Removing your cloud environment from the United States: a legal step-by-step plan
Transatlantic relations are under pressure. Trade conflicts, shifting geopolitical priorities, and increasing uncertainty about the future of EU-US cooperation are forcing Dutch companies to rethink their cloud strategy. Data sovereignty—the question of who actually controls your company data—is no longer a theoretical issue, but a strategic priority for the boardroom. In this tense environment, you may well decide to switch from your American cloud provider to a European provider. Why is it wise to take action now? And what do you need to take into account? Niels van den Bogaard and Joost van Dongen answer these questions in this blog.
11 February 2026
A cloud migration is a large-scale and complex process involving various considerations. From a legal perspective, the complexity lies mainly in the convergence of multiple jurisdictions, both European and American.
European and Dutch framework
The GDPR imposes strict requirements on the handling of personal data and the transfer of personal data to countries outside the EEA.[1] The Data Act outlines the framework for data control, while the NIS2 Directive requires organizations in essential sectors to implement enhanced cybersecurity measures, including requirements for supply chains. The NIS2 is expected to be incorporated into the Cybersecurity Act (CBW) in the Netherlands in Q2 2026.
American framework
The CLOUD Act gives US authorities the power to request data from US providers, regardless of where that data is physically stored. A European data center belonging to a US provider therefore does not offer complete protection. FISA Section 702 also expands surveillance capabilities, with potential impact on EU citizens' data. These laws create structural tension with European privacy standards.
Contractual arrangements
In addition, various contractual pitfalls and points of attention play a major role and deserve thorough analysis:
- Start with the termination policy. Check whether early termination is possible, the notice periods involved, and any associated costs (termination fee).
- Next, the exit arrangements deserve attention. Are you entitled to data export in a common, readable format? And within what period must the provider permanently delete your data? Without clear agreements, you risk data loss or costly delays.
- Also pay attention to migration clauses: some contracts oblige the provider to actively cooperate in the transfer. If such a provision is missing, you will be dependent on goodwill when you leave.
- The division of liability upon termination of the contract also requires attention. Exoneration clauses can significantly limit your options for recourse in the event of problems.
- Finally, there is the risk of vendor lock-in. Proprietary formats, specific APIs, or deeply integrated services can make migration technically and financially complex. It is therefore important to identify these dependencies at an early stage.
Technical and operational risks
A cloud migration is more than just a legal exercise. The technical implementation has its own risks with legal implications:
- Firstly, data security during the migration itself. Encryption, strict access control, and logging are essential. Ensure that a processing agreement is in place with both the old and new providers that clearly defines responsibilities.
- Continuity also plays a key role. Downtime can lead to business losses and contractual liability towards your own customers – so ask yourself: who bears the risk in the event of interruptions?
- Data integrity also deserves attention: data loss or corruption during migration immediately raises questions about liability. Establish in advance who is responsible for what.
- Finally, don't forget the sub-processors. The new provider may engage its own subcontractors for hosting or support. As the controller, you are obliged to know the entire chain and assess it for GDPR compliance.
Practical tips for a controlled migration
- Start with thorough due diligence. Assess potential providers on GDPR compliance, relevant certifications (ISO 27001, SOC 2 Type II), and—crucially—location and ownership structure. A European subsidiary of an American parent company is still subject to the CLOUD Act, given its extraterritorial effect.
- Next, have your contracts reviewed by a lawyer. Check exit rights, notice periods, and liability provisions before taking any action. Prevention is better than litigation. Please note: in some cases, switching cloud service providers may require consultation with your Works Council (Article 25 WOR).
- Involve your new European cloud service provider in the process. Have the contracts you want to conclude with your new provider reviewed, and involve them in the migration process. Ideally, your new provider will assist you in the process.
- In addition, opt for a phased migration. A step-by-step transfer will limit the risks. If possible, run parallel systems temporarily to ensure continuity.
- Document everything carefully. Record all processing activities, risk analyses, and decisions. The accountability requirement in Article 5(2) of the GDPR requires you to be able to demonstrate that you are acting in compliance.
- Finally, assemble a multidisciplinary team. Combine legal, technical, and operational expertise. Cloud migration affects legal, IT, privacy, procurement, finance, and management.
Conclusion: forewarned is forearmed.
Current international developments make one thing clear: legal frameworks can suddenly disappear. Companies that are now reviewing their cloud strategy and preparing migration plans will be in a stronger position when the next seismic shift occurs (see also this blog on cybersecurity). For directors, CISOs, privacy officers, and corporate lawyers, the message is therefore: assess your current situation, evaluate your contractual position, and engage specialists in good time (see also this blog about directors' liability). Proactive action is not only legally prudent, it is strategically necessary.