When Amazon Web Services (AWS) went down globally in October 2025, millions of users were abruptly reminded how invisible yet indispensable cloud technology has become.
From banks and hospitals to airlines and retail platforms, entire sectors slowed or came to a standstill. The disruption followed a separate catastrophe earlier in July 2024, when CrowdStrike’s software update grounded operations around the world.
Different companies. Different causes. Yet both events exposed the same uncomfortable truth: the world’s digital infrastructure, the networks, servers and software that underpin nearly every modern service, is far more fragile than we like to believe.
Technically, these were very different failures, but the similarity lies in how quickly they cascaded. A single error in a single company rippled across global systems that had no direct relationship to that company at all.
The illusion of resilience
For years, cloud providers have marketed themselves as the answer to such fragility. Distributed computing, automated backup, and redundant systems are supposed to keep data and services online even when local components fail. However, the cloud model depends heavily on network connectivity and can introduce latency and other vulnerabilities; it mitigates certain failures but does not eliminate fragility entirely.
As both the AWS and CrowdStrike incidents show, redundancy on paper doesn’t always mean resilience in practice. Many organisations that rely on AWS for critical services also use AWS for their backup, monitoring or authentication. When a core network fails, so do the fail-over mechanisms designed to prevent downtime. In other words, “diversification” often exists only within the same provider’s ecosystem, a classic case of putting all eggs in one digital basket.
At the heart of the issue is cloud concentration. A small number of companies, primarily AWS, Microsoft and Google, now host the majority of the world’s digital infrastructure. This is all the more true now that cloud computing has become the backbone of modern AI, relying on large, centralized data centers that offer substantial processing power and scalability.
Governments, universities, hospitals and even competitors run their critical services on these same platforms. The convenience and cost efficiency are undeniable. But this consolidation has created a structural vulnerability. A single misconfiguration or software flaw in one of these providers can have global consequences, similar to how a major bank failure can destabilise the financial system.
The situation is further complicated by opacity: cloud providers rarely disclose full details of their interdependencies or internal resilience practices. Customers often have no clear map of how their services are distributed, where their data resides, or which other systems they rely on indirectly. When outages happen, even identifying who’s responsible can be a challenge.
Europe’s dependence and ‘digital sovereignty’
What makes these incidents particularly concerning is that they involve private companies running public infrastructure. AWS and CrowdStrike aren’t just serving commercial clients; they underpin hospitals, airports, energy grids and government systems. When they fail, entire ecosystems fail, not just their direct customers. Yet oversight of these critical dependencies remains minimal.
For Europe, these outages turned an abstract “digital sovereignty” debate into a very concrete dependency problem.
Digital sovereignty is about the capacity to ensure that critical data, infrastructure, and AI systems operate under EU rules and remain controllable in crises. This sovereignty framing ties outages to broader issues of jurisdiction (US access to data), trade power, and strategic autonomy for critical sectors, like finance, health, and public administration.
Politically, it responds to dependence on a handful of US hyperscalers who hold over 70% of the European cloud market and are also subject to US laws like the CLOUD Act. On the CLOUD Act side, explanations by EU‑focused providers and analysts emphasise that US‑headquartered cloud firms (including AWS, Microsoft, Google) are subject to the Clarifying Lawful Overseas Use of Data Act, which can compel disclosure of data stored in European data centers.
Cloud and AI sovereignty frameworks address where and under which law sensitive data and workloads run, and how easily European users can exit, port, or reconfigure in the face of outages or geopolitical shocks.
Recent European initiatives explicitly treat hyperscalers and major Information and Communication Technology (ICT) providers as systemic infrastructure, not just vendors.
Under the Digital Operational Resilience Act (DORA), in force since 2025, EU financial regulators can designate “critical third party ICT service providers” and subject them to direct oversight to reduce systemic risk.
EU debates on cloud now emphasise exit, portability, and multi‑cloud architectures, arguing that resilience depends less on “more providers” and more on avoiding structural lock‑in that makes switching or redundancy impossible in practice. DORA addresses who runs critical digital infrastructure for finance and how the European Union can oversee and stress test them as systemic actors.
Guaranteeing cybersecurity across Europe
The Cyber Resilience Act (CRA), in force since December 2024, is the EU’s way of hard-wiring “resilience by design” into the entire stack of connected hardware and software that underpins Europe’s digital infrastructure.
CRA addresses what characteristics all networked digital products must have so they do not import unmanageable cyber risk or opaque vulnerability handling into the EU.
NIS2 (Directive (EU) 2022/2555) came into effect in January 2023 and required transposition into national law by October 2024, expanding from NIS1’s narrow scope to cover medium/large entities in energy, transport, health, finance, digital infrastructure (including cloud), public administration, manufacturing, and more. NIS2 operationalises sovereignty at the entity level: critical operators must align their practices with EU standards, even when relying on non-EU providers, creating a harmonised resilience baseline across the single market. It integrates with CRA, DORA, and cloud initiatives by requiring entities to demand equivalent resilience from suppliers, closing gaps in the dependency chain.
Beyond regulations, the Commission is building practical sovereignty tools around cloud and AI.
A “Cloud Sovereignty Framework” tender (up to €180 million for 6 years), launched in 2025 and awarded in April 2026 to Luxembourg’s Post Telecom, Germany’s StackIT, French Iliad’s data centre unit Scaleway and Belgium’s Proximus, sets concrete sovereignty criteria (strategic, legal, operational, environmental, supply chain transparency, openness, security, and EU law compliance) for cloud services procured by EU institutions.