In early April, I already wrote about exit plans and how they are the latest burning platform.
Now, nearing the end of May, we have both Microsoft and Google reassuring European clients about their sovereign cloud solutions. There are even air-gapped options for military applications. These messages come as a result of the trade war between the US and the rest of the world.
There is also the other, more mundane example of over-reliance on a single vendor: the Bloomberg-terminal outage of May 21st, 2025. That global outage severely disrupted financial markets. It caused traders to lose access to real-time data, analytics, and pricing information for approximately 90 minutes. This widespread system failure delayed critical government bond auctions in the UK, Portugal, Sweden, and the EU.
It serves as a reminder of the heavy reliance on the Bloomberg Terminal, which is considered an industry standard despite its high annual cost. While some Bloomberg services like instant messaging remained functional, allowing limited communication among traders, the core disruption led to significant frustration and slowed down trading activities.
You want to think about this for a moment. Bloomberg, just like Google and Microsoft, is a cornerstone of its industry. Microsoft, Google, and Amazon are cornerstones in many more industries.
So the issue goes beyond the “panic of the day.” Every day, there will be some announcement that sends markets reeling and companies fearing. Granted, the period we go through today can have grave consequences, but at the same time, it may be over in the coming months or years.
Let's take a step back and see if we can locate the larger issue at stake. I dare to say that the underlying issue is trust. We are losing trust in one another at a fast pace. Not between business partners, meaning companies that, in a transaction or relationship, are more or less equal. Regardless of their geolocation, people are keen to do business together in a predictable, mutually beneficial way. And as long as that situation is stable, there is little need, beyond compliance and normal sound practices, to start to distrust each other.
Trouble brews when other factors come into play. I want to focus on two of them in this article.
The past few years have seen a large increase in power of the cloud computing platforms. The pandemic of 2019 through to 2023 changed our way of working and gave a big boost to these platforms. Of course, they were already establishing their dominance in the early 2010s.
Amazon launched SQS in 2004 with S3 (storage) and EC2 (compute) in 2006. Azure launched in 2008 as a PaaS platform for .NET developers, and became really available in 2010. Since then, it grew into the IaaS (infrastructure as a service) platform we know today. Google's Cloud Platform (GCP) launched in 2008 and added components such as BigQuery, Compute Engine and Storage in the 2010s.
Since the pandemic, we've seen another boost to their popularity. These platforms solidified their lead through several vectors:
Companies made decisions on these premises. A prime example is the use of native cloud functions. These make life easier for developers. Native functions allow for serverless functionality to be made available to clients, and to do so in a non-infra-based way. It gives the impression of less complexity to the management. They are also easily scalable.
This comes at a cost, however. The cost is vendor lock-in. And with vendor lock-in comes increased pricing power for the vendor.
For a long time, it seems EU companies' attitude was: “It won't be such an issue, after all, there are multiple cloud vendors and if all else fails, we just go back.” The reality is much starker: I suspect that cloud providers with this level of market power will increase their pricing significantly.
In come two elements:
The latest push to their market power came as an unintended consequence of EU law: DORA. That EU law requires companies to have testable exit plans in place. But it goes well beyond this. The EU has increased the regulatory burden on companies significantly. BusinessEurope, a supranational organization, estimates that in the past five years, the EU managed to release over 13,000 legislative acts. This is compared to 3,500 in the US.
Coming back to DORA, this law requires EU companies to actually test their exit plans and show proof of it to the EU ESAs (European Supervisory Agency). The reaction I have seen in industry representative organizations is complacency.
The cost of compliance is significant; hence, companies try to limit their exposure to the law as much as possible. They typically do this by limiting the applicability scope of the law to their business, based on the wording of the law. And herein lies the trap. This is not lost on the IT providers. They see that companies do the heavy lifting for them. What do I mean by that? Several large providers are looked at by the EU as systemic providers. They fall under direct supervision by the ESAs.
For local EU providers, it is what it is, but for non-EU providers, they get to show their goodwill, using sovereign IT services. I will come back to this in the next point, US unpredictability and laws. But the main point is: we are giving them more market power, and we have less contractual power. Why? Because we are showing them that we will go to great lengths to keep using their services.
US companies must comply with US law. So far, so good. Current US legislation also already requires US companies to share data on non-US citizens.
This last one is of particular concern. Not so much because of its contents, but because it is an Executive Order.
We know that the current (May 2025) US government mostly works through executive orders. Let's not forget that executive orders are a legitimate way to implement policy. This means that the US government could use access to cloud services as a lever to obtain more favorable trade rules.
The EU responds to this (the laws and executive order) by implementing several sovereignty countermeasures like GDPR, DORA, Digital Markets Act (DMA), Data Governance Act (DGA), Cybersecurity Act and the upcoming European Health Data Act (EHDS). This is called the “Brussels Effect.”
Europe is also investing in several strategic initiatives such as
This points to a new dynamic between the EU and the US: EU-based companies simply cannot trust their US counterparts anymore to the degree they could before. The sad thing is that there is no difference on the interpersonal level. It is just that companies must comply with their respective laws.
Hence, Microsoft, Google, AWS, and any other US provider cannot legally provide sovereign cloud services. In a strict legal sense, Microsoft and Google cannot absolutely guarantee that they can completely insulate EU companies and citizens from all US law enforcement requests for data, despite their robust efforts and sovereign cloud offerings. This is because they are US companies, subject to US law and US jurisdiction. The CLOUD Act and FISA Section 702 compel US companies to comply.
Moreover, there is the nature of sovereign cloud offerings:
And lastly, there are the legal challenges to the EU Data Privacy Framework (DPF)
This all means that while the cloud providers are doing everything they can, and I'm assuming they are acting in good faith, the fact that they are US entities means that they are subject to all US legislation and executive orders. And we cannot trust this last part. Again, this is why the EU is pursuing its digital sovereignty initiatives and why some highly sensitive EU public sector entities are gravitating towards truly EU-owned and operated cloud solutions.
If your provider goes bankrupt, you do not have a leg to stand on. Most jurisdictions, including the EU and US, have the following elements regarding bankruptcy:
Automatic Stay: Upon a bankruptcy filing (in most jurisdictions, including the US and EU), an “automatic stay” is immediately imposed. This is a court order that stops most collection activities against the debtor. For you as a customer, this can mean you might be prevented from:
Debtor's Estate and Creditor Priority
So, while I understand the wait-and-see stance in regard to exit plans, given where we are, it is in my opinion the wrong thing to do. Companies must make actionable exit plans and prepare beforehand for the exit. That means that you have to:
If you want more detailed steps on how to get there, feel free to contact me.
This site and all contents is © 2025 Tymans Group BV