AWS Initiatives for European Cloud Sovereignty and NIS 2 Compliance
Amazon Web Services (AWS) has announced the AWS European Sovereign Cloud, a new independent cloud infrastructure designed to address the unique sovereignty, security, and compliance requirements of European public sector organizations and highly regulated industries. The AWS European Sovereign Cloud incorporates the Sovereign Reference Framework (ESC-SRF), which aligns with governance, operational control, data residency, and technical isolation criteria, and is undergoing independent third-party audits to validate its compliance with European regulatory expectations. AWS is also making the ESC-SRF available through AWS Artifact, enabling customers and partners to build upon these sovereignty controls for their own compliance needs.
In parallel, AWS has reaffirmed its commitment to supporting customers in meeting the requirements of the EU's NIS 2 Directive, which aims to strengthen cybersecurity across the Union. As NIS 2 is transposed into national law across EU member states, AWS is working closely with national cybersecurity authorities and customers to ensure robust security practices and compliance. These efforts are part of AWS's broader responsibility to secure digital infrastructure in Europe and to help organizations build resilience and trust in the online environment.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
AWS makes ESC-SRF available in Artifact and begins external validation
AWS made the Sovereign Reference Framework available through AWS Artifact and said it is undergoing independent third-party audit validation. AWS also said it will provide a dedicated SOC 2 report for the AWS European Sovereign Cloud to document these controls.
AWS launches European Sovereign Cloud framework
AWS announced the AWS European Sovereign Cloud and introduced the Sovereign Reference Framework (ESC-SRF), a control framework for sovereignty requirements in Europe. The framework covers governance independence, operational control, data residency, and technical isolation for public sector and highly regulated customers.
AWS publishes EU cybersecurity and NIS 2 support overview
AWS published a blog outlining its approach to securing digital infrastructure in the European Union, including cooperation with authorities and tools to help customers meet NIS 2 obligations. The post also highlighted AWS compliance programs, shared responsibility guidance, and security-by-design support for regulated sectors.
EU adopts NIS 2 cybersecurity directive
The European Union adopted Directive (EU) 2022/2555, known as NIS 2, to strengthen cybersecurity and resilience requirements across member states and critical sectors. This directive forms the regulatory backdrop for later AWS security and compliance efforts in Europe.
AWS establishes agreements with European national cybersecurity agencies
AWS established partnerships and agreements with national cybersecurity agencies in Germany, Spain, the Netherlands, and Italy to support cybersecurity cooperation in Europe. The reference does not specify when each agreement was signed.
AWS supports Ukraine's digital resilience during the war
AWS played a significant role in helping support Ukraine's digital resilience during the war, cited as part of its broader cybersecurity and resilience work in Europe. The reference does not provide a specific date for this support.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AWS Launches EU Sovereign Cloud Amid European Data Sovereignty Concerns
Amazon Web Services announced the general availability of its **European Sovereign Cloud**, a physically and logically isolated cloud region designed to meet EU data residency and sovereignty requirements. The offering is operated within the EU by EU-resident staff under a new German parent company, with supporting systems such as **metadata, billing, and identity management** kept inside the EU; AWS said it will start with roughly **90 services** available from Germany and later expand via *Local Zones* in Belgium, the Netherlands, and Portugal, plus *Dedicated Local Zones* for single-tenant, highly sensitive workloads. The launch is positioned as a response to European customer concerns about exposure to **U.S. extraterritorial authorities** (e.g., the **CLOUD Act**) and broader geopolitical risk influencing cloud procurement decisions. Commentary in the accompanying opinion piece frames this as part of a wider “tech dependency” problem in which reliance on U.S.-based providers can become a geopolitical vulnerability, reinforcing why EU organizations are seeking stronger sovereignty controls and alternatives—even as some industry leaders remain skeptical that technical and legal measures (including AWS’s references to protections like the **Nitro System**) can fully eliminate foreign-jurisdiction risk.
Mar 21, 2026
Cloud Providers Expand European Data Sovereignty Offerings
Microsoft and Amazon Web Services (AWS) have announced significant enhancements to their cloud services aimed at addressing European data sovereignty and compliance requirements. Microsoft is introducing new features such as end-to-end AI data processing within Europe as part of the EU Data Boundary, in-country processing for Microsoft 365 Copilot interactions in select countries, and expanding Azure Local capabilities to support larger, more sovereign private clouds. These measures are designed to reassure European customers amid ongoing concerns about the reach of US laws like the CLOUD Act and shifting geopolitical dynamics, particularly following recent changes in US leadership. AWS has released a whitepaper detailing the design and objectives of its upcoming AWS European Sovereign Cloud, which will launch its first region in Brandenburg, Germany by the end of 2025. The new infrastructure will feature dedicated physical resources, logical isolation from other AWS regions, independent operational controls, and a distinct EU-based corporate governance structure. Both providers are responding to increasing demand from public sector and highly regulated industries in Europe for greater control over data residency, operational autonomy, and protection from extraterritorial legal requests.
Mar 21, 2026
European Push for Digital Sovereignty in Cloud Infrastructure
European governments and organizations are intensifying efforts to achieve digital sovereignty in cloud infrastructure, driven by geopolitical uncertainties and concerns over reliance on American hyperscalers such as Microsoft, Google, and Amazon Web Services. With U.S. policy shifts and potential transatlantic tensions, European leaders are prioritizing the development of domestic alternatives and strategies to ensure control over sensitive data and critical workloads. Despite these ambitions, local cloud providers currently hold only a small share of the market, and experts suggest that a new European hyperscaler is unlikely to emerge soon, with existing players like SAP and Deutsche Telekom each controlling only about 2% of the market. In response to these sovereignty concerns, cloud providers are expanding offerings tailored to regulatory and data residency requirements. Amazon Web Services, for example, has introduced Dedicated Local Zones to provide customers with greater control over data location, security, and compliance, supporting sensitive workloads for public sector and regulated industries. These initiatives reflect a broader trend of cloud service adaptation to meet the evolving needs of European customers seeking to balance operational flexibility with strict sovereignty and compliance mandates.
May 12, 2026