Microsoft handed Dutch civil servants’ names to the U.S. House of Representatives. No court order. No judicial review on European soil. Just a statute that overrides every contractual assurance you’ve ever been sold.
Last month, Vrij Nederland broke a story that should be circulating in every CISO briefing room in Europe. Microsoft, compelled by a U.S. House of Representatives investigation, handed over emails, minutes, and meeting invitations belonging to Dutch civil servants working at the ACM (Authority for Consumers and Markets) and the AP (Dutch Data Protection Authority). Their names were not redacted. They were working on Digital Services Act enforcement. The U.S. government considers that work censorship. And so it demanded — and received — the data.
No Dutch court was involved. No European regulator gave sign-off. No data processing agreement clause protected anyone. The CLOUD Act simply applied, and Microsoft complied.
The Clarifying Lawful Overseas Use of Data (CLOUD) Act, signed into U.S. law in 2018, amended the Stored Communications Act so that a provider subject to U.S. jurisdiction must produce data in its possession, custody or control in response to U.S. legal process (a warrant, court order or subpoena) regardless of whether that data is stored inside or outside the United States. The Act does give a provider a route to ask a U.S. court to quash an order that would force it to break the law of a “qualifying foreign government”, but that review happens in the United States, under U.S. law, and only for governments that have concluded a CLOUD Act executive agreement with Washington. Jurisdiction follows the provider, not the server.
The Safe Harbor problem
When European organisations procure U.S. cloud services, they are routinely assured of compliance with EU data protection law. Data Processing Agreements. Standard Contractual Clauses. EU data residency options. “Your data stays in Europe.” All of it is technically accurate — and all of it is beside the point.
The CLOUD Act does not care where the data sits. It does not recognise SCCs. It is not constrained by GDPR: a DPA binds the provider as a processor under EU law, but a U.S. statute binds the same provider under U.S. law, and one obligation does not cancel the other. It reaches through every contractual wrapper and attaches to whatever the provider, or any affiliate in its corporate group, can access. If the provider is American, the data is reachable regardless of geography and regardless of the sovereign cloud marketing language on the product page. Encryption commitments change this only where the keys are genuinely outside the provider’s reach: where the provider or an affiliate holds, escrows or can recover the keys, it can decrypt on demand, and the names in mail headers and calendar invitations that the platform needs in the clear to route and schedule are not covered by any encryption commitment at all.
The Dutch case is blunt proof. The civil servants affected weren’t storing sensitive personal data in a consumer app. They were EU regulatory professionals, working on EU law enforcement, whose names appeared in work emails and calendar invitations. That metadata — banal, routine — became a surveillance instrument the moment it touched a U.S.-incorporated platform.
This is not a hypothetical for Ireland
Ireland hosts the European headquarters of most major U.S. cloud and technology providers. The Central Bank of Ireland, as DORA’s competent authority for financial entities, expects ICT risk management, including supply chain and third-party concentration risk, to be demonstrably addressed. NIS2, now transposed into Irish law via the 2024 Network and Information Security Regulations, places binding obligations on essential and important entities. The CyFun framework referenced by the NCSC gives you a maturity model. None of it resolves the CLOUD Act problem.
If your backup, your email, your collaboration tooling, or your document management system runs on a U.S.-incorporated platform, the jurisdictional exposure is real. The HSE ransomware attack in 2021 laid bare what happens when resilience is assumed rather than engineered. The December 2025 Office of the Ombudsman incident showed that the attack surface remains live. The Dutch story adds a different dimension: the threat is not only ransomware. It is quiet, lawful, unilateral access by a foreign government with its own interests.
What true data sovereignty requires
True data sovereignty is not a data centre postcode. It is jurisdictional independence. It means the entity operating your infrastructure is not subject to extraterritorial legal compulsion from a foreign power — and that you have the contractual, technical, and operational controls to verify that claim.
In practice, that means asking harder questions about your cloud and backup providers than most procurement processes currently require:
Is your provider incorporated in the EU, with no U.S. parent, U.S. subsidiary or U.S.-based staff holding administrative access, so that no part of the corporate group is subject to U.S. jurisdiction? Do your contracts contain notification clauses obliging the provider to tell you when a foreign government demands your data, and what do those clauses say about demands that arrive with a non-disclosure order, which U.S. courts can attach and which would forbid exactly that notification? Is your backup environment, including metadata, stored on infrastructure that is genuinely outside U.S. jurisdiction? Can you demonstrate this to your regulator, your insurer, and your board?
Backup deserves specific attention here. Backup data is, by definition, a comprehensive copy of your operational environment. It contains everything — files, emails, calendar data, user metadata, configuration. If your primary environment is scoped to EU-sovereign infrastructure but your backup replicates into a U.S.-incorporated cloud, the sovereign posture of your primary environment is academic.
The regulatory clock is running
DORA’s ICT third-party risk requirements include supply chain mapping, concentration risk assessment, and exit planning. NIS2 requires a proportionate, demonstrable approach to supply chain security. GDPR’s Chapter V restrictions on international transfers have not gone away — and “we use an American provider with EU data residency” has always been a weaker argument than its proponents acknowledged.
The Dutch incident gives every European DPO, CISO, and board member a concrete, newsworthy example of what the abstract regulatory language actually describes. Use it. The conversation about jurisdictional risk is no longer theoretical — it happened, in May 2026, to the regulator responsible for enforcing data protection law.
State Secretary Aerdts told the U.S. Ambassador directly: “If you have a problem, fight it out with us — not against the backs of civil servants.” That is the right instinct. But instincts don’t protect data. Architecture does.
The Netherlands is now actively pursuing digital sovereignty — deals with European cloud providers, university-government partnerships to reduce Big Tech dependency. Ireland should be watching closely. The question is not whether this can happen to Irish public sector or regulated private sector data. The question is whether it already has, and whether anyone would know.
What to do now
Audit your third-party and backup providers for U.S. incorporation, U.S. parent ownership, and U.S.-based personnel with administrative access. Review your DPAs for foreign government access notification clauses, and note which of them fall away under a non-disclosure order. Map your backup data flows, including where replicas, snapshots and search indexes land, with the same rigour you apply to your primary environment. Brief your board on CLOUD Act exposure as a named risk, not as a vendor footnote but as a boardroom item. And if your current architecture cannot support a credible answer to “could a foreign government access this data without our knowledge?”, treat that as a gap that needs closing before your next regulatory engagement.
Safe Harbor was struck down once before — in Schrems I, in 2015 — precisely because European courts found it could not protect against U.S. surveillance law. The CLOUD Act is a newer instrument, but the structural problem is identical. Contractual frameworks cannot override statute. Geography is not jurisdiction. And vendor assurances are not the same as verified, auditable sovereign control.
Build accordingly.

