Text: Michel Heinst, CEO and owner Tech Outlet Ltd
The promise was tempting in its simplicity: no more own servers, no worries about updates or security patches, and infinite scalability available at the push of a button. Those who invested in their own 'iron' in 2015 were looked at with pity.
However, by 2025, the atmosphere has radically changed. The honeymoon period with the hyperscalers - Amazon Web Services (AWS), Microsoft Azure, and Google Cloud - is definitively over. What began as a flirtation with flexibility and modernization has turned into a stifling marriage for many Dutch organizations, characterized by vendor lock-in, unpredictable cost explosions, and a fundamental lack of control over their own data.
IDC predicts that by 2026, as much as 65% of enterprises will switch to a hybrid model, where data processing and AI tasks are pulled back to edge or on-premise environments. McKinsey signals a clear trend shift: CIOs in Europe are shifting their focus from pure cloud adoption to digital sovereignty and cost control.
This report analyzes not only the numbers but also the human and organizational stories behind this movement. Why does a successful SaaS entrepreneur choose to leave the cloud for dedicated servers? Why does the Dutch government shudder at the thought of American data seizures? And is it technically and financially feasible to regain control?
Part I: The Legal Reality – Data in Foreign Hands
The Illusion of the European Region
The fundamental problem with the dominance of American hyperscalers - who together hold more than 68% of the global cloud infrastructure market - is the extraterritorial effect of American legislation.
Many European managers and policymakers operate under the assumption that when they choose 'Region West Europe' (often physically located in data centers around Amsterdam or Eemshaven), their data is safely shielded from American interference. 'The data is in the polder, right?' is the frequently heard defense.
This is, legally speaking, a dangerous illusion. American legislation does not look at the ground on which the server stands, but at who holds the keys to the front door.
The US CLOUD Act: The Long Arm of Washington
The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act), enacted in 2018, has fundamentally changed the playing field. This law requires American tech companies to hand over user data to American judicial authorities, regardless of where that data is physically stored.
The legal criterion is not the location of the server, but the control ('possession, custody, or control') that the American parent company has over the data. Since Microsoft Corporation in Redmond, Washington, has full control over its subsidiary Microsoft Netherlands BV, data in the data center in Wieringermeer is legally under the direct jurisdiction of an American warrant.
A Dutch judge has no say in this matter. This creates a direct conflict with the European GDPR, which imposes strict conditions on sharing personal data with countries outside the EU. Organizations thus find themselves in a legal vise: complying with the American warrant means violating European privacy legislation, and vice versa.
FISA 702: Unmarked Surveillance
Even more intrusive is section 702 of the Foreign Intelligence Surveillance Act (FISA). This legislation allows American intelligence agencies such as the NSA to intercept, collect, and analyze communications of non-Americans located outside the United States.
The crucial difference with regular law enforcement is that no individual judicial warrant with suspicion of a crime is required here. It concerns intelligence gathering in the context of national security, a concept that is interpreted very broadly in the US.
The Court of Justice of the European Union has already declared the exchange of data with the US illegal based on previous treaties due to this legislation in the landmark Schrems II ruling. Although new political agreements have since been made, such as the 'Data Privacy Framework', the legal basis under FISA 702 remains precariously unchanged.
The OVH-Canada Case: The End of Naivety
That concerns about the CLOUD Act are not academic theories is proven by a recent and shocking ruling from a Canadian court in 2024 regarding OVHcloud, a French company that positions itself as the sovereign European counterpart to AWS and Azure. The Royal Canadian Mounted Police (RCMP) demanded access to customer data. However, this data was not in Canada, but on servers in France, the United Kingdom, and Australia. The data belonged to customers who had nothing to do with Canada.
The Canadian judge ruled that the Canadian subsidiary of OVHcloud could be compelled to hand over this data, despite the fact that the data was physically located in Europe. The judge stated that the interests of the state (prosecution) outweighed the objections of OVHcloud.
This ruling hit the European tech community like a bomb. OVHcloud was forced into an impossible dilemma:
- Complying with the Canadian warrant would lead to a direct violation of the French 'blocking statute' and the GDPR, with fines up to €90,000 and imprisonment for French executives
- Refusing would lead to contempt of the Canadian court, with sanctions against the Canadian branch
This case unequivocally demonstrates that once a cloud provider - even one with a European headquarters - has legal entities in jurisdictions with extraterritorial powers, the 'sovereignty' of the data is at stake.
The Vulnerability of the Dutch Government
Research by NOS shows that at least 1,722 websites of the government, semi-government, and vital infrastructure are directly dependent on at least one American cloud service. These are not trivial blogs or campaign websites:
- Ministries: Nine of the fifteen ministries use Microsoft services for critical processes, including email and document storage
- Decentralized Government: All twelve provinces and nearly all municipalities heavily rely on American infrastructure
- Regulators: Even watchdogs such as the Authority for the Financial Markets (AFM) and the Authority for Personal Data cannot escape this vendor lock-in
The risks are twofold:
1. Espionage and Oversight
IT expert Bert Hubert sharply noted: 'It is technically not difficult for the American government to eavesdrop.' With the changing political winds in Washington, this access can be used as a political pressure tool. Insight into internal policy documents on trade, defense, or economic strategy can directly undermine the Dutch negotiating position.
2. Continuity and Availability (The 'Kill Switch')
What happens if Microsoft or Amazon decides - or is forced by the American government - to cease services? In May 2025, the Microsoft account of the chief prosecutor of the International Criminal Court in The Hague was blocked, presumably as part of American sanctions. This incident shows that tech giants can be used as geopolitical weapons.
The Dutch Court of Audit released a damning report in January 2025: the State has lost control over its ICT and data due to a thoughtless and too rapid flight to the cloud, without adequate exit strategies.
This is the first part of the series 'The Great Cloud Exodus', in collaboration with Michel Heinst from Tech Outlet. The remaining parts will be published on the website in the coming weeks.
About TechOutlet.eu
TechOutlet.eu has been a specialist in enterprise IT hardware for the Benelux since 2014. They supply EOL (End-of-Life) and new servers, workstations, and laptops from brands such as HP, Dell, and Lenovo to SMEs, government, and healthcare.
The focus is on:
- Digital Sovereignty: Hardware that you fully own and manage
- Flexibility: Choice between EOL (cost-efficient) and new hardware (compliance)
- Sustainability: Optimal use of hardware lifespan
- Cost Efficiency: Enterprise quality for SME budgets
- Fast Delivery: 24-hour delivery from Dutch stock
Contact: For advice on your cloud exit strategy and the necessary hardware, please contact via www.techoutlet.eu
