A censorship probe in Washington just handed Europe the cleanest argument it has ever had for digital sovereignty


For most of the past decade, the case against running European institutions on American infrastructure was an argument made in the future tense. It lived in risk registers and impact assessments, in the conditional clauses of procurement lawyers, in the phrase "could in theory be compelled." Officials nodded at it, filed it, and renewed the Microsoft contract anyway. The vulnerability was structural and therefore abstract, and abstraction is the easiest thing in the world for a public administration to tolerate. It survives reorganisations. It outlasts ministers. It grows quietly behind the words "digital autonomy" on a slide that no one acts on.

What changes an abstraction into a decision is a name. Not a category of risk, not a class of data, but an actual person, with an actual job, whose ordinary administrative traces have ended up somewhere they were never supposed to be. That is what happened to the Netherlands in May 2026, and it is why a debate that had been conducted in the future tense for ten years suddenly acquired a past tense and a list of casualties.

The shift now underway across European institutions is not, fundamentally, about technology. It is about the realisation that the question was never whether a foreign government would reach into European systems, but whether it could — and that for a certain class of institution, the gap between those two words is the entire ballgame.

The Document Nobody Redacted

On 22 May 2026, the Dutch news magazine Vrij Nederland reported that Microsoft had handed the names of Dutch civil servants to the United States House of Representatives. Not anonymised, not aggregated, not summarised. The company produced emails, meeting minutes, and calendar invitations with the officials' identifying information fully intact. Meta was named in the same reporting.

The civil servants worked for two bodies: the Authority for Consumers and Markets (ACM) and the Dutch Data Protection Authority (the Autoriteit Persoonsgegevens, or AP). Their job was the implementation of the Digital Services Act, the EU regulation that obliges large platforms to act against illegal content, child sexual abuse material, and disinformation. The recipient was the House Judiciary Committee, which has spent more than a year characterising precisely that enforcement work as foreign censorship of American speech.

Read the sentence slowly, because the shape of it is the story. An American company delivered, to a foreign legislature that has publicly declared this category of regulator hostile, an unredacted roster of the European officials who regulate it — including the staff of the national authority whose specific statutory purpose is the protection of personal data. The data protection regulator had its own people's data exposed. The Dutch cabinet described the situation as extremely worrying and noted the obvious downstream consequence: the named officials could now face United States travel bans or personal sanctions for doing their jobs on European soil enforcing European law.

State Secretary Willemijn Aerdts, who holds the digital economy and sovereignty portfolio, raised it directly with the US ambassador, Joe Popolo. Disputes over policy, she said, should be fought out in Europe, "not against the backs of civil servants." Her colleague at Interior, Eric van der Burg, called Microsoft's conduct worrisome and demanded to know exactly which documents had gone to Washington, and to whom.

The Question, Stated Plainly

The incident sharpens a question European institutions have circled for years, and answers it in the same motion: is data held by an American company ever genuinely beyond the reach of the American state, regardless of where the servers sit or which European law nominally governs it? The reflexive answer of a thousand vendor presentations has been yes, your data is protected, it stays in the EU. The Dutch leak is the answer in the other direction, with names attached.

And it raises a second question, sharper and less comfortable, that goes to the heart of the transatlantic argument over platform regulation. The United States has spent eighteen months framing the EU's content rules as illegitimate state coercion of private companies. The mechanism by which it learned the names of the Dutch regulators was itself an act of state coercion of private companies. Both of those things are true at once. The remainder of this piece is an attempt to hold them in the same frame without flinching.

The Mechanism: A Subpoena, Not a Hack

It is worth being precise about how the data moved, because the precision is what makes the case so damaging — and because the simple version, the one that says "the CLOUD Act struck again," is not quite right.

This was not a clandestine intelligence operation. It was a congressional document subpoena, issued in the open. In February 2025, House Judiciary Committee Chairman Jim Jordan sent subpoenas to eight technology companies — Alphabet, Amazon, Apple, Meta, Microsoft, Rumble, TikTok, and X — demanding their communications with foreign governments, the European Commission and EU member states explicitly included, regarding content moderation. The roster later grew to ten, adding OpenAI in November 2025 and xAI. In July 2025 the committee published a report arguing that the Commission weaponises the Digital Services Act to impose global censorship on lawful political speech, humour, and satire. A second instalment followed in February 2026. By March, the committee was writing to all ten companies to remind them that the subpoenas were "continuing in nature," citing reporting that the Commission's own DSA enforcement chief, Prabhat Agarwal, had told colleagues to switch to an encrypted app with auto-deleting messages, the deletion timers getting shorter. The companies, the committee noted with evident satisfaction, had already produced thousands of documents.

Microsoft's defence rests on this distinction. The company has said it complied with an order from a US congressional committee, and that the material in question concerned its own corporate data — its communications — rather than customer data held in trust. On its face that is a meaningful point, and a fair piece deals with it rather than waving it away.

It deals with it by observing that the distinction makes the problem worse, not better.

The CLOUD Act of 2018 — the instrument that European risk officers have rehearsed for years — compels US-headquartered providers to produce data they control regardless of where it is stored. Most sovereignty planning treats customer data sitting in an EU data centre as the asset to defend, and builds the moat there: keep the bytes in Frankfurt, keep the staff European, keep the keys local. The Dutch leak slipped past that moat entirely, because the exposed material was not customer data behind the moat. It was Microsoft's record of its own dealings with European regulators, and that record happened to be full of European names. The surface that American legal compulsion can reach, in other words, is larger than the surface most European institutions have been defending. A subpoena does not need to touch your tenant to turn your regulators into entries on a foreign committee's spreadsheet.

The European response to all of this is not improvised. It rests on a body of law built, deliberately, on a premise opposite to the American one.

The cornerstone is the General Data Protection Regulation, whose Article 48 provides that a foreign court or administrative order requiring the transfer of personal data is recognised only where it rests on an international agreement — a mutual legal assistance treaty or the like. A unilateral congressional subpoena is not such an agreement. The Court of Justice of the European Union reinforced the underlying logic in Schrems II, striking down the EU–US Privacy Shield on the ground that American surveillance law offered EU data no adequate protection and no effective redress. The EU Data Act went further still, requiring cloud providers to actively contest unlawful access demands from non-EU authorities rather than simply comply — a provision written, in as many words, against the CLOUD Act's reach.

Around that core sits a system rather than a list: the Digital Services Act on platform accountability, the Digital Markets Act on gatekeeper power, the Data Governance Act and the NIS2 Directive on the handling and security of data and critical infrastructure. The pieces interlock around a single idea — that data is a sovereign concern, enforceable by independent authorities wielding fines of up to four percent of global turnover, and grounded in the Charter of Fundamental Rights.

The American architecture begins somewhere else entirely. It treats cross-border access to data held by its companies as a law-enforcement and oversight prerogative that follows the company, not the data, and that overrides foreign territorial claims by design. These are not two settings on the same dial. They are two incompatible answers to the question of who, ultimately, may compel a company to open its files. For a European institution caught between them, the incompatibility is not a seminar topic. It is the difference between operating independently and operating on sufferance.

When the Abstraction Acquired Names

The Dutch case did not arrive without warning. It arrived as the third act of a sequence that had been escalating for more than a year.

The first act was the International Criminal Court. In February 2025, President Trump signed an executive order sanctioning the ICC's chief prosecutor, Karim Khan, over the court's arrest warrants connected to the war in Gaza, including one for the Israeli prime minister. Shortly afterward Khan lost access to his Microsoft email. The mechanism was the same one that would later expose the Dutch regulators: an American legal instrument reaching an American company, with a European institution's communications as the collateral. By October 2025 the ICC had confirmed it was migrating off Microsoft Office to openDesk, the open-source suite built by Germany's ZenDiS. An international court, operating under international law, had its basic correspondence interrupted because it ran on an American platform.

The second act was the steady accumulation of the DSA enforcement record that so enrages Washington — the record that the House subpoenas exist to investigate. In December 2025 the European Commission issued its first DSA fine, €120 million against X, for a verification system the Commission deemed deceptive and for failures around its advertising repository and researcher data access; TikTok avoided a parallel fine only by accepting binding commitments. Two months earlier the Commission had put Meta and TikTok on notice with preliminary findings carrying potential penalties of up to six percent of global turnover. To Brussels this is law enforcement. To the House Judiciary Committee it is a censorship campaign. The Dutch officials whose names ended up in Washington were the people doing the enforcing.

The third act was the leak itself — the point at which the warning became a casualty list.

The Exit Was Already Built

Here the story turns, because the Netherlands did not respond to the leak by commissioning a taskforce. It responded by accelerating an exit it had already constructed.

Five weeks earlier, on 24 April 2026, the Dutch government — through SLM Rijk, the central procurement body for the Ministry of Justice and Security — had signed a framework agreement with STACKIT, the cloud platform of Schwarz Digits. Schwarz Digits is the IT division of the Schwarz Group, the German retail conglomerate whose better-known businesses are the discount supermarkets Lidl and Kaufland. A grocery company's cloud, in other words, is now an officially sanctioned home for Dutch government workloads.

The terms read like a direct rebuttal to everything the Microsoft incident would shortly demonstrate. All data must remain within the European Economic Area. The government retains audit rights to verify compliance. And the contract contains an explicit clause permitting the Netherlands to amend or terminate it should STACKIT itself ever pass into non-European ownership — a safeguard against precisely the kind of jurisdictional capture now haunting Solvinity, the Dutch firm running the DigiD national identity system, whose pending acquisition by the American group Kyndryl prompted a Logius privacy adviser to warn that detailed records on everyone in the Netherlands could fall within reach of US authorities. Parliament has called for that contract to end if the takeover proceeds.

STACKIT runs its own data centres in Germany and Austria, with a fifth under construction at Lübbenau. It is not the only piece of the Dutch hedge: KPN and Thales are jointly building a sovereign military cloud for the armed forces, run from a defence-operated facility with no foreign access. The Dutch central bank, De Nederlandsche Bank, signed its own STACKIT agreement in April, and the European Commission has named the company among four providers in a sovereign-cloud framework worth roughly €180 million over six years. The accidental hyperscaler that grew out of Lidl's need to keep its own retail data out of American hands is becoming the continent's default answer to a question it never set out to ask.

The leak did not create any of this. It validated it. State Secretary Aerdts had framed the rationale weeks before, in language that now reads as prophecy rather than policy: digital autonomy, she said, means the freedom to choose your provider rather than depend on a single one. The cabinet was already moving. Washington simply handed it the photograph that makes the case unanswerable.

Microsoft's Defence

The American technology sector is not standing still, and honesty requires saying so. AWS has committed billions to a European Sovereign Cloud with an EU-resident corporate structure, EU-based staff, and an independent advisory board. Microsoft continues to insist, as it did when France announced its own migration, that it respects the security and digital trust requirements of European public institutions. These are real investments and real assurances, made by serious companies that would prefer not to lose the European public sector.

They run into the same wall every time, and the wall is not technical. Microsoft's own most senior French legal officer acknowledged under oath before the French Senate that the company cannot guarantee European data against US access requests. The Dutch leak is that admission rendered in the indicative mood. As long as the parent company answers to a US court or a US congressional committee, the legal chain of obligation terminates in Washington no matter how European the data centre's postcode. Local infrastructure, local staff, local governance — sovereignty in appearance, with the substance held elsewhere.

Microsoft's defence that this was its own data, not its customers', is the proof rather than the rebuttal. The company is telling its European clients, accurately, that even the corporate records about them — who met whom, which regulator raised which concern, whose name appeared on which invitation — are reachable. There is no version of that reassurance that reassures.

The Trade-Off, Named Honestly

None of this means the European alternatives are as good. They are not, and pretending otherwise would be its own kind of dishonesty. STACKIT offers a deliberately narrow menu — compute, storage, networking, managed databases, Kubernetes — against the vast feature catalogues of AWS and Azure. Migrations hurt. Germany's Schleswig-Holstein, the most committed open-source mover at the state level, has moved tens of thousands of mailboxes off Microsoft and onto Nextcloud while absorbing real operational friction. France is replacing Teams and Zoom for 2.5 million civil servants by 2027 with the homegrown Visio, and ordering its ministries off Windows, knowing perfectly well that the homegrown stack lags the incumbent it replaces. Decoupling is expensive, it is slow, and it occasionally breaks things people rely on.

Institutions are proceeding anyway, and the reason is an asymmetry in the shape of the two risks. Performance disadvantages are incremental and improvable: a missing analytics feature this year is a roadmap item next year, and the gap narrows with every quarter of investment. Sovereignty exposure is binary. The question a central bank or a data-protection authority has to answer is not how much foreign access is likely, but whether it is possible at all — and for those institutions, "rare" is not a passing grade. The cost of technological inferiority can be budgeted. The cost of legal exposure, as the Dutch regulators discovered, is measured in the names of your own staff appearing on a foreign committee's list.

Out-Governing Rather Than Out-Building

Zoom out and the Dutch episode resolves into a single data point in a larger reorganisation of the digital world. Europe is not attempting to out-build Silicon Valley; it has neither the capital concentration nor the appetite for that race. It is attempting to out-govern it — to make the legal and jurisdictional terrain itself the competitive advantage, so that a tightly scoped European provider operating cleanly under EU law beats a vastly more capable American one that cannot escape its own home jurisdiction. The Gaia-X framework codifies the ambition; the STACKIT contracts, the French migrations, the Austrian military's move to open-source office software, and the ICC's flight to openDesk are the ambition in execution.

The backdrop is a transatlantic relationship that has curdled. The same administration whose committee subpoenaed the names framed the DSA as censorship, aligned with X against the Commission's enforcement, and adopted a posture toward the continent — the friction over Greenland not least — that has made the once-theoretical prospect of an American provider being ordered to cut off a European institution feel like a scheduling matter rather than a hypothetical. In that climate, dependence on infrastructure you do not control stops looking like prudent procurement and starts looking like an unhedged position on the goodwill of a foreign government.

The Closing Inversion

Return to the image at the top, the one that seemed merely embarrassing and now reads as definitive. A data protection authority exists for one purpose: to protect personal data. The Dutch Data Protection Authority could not protect the personal data of its own employees, because that data lived inside an American company, and an American company is reachable by American law in ways no European statute can fully block. The watchdog could not guard its own gate. There is no more complete demonstration of the sovereignty problem than a privacy regulator whose privacy was breached through the very dependency it was created to police.

That is why the grocery cloud, the supermarket's data centres, the contract that can be torn up the moment its owner stops being European — all of it stops looking eccentric and starts looking like the only arrangement that actually answers the question. The Netherlands had built the door before the fire. The fire merely proved the door was necessary, and persuaded everyone still hesitating in the corridor to walk through it.

American cloud dominance is not ending. The companies remain larger, faster, and more capable, and they will keep most of the market that does not carry sovereignty stakes. What ended in The Hague in May 2026 is the assumption that the choice could be made on capability alone. For the institutions that hold a nation's money, its courts, its secrets, and its regulators, the spec sheet is no longer the document that matters. The document that matters is the one that says whose law you live under — and who, in the end, can demand to read your files.


Sources: Vrij Nederland; NL Times; DutchNews.nl; Cybernews; Techzine Global; The Register; IAPP; TechPolicy.Press; Euronews; The Next Web; Associated Press; U.S. House Committee on the Judiciary press releases and subpoena correspondence; Reuters; STACKIT / Schwarz Digits corporate communications; Dutch Digital Government (nldigitalgovernment.nl); Ministry of Economic Affairs and Climate; Xinhua.


Jonathan Brown is a cybersecurity researcher and investigative journalist at bordercybergroup.com.
