Text: Michel Heinst, CEO and owner Tech Outlet Ltd
The promise was tempting in its simplicity: no more own servers, no worries about updates or security patches, and infinite scalability available at the push of a button. Anyone investing in their own 'iron' in 2015 was met with pitying looks.
However, by 2025, the atmosphere has radically changed. The honeymoon period with the hyperscalers - Amazon Web Services (AWS), Microsoft Azure, and Google Cloud - is definitively over. What began as a flirtation with flexibility and modernization has turned into a stifling marriage for many Dutch organizations, characterized by vendor lock-in, unpredictable cost explosions, and a fundamental lack of control over their own data.
IDC predicts that by 2026, as much as 65% of enterprises will switch to a hybrid model, where data processing and AI tasks are pulled back to edge or on-premise environments. McKinsey signals a clear trend shift: CIOs in Europe are shifting their focus from pure cloud adoption to digital sovereignty and cost control.
This report analyzes not only the numbers but also the human and organizational stories behind this movement. Why does a successful SaaS entrepreneur choose to leave the cloud for dedicated servers? Why does the Dutch government shudder at the thought of American data seizures? And is it technically and financially feasible to regain control?
Part I: The Legal Reality – Data in Foreign Hands
The Illusion of the European Region
The fundamental problem with the dominance of American hyperscalers - who collectively hold more than 68% of the global cloud infrastructure market - is the extraterritorial application of American legislation.
Many European managers and policymakers operate under the assumption that when they choose 'Region Western Europe' (often physically located in data centers around Amsterdam or Eemshaven), their data is safely shielded from American interference. 'The data is in the polder, right?' is the frequently heard defense.
This is, legally speaking, a dangerous illusion. American legislation does not look at the ground on which the server stands, but at who holds the keys to the front door.
The US CLOUD Act: The Long Arm of Washington
The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act), enacted in 2018, has fundamentally changed the playing field. This law requires American technology companies to hand over user data to American judicial authorities, regardless of where that data is physically stored.
The legal criterion is not the location of the server, but the control ('possession, custody, or control') that the American parent company has over the data. Since Microsoft Corporation in Redmond, Washington, has full control over its subsidiary Microsoft Nederland BV, data in the data center in Wieringermeer legally falls under the direct scope of an American warrant.
A Dutch judge has no say in this matter. This creates a direct conflict with the European GDPR, which imposes strict conditions on sharing personal data with countries outside the EU. Organizations find themselves in a legal vise: complying with the American warrant means violating European privacy legislation, and vice versa.
FISA 702: Unmarked Surveillance
Even more intrusive is Section 702 of the Foreign Intelligence Surveillance Act (FISA). This legislation allows American intelligence agencies such as the NSA to intercept, collect, and analyze communications of non-Americans located outside the United States.
The crucial difference from regular law enforcement is that no individual judicial warrant based on suspicion of a crime is needed here. It concerns intelligence gathering in the context of national security, a concept that is interpreted very broadly in the US.
The Court of Justice of the European Union has previously declared the exchange of data with the US illegal based on earlier treaties precisely because of this legislation in the high-profile Schrems II ruling. Although new political agreements have since been made, such as the 'Data Privacy Framework', the legal basis under FISA 702 remains precariously unchanged.
The OVH-Canada Case: The End of Naivety
The concerns about the CLOUD Act are not academic theories, as evidenced by a recent and shocking ruling from a Canadian court in 2024 regarding the European cloud market.
In the case concerning OVHcloud, a French company that positions itself as the sovereign European counterpart to AWS and Azure, the Royal Canadian Mounted Police (RCMP) demanded access to customer data. However, this data was not in Canada, but on servers in France, the United Kingdom, and Australia. The data belonged to customers who had nothing to do with Canada.
The Canadian judge ruled that the Canadian subsidiary of OVHcloud could be compelled to hand over this data, despite the data being physically located in Europe. The judge stated that the interests of the state (criminal prosecution) outweighed the objections of OVHcloud.
This ruling hit the European tech community like a bomb. OVHcloud was forced into an impossible dilemma:
- Complying with the Canadian order would lead to a direct violation of the French 'blocking statute' and the GDPR, with fines up to €90,000 and imprisonment for the French executives
- Refusing would lead to contempt of the Canadian court, with sanctions against the Canadian branch
This case unequivocally demonstrates that as soon as a cloud provider - even one with a European headquarters - has legal entities in jurisdictions with extraterritorial powers, the 'sovereignty' of the data is at stake.
The Vulnerability of the Dutch Government
Research by NOS shows that at least 1,722 websites of the government, semi-government, and critical infrastructure are directly dependent on at least one American cloud service. These are not trivial blogs or campaign websites:
- Ministries: Nine of the fifteen ministries use Microsoft services for critical processes, including email and document storage
- Decentralized Government: All twelve provinces and nearly all municipalities heavily rely on American infrastructure
- Regulators: Even watchdogs like the Authority for the Financial Markets (AFM) and the Authority for Personal Data cannot escape this vendor lock-in
The risks are twofold:
1. Espionage and Oversight
IT expert Bert Hubert sharply noted: 'It is not technically difficult for the American government to eavesdrop.' With the changing political winds in Washington, this access can be used as a political pressure tool. Access to internal policy documents on trade, defense, or economic strategy can directly undermine the Dutch negotiating position.
2. Continuity and Availability (The 'Kill Switch')
What happens if Microsoft or Amazon decides - or is forced by the American government - to cease operations? In May 2025, the Microsoft account of the chief prosecutor of the International Criminal Court in The Hague was blocked, presumably as part of American sanctions. This incident shows that tech giants can be used as geopolitical weapons.
The Netherlands Court of Audit released a devastating report in January 2025: the government has lost control over its ICT and data due to a thoughtless and too rapid flight to the cloud, without adequate exit strategies.
This is the first part of the series 'The Great Cloud Exodus', in collaboration with Michel Heinst from Tech Outlet. The remaining parts will be published on the website in the coming weeks.
About TechOutlet.eu
TechOutlet.eu has been a specialist in enterprise IT hardware for the Benelux since 2014. They supply EOL (End-of-Life) and new servers, workstations, and laptops from brands like HP, Dell, and Lenovo to SMEs, government, and healthcare.
The focus is on:
- Digital Sovereignty: Hardware that you fully own and manage
- Flexibility: Choice between EOL (cost-efficient) and new hardware (compliance)
- Sustainability: Optimal utilization of hardware lifespan
- Cost Efficiency: Enterprise quality for SME budgets
- Fast Delivery: 24-hour delivery from Dutch stock
Contact: For advice on your cloud exit strategy and the necessary hardware, please contact us via www.techoutlet.eu
