Title: A Tool for Security? Cloud Computing in Border Control

Dependency on Hyperscalers

In Europe, cloud computing is predominantly provided by US Big Tech companies. As these firms supply cloud infrastructure to security actors, they exert material influence over how the EU’s external borders are governed. Policymakers should therefore recognize that border control is increasingly treated as a market in which so-called hyperscalers operate according to commercial incentives and remain subject to US law.

Amidst efforts to implement AI across different contexts, rising geopolitical tensions, and a strained relationship between the US and European allies, EU policymakers have increasingly recognized the critical nature of technologies used in security-critical domains. In 2021, France proposed a European cloud certification scheme that would have prohibited non-European vendors from providing “high assurance level” cloud services, but the EU has since then shifted toward a more flexible approach to lower costs and enhance competition. As of early 2026, European policymakers, in countries such as France and Finland, have started to more closely scrutinize and regulate cloud service providers in domains such as justice, social security, or communication in public services.

Hyperscalers, such as Amazon Web Services, Microsoft Azure, and Google Cloud, dominate the international cloud computing market, especially in Europe. These services are widely used by individuals, industry, and public administrations, resulting in structural dependence on a small number of non-European Big Tech companies. As European countries have begun to realize their vulnerable position and engage with questions of where and how users’ data is stored, companies have proposed so-called “sovereign” solutions. Microsoft, for example, has communicated that user data is stored almost exclusively in EU data centers, with Amazon, Google, and Salesforce “assuring European governments and businesses that their clouds were safe, shielded, and separate” as well.

However, even “sovereign” clouds remain subject to the CLOUD Act, which requires companies to transfer user data to US authorities and, thus, outside European territory.  As EU border authorities increasingly rely on foreign hyperscalers despite criticisms, their dependency has continued to raise concerns about data sovereignty and governance. This article argues that to address these risks, the EU must reassess dependencies in border control, invest in European cloud solutions, and increase awareness of the safety-critical nature of scenarios in border control.

Border Control as a Market

Literature on international political economy and sovereignty has shown that IT companies’ growing influence over security governance has become a geopolitical issue and therefore warrants critical assessment. Free and open-source platforms could serve as alternatives to commercial products.

Border control constitutes a safety-critical application that warrants particular scrutiny. In partnership with research institutions and industry actors, Frontex, the agency responsible for governing the EU’s external borders, has, to date, committed to building on technologies, such as “cloud computing, Big Data and Machine Learning” to develop its “data management and processing capabilities.” This trajectory is reflected in recent initiatives, including Frontex’s “industry days” focused on cloud and edge computing and the Horizon project EINSTEIN, which aims to develop a cloud-based application for “online ID issuance” for “biometric quality checks and fraud detection.” Complementing edge computing, cloud computing enables data storage and access from multiple locations, as well as the analysis of large, synchronized datasets.

The adoption of cloud computing in border control further entrenches dependence on US hyperscalers. Frontex relies on Microsoft-based information systems (.NET, SharePoint, and MS-SQL) hosted on Azure to manage migrant screening and forced returns. Policymakers need to pay attention to the marketization of border control and recognize that consultant groups or Big Tech companies might be less critical of—or benefit from—vendor lock-in.

Applicability to Safety-Critical Scenarios

In controlling the EU’s external borders, Frontex collects data on individuals who are not EU citizens and who are often in precarious situations. As noted by scholars of data justice and as reflected in investigations by the European Data Protection Supervisor, it is important to audit how cloud computing is implemented in border control, including whether data protection and management regulations are considered and to which (non-EU) bodies data is transferred further. Thus, although cloud computing might be perceived as a general-purpose technology, policymakers should consider the sensitivity of the safety-critical context of border control.

With the COVID-19 pandemic accelerating the adoption of cloud computing, Frontex had “deployed two-thirds of Frontex users into the Microsoft 365” by early February 2021. The goal was to “reduce the volume of data processed in the on-premise infrastructure in favor of the usage of the M365/O365 services.” Since then, Frontex’s “move to the cloud” has drawn criticism by the European Data Protection Supervisor (EDPS) who reprimanded Frontex “of moving to the cloud without proper data protection assessment.” The move to “a hybrid cloud consisting of Microsoft Office 365, Amazon Web Services (AWS), and Microsoft Azure” was criticized because the agency “failed to observe the principles of lawfulness and data minimization.” Subsequently, Frontex was required to carry out an adequate data protection assessment, while the use of Microsoft products continued to be permitted. Understandably, and especially in a pandemic context that necessitated remote collaboration, the adoption of cloud computing seems promising. Cloud computing allows border control personnel to access data and services “in the cloud” from different locations. At the same time, however, cloud computing is overwhelmingly offered by hyperscalers, and thus data is concentrated in their data centers. While edge computing is also used in border control, cloud computing aligns with the idea that different EU actors can collaborate in a common “data space for security and law enforcement.” However, cloud computing’s reliance on centralized data infrastructures may conflict with context-specific requirements of safety-critical scenarios, such as privacy, robustness, or security.

With the application of new technologies, border control serves as a “testing ground,” albeit a safety-critical one, in which errors and malfunctions have real-life consequences. Research in Human-Computer Interaction has emphasized that effective design and implementation require attention to the context of use. The implementation of cloud computing, as well as AI and related technology, should therefore be assessed against context-specific characteristics, such as physical proximity, organizational setting, and design goals. Border control shares similarities with other safety-critical scenarios in which Cloud-based AI-as-a-Service (AIaaS) platforms are envisioned as the technological foundation of operations, enabling predictive, collaborative, and automated decision-making. The border security market has seen a growing convergence of “defense contractors, technology companies, and AI startups,” with “companies such as NVIDIA, Microsoft, and IBM providing the infrastructure and algorithms for large-scale data processing.” This convergence reflects an assumption of cross-context applicability, reinforced by the view that cloud computing is a prerequisite for AI adoption in border control. However, insights from domestic and international contexts, such as emergency response and military operations, are not easily transferable, as contexts differ in their goals and regulatory environment.

In Need for Equitable Data Practices

Media outlets have criticized Frontex’s “intrusive personal data collection from migrants, refugees, and NGO staff.” Prior reports have pointed out diverse cases of data privacy violations in different national contexts, with migrants’ private photos and other data being accessed based on “voluntary” permissions. With people on the move often finding themselves in crisis situations at EU borders, their data autonomy is limited. At the same time, the use of cloud computing in border control has been under scrutiny. This scrutiny relates specifically to data minimization requirements established by the Law Enforcement Directive 2016/680, as well as to the training and application of AI models in border control as regulated by the EU’s AI Act.

While data is collected and transferred with or without cloud computing, it does make a difference where data travels, what purposes it serves, and how it is protected. From a data justice perspective, the engagement of commercial actors located outside the EU needs to be called into question. Even with hyperscalers proposing “on-site” data centers designed to prevent data from leaving the EU premises, legal questions with respect to the CLOUD Act and accountability persist, while people on the move retain little control over their data amid expanding use of AI in border control.

To address the risks associated with the EU’s reliance on hyperscalers, the regional body must pursue a three-pronged approach.

First, the EU should reassess its dependencies and, especially for security purposes, foster local cloud solutions. Here, evidence-based policy entails data collection and analysis on international trade of digital goods and services, e.g., building on indices of digital dependence. While hyperscalers such as AWS have offered localized solutions, policymakers should thoroughly assess the extent to which these solutions actually decrease dependencies. This also includes the assessment of encryption key management solutions that give entities different levels of data control. As of January 2026, the EU Commission proposed a revision of the Cybersecurity Act that would phase out foreign providers in critical use cases. In this regard, supply chain analyses help to identify “chokepoints” caused by high digital dependency on suppliers of both hard and software.

Second, considering the marketization of border control, EU policymakers need to pay attention to the risk of vendor lock-in and support the development of free, open-source solutions. More recently, Austria has started an initiative to foster the European open-source ecosystem. Considering short- and mid-term costs that arise in the adoption of local solutions, the private sector needs to be incentivized, both when it comes to research and development as well as when switching from a (cheaper) hyperscaler provider to a local supplier. Considering the proposal of the Cloud and AI Development Act, public procurement and energy policies also become crucial areas that determine local businesses’ competitiveness. Thereby, taxpayers’ money needs to be spent in a sensitive manner and communicated plausibly.

Third, security professionals, including applied researchers in border control projects, should increase awareness of the safety-critical nature of scenarios in border control and follow socio-technical design approaches. The application of cloud computing in contexts such as cargo screening may have a less immediate impact on human lives than coastal border control, for example. Regarding the latter, a context-sensitive approach to design and development that includes the assessment of legal, organizational, and ethical institutions and rules is necessary. With the EU’s approach to trustworthy, human-centric AI, socio-technical design approaches allow us to go beyond branding in that they consider the sociopolitical environment.

Conclusion

Hyperscalers play an active role in today’s geopolitics. This includes their engagement with border control for the sake of national security. Considering the different actors who interact with commercial clouds—EU policymakers, security professionals, and border-crossing individuals—three policy implications for cloud computing in border control emerge. Technology should ultimately benefit society. In an interconnected and ever-changing world, tech governance needs to be continuously attuned to steer the impact of technology, especially in security-critical domains.

. . .

Stefka Schmid is a postdoctoral researcher at the Digital Economic Security Lab (DIESL) at Aalto University, Finland. She currently studies the geopolitics of cloud computing, with a particular focus on the relationship between states and hyperscalers. Her prior work also includes analyses of governmental visions of AI as well as human-computer interaction in crisis scenarios.

Image Credit: Data Center by ESO, CC BY 4.0, via Wikimedia Commons