty, launching a joint task force reporting in 2026
- November 2025: EU member states adopted the Declaration for European Digital Sovereignty
- EU Cloud and AI Development Act (CADA): expected to establish EU-wide eligibility requirements for cloud service providers, potentially restricting participation by non-EU companies
- EU Cloud Services Certification Scheme (EUCS): under development by ENISA, with debate over whether to include a “sovereignty requirement” that would effectively exclude US hyperscalers from the highest certification tier
- Data Act (effective January 2025): mandates switching ease and interoperability between cloud providers, reducing vendor lock-in
- DORA (effective 2025): forces financial institutions to manage third-party ICT concentration risk — relying on a single US hyperscaler is now a regulatory concern
The direction of travel is clear: Europe is moving toward infrastructure autonomy, and companies that anticipate this shift will be better positioned.
How EYREACT Can Help
EYREACT is built in Europe, for Europe. Your AI compliance evidence — risk assessments, technical documentation, compliance binders, audit trails — stays on EU infrastructure, under EU jurisdiction, outside the reach of the CLOUD Act.
We don’t just help you comply with the AI Act. We help you comply without creating new data sovereignty risks in the process. Book a demo!
FAQ
Does the CLOUD Act apply if my data is stored in an EU data centre?
Yes. The CLOUD Act applies based on the provider’s corporate jurisdiction, not the data’s physical location. If the cloud provider is US-headquartered, US authorities can compel access to data stored anywhere in the world.
Can a US provider refuse a CLOUD Act request?
A provider can challenge an order if it would create a conflict with the laws of a “qualifying foreign government.” However, the EU does not currently have a qualifying agreement with the US under the CLOUD Act framework, limiting this protection.
Does the EU-US Data Privacy Framework solve this?
No. The DPF addresses commercial data transfers under GDPR, not law enforcement access under the CLOUD Act. These are separate legal mechanisms.
How does this affect my AI Act compliance specifically?
AI Act compliance generates highly sensitive documentation — technical specifications, risk assessments, training data details, governance decisions, and evidence of compliance gaps. If this data is accessible under the CLOUD Act, its integrity as regulatory evidence is compromised, and you may face GDPR violations for allowing third-country access to personal data contained in AI system documentation.
Is using a US cloud provider a GDPR violation?
Not automatically, but it creates unresolved legal risk. GDPR Article 48 prohibits data transfers based on foreign court orders without an international agreement. If a US provider complies with a CLOUD Act request involving EU personal data, that transfer likely violates GDPR.
What about “sovereign cloud” offerings from US providers?
Marketing terms like “EU Data Boundary” or “Sovereign Cloud” improve data residency but do not eliminate jurisdictional risk. As long as the provider is under US corporate control, the CLOUD Act applies. Sovereignty is about legal control, not server location.
What should I look for in an EU-based alternative?
An EU-headquartered company with no US parent, subsidiary, or corporate control structure. EU-hosted infrastructure with encryption keys held by the customer. Compliance with GDPR, and ideally certification under emerging EU frameworks like EUCS.
Does EYREACT address this risk?
Yes. EYREACT is a UK-registered company with an EU entity in Estonia and a Swiss office. Our platform is hosted on EU-based infrastructure with strict data residency within the EU. We are not subject to US jurisdiction. Your AI compliance evidence stays under European legal control.
This article is for informational purposes only and does not constitute legal advice. Organisations should seek qualified legal counsel for jurisdiction-specific compliance guidance.