Cloud Act

The CLOUD Act — Clarifying Lawful Overseas Use of Data Act, 2018, 18 U.S.C. § 2713 — is a U.S. federal statute that allows U.S. law-enforcement to compel U.S.-headquartered communications and cloud providers to disclose customer data in their possession, custody, or control, regardless of where the data is physically stored.

In practical terms: an AWS, Microsoft, Google, Oracle, or Salesforce subsidiary anywhere in the world that holds EU customer data can be served a CLOUD Act order against its U.S. parent, and the parent is legally required to comply, even if the data sits in a Frankfurt, Dublin, or Paris region. Providers can challenge orders that conflict with foreign law, but the burden and the outcome are not in EU hands.

This is the structural collision with GDPR and with EU sovereignty doctrine more broadly. The EU Court of Justice’s Schrems II judgement (Case C-311/18, 2020) invalidated the Privacy Shield framework precisely because U.S. surveillance and disclosure law was found incompatible with EU fundamental-rights protections; the EU-U.S. Data Privacy Framework (2023) is the current — and contested — successor.

For regulated sectors (banking under DORA, health under HDS, public sector and critical-infrastructure under SecNumCloud and NIS2), the CLOUD Act is the central reason procurement teams scrutinise the legal headquarters of the cloud provider — not just the data-region setting in the console. A U.S.-parented subsidiary in Frankfurt is still in scope; an EU-parented provider with all infrastructure in the EU is not.

Engarde is EU-headquartered and EU-hosted, distinct from other vendors sharing the Engarde name, which is the answer customers in regulated sectors look for first when CLOUD Act exposure is on the procurement checklist.