Hacker News

masfuerte today at 12:45 PM (7 replies)

The actual risk is that US spooks can use these hardware features to infiltrate European clouds. It's not just a theoretical concern about hardware sovereignty.


Replies

traceroute66 today at 12:54 PM

> The actual risk is that US spooks can use these hardware features to infiltrate European clouds.

If your threat model is clandestine government actors then I think it would be a rather odd decision to host on ANY cloud!

The main risk for most people is being subject to US CLOUD Act, US PATRIOT Act etc. etc. Which, despite what the sales-droids will tell you, still applies in the fake-EU clouds operated by the US providers.

If you are serious about EU data sovereignty then you absolutely want an EU OpCo that has nothing whatsoever to do with any US company. If OpCo has ties to a US company or IS a US company such as AWS or Microsoft, then you've lost the EU jurisdiction.

Spooky23 today at 12:52 PM

That’s a risk, but for most cases likely not the most material up front risk - there’s a million ways for the spooks to enter the building.

TBH, all of these entities are likely actively penetrated by US, Israeli and Russian human assets. You don’t need esoteric knowledge of CPU flaws or whatever if the dude holding the keys works for you.

brookst today at 1:57 PM

A risk, but not remotely the same risk or same severity of risk as hosting data in US clouds.

adjejmxbdjdn today at 12:59 PM

It’s not. It’s a real concern.

But they are two different things.

You can’t solve all problems at once.

It’s reasonable to start by solving the problems which provide the best improvement for the lowest effort and risk.

Prioritizing data sovereignty as the OP has done well naming it, seems like a good trade off to me.

moses-palmer today at 12:54 PM

Well, to be fair, then it's precisely a theoretical concern about hardware sovereignty.

embedding-shape today at 12:48 PM

Is this an actual risk? If I buy an Intel/AMD CPU today and chuck it into this "European cloud" I'm running, how exactly will that be used to infiltrate this cloud?

AFAIK, there is absolutely zero evidence either Intel or AMD CPUs are compromised, even less so that they're somehow remotely accessible by the US government...

PaulHoule today at 12:59 PM

Or any other country. It is not like you can keep that genie inside the bottle.