Navigating uncertainty around US cloud services in Europe

In recent weeks, a growing wave of concern has swept across the European public sector and private businesses. At the heart of the issue: US cloud services and the legal uncertainty surrounding digital services’ reliance on them. This has been increasing significantly due to a variety of decisions and executive actions being taken by the US government, including dismantling the privacy and civil liberties watchdog PCLOB.

It is a reminder of the importance of staying informed, and to make sure your organisation is taking action to be prepared for whatever comes next.

As Sweden’s data protection authority, IMY, warns organisations to stay alert, Norway’s regulator goes one step further, advising businesses to prepare an “exit strategy” in a guidance issued in February 2025. This further highlights concerns over the stability of the EU-US Data Privacy Framework and the potential of abrupt changes that could affect data transfers without a transition period.​

“At Cleura, we welcome the Norwegian regulator’s conclusion. We are firm in our belief that Europe needs to strengthen its own capabilities in all areas, from underlying infrastructure to the actual service layer, to avoid dependencies on third parties. Europe needs to be in the driver’s seat to avoid being punished in trade wars or risking its citizens’ privacy rights.“
Jim Johansson, CEO at Cleura
The European cloud, trusted by Scrive

Those are only a couple examples from the Nordics, but at Scrive, we believe this is a moment that demands clarity, leadership, and above all, action from organisations all across Europe.

“This isn’t just a question of compliance, it’s about trust and predictability,” says Mads Rebsdorf, CEO at Scrive. “For organisations across Europe, especially in the public sector, relying on US-based cloud services now carries increasing uncertainty. It’s our responsibility as a European digitalisation partner to offer secure and robust alternatives.”

Erosion of legal certainty

The central challenge lies in the differences between European data protection standards and US surveillance laws. Despite the EU-US Data Privacy Framework aiming to restore confidence in transatlantic data flows, recent court decisions and national regulator statements regarding the use of US-owned technology in schools, public sector organisations and businesses have reintroduced uncertainty. If transfers of personal data to US services are deemed non-compliant, organisations could face enforcement actions, halted projects, and reputational damage.

“Supervisory authorities across the Nordics are no longer just hinting, they’re saying outright that businesses need to be ready to pivot. Such changes may be challenging unless you don’t have the right partner by your side.”
Peter Carlstedt, Chief Legal Officer at Scrive

Scrive Extended Compliance – built for digital trust and control

This is a chance for organisations to revisit their vendor landscape, reduce exposure to regulatory risk, and align with European values around privacy and digital sovereignty. And at the same time, an opportunity for European vendors to showcase why they are the right choice when it comes to trust, security and digital sovereignty. 

At Scrive, compliance has always been core to what we do not only as a trust service provider but as a European business on a mission towards a safer, more digital European Union. Our existing platform already meets the highest standards of EU law, with GDPR- and eIDAS-aligned digital transaction workflows hosted in Europe. But we also know that for some, just being compliant may not feel secure enough anymore.

That’s why we built Scrive EC, our Extended Compliance offering.

Scrive EC is a specialised version of our platform offering more or less the same services as our standard platform but hosted entirely on European-owned infrastructure. This lets our customers avoid exposure to US data jurisdiction, while delivering the same seamless experience across e-signing, ID verification and forms.

It’s available across all our products, and built for organisations of all sizes, not just those in highly regulated sectors like finance, government or healthcare.

Scrive is built in and for Europe and as a Qualified Trust Service Provider (QTSP) we operate under some of the strictest legal and technical requirements in the world. We offer solutions that work exclusively with European cloud infrastructure providers that meet European legal requirements for data processing and storage, allowing our customers to significantly reduce the risk of any long-arm jurisdiction.

“We understand the pressures decision-makers are under. Innovation and productivity gains from e.g. Scrive solutions, can’t wait, but neither can trust. What we offer is not just compliance; it’s a pathway to digital maturity that puts you in control of your data.”
Mads Rebsdorf, CEO at Scrive

Our message to European public sector and business leaders

Don’t wait for uncertainty to turn into inaction. Whether you’re already planning for this shift, or just starting to assess your position, we’re here to support you with clarity, flexibility, and solutions that keep you in control of your data.

We offer:

• Proven e-signature and ID verification solutions with full legal alignment across the EU & EEA
• Hosting and data processing arrangements within Europe, letting you avoid the risk of long arm jurisdiction due to the CLOUD Act or FISA
• Experience working with highly regulated sectors such as public organisations, banks and telcos.

Final words

This is a moment that matters and a moment for everyone invested in building digital trust and stability across Europe to take action to ensure a safer digital future.

If you’re facing questions around compliance, vendor strategy or digital transformation, reach out to explore how Scrive EC could fit your compliance roadmap.