EU Cloud Patterns

AWS European Sovereign Cloud: What Four German GmbHs Can't Fix About the CLOUD Act

Sun, 12 Apr 2026 00:00:00 +0000

On January 15, 2026, AWS flipped the switch on the European Sovereign Cloud (ESC). Physically separate infrastructure in Brandenburg, Germany. Four dedicated German GmbH entities. Two managing directors who are EU citizens. An advisory board with independent members. A separate console at console.aws.eu. Separate root certificates. EU-resident-only operations.

AWS calls it “the only fully-featured, independently operated sovereign cloud.”

That’s a strong claim. And the engineering behind it is genuinely impressive. The question is whether it’s sovereignty or the most expensive compliance theater in European cloud history.

Translating EDPB's 2025 Guidance Into Cloud Architecture: A Compliance Roadmap

Thu, 09 Apr 2026 00:00:00 +0000

The European Data Protection Board published its 2025 annual report in April 2026, and the headline is reassuring: no new enforcement crackdowns on cloud. Instead, the EDPB is leaning into what it calls “enhanced clarity, support, and engagement” (the theme of its landmark Helsinki Statement from July 2025).

For cloud architects, this shift matters. It means the regulatory target has stopped moving. The EDPB’s guidance on what “compliant cloud” looks like is now stable enough to plan architectures around it. That’s rare in EU data protection. But it also means there’s no more excuse for vagueness: the expectations are now explicit, and enforcement will follow.

Cyber Resilience Act and Open Source: What EU Financial Cloud Teams Must Do Now

Tue, 07 Apr 2026 00:00:00 +0000

Ninety-six percent of software products contain open source components. That figure comes from the German Open Source Business Alliance, and it’s the one you should have in mind when you read the scope of Regulation (EU) 2024/2847, the Cyber Resilience Act. The CRA applies to any “product with digital elements” placed on the EU market. That’s almost everything. If your financial infrastructure runs on Kubernetes, Kafka, Vault, or PostgreSQL sourced from a commercial vendor, you have compliance questions to answer before September 2026.

ESMA Benchmark Supervision Extends to EEA: What It Means for Your Financial Data Stack

Tue, 07 Apr 2026 00:00:00 +0000

A Commission proposal published earlier this year would extend the direct supervisory authority of ESMA (the European Securities and Markets Authority, the EU’s financial markets regulator) over benchmark administrators into the EEA/EFTA zone (the European Economic Area, which extends EU single market rules to Norway, Iceland, and Liechtenstein via the EFTA states). On paper, CELEX:52026PC0143 is an administrative alignment exercise: the EU’s position in the EEA Joint Committee on amending Annex IX of the EEA Agreement. In practice, it signals something more significant for financial cloud architects.

Google Analytics to EU-Sovereign Analytics: A Migration Guide for Regulated Teams

Tue, 07 Apr 2026 00:00:00 +0000

Three European data protection authorities issued rulings against Google Analytics within six months of each other: Austria’s DSB in January 2022, France’s CNIL in February 2022, Italy’s Garante in June 2022. The rulings didn’t ban Google Analytics outright, but they established a clear position: routing personal data through Google’s US infrastructure, with its FISA and CLOUD Act exposure, is not compatible with GDPR.

Four years later, many EU regulated teams are still running GA4.

Migrating Transactional Email to EU-Sovereign Infrastructure

Sat, 04 Apr 2026 00:00:00 +0000

Your password reset emails are processing data in Virginia. Possibly the Carolinas too. Definitely in the United States.

If you’re using SendGrid, Mailgun, or Postmark to send transactional emails for an EU-facing service, that’s where the personal data goes: email addresses, message content, delivery metadata, everything. The email service provider’s infrastructure is headquartered and controlled from the US. Even if you select an “EU region” option, you’ve created a data routing problem under GDPR Article 44. The email provider processes the data as a controller’s processor, but the processor’s processor (their cloud vendor, backup systems, logging infrastructure) may be US-based.

Moving AI Inference to EU-Sovereign Infrastructure

Sat, 04 Apr 2026 00:00:00 +0000

Your document classification model is running on a GPU in Oregon. If that model is processing customer KYC documents or insurance claims, that’s a problem. You’re storing European personal data on US infrastructure subject to US jurisdiction, US surveillance law, and (most critically) no explicit audit rights or control over who can access the compute layer.

Most ML teams never question this. Lambda Labs, CoreWeave, Vast.ai are cheap, reliable, and have GPUs in stock when others are sold out. They’re also all US companies operating under US law. That matters more than it used to.

Multi-AZ Failed. Now DORA Does Too.

Sat, 04 Apr 2026 00:00:00 +0000

On March 1-2, 2026, Iranian drones and ballistic missiles struck AWS data center facilities in the United Arab Emirates and Bahrain. Two of three Availability Zones in AWS’s ME-CENTRAL-1 region went offline simultaneously. Within minutes, 60+ AWS core services failed. Dubai International Airport experienced operational disruptions. Abu Dhabi Commercial Bank’s platform and mobile app went dark. SadaPay, a fast-growing fintech, stopped processing payments.

But the real revelation came in the aftermath: customers running Multi-AZ architectures across a single region had zero resilience. Only those with active-active setups across multiple regions and multiple providers stayed online.

Why Hosting Location Still Matters Under GDPR

Sat, 04 Apr 2026 00:00:00 +0000

GDPR does not require you to host data in the EU. This is the first thing practitioners get wrong, and it creates a false sense of flexibility that evaporates the moment you need to scale, comply with DORA, or win a public-sector contract.

What GDPR actually does: it regulates how data leaves the European Economic Area. If you keep data inside the EEA, Chapter V of the GDPR (the international transfers section) doesn’t apply at all. Your compliance problem shrinks. But if you use a US cloud provider, even in an Irish data center, you’ve just triggered a different set of rules that most fintech teams are not equipped to manage.

ANSSI's Supervision Doctrine: What Your Cloud Architecture Needs Now

Fri, 03 Apr 2026 00:00:00 +0000

On May 7, ANSSI closes its public consultation on security supervision architectures for cloud-hosted systems. This matters more than it sounds. The guidance that emerges will reshape how EU financial services build detection and response infrastructure.

The tension ANSSI is trying to solve is real: you need sovereign oversight of your cloud environment, but you also can’t afford to run detection in isolation. Cloud logging alone generates terabytes of noise. You need a SOC. But if your SOC is in the US, you’ve lost sovereignty. If it’s a tiny French MSSP with no threat intelligence, you’ve lost operational maturity. ANSSI’s reference architectures are meant to show architects how to have both.

Cloud Contract Sovereignty After the VMware Lesson

Wed, 01 Apr 2026 00:00:00 +0000

In April 2024, Broadcom terminated the VMware Cloud Service Provider programme. Providers who had built multi-year businesses on VMware licensing (some with contracts signed a decade earlier) received notice periods measured in months, not years. Platforms migrated. Customers scrambled. In some cases, the contracts that were supposed to protect everyone turned out to protect no one.

Cloud contracts in EU financial services raise one question more often than you’d expect: “what does this agreement actually say?” The VCSP situation is worth applying to your own stack. Go back and reread the agreements covering your critical infrastructure. What you’ll typically find isn’t reassuring.

Privacy Notice

Wed, 01 Apr 2026 00:00:00 +0000

This site is about data sovereignty. It would be a bit embarrassing to run it on a surveillance stack. Here’s what happens (and what doesn’t) when you visit eucloudpatterns.eu.

Analytics

This site uses Plausible Analytics, an EU-based, open-source analytics tool. Plausible is incorporated in Estonia and processes data within the EU.

What Plausible does not do:

Set cookies on your device
Use localStorage, sessionStorage, or any other browser storage
Generate persistent identifiers that track you across sessions or across sites
Collect your IP address in any stored or identifiable form

What Plausible does do:

Sovereign by Default: Kubernetes Security for EU Finance

Wed, 01 Apr 2026 00:00:00 +0000

Here’s a configuration problem that shows up more often than it should: a team migrates to EU-sovereign Kubernetes infrastructure, ticks the compliance box, and continues pulling container images from docker.io. They’ve moved the control plane to OVHcloud. Their images are still transiting Docker Hub servers in the US. SEAL-3 infrastructure, SEAL-1 workloads.

This isn’t an edge case. Default Kubernetes configuration is US-centric because most of the tooling ecosystem was built for and by teams that didn’t need to think about jurisdiction. The image registry default is docker.io. The DNS resolver follows the node’s /etc/resolv.conf, which on a freshly provisioned cloud VM often points to the provider’s resolver, which can chain to 8.8.8.8. Admission webhooks run without egress restrictions. Monitoring gets wired to whatever SaaS tool the ops team already uses. Datadog and Grafana Cloud are the common defaults, both US-operated.

SEAL Assessment: Who Sees Your Security Telemetry?

Tue, 31 Mar 2026 00:00:00 +0000

There’s a sovereignty blindspot that shows up consistently in EU financial services, and it’s not in the cloud architecture. It’s in the security stack.

Teams spend considerable effort getting their cloud infrastructure to SEAL-3: EU-sovereign compute, EU-operated Kubernetes, encrypted secrets with EU-held keys. Then they wire the whole thing up to a US-headquartered SOC provider whose analysts have full access to security telemetry that includes customer transaction patterns, authentication events, and API call logs. The infrastructure is sovereign. The entity watching the infrastructure isn’t.

What DORA Actually Expects from Your Cloud Architecture

Sun, 29 Mar 2026 00:00:00 +0000

Your first Register of Information submission was supposed to be April 30, 2025. If you’re reading this in March 2026, you’ve had one set of supervisory questions from your national regulator about what you submitted. The ESAs designated 19 critical ICT third-party providers last November. That includes AWS, Azure, and Google Cloud. Which means someone at your regulator is now running formal examinations of how those providers operate, and more importantly, whether you’ve built an exit strategy that actually works if one of them becomes unavailable.

What SEAL Level Is Your Architecture Actually At?

Sun, 29 Mar 2026 00:00:00 +0000

In October 2025, the European Commission adopted SEAL (Sovereignty Effective Assurance Level) as its official Cloud Sovereignty Framework. Four levels. Eight measurable criteria. One simple question:

Whose legal system decides what happens to your data?

Finance teams often announce they’ve “gone sovereign” by moving workloads to a European region on AWS. The same conversation usually leads to the realisation that moving your data to Dublin doesn’t change the fact that the US government can compel Amazon to hand it over. Those are two very different things. SEAL exists to stop that confusion.

Geopolitical Risk Is Now a Cloud Architecture Problem

Sat, 28 Mar 2026 10:00:00 +0000

On 27 March 2026, the three European Supervisory Authorities (EBA, EIOPA, and ESMA) published their spring Joint Committee update on risks and vulnerabilities in the EU financial system. The top two risk areas: geopolitical pressures and rising private finance risks. If you read it as a macro risk report, it looks like the kind of document that gets circulated at the board level and filed away. Read it through a DORA lens, and it lands differently.

CISPE vs Broadcom: VMware and EU Cloud Sovereignty

Fri, 27 Mar 2026 10:00:00 +0000

On 19 March 2026, CISPE filed a formal competition complaint with the European Commission against Broadcom. The charge: Broadcom is using its $61 billion VMware acquisition to squeeze European cloud providers out of the market. If you’re running VMware anywhere in your stack, you should care about this. A lot.

What Actually Happened

Satellites Meet Solvency II: EIOPA's Sovereignty Play

Fri, 27 Mar 2026 00:00:00 +0000

The EU built a satellite programme that’s collected 50 petabytes of Earth observation data. Heading toward 100. EU-owned satellites. EU-operated cloud infrastructure. Entirely hosted on European territory. Free for anyone to use. It’s called Copernicus, and unless you work in Earth observation or regulatory tech, you’ve probably never heard of it.

Then in March 2026, something interesting happened. EIOPA, the EU’s insurance and pensions supervisor, quietly published a white paper with EUSPA. They explained how they plan to use this satellite data to supervise your industry. Specifically: they’ll match real-time flood imagery from Sentinel satellites against your Solvency II regulatory reporting to estimate what natural disasters will actually cost you. As the disasters happen.