US-EAST-1 Outage: Europe's Digital Backbone Exposed and GDPR Under Scrutiny

Cloud Computing & Compliance

A 2025 AWS US-EAST-1 outage crippled European digital services, exposing critical dependencies on US infrastructure and raising serious questions about GDPR compliance and data sovereignty.

By Alexius Dionysius Diakogiannis on October 24, 2025

The AWS US-EAST-1 outage of October 20, 2025, served as a stark reminder of Europe's opaque and critical reliance on Amazon's data center infrastructure in Virginia, USA. A DNS issue originating in the United States cascaded globally, disrupting authentication and service management systems, plunging European banks, national agencies, and healthcare providers into darkness. This widespread disruption affected hundreds of companies and millions of users, highlighting not only vulnerabilities in technical resilience but also significant questions regarding transparency and GDPR compliance. Many EU companies, despite believing their IT operations and data were confined to European regions, discovered hidden architectural dependencies on US-EAST-1, leading to both service outages and unforeseen legal exposure. Crucially, end-users are seldom aware when their data, or the commands affecting it, cross international borders.

This article delves into the technical specifics of the October 2025 AWS outage, pinpointing the European entities and sectors most severely impacted. It scrutinizes the transparency and compliance shortcomings that allowed a US-centric incident to cripple services across the EU. Furthermore, it explores the implications under Schrems II, uncovers weaknesses in AWS’s terms of service for European clients, and urges European CIOs and regulators to demand more robust guarantees to prevent future disruptions that threaten both business continuity and fundamental data protections.

What Happened in US-EAST-1, October 2025?

Just after midnight US Pacific Time, the AWS US-EAST-1 region suffered a critical failure related to DNS resolution for DynamoDB API endpoints. Although initially attributed to a technical update corrupting DNS records, the faulty configuration's ripple effect extended far beyond a single database cluster. AWS engineers swiftly entered incident response mode, deploying patches and throttling operations for key services like EC2, SQS, and Lambda. However, relentless client retries overwhelmed internal networks, leading to jammed queues and backlogs across the interdependent stack. It took over seven hours for most status dashboards to report "operational" again, leaving hundreds of millions of users globally with partial or complete outages.

Anatomy of Catastrophe

AWS typically promotes its regions as isolated units, each boasting independent infrastructure and redundancy. Yet, a critical vulnerability lies in global AWS services such as Identity and Access Management (IAM), CloudFront, Route53, Lambda@Edge, and Certificate Manager. These services, which are fundamental to cloud operations, depend on centralized control-plane endpoints, predominantly rooted in US-EAST-1. Consequently, when these core management, authentication, or API orchestration services fail, so do all dependent workloads, irrespective of whether a company's primary data and compute resources are hosted in other regions.

Why a US Outage Grounded European Digital Life

The AWS incident served as a rude awakening for European companies and agencies operating in EU regions like eu-west-1 (Ireland) or eu-central-1 (Frankfurt), who mistakenly believed their systems were isolated. A significant number of core platform control-plane services—especially those governing authentication, permissions management, and certain orchestration tasks—are centralized in Virginia. This means that crucial operations, from initiating a new instance to updating user permissions, implicitly rely on US-EAST-1. Even in scenarios where no primary data resides in the US, these architectural dependencies and “global” API calls route through American servers.

During the outage, severe disruptions were reported by banks across the UK, Netherlands, Belgium, and Germany. National agencies, including the UK's HM Revenue & Customs (HMRC), and even the European Commission's digital platforms, experienced outages or severe performance degradation.

Real-World Impact Examples:

  • Banking: Lloyds Bank, Bank of Scotland, various fintech trading platforms, and the UK’s tax and payments authority all ceased operations, exposing direct risks to critical national financial infrastructure.
  • Healthcare: Hospitals and clinics faced loss of access to digital patient records, directly impacting patient care and critical medical operations.
  • Government: HMRC, the European Commission, and other public sector entities dependent on AWS for communications and workflows reported widespread disruptions, with EU institution service portals becoming dysfunctional by mid-morning.
  • Automotive Manufacturing: Major Original Equipment Manufacturers (OEMs) utilizing cloud-based supply chain and production management systems were idled, demonstrating the outage's reach beyond consumer applications to essential industrial infrastructure.
  • Other Sectors: Popular messaging apps (WhatsApp, Signal, Snapchat), gaming platforms, e-commerce sites, and airline operations also reported failures.

European Sectors Hit Hardest

Europe’s dependence on cloud services is far more profound than generally understood by citizens or policymakers. Key sectors such as financial services (e.g., Barclays, Lloyds, HSBC), e-government (including HMRC and Parliament tools), healthcare providers (like NHS digital health records and hospital systems), and telecoms (such as Vodafone, BT) all reported significant impacts. The disruption extended beyond public-facing digital services, crippling vital backend operations crucial for regulatory, health, and commercial infrastructure.

Particular areas of concern included:

  • Banks and Financial Markets: Transactional platforms ceased functioning, impacting trading desks, digital payments, and online banking applications during active global market hours.
  • Health and Emergency Systems: Access to critical patient records and system authentication was blocked, posing direct risks to patient safety and emergency response coordination.
  • National Revenue Authorities: Government tax, customs, and payments operations were shut down or rendered unavailable, exposing societies to far greater risks than typical consumer service downtime.

Given that these sectors process and store highly sensitive personal information, their reliance on cross-Atlantic services—and by extension, US legal oversight—raises profound security and legal concerns.

GDPR and the Cloud: The Unknowns for Users and Companies

The General Data Protection Regulation (GDPR) unequivocally mandates that European data must be protected with respect to security, integrity, and, critically, transparency regarding its processing location and methods. However, AWS's architectural decisions—often compounded by developers' unfamiliarity with the fine print—mean that EU-hosted workloads might still silently route user commands or backup data through US-EAST-1. Many organizations inadvertently centralize critical permission and orchestration functions in the United States by leaving SDKs and toolkits configured to the default US-EAST-1 region. Consequently, end-users are rarely informed when their personal data, or operations impacting it, cross US borders or rely on US-based control infrastructure.

As one HMRC staff member commented, "When a service needs to refresh or obtain their permissions, IAM is queried. Hence, the more global outage."

Transparency and Notification Failures

AWS asserts that customer data remains within the customer-specified region, unless required for operations, troubleshooting, or legal compliance. Yet, AWS’s terms do not mandate prior notification to either end-users or even account holders about cross-region dependencies for control-plane operations or failover events, unless explicit multi-region replication or legal compulsion is involved. This significant lack of transparency directly conflicts with GDPR’s stipulations for providing clear information to data subjects about the processing location and methodology of their data, particularly when services implicitly rely on US-based resources for authentication, access control, or system management.

What is Schrems II?

Schrems II denotes the landmark 2020 ruling by the Court of Justice of the European Union (CJEU) that invalidated the EU-US Privacy Shield, thereby rendering it an unlawful mechanism for transferring personal data from the EU to the US. While the ruling upheld the use of Standard Contractual Clauses (SCCs), it stipulated that these clauses are only valid if accompanied by supplementary measures robust enough to protect EU data from US government surveillance and meet the stringent privacy standards set by the GDPR.

Implications for the Outage

Like other hyperscale cloud providers, AWS now depends on SCCs and additional technical and contractual safeguards for transatlantic data transfers. However, as guidance from various Data Protection Authorities (DPAs) underscores, achieving genuine Schrems II compliance becomes challenging when a core component, such as the control plane for IAM or DynamoDB, is both architecturally and legally situated in the US, making it subject to US surveillance laws like FISA. Even with AWS’s offerings of encryption and "bring your own key" (BYOK) options, DPA investigations have repeatedly warned of the risk that US-based personnel or government authorities could compel data disclosure. This risk persists even for data that is nominally confined "within Europe" but is implicated in cross-region operations or logging metadata.

Numerous DPAs have issued advisories on the risks associated with cloud providers and are actively investigating, particularly concerning critical infrastructure and sensitive public-sector contracts. The European Data Protection Supervisor (EDPS) has even initiated specific proceedings regarding the "Cloud II" contracts between EU authorities and major providers like AWS and Microsoft.

AWS Agreements and Regional Dependence

Fine Print and "Region" Myths

AWS’s Customer Agreement and Service Terms outline commitments to retain customer content within selected regions, but these are accompanied by broad exceptions. These exceptions cover scenarios where AWS must maintain or troubleshoot services, comply with legal requirements, or support global features such as account management and IAM control.

For example, the Amazon Compute SLA guarantees 99.99% availability per region for EC2 when workloads are spread across availability zones. However, this guarantee does not account for failures in global services like IAM. While credits may be offered for outages falling below the promised threshold, customers found that the true systemic risk stems not from localized "regional" failures, but from the concealed centralization of global control planes within US-EAST-1.

As widely acknowledged, "Some AWS features (for example global account-management, IAM, some control APIs, or even replication endpoints) are served from US-EAST-1, even if you’re running workloads in Europe. If those services go down or become very slow, even European workloads may be impacted."

What the Data Processing Addendum and Service Agreements Say

The AWS Data Processing Addendum (DPA), which is incorporated by reference into the AWS Service Terms, includes Standard Contractual Clauses (SCCs). However, it explicitly permits AWS to transfer data or metadata as required for maintaining global account services, even under contracts designed for EU-only operations. Critically, the DPA does not mandate explicit user notification when such routing occurs, despite GDPR’s stringent requirements for informing data subjects. The reality is that most "Global" features—including IAM, CloudFront, and Lambda@Edge—are inherently dependent on US-EAST-1, a fact often not fully disclosed to end customers or even to DevOps teams within EU corporations.

Transparency Failures and Hidden Data Transfers

Notwithstanding the assurances of "local" cloud regions, the technical reality of AWS’s architecture means that a misconfiguration or failure in a US region can disrupt systems operating exclusively in Europe. The control plane, responsible for managing identities, permissions, and configuration state, acts as a single point of global failure present in almost every European deployment. This holds true with the notable exception of the newly announced European Sovereign Cloud, which, as of October 2025, remains largely unavailable for most workloads.

This situation leaves European customers, particularly those in privacy-sensitive sectors such as finance, healthcare, and government, unable to independently verify how frequently their operations or metadata cross international borders. The sheer scale and inherent opacity of AWS’s metadata handling, debugging processes, and platform event logging render it virtually impossible for regulated companies to definitively prove (or disprove) that personal data remained entirely within European jurisdiction during an incident or failover.

The Single Point of Global Failure: IAM

IAM (Identity and Access Management) forms the critical core of AWS’s global architecture. Even when attempting to create backup roles or modify policies within a European region, the logical "source of truth" and crucial change-management APIs are firmly rooted in US-EAST-1. During the October 2025 outage, companies with operations exclusively in EU regions discovered they were unable to authenticate sessions, launch failover instances, or update access policies—all because the IAM control plane in Virginia was unreachable.

Is "Cloud" Just Another Person's Computer?

This outage unequivocally demonstrated the adage that "the cloud is just another person’s computer." More specifically, it highlighted that this computer often resides in another country, governed by distinct priorities, legal frameworks, and business objectives. European organizations license stability from AWS, yet the fundamental physical and management control remains with a corporation subject to US law and its own commercial interests. The widespread disruption was a direct consequence of this transfer of control, exposing the legal ambiguities of GDPR compliance when a third party, operating across the Atlantic, holds the technical reins.

What CIOs Should Do Now: An Action Checklist

In light of these revelations, European CIOs and IT leaders must take immediate action to mitigate future risks and ensure compliance:

  • Map Control-Plane Dependencies: Thoroughly identify and document all dependencies for control-plane services within AWS workloads.
  • Challenge "Regional" Assumptions: Dispel the misconception that "regional" automatically implies "sovereign" or isolated from global dependencies.
  • Review and Configure Core Services: Scrutinize all IAM, Route53, Certificate Manager, and Lambda@Edge configurations for default cross-region settings. Explicitly define and enforce regional access for all core services wherever feasible.
  • Examine Contracts and DPA: Conduct a meticulous review of all AWS contracts and the Data Processing Addendum (DPA), particularly for critical workloads. Seek legal counsel regarding the implications of technical and contractual exceptions that permit metadata or operational transfers.
  • Perform Technical Due Diligence: Verify whether essential operational commands can be executed, and redundancy maintained, without relying on cross-region dependencies.
  • Demand Transparency from AWS: Insist that AWS provide clear information about which services incorporate control-plane components in other regions, and advocate for roadmaps that prioritize the localization of these functions within Europe.
  • Consult DPA and EDPS Guidance: Stay informed on national DPA and European Data Protection Supervisor (EDPS) guidance. Prepare for potential regulatory actions if compliance with Schrems II or GDPR data locality requirements cannot be guaranteed during either outages or routine operations.
  • Test Disaster Recovery Scenarios: Rigorously test and drill failover and disaster recovery plans, including scenarios where global authentication and naming services originating from US-EAST-1 become unavailable.
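One way to start on the "Map Control-Plane Dependencies" and "Perform Technical Due Diligence" items above, and to catch SDKs left on the default US-EAST-1 region, is to triage CloudTrail records by service and region. The following is an added example, not code from the article or from AWS; it assumes the standard CloudTrail field names and that eu-west-1 and eu-central-1 are the only permitted regions for the workload.

```python
"""Triage CloudTrail events for hidden US-EAST-1 control-plane dependencies.
Added example, not part of the original article or any AWS tool. It assumes
standard CloudTrail record fields (eventSource, awsRegion, eventName) and a
policy that the workload is supposed to be EU-only.
"""
import json
from collections import Counter

# Global services the article names as rooted in US-EAST-1, keyed by the
# standard CloudTrail eventSource identifier for each service.
GLOBAL_CONTROL_PLANE = {
    "iam.amazonaws.com": "IAM",
    "cloudfront.amazonaws.com": "CloudFront",
    "route53.amazonaws.com": "Route53",
    "acm.amazonaws.com": "Certificate Manager",
}

ALLOWED_REGIONS = {"eu-west-1", "eu-central-1"}  # assumed EU-only policy


def classify_event(event: dict) -> str:
    """Return 'global', 'out_of_region' or 'local' for one CloudTrail record."""
    source = event.get("eventSource", "")
    if source in GLOBAL_CONTROL_PLANE:
        return "global"          # control plane served from US-EAST-1
    if event.get("awsRegion", "") not in ALLOWED_REGIONS:
        return "out_of_region"   # regional API call that left the EU anyway
    return "local"


def dependency_report(records) -> dict:
    """Count records per class and list the concrete global-service calls and
    out-of-region endpoints the workload actually depends on."""
    counts, global_calls, out_of_region = Counter(), Counter(), Counter()
    for ev in records:
        cls = classify_event(ev)
        counts[cls] += 1
        if cls == "global":
            svc = GLOBAL_CONTROL_PLANE[ev["eventSource"]]
            global_calls[f"{svc}:{ev['eventName']}"] += 1
        elif cls == "out_of_region":
            out_of_region[f"{ev['eventSource']}:{ev['awsRegion']}"] += 1
    return {"counts": dict(counts), "global_calls": dict(global_calls),
            "out_of_region": dict(out_of_region)}


# Constructed sample records (not real log data), trimmed to the fields used.
SAMPLE_TRAIL = json.loads("""[
 {"eventSource": "iam.amazonaws.com", "awsRegion": "us-east-1",
  "eventName": "UpdateAssumeRolePolicy"},
 {"eventSource": "ec2.amazonaws.com", "awsRegion": "eu-central-1",
  "eventName": "RunInstances"},
 {"eventSource": "dynamodb.amazonaws.com", "awsRegion": "us-east-1",
  "eventName": "DescribeTable"},
 {"eventSource": "acm.amazonaws.com", "awsRegion": "us-east-1",
  "eventName": "RequestCertificate"}
]""")

if __name__ == "__main__":
    print(json.dumps(dependency_report(SAMPLE_TRAIL), indent=2))
```

The "out_of_region" bucket is where a misconfigured SDK default shows up (here a DynamoDB call against us-east-1 from an EU-only workload), while the "global" bucket lists the control-plane operations that would stall during an outage like the one described.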

DPA and Regulatory Reactions

Official and Sector Guidance

European Data Protection Authorities (DPAs), spearheaded by the European Data Protection Supervisor (EDPS), have already initiated investigations into the implications of "Cloud II" style contracts and the sufficiency of supplementary measures offered by AWS post-Schrems II. The emerging consensus is clear: while encryption and key management provide some safeguards, genuine compliance remains questionable if US-based corporate entities possess technical or legal access to operational metadata, or even encrypted customer content. National DPAs are intensifying their scrutiny and may introduce additional requirements or restrict cloud usage for sensitive sectors, including public administration, critical infrastructure, and healthcare.

These pivotal issues continue to be high on the political agenda in Brussels. The intertwined concepts of sovereignty, transparency, and technical resilience are under active debate as European leaders strive to ensure that future outages do not surreptitiously bring European digital life, or personal data, under American jurisdiction.

Conclusion

Europe’s pervasive reliance on the US-based AWS US-EAST-1 region has been exposed not merely as a technical vulnerability, but as a complex legal and compliance quagmire. Outages are no longer isolated incidents; they are global events with far-reaching regulatory and reputational repercussions. The tragic reality is that most end-users, and indeed many corporate clients, remain largely oblivious to the true complexity and inherent risks lurking beneath the cloud’s seemingly benign surface.

Until the fundamental architecture of the internet evolves, or European policymakers successfully champion and enforce digital sovereignty, the sobering lesson endures: when you operate in the cloud, you are essentially renting someone else’s computer, and sometimes that computer is an ocean away. True transparency, genuine regional independence for control services, and stringent contractual guarantees are the only path to harmonizing the immense power of cloud computing with the vital promises of GDPR.


Author's Note:

This article provides a technical and legal review based on published AWS statements, industry reports, and European regulatory analyses. Technical diagrams and system architecture flowcharts are available upon request.

Alexius Dionysius Diakogiannis is a Senior Java Solutions Architect and Squad Lead at the European Investment Bank. With over 20 years of experience in Java/JEE development, his expertise lies in enterprise architecture, security, and performance optimization across a wide array of technologies, including Spring, Hibernate, and JakartaEE.

A certified Scrum Master, Alexius is passionate about agile development and is an experienced trainer and speaker, having presented at numerous conferences and meetups. In his current role, he leads a development team building mission-critical applications, focusing on architectural design, performance, and security.

Passionate Archer, Runner, Linux lover and JAVA Geek! That's about everything!