The demand for data sovereignty is growing stronger. Especially among government agencies, semi-public institutions, and privacy-sensitive sectors, concerns are rising about the reliance on American cloud providers like Microsoft, Google, and Amazon. Understandably so. But if you listen closely, much of the debate remains vague, caught up in abstract terms like "digital autonomy" or "control over data."
What’s missing is a concrete understanding of the actual risks — and, more importantly, the right strategies to mitigate them. In this blog, we aim to clarify:
- The two core risks associated with the U.S. cloud
- What does and doesn't help to mitigate them
- How Zivver offers practical solutions that truly enable data sovereignty
Why the U.S. Cloud Became the Standard
The rise of American cloud providers didn't happen by accident. They were - and often still are - ahead of the curve in terms of ease of use, security-by-default, scalability, and the breadth of their ecosystems. Their platforms offer deep integrations, rapid innovation, and globally organized support.
For many organizations, migrating to the U.S. cloud was a rational decision: it enabled rapid digitalization, stronger security, and faster collaboration. European alternatives simply couldn't compete at the time.
This makes the current push for data sovereignty a complex balancing act. Moving back to Europe isn’t just about geography - unless you have a solution that offers the benefits of the U.S. cloud while granting full control over your data.
Risk 1: Access by the U.S. Government via the CLOUD Act
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) requires U.S.-based cloud providers to grant access to customer data upon legal request — regardless of where that data is stored. Even if your data resides in a Microsoft or Google data center within the EU, the CLOUD Act still applies. It’s not about the data’s location, but about who controls the infrastructure.
This risk is especially significant for sensitive communications: emails, documents in collaboration platforms, or files shared via cloud-based tools. These data types are often the most vulnerable.
How to mitigate the risk of access by the U.S. government under the CLOUD Act
1. Zero-access or end-to-end encryption
This ensures that:
- Data is stored in encrypted form in the cloud
- Only the customer controls the encryption keys
This means that the provider — and by extension, the U.S. government — cannot access the content. Without the key, the data is unintelligible. These approaches are known as zero-access encryption (server-side) and end-to-end encryption (client-to-client).
Important caveat: The technology must be both technically sound and operationally practical. Many providers offer "Bring Your Own Key" or "Double Key Encryption," but these often fall short:
- They are limited in scope (e.g., Microsoft DKE is only available for E5 licenses, does not support email, and is incompatible with many common workflows)
- Or they are too complex for organizations to implement and maintain effectively
2. On-premise or private cloud hosting
Another powerful option is to host your data in an environment you fully control, completely independent from U.S. cloud infrastructure:
- You run the software yourself (on-premise or in a European private cloud)
- You manage all access and encryption keys
- The provider, regardless of origin, has no access to your infrastructure or data
In this setup, the CLOUD Act simply cannot be enforced, as the vendor has no technical means to access your data.
Note: The origin of the software provider matters far less if:
- You control hosting and key management
- The software has no hidden dependencies (e.g., remote access, forced updates, or traffic to U.S.-based APIs)
However, this shifts the risk from unauthorized access to technical vulnerability. You are now responsible for:
- Server hardening
- Patch management
- Monitoring and alerting
- Auditability
- Secure configurations
Using outdated software, insecure open-source stacks, or poorly maintained platforms increases the risk of misconfigurations, bugs, or even backdoors. Sovereignty requires not just control, but also expertise.
Risk 2: U.S.-Mandated Service Disruptions
A second, and fundamentally different, risk is that U.S. vendors may be compelled to halt services to specific organizations — even without requesting access to data.
This was long considered a theoretical scenario. That changed when Microsoft, under pressure from the U.S. government, blocked email access for members of the International Criminal Court (ICC). To this day, the scope of the disruption remains unclear. Similarly, in 2022, Microsoft and Amazon cut off the Amsterdam Trade Bank from their services due to sanctions.
How to mitigate the risk of U.S.-Mandated Service Disruptions
The only way to protect against forced service interruptions is full operational independence from U.S. providers. In practice:
- Run the software on your own infrastructure (on-premise or in a sovereign private cloud)
- Avoid reliance on U.S.-controlled licensing systems, identity services, or logging APIs
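One way to check a self-hosted deployment for the hidden dependencies described above (forced updates, licensing, identity, or logging calls to outside APIs) is to audit its outbound connections against an allowlist of destinations you operate. This is an added example, not Zivver or Kiteworks code; the log format, host names, and network range are constructed assumptions, and the script flags everything outside the allowlist for review rather than deciding which jurisdiction a destination falls under.

```python
"""Egress allowlist audit for a self-hosted deployment (constructed data)."""
import ipaddress
from collections import Counter

# Assumption: destinations the operator runs or has explicitly approved.
ALLOWED_SUFFIXES = ("agency.example",)            # hypothetical internal domain
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed log lines: "<timestamp> <process> <destination> <port>"
SAMPLE_LOG = """\
2025-01-10T08:00:01Z mailgw smtp.agency.example 25
2025-01-10T08:00:05Z appsrv 10.20.0.15 5432
2025-01-10T08:03:12Z appsrv license.vendor.example 443
2025-01-10T08:03:40Z updater updates.vendor.example 443
2025-01-10T09:03:12Z appsrv License.Vendor.Example. 443
2025-01-10T09:10:00Z appsrv notagency.example 443
garbage line
"""


def is_allowed(dest):
    """True if dest is an approved host name or falls in an approved network."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        host = dest.lower().rstrip(".")
        # Match whole DNS labels only, so "notagency.example" does not pass.
        return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)
    return any(ip in net for net in ALLOWED_NETS)


def audit(log_text):
    """Count connections per (process, destination, port) outside the allowlist."""
    findings = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines instead of failing the whole audit
        _timestamp, proc, dest, port = parts
        if not is_allowed(dest):
            findings[(proc, dest.lower().rstrip("."), int(port))] += 1
    return dict(findings)


if __name__ == "__main__":
    for (proc, dest, port), count in sorted(audit(SAMPLE_LOG).items()):
        print(f"{proc} -> {dest}:{port} ({count} connections)")
```

Each flagged destination is something the software depends on that you do not control, so it is a candidate for the kind of forced interruption discussed in this section.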
Self-hosting: Not a Silver Bullet, But Effective If Done Right
Self-hosting is a powerful way to neutralize both risks described above. But success depends on doing it right:
- Use secure-by-design software with minimal external dependencies
- Ensure the solution meets high security standards (e.g., SOC 2, independent pen tests, bug bounty programs)
- Have the right in-house expertise or trusted external support
If you meet these conditions, the origin of the vendor becomes secondary. You retain full control over your infrastructure, encryption keys, and how the software operates.
But remember: self-hosting comes with responsibilities. You must invest in:
- Network segmentation
- Encryption key management
- Continuous monitoring and alerting
- Logging and auditing
- Reliable backup and disaster recovery
Without these measures, you may escape the CLOUD Act but remain vulnerable in other ways.
What This Means for Zivver
Zivver was built around the principle of zero-access encryption. Customers manage their own keys. Neither Zivver nor our cloud partners (e.g., AWS) have access to the data, and we ensure that even platforms like Microsoft and Google are technically excluded from accessing sensitive messages or files.
This approach fully mitigates Risk 1. To our knowledge, Zivver is the only European solution capable of doing this at scale.
That’s why critical institutions such as the Dutch Judiciary, several Ministries, and other sensitive organizations have chosen Zivver. We are the only solution in the Netherlands officially authorized for the digital transmission of information classified as Secret.
Until recently, Zivver offered only secure email, with no option for full self-hosting. That has now changed.
What We Now Offer Thanks to Our Partnership with Kiteworks
True data sovereignty requires more than encryption or hosting within EU borders. Many organizations seek full autonomy: independence from U.S. infrastructure without compromising on collaboration functionality. That’s why Zivver has entered into a strategic partnership with Kiteworks.
Together, we now offer a fully sovereign communication and collaboration platform that extends beyond secure email. Organizations can now:
- Send secure emails
- Share sensitive files (MFT)
- Collaborate on documents
- Deploy secure web forms
...all hosted either on a private cloud or fully on-premise, with:
- Zero-access encryption where only the customer holds the keys
- Full control over data, infrastructure, and access
- Compliance with standards like NIS2, BIO, and ISO 27001
- The intuitive user experience of a modern SaaS platform
Thanks to this collaboration, we now offer a truly sovereign solution within the Private Data Network (PDN): one platform for secure digital communication, fully managed by the public sector or trusted European partners — without any functional or legal dependency on U.S. vendors.
Data sovereignty is no longer a vision. It is a practical, proven alternative.
The Bottom Line: Real Sovereignty Requires More Than Location or Labels
Storing data in the EU is not enough. Encryption is only meaningful if the keys are truly yours. Self-hosting is only secure if paired with the right technology and operational discipline.
With the partnership between Zivver and Kiteworks, organizations finally have access to a platform that combines:
- Full control
- Robust encryption
- Sovereign hosting
- Enterprise-grade usability and compliance
Whether you need secure email, file sharing, web forms, or document collaboration — you can now operate entirely on your own terms.
No third-party access. No dependency on American infrastructure.
Want to explore what this could look like for your organization or PDN? We’d be happy to share a demo or discuss the possibilities.