Swedish military rejects US clouds, secrecy rules collide with American law, procurement shifts toward domestic hosting
- An internal report circulating among Swedish security authorities describes encrypted US cloud services as a “false sense of security” for classified data.
- The concern is not only hacking but American legislation that can compel US companies to hand over information.
- The Swedish Armed Forces and the Defence Materiel Administration are among the agencies cited as ruling out such services for secret material.
- The dispute is likely to steer more procurement toward Swedish or European providers that fall outside US jurisdiction.
Sweden’s armed forces are rejecting cloud services from Google, Amazon and Microsoft for secret information, after an internal assessment concluded that the companies’ encrypted offerings still leave the data exposed to American legal demands. In a report first described by SVT Nyheter, Swedish security officials call the promise of protection a “false sense of security” when the provider remains subject to US law.
The immediate issue is classified material, not ordinary office software. According to SVT, both the Swedish Armed Forces and the Swedish Defence Materiel Administration, FMV, have taken the position that secret information cannot be placed in the public cloud services offered by the American giants. The report circulating among security authorities points to the same problem that has shadowed European public-sector IT procurement for years: encryption protects data against outsiders, but not against a provider that can be ordered by its home state to assist. If the company is American, the legal reach is American too, even when the data centre stands in Sweden or elsewhere in Europe.
That distinction matters beyond the military. Swedish agencies have spent years moving email, archives, case handling and storage into outsourced environments sold as cheaper, faster and easier to scale than systems run in-house. For unclassified workloads, that trade-off has often been accepted. For secret material, the calculation changes. A state that stores sensitive defence or security information with a foreign provider is not only buying computing capacity; it is importing another country’s legal system into its own records management.
SVT reports that the assessment has been circulating among several Swedish security authorities, which suggests the question reaches further than one procurement dispute. The agencies most exposed are those handling defence planning, intelligence-adjacent material, critical infrastructure or protected personal data. The dilemma is familiar across Europe: local officials are told the data is encrypted, partitioned and geographically stored nearby, while the contract still sits with a corporation that can be compelled from Seattle, Redmond or Mountain View.
The alternatives are less glamorous and usually more expensive. Sweden has domestic data-centre operators and defence-sector suppliers that can host sensitive systems under Swedish jurisdiction, and there are European cloud initiatives marketed as sovereign options. They lack the scale and convenience of the American platforms, but they also lack the same legal vulnerability. That changes procurement arithmetic. The extra cost of domestic or Nordic hosting buys something the global vendors cannot sell to a defence ministry: a shorter chain of command and fewer foreign hands on the switch.
For years, cloud procurement was sold as a technical upgrade. The report described by SVT turns it back into a state-power question. The servers may be in Europe, the contract may be in Swedish, and the login page may carry a crown logo; the company answering the subpoena is still American.
Sources: SVT Nyheter