MICKAI
Article · 4 July 2026

The CLOUD Act Is The Clause Nobody Repealed. It Is Why Sovereignty Is A Preference, Not A Ban

Even Microsoft cannot promise EU data will never be reached under US law. That fact does not bar most workloads from cloud. It moves the real line to the workload level. Here is exactly where that line sits.

Author
Micky Irons
Published
4 July 2026
Tags: CLOUD Act, data sovereignty, cloud risk, DORA, GDPR


Here is the exchange that reorganised half of Europe's 2026 procurement conversations. In mid-2025, before a French Senate inquiry into digital sovereignty and public procurement, Microsoft France's director of public and legal affairs, Anton Carniaux, was asked whether he could guarantee that French citizens' data would never be transmitted to US authorities without France's explicit agreement. His answer, on the record, was this. "No, I cannot guarantee that, but, again, it has never happened before." He added that Microsoft contractually commits to resist requests it considers unfounded. Both parts are true. Neither changes the answer.

I want to be precise about why that answer was honest rather than alarming, because most of the coverage got the tone wrong. It is not that Microsoft is careless. It is that a US law from 2018 says what it says, and no law passed since has unsaid it.

What the clause actually does

The Clarifying Lawful Overseas Use of Data Act, the CLOUD Act, was signed in March 2018. It settled a question the US Supreme Court was about to rule on in the Microsoft Ireland case: can a US warrant reach data that a US-based provider holds on a server in another country? The Act's answer is yes. It amended the Stored Communications Act so that a provider must produce data in its possession, custody or control when properly served, regardless of where in the world that data physically sits.

That last phrase is the whole story. Sovereignty marketing tends to talk about where the servers are. The CLOUD Act does not care where the servers are. It attaches to who controls the data: a provider within US jurisdiction. If the provider is US-owned or US-incorporated, the reach follows the corporate parent, not the data centre postcode. Building a region in Frankfurt does not move a Redmond-headquartered company outside US jurisdiction.

Now the part that matters for 2026. Nothing has repealed it. I checked, because I do not state a law's status from memory. The EU-US Data Privacy Framework, which lets personal data flow to certified US firms, survived an annulment challenge when the EU General Court dismissed the Latombe case in September 2025, but that decision was appealed and is now before the Court of Justice as Case C-703/25 P. The Framework governs commercial transfer adequacy. It does not neutralise the CLOUD Act, and the CLOUD Act and GDPR have now coexisted for years with no reconciliation mechanism between them. Section 702 of FISA, a separate surveillance authority, ran through a series of short extensions in 2026 before lapsing in June 2026, but that is a different power and its lapse leaves the CLOUD Act untouched. The clause nobody repealed is still the clause nobody repealed.


Why this makes sovereignty a preference, not a ban

Here is where I part company with a lot of the sovereign-cloud sales pitch, including pitches that would help me sell.

The honest reading is that the CLOUD Act creates a residual risk, not a legal prohibition. Almost every regulator that governs regulated data in Europe permits public cloud, provided you apply controls. The EU's Digital Operational Resilience Act, DORA, applicable since 17 January 2025, does not ban financial firms from using cloud providers. It requires exit strategies, audit rights, security equivalence and specific contractual clauses under Article 30, and in November 2025 the European Supervisory Authorities designated the first critical ICT third-party providers subject to direct oversight, a list that includes major cloud operators. That is a permit-with-controls regime, not a wall. GDPR, through the post-Schrems II transfer-impact assessment, asks you to evaluate third-country law, including the CLOUD Act, and apply supplementary measures such as customer-held encryption, where the provider stores only ciphertext and the key that unlocks it never enters the provider's possession, custody or control. Again: assess and mitigate, not forbid. The FCA, the PRA and the EBA all run the same logic for outsourcing.
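As an added example, not code from this article or from Mickai, the following Go program shows what "customer-held encryption" as a supplementary measure actually changes about a production order. It uses a hypothetical record layout and standard envelope encryption: each object is encrypted under its own data-encryption key (DEK) with AES-256-GCM, and the DEK is wrapped under a key-encryption key (KEK). The names Record, Encrypt, Decrypt and ProducedUnderOrder, and the toggle that stores the KEK alongside the record to model a provider-managed key service, are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what the provider stores for one object (hypothetical layout).
// With customer-held keys KEK is nil: the provider has ciphertext and a
// wrapped DEK it cannot unwrap. With provider-managed keys the KEK sits in
// the same store, so a production order reaches plaintext.
type Record struct {
	ObjectID   string
	Ciphertext []byte // AES-256-GCM under a per-object DEK, nonce prepended
	WrappedDEK []byte // the DEK sealed under the KEK, nonce prepended
	KEK        []byte // nil when the customer holds the key-encryption key
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag using a fresh random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; GCM authentication fails on a wrong key or altered AAD.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	if len(sealed) < g.NonceSize() { return nil, errors.New("sealed blob too short") }
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Encrypt runs on infrastructure the customer controls. The object ID is bound
// as AAD so a blob cannot be quietly re-filed under another object. When
// customerHoldsKEK is false the KEK is stored alongside the record, modelling
// a provider-managed key service (the weak setting).
func Encrypt(kek, plaintext []byte, objectID string, customerHoldsKEK bool) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return Record{}, err }
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil { return Record{}, err }
	wrapped, err := seal(kek, dek, []byte(objectID))
	if err != nil { return Record{}, err }
	rec := Record{ObjectID: objectID, Ciphertext: ct, WrappedDEK: wrapped}
	if !customerHoldsKEK { rec.KEK = kek }
	return rec, nil
}

// Decrypt unwraps the DEK with the supplied KEK, then opens the ciphertext.
func Decrypt(kek []byte, rec Record) ([]byte, error) {
	dek, err := open(kek, rec.WrappedDEK, []byte(rec.ObjectID))
	if err != nil { return nil, fmt.Errorf("unwrap DEK: %w", err) }
	return open(dek, rec.Ciphertext, []byte(rec.ObjectID))
}

// ProducedUnderOrder models the provider complying with an order: it can only
// hand over what is in its possession, custody or control, and it can decrypt
// if, and only if, the KEK is part of that.
func ProducedUnderOrder(rec Record) (plaintext []byte, decryptable bool) {
	if rec.KEK == nil { return nil, false }
	pt, err := Decrypt(rec.KEK, rec)
	return pt, err == nil
}

func main() {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil { panic(err) }
	msg := []byte("constructed sample: claim 4711, diagnosis code F32.1") // constructed data
	held, _ := Encrypt(kek, msg, "claims/4711", true)
	managed, _ := Encrypt(kek, msg, "claims/4711", false)
	_, ok := ProducedUnderOrder(held)
	fmt.Println("customer-held KEK, order reaches plaintext:", ok)
	pt, ok := ProducedUnderOrder(managed)
	fmt.Println("provider-managed KEK, order reaches plaintext:", ok && string(pt) == string(msg))
}
```

Two caveats a transfer-impact assessment should carry with this. The measure only covers data the provider stores; a workload where the provider must process plaintext (search, analytics, a hosted model) is not protected by it. And the KEK service must itself sit outside the provider's possession, custody or control; a "bring your own key" option where the provider's KMS holds the unwrapped key is the managed case above, not the customer-held one.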

So when someone tells you that the CLOUD Act means regulated firms are barred from cloud, they are overstating it, and I will not do that to win a deal. The market I am in rests on sovereignty as a preference. Boards increasingly want US legal reach designed out of their most sensitive systems, and that is a rational, defensible choice. It is not the same thing as a statute forbidding cloud. I cover this distinction in more depth in our work on the honest sovereign-cloud market, because getting it wrong burns credibility with exactly the legal buyers who see through it.

Where the real no-cloud line actually sits

The genuine bar exists. It just sits at the workload level, not across the whole organisation. Here is where a competent legal and risk team will draw a hard line that no amount of cloud controls fixes.

Classified material at SECRET and above. Government classification handling rules, not cloud contracts, govern this. It does not go into a US-reachable commercial cloud, full stop.

ITAR and export-controlled defence technical data. US export-control regimes restrict who may access this data by nationality and jurisdiction, and access by a foreign person, including a foreign administrator with privileged access to the environment, counts as an export. A foreign-reachable or foreign-administered environment can therefore itself constitute a violation, so this is a workload the controls cannot save.

Isolated OT and SCADA for critical national infrastructure. Grid, water and safety-instrumented control systems that are architecturally air-gapped are not made cloud-eligible by a residency promise. The isolation is the control.

DPIA-negative processing. Where a data-protection impact assessment concludes that residual risk after all supplementary measures remains too high for the rights of the individuals involved, that specific processing does not belong in a foreign-reachable cloud. The assessment, not a vendor, makes that call.

Everything outside those categories is a preference call, and reasonable institutions land in different places on it. That is the real map. Most workloads: cloud with controls, legally fine. A defined minority: no foreign-reachable cloud, full stop.


Why we built for the bar, not the preference

Mickai is a Sovereign Intelligence Operating System. Regulated organisations own it and run it inside their own walls, air-gapped where the workload demands it, with a cryptographically signed audit record on every action the system takes. I built it for the workloads that sit past the hard line, because that is where the CLOUD Act stops being a risk you assess and becomes a boundary you cannot cross with any contract.

The point is not that everyone should abandon cloud. Most of your estate is fine in cloud with the right controls, and I would be lying to you if I said otherwise. The point is that for the workloads that genuinely cannot tolerate US legal reach, or any foreign reach, the only real answer is a system that no external jurisdiction can compel, because you own it and it never leaves your control. That is a different architecture, not a different data-centre region. It is the same reason data residency alone is not sovereignty, which we set out in our data-residency work.

The CLOUD Act is not a scandal. It is a clause that does exactly what it says, that nobody has repealed, and that a serious organisation plans around at the workload level rather than panicking about at the enterprise level. Know which of your workloads sit past the line. Then own those outright.

Frequently asked questions

Does the CLOUD Act let the US read any data held by a US cloud provider anywhere?

It lets US authorities compel a US-based provider to produce data in its possession, custody or control, wherever the data is stored, through a warrant, subpoena or court order. Content still requires a judge-signed warrant on probable cause. The Act's own comity safeguard, a provider motion to quash where compliance would breach the law of a "qualifying foreign government", is available only where that government has concluded a CLOUD Act executive agreement with the US. It is a compulsion power over the provider, not a live tap into every dataset, but the reach genuinely follows the US corporate parent regardless of server location.

Did any later law remove the CLOUD Act's extraterritorial effect?

No. The EU-US Data Privacy Framework survived a challenge at the EU General Court in September 2025 and is now under appeal at the Court of Justice, but it governs transfer adequacy, not the CLOUD Act. FISA Section 702 lapsed in 2026, but that is a separate authority. The CLOUD Act's extraterritorial reach remains in force.

Does this mean regulated firms are legally barred from using cloud?

No, and this is the point most coverage gets wrong. DORA, GDPR, the FCA, the PRA and the EBA all permit cloud with controls such as exit plans, audit rights, transfer-impact assessments and encryption. The genuine no-cloud bar is workload-level: classified material, ITAR and export-controlled data, isolated OT and SCADA, and DPIA-negative processing.

Where does Mickai fit?

Mickai is built for the workloads past the hard line. It is a Sovereign Intelligence Operating System that regulated organisations own and run inside their own walls, air-gapped where required, with a signed audit record on every action, so no external jurisdiction can compel access to it. For everything on the preference side of the line, cloud with controls is a legitimate choice.


Originally published at https://mickai.co.uk/articles/cloud-act-jurisdiction-the-quiet-clause. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
On 3 June 2026 the European Commission proposed the Cloud and AI Development Act, a four-tier sovereignty framework for public-sector procurement. It is not a blanket cloud ban. It is a graduated preference that runs from EU data residency at the baseline to effective immunity from foreign law at the top. I explain where each tier sits, and where owned infrastructure belongs.