AWS European Sovereign Cloud: What DACH Businesses Need to Know
Executive Summary
The AWS European Sovereign Cloud (ESC) reached general availability in Brandenburg, Germany, on January 15, 2026 — the first hyperscaler cloud partition operated exclusively by EU residents in the EU. AWS is investing €7.8 billion in the German infrastructure, creating approximately 2,800 full-time-equivalent positions. The ESC is structurally separated from standard AWS infrastructure: dedicated APIs, control planes, security boundaries — and BSI C5 Type 2 attestation from day one. For DACH enterprises in critical infrastructure sectors, regulated industries, and public administration, it is the first hyperscaler option that addresses all sovereignty requirements under one platform. This article explains everything decision-makers and architects need to know about the ESC launch: location, operational model, available services, and how it differs from the standard region.
Background: Why a Separate Cloud Partition?
Existing AWS regions in Europe — led by eu-central-1 in Frankfurt — provide data residency in Germany. But data residency alone does not fully resolve the sovereignty problem. The core issue: as long as a hyperscaler's parent company is subject to the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act), US authorities can theoretically access data stored in that hyperscaler's EU data centers — regardless of where the physical infrastructure sits.
For KRITIS operators, government agencies, and regulated industries, this theoretical access is not an acceptable residual risk. NIS2, GDPR Articles 44 ff., and the BSI demand demonstrable exclusion mechanisms — not merely contractual assurances, but operational separation.
AWS's answer to this requirement is the ESC: a fully separated cloud partition with its own governance, its own personnel, and its own legal accountability framework within the EU. The question is not only where data is stored, but who has access to it — and under which legal system that person operates.
Location and Infrastructure: Brandenburg as the Starting Point
The ESC launched in Brandenburg, Germany. Choosing Germany as the opening location is deliberate: Germany is Europe's largest economy, has the strictest data protection authorities, and the densest regulatory landscape — particularly with NIS2 and the BSI as a globally recognized security authority.
AWS is investing €7.8 billion in ESC infrastructure in Germany — one of the largest cloud infrastructure investments in European history. This figure covers data center facilities, network infrastructure, power and cooling systems, and the build-out of the operational team. The investment scale signals that this is not a pilot project but a platform decision for the next decade.
The ESC operates in a dedicated Availability Zone cluster that is physically and logically separated from standard AWS regions. Multi-AZ deployments within the ESC are fully supported — all Availability Zones are located within Germany. Data replication outside the ESC is technically blocked by Service Control Policies, not merely contractually prohibited.
AWS has announced plans to extend the ESC to additional European countries over time. Brandenburg is the launch point of a pan-European sovereign cloud infrastructure buildout that will grow in the coming years.
Operational Model: EU Operators as the Core Principle
The ESC's operational model is the decisive differentiator versus all previous EU-region offerings. The governing rule: No AWS employee outside the EU has access to ESC systems or customer data.
In concrete terms, this means:
- All operators, engineers, support staff, and executives with access to ESC systems are EU citizens residing in the EU.
- Support tickets from ESC accounts are handled exclusively by EU-resident AWS employees.
- Audit logs and access controls for ESC operators are segregated from standard AWS access control systems.
- The ESC leadership team — Stéphane Israël (CEO) and Stefan Hoechbauer (President AWS Germany) — operates exclusively under European law.
This model closes the legal grey area that remains with standard hyperscaler regions. A US government access request via the CLOUD Act requires that the service provider is able to access the data. If no AWS employee with US legal standing has operational access, compelled access is structurally excluded — not just contractually promised.
For organizations processing VS-NfD (restricted classified) data or similarly sensitive information, this operational separation model is a baseline prerequisite.
Available Services: What the ESC Offers at Launch
The ESC launched with a catalog of over 150 AWS services in general availability — sufficient for the majority of enterprise workloads, but smaller than the full AWS catalog in eu-central-1 with over 200 services. The catalog is expanding continuously.
| Category | Representative Services | Sovereignty Relevance |
|---|---|---|
| Compute | EC2, Lambda, ECS, EKS, Fargate | High — core requirement for all workloads |
| Storage | S3, EBS, EFS, Glacier | Very high — data storage enforced in EU |
| Databases | RDS, Aurora, DynamoDB, ElastiCache | Very high — personal data, transactions |
| Security & IAM | KMS, CloudHSM, IAM, Security Hub, GuardDuty | Critical — encryption, access control, audit |
| Governance | Control Tower, Config, CloudTrail, Audit Manager | Critical — NIS2, BSI C5, GDPR compliance |
| Networking | VPC, Direct Connect, PrivateLink, Transit Gateway | High — isolated network perimeters |
| Analytics & Data | Athena, Glue, Redshift, Kinesis | Medium — depends on data classification |
| AI/ML | SageMaker (selected features), Bedrock (roadmap) | Growing — EU AI Act preparation |
| Monitoring | CloudWatch, X-Ray, Systems Manager | High — operational security, incident response |
Important for architects: not all services available in standard regions are available at ESC launch. A service mapping exercise is required before migration planning — which services are currently in use, which are available in the ESC, and which need to be replaced with ESC-native alternatives?
The current, complete service list is maintained by AWS at: AWS Europe Digital Sovereignty
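The service mapping exercise described above, as an added example (not code from AWS or Storm Reply): it derives the services in use from CloudTrail-style records and buckets them by the status this article's table gives. The sample events, the `ALIASES` and `ESC_STATUS` maps, and the function names are constructed for illustration; the authoritative catalog is the AWS service list.

```python
import json
from collections import Counter

# Constructed sample of CloudTrail-style records (one JSON object per line).
SAMPLE_EVENTS = """\
{"eventSource": "s3.amazonaws.com", "eventName": "PutObject"}
{"eventSource": "s3.amazonaws.com", "eventName": "GetObject"}
{"eventSource": "kms.amazonaws.com", "eventName": "Decrypt"}
{"eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricData"}
{"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel"}
{"eventSource": "sagemaker.amazonaws.com", "eventName": "CreateTrainingJob"}
{"eventSource": "sqs.amazonaws.com", "eventName": "SendMessage"}
truncated-record-not-json
"""

# CloudTrail names some services by endpoint prefix rather than product name.
ALIASES = {"monitoring": "cloudwatch", "elasticfilesystem": "efs"}

# Assumption: statuses transcribed from the article's table of representative
# services. Replace with the current AWS service list before relying on it.
ESC_STATUS = {
    "ec2": "available", "lambda": "available", "s3": "available",
    "efs": "available", "rds": "available", "dynamodb": "available",
    "kms": "available", "cloudtrail": "available", "cloudwatch": "available",
    "sagemaker": "partial",   # table says "selected features"
    "bedrock": "roadmap",     # table says "roadmap"
}

def services_in_use(raw):
    """Count API calls per service, skipping lines that are not valid records."""
    counts = Counter()
    for line in raw.splitlines():
        try:
            source = json.loads(line).get("eventSource", "")
        except (json.JSONDecodeError, AttributeError):
            continue
        if isinstance(source, str) and source.endswith(".amazonaws.com"):
            prefix = source.split(".")[0]
            counts[ALIASES.get(prefix, prefix)] += 1
    return counts

def map_services(counts, status=ESC_STATUS):
    """Bucket each used service; anything not in the map needs a manual check."""
    report = {"available": [], "partial": [], "roadmap": [], "unverified": []}
    for service in sorted(counts):
        report[status.get(service, "unverified")].append(service)
    return report

if __name__ == "__main__":
    for bucket, names in map_services(services_in_use(SAMPLE_EVENTS)).items():
        print(f"{bucket:<11} {', '.join(names) or '-'}")
```

Services that land in `unverified` are the ones to look up in the current catalog before migration wave planning; `partial` and `roadmap` entries need a feature-level check or an alternative.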
Certifications and Compliance Evidence
The ESC was designed for certification conformance from the start — not as a post-launch audit exercise but as a design principle. The current attestations are:
- BSI C5 Type 2: The Cloud Computing Compliance Criteria Catalogue — Germany's gold standard for cloud security assurance. Type 2 means: independent audit over a defined operational period, not just a point-in-time snapshot. For federal agencies and KRITIS operators, BSI C5 has effectively become a procurement prerequisite.
- ISO 27001: The international standard for information security management systems. Covers confidentiality, integrity, and availability. Commonly required in enterprise procurement contracts and public sector tendering processes.
- SOC 1 / SOC 2 / SOC 3: Service Organization Control Reports. SOC 2 Type II is particularly relevant for SaaS customers and financial services — covering security, availability, processing integrity, confidentiality, and privacy over an extended audit period.
- ISO 27017 / ISO 27018: Extensions to ISO 27001 specifically for cloud services (27017) and protection of personal data in public clouds (27018). Relevant for demonstrating GDPR conformance to data protection supervisory authorities.
All attestation reports are publicly accessible via the AWS Artifact portal. Enterprise customers can download full audit reports and present them to compliance departments, data protection officers, and supervisory authorities.
ESC vs. Standard Region: What Matters for DACH
The most frequent question in DACH architecture workshops is: isn't eu-central-1 sufficient? The answer depends on the workload — but for specific categories, the ESC is not an option but a requirement.
| Dimension | AWS ESC (eu-sovereign-1) | Standard eu-central-1 |
|---|---|---|
| Operational separation | Full — no AWS personnel outside EU | No — global AWS team with access controls |
| CLOUD Act risk | Structurally excluded | Theoretically present (US parent entity) |
| BSI C5 Type 2 | Yes, from launch | Yes |
| VS-NfD suitability | First hyperscaler solution with eligibility | No |
| NIS2 KRITIS suitability | Fully demonstrable | With additional measures |
| Service catalog | 150+ services (growing) | 200+ services (complete) |
| Cost | ~15–25% premium | Reference pricing |
| Data storage location | Permanently Brandenburg / Germany | Frankfurt, replication possible |
| Support team | EU-resident, ESC-dedicated | Global AWS support team |
For most DACH organizations, a mixed approach is recommended: workloads with elevated sovereignty requirements (personal data, KRITIS systems, VS-NfD) on the ESC — innovation and low-sensitivity workloads on eu-central-1. AWS calls this the "Sovereign by Design" model.
Who Benefits Most? Industry Relevance in the DACH Market
The ESC primarily addresses workloads with regulatory sovereignty requirements. The following sectors and organization types have the strongest case for ESC adoption:
- Public Administration (Federal, State, Municipal): The first hyperscaler option with VS-NfD eligibility and BSI C5 proof. E-government platforms, citizen portals, and inter-agency communication can migrate to the ESC with demonstrable data sovereignty for audit courts and data protection officers.
- Critical Infrastructure Operators (Energy, Water, Transport, Healthcare): NIS2 and the forthcoming KRITIS-DachG regulation require demonstrable cybersecurity and sovereignty measures. The ESC with BSI C5 Type 2 provides the strongest available attestation posture — particularly for OT/IT convergence scenarios.
- Financial Services (Banks, Insurers, Asset Managers): DORA combined with GDPR and BaFin requirements makes sovereign cloud a compliance imperative for core systems. The ESC fulfills all DORA resilience requirements for critical ICT third-party service providers.
- Healthcare (Hospitals, Health Insurers, Research): Patient data falls under GDPR Article 9 (special categories) and German §203 StGB. The ESC's operational separation structurally excludes extraterritorial access — including US government access in law enforcement or intelligence contexts.
- Automotive and Manufacturing with US Partnerships: Engineering data, manufacturing IP, and supply chain information must be protected from the CLOUD Act — particularly in joint venture arrangements with US partners who are themselves accessible to US authorities.
Storm Reply and the ESC: Early Project Experience
Storm Reply is an AWS Premier Consulting Partner in the DACH market and had early project exposure to the ESC platform during its 2025 preview period. This prior experience is a significant advantage for customers migrating now: Storm Reply understands the specifics of ESC configuration, service behavior differences, and the particular compliance evidence requirements of German regulators.
Storm Reply brings the following competencies to ESC engagements:
- AWS Migration Competency: Structured workload classification, migration wave planning, and compliance checkpoints aligned with the AWS MAP framework
- AWS Security Competency: Sovereign Landing Zone configuration, KMS key management, CloudHSM integration, and SCPs for ESC guardrails
- NIS2 Readiness: Gap analysis against current NIS2 requirements with BSI registration support
- AWS Audit Manager: Automated evidence collection for BSI C5 Type 2 audits — eliminating manual spreadsheet-based evidence gathering
Storm Reply is part of the Reply Group, which holds 16 AWS Competencies, 17 Service Deliveries, and 1,500+ AWS certifications across more than 2,000 AWS professionals. Storm Reply — AWS Premier Consulting Partner DACH. Learn more: reply.com/storm-reply
Practical Next Steps for DACH Decision-Makers
Organizations ready to act should pursue the following steps in the next 90 days:
- Workload classification: Which data and systems carry elevated sovereignty requirements? Personal data, KRITIS-relevant systems, intellectual property with CLOUD Act exposure?
- Service mapping: Which AWS services are currently in use? Are all of them available in the ESC? What alternatives exist for services not yet available?
- Business case: Compliance cost of the status quo (penalty risk, liability exposure) vs. migration costs and ESC operating costs (approximately 15–25% premium).
- Wave 1 migration: Pilot migration of a non-critical but sovereignty-relevant workload to build ESC platform experience before committing to production systems.
- Partner selection: AWS Premier Partner with ESC experience and NIS2 competency — Storm Reply is available for initial consultations.
Sources
- AWS Blog: Opening the AWS European Sovereign Cloud (January 2026)
- AWS: Europe Digital Sovereignty on AWS
- AWS Security Blog: AWS European Sovereign Cloud Sovereign Reference Framework
- BSI: BSI Cloud Computing Compliance Criteria Catalogue (C5)
- BSI: NIS-2 in Deutschland