European data-sovereignty advisory · Amsterdam

Your data is European.
Its jurisdiction may not be.

Most European organisations run on infrastructure that a foreign government can compel — regardless of where the servers sit. We are an independent Dutch advisory that maps that exposure, designs the way out, and gets you to EU jurisdiction without theatre or lock-in.

Request a sovereignty briefing See the exposure
~70%
of Europe's cloud infrastructure market is held by three US companies1
€264bn
flows out of the EU each year to foreign cloud and software vendors — ~1.5% of GDP2
15%
European providers' share of their own market, down from about 29% in 20171

The dependency

A continent renting its digital backbone.

European software runs on American foundations. That is not a moral failing — it is an architecture choice that quietly transferred control. Here is the shape of it.

European cloud infrastructure market, by provider origin 2025
AWS ~30% · Azure ~20% · Google ~13% All European providers combined

29% → 15%

European providers' share of the European market fell between 2017 and 2024, even as their revenue grew — the market simply grew faster around them. Dependence deepened by default.1

60%

of Western-European IT leaders now want to increase their use of local cloud providers. The will is there; the plan usually isn't.1

€56bn → €100bn

projected growth of Europe's sovereign-cloud market, 2025 to 2031. The exit is being built — the question is who guides you through it.1

The law

Server location is not legal sovereignty.

"Our data is in the Frankfurt region" is the most expensive misunderstanding in European IT. Jurisdiction follows who controls the company — not where the disk spins.

Where your data physically lives Whose law can compel it
AWS Frankfurt · Azure Germany · Google Belgium
EU data centres, EU staff, EU billing United States. A US-controlled parent can be ordered to produce the data under the CLOUD Act & FISA 702 — wherever it sits.
A provider controlled in the EU
EU ownership, EU jurisdiction, EU-held keys The European Union. No foreign parent to compel. GDPR Article 48 governs without a standing conflict.

// the reach

CLOUD Act + FISA 702

Two US statutes let American authorities compel any US-controlled provider to hand over data anywhere in the world — often under gag orders that forbid telling you it happened. Jurisdiction follows corporate ownership, not the map.

// the conflict

GDPR Article 48 & Schrems II

EU law forbids handing personal data to foreign authorities without a treaty basis. Schrems II struck down Privacy Shield and demanded real technical safeguards — keys held in the EEA, not promises. Austrian, French and Italian regulators have already ruled certain US arrangements unlawful.

// the fragile bridge

The Data Privacy Framework

Transatlantic transfers currently rest on the 2023 adequacy decision — which leans on a US oversight board (the PCLOB) that the current administration has stripped of its quorum. Safe Harbor fell. Privacy Shield fell. Building on the third bridge is a risk, not a strategy.

Evidence · not hypothetical

The off-switch has already been used.

Sovereignty stops being abstract the day someone abroad decides your access is a foreign-policy lever. It has happened — on European soil.

  1. May 2025 · The Hague

    The ICC prosecutor's email went dark

    After US sanctions, the Chief Prosecutor of the International Criminal Court lost access to his Microsoft email. The court moved to Swiss-hosted Proton Mail, later dropped Microsoft Office for OpenDesk, and the Dutch government began reassessing its dependence on US tech.3

  2. 2019 · Venezuela

    A country lost its design files overnight

    Complying with a US executive order, Adobe disabled Venezuelan accounts. Companies and freelancers lost access to their own work in the cloud — without warning, without recourse.

  3. 2022 · GitHub

    Source code, frozen by sanction

    GitHub suspended accounts of sanctioned Russian developers and entities. Proprietary repositories and commit history were locked. "Open source," hosted on a US platform, is not the same as sovereign.

  4. 2025 · Washington

    The safeguard lost its quorum

    The US privacy-oversight board that Europe's adequacy decision relies on was stripped of members and its ability to function — quietly weakening the legal basis for every transatlantic data transfer.4

What we do

From exposure to EU jurisdiction.

We are engineers and advisors, not a cloud reseller. We have nothing to sell you but a defensible plan and the build to deliver it.

01

Sovereignty exposure assessment

We map where every workload and dataset actually lives, who controls it in law, and your concrete CLOUD Act / FISA 702 exposure. You get a ranked register your DPO and board can act on — in weeks, not quarters.

02

Architecture & migration strategy

EU-jurisdiction reference architectures, encryption-key custody held in the EEA, and a staged exit from hyperscaler lock-in — sequenced so the critical and the feasible come first.

03

Vendor & "sovereignty-washing" review

We cut through "EU sovereign cloud" marketing and tell you which offers genuinely escape foreign jurisdiction and which are a relabelled dependency. Gaia-X-aware, vendor-neutral.

04

Governance & procurement

Transfer Impact Assessments, GDPR Article 48 alignment, sovereignty clauses for tenders, and board-level reporting that survives a regulator's questions.

05

Build & re-platform

When the plan calls for code, we deliver it: re-platforming and new builds onto sovereign infrastructure, run end to end from our Dutch entity. One European counterparty, accountable in NL law.

Not sure where you stand?

Start with a fixed-scope exposure assessment. If we conclude you're already in good shape, we'll tell you that.

Start an assessment

Approach

Autonomy, not isolationism.

Nobody leaves the hyperscalers in a single weekend, and we won't pretend otherwise. Sovereignty is a staged strategy that buys back control where it matters most, first.

  1. 01MapInventory data and workloads by sensitivity and by the law that governs them. Name the real exposure.
  2. 02DecideRank by risk and feasibility. Some workloads move now; some stay, consciously, with eyes open and keys held in the EEA.
  3. 03MigrateRe-platform the critical assets onto EU-jurisdiction infrastructure, in sequence, with rollback and without a big-bang outage.
  4. 04GovernLock the gains into procurement, contracts and an audit trail, so the next purchase doesn't quietly rebuild the dependency.

Why us

One European counterparty. No vendor in our pocket.

Impossible Labs is a Dutch company based in Amsterdam, founder-led and engineering-literate. We sell no cloud, resell no licences, and take no kickbacks — so the advice you get is the advice you'd give yourself if you had the time and the map. We contract under Netherlands law, before Netherlands courts, as a single accountable party for assessment, strategy and build.

Our position is plain: the goal is European autonomy, not anti-Americanism or a return to on-premise nostalgia. We help you decide what must be sovereign, and make it so — defensibly.

Book an intro call

Find out what a foreign court could reach.

A focused briefing on your exposure — and the shortest credible path to EU jurisdiction.

Request a sovereignty briefing