Europe built sovereign clouds to escape US control. Then forgot about the processors

Europe is making substantial investments, exceeding €2 billion, into sovereign cloud initiatives aimed at bolstering digital autonomy and reducing reliance on US jurisdiction. These efforts, exemplified by France's SecNumCloud framework with its extensive technical requirements, seek to provide an environment "immune from extraterritorial laws." The core objective is to establish cloud infrastructure that is demonstrably independent of foreign governmental influence and control. However, a critical oversight has emerged: the underlying hardware, specifically the processors, largely remains sourced from US manufacturers like Intel and AMD. These processors contain sophisticated management engines, operating at a privilege level beneath the operating system, which are largely invisible and uncontrolled by host security software. This embedded technology, even when a machine appears powered off, can still be active and potentially vulnerable. This reliance on US-designed silicon presents a significant challenge to the goals of digital sovereignty, as US legislation like the Reforming Intelligence and Securing America Act (RISAA) 2024 can classify hardware manufacturers as "electronic communications service providers." This designation allows for potential access through secret government orders, circumventing the security certifications of European cloud frameworks. The architecture of these management engines, with their independent memory, clock, and network capabilities, means traffic generated by them can be indistinguishable from legitimate host traffic, posing a covert exfiltration risk that existing security measures cannot detect.