European organisations that choose EU data centres for their Microsoft 365 or Google Workspace deployments often believe they have addressed their sovereignty exposure. The data is in the EU. The box is ticked.
But data location is only one of many control points a cloud provider holds over your organisation. Even with EU-hosted data, a US provider retains administrative access, controls the encryption keys, operates the identity layer, and can push updates or policy changes without your consent. The CLOUD Act (18 U.S.C. §2713) gives US law enforcement the legal authority to compel data disclosure regardless of where the data is physically stored.