Thought Leadership
Amazon’s EU cloud has received its first compliance certifications. Critics, however, question whether true digital sovereignty is even possible with a US provider.
The AWS European Sovereign Cloud has reached an initial compliance milestone. According to Amazon, SOC 2 and C5 Type 1 reports are now available, along with seven ISO certifications covering 69 AWS services. The cloud region, which launched in January 2026, is physically and logically separated from all other AWS regions and operated exclusively by staff residing in the EU.
C5 and SOC 2: the basics are covered
The C5 Type 1 attestation, based on Germany’s BSI criteria catalog, is particularly relevant for the German market. AWS says it has met both the basic and supplementary criteria. The SOC 2 report was additionally mapped to the company’s own Sovereign Reference Framework, which defines requirements around governance independence, data residency, and technical isolation. Seven ISO certifications round out the package, spanning information security (27001) through quality management (9001). Independent auditors validated the controls, and the reports are accessible through AWS Artifact.
AWS acknowledges that compliance is not a destination but an ongoing journey. The current reports represent the beginning of their certification portfolio. The more rigorous Type 2 audits, which verify the operational effectiveness of controls over an extended period, are still to come.
The perennial question
Whether these certifications will satisfy critics is another matter. Voices across the European IT industry, data protection community, and political sphere regularly argue that genuine digital sovereignty is structurally impossible with a US provider. The CLOUD Act, they point out, can compel American companies to hand over data even when it is stored on servers within the EU. Neither EU staffing requirements nor logical separation change that fundamental issue, critics contend.
AWS counters that the European Sovereign Cloud, through independent EU corporate structures, strict data residency, and technical isolation, offers a level of protection that goes beyond mere questions of server location.
A dilemma for European customers
In practice, European agencies and enterprises face a familiar trade-off. Purely European alternatives such as OVHcloud, IONOS, or T Systems’ Public Cloud offer greater legal independence but often cannot match AWS in terms of features and ecosystem breadth. Organizations that want to run complex workloads under sovereign conditions today must make compromises, one way or the other.
AWS emphasizes that the current certifications are just the start of a growing compliance portfolio. Whether that will be enough to dispel concerns about US providers in Europe’s sovereignty debate is likely to remain contested.
