Data Sovereignty in the EU: What Every Company Must Know (2026)
March 28, 2026
24 min read
Data Protection
Data sovereignty is the principle that data is subject to the laws and governance of the country or jurisdiction where it is collected or stored. In the EU context, data sovereignty means that personal data of EU residents must be processed in compliance with GDPR and related regulations, regardless of where the processing organisation is located.
Key Takeaways
EU data sovereignty is enforced through a layered framework: GDPR, the Data Act, the Data Governance Act, NIS2, DORA, and the AI Act each impose distinct requirements on where and how data may be processed.
The Schrems II ruling (C-311/18) fundamentally changed international data transfers, requiring organisations to verify that destination countries provide protection essentially equivalent to EU law.
The EU-US Data Privacy Framework (DPF) restores a legal pathway for US transfers, but faces ongoing legal challenges and could be invalidated (a potential "Schrems III" scenario).
Data sovereignty is not the same as data localization. You can process EU data outside the EU if adequate legal safeguards are in place, but the trend is unmistakably toward stricter controls.
Major cloud providers now offer EU-sovereign cloud environments, but feature parity, cost, and contractual terms vary significantly.
Organisations that combine contractual controls, encryption with EU-held keys, and data mapping are best positioned to meet current requirements and adapt to future regulatory changes.
Penalties for non-compliant international transfers reach EUR 20 million or 4% of global annual turnover, whichever is higher, under GDPR Article 83(5), with additional sanctions under NIS2 and DORA.
Quick Reference
What is data sovereignty? The principle that data is governed by the laws of the jurisdiction where it is collected or stored.
Key EU regulations: GDPR (2016/679), Data Governance Act (2022/868), Data Act (2023/2854), ePrivacy Directive (2002/58/EC), AI Act (2024/1689).
Primary GDPR articles: Articles 44-49 (international transfers), Article 3 (territorial scope), Article 32 (security of processing).
Adequacy decisions: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, Uruguay, and the US (DPF-certified recipients only).
Maximum penalty: EUR 20 million or 4% of global annual turnover, whichever is higher (GDPR Article 83).
Key case law: Schrems I (C-362/14), Schrems II (C-311/18), Meta EUR 1.2 billion fine (2023).
Data sovereignty refers to the concept that data is subject to the laws, regulations, and governance structures of the jurisdiction in which it is collected, processed, or stored. For organisations operating in or serving the European Union, this means that personal data relating to individuals in the EU must be handled in full compliance with the GDPR and the broader EU regulatory ecosystem, irrespective of where the organisation is headquartered or where its infrastructure is physically located.
The concept has deep roots in national sovereignty principles. Just as a nation exercises authority over people and property within its borders, data sovereignty extends that authority to information. In the digital economy, where data crosses borders in milliseconds, this principle creates a complex legal landscape that every multinational organisation must navigate.
Data sovereignty encompasses three core dimensions:
Legal jurisdiction: which country's laws govern the data
Access control: who can compel disclosure of the data (including foreign governments)
Processing governance: what rules apply to how the data is used, stored, and transferred
Why does data sovereignty matter for non-EU companies? Under GDPR Article 3, any organisation that offers goods or services to EU individuals or monitors their behaviour is subject to EU data protection law. This means a US SaaS company with EU customers must comply with EU data sovereignty requirements even if it has no physical presence in Europe. See our GDPR for US Companies guide for a detailed analysis of extraterritorial scope.
Data Sovereignty vs Data Residency vs Data Localization
These three terms are frequently confused but describe distinct concepts. Understanding the differences is essential for making informed infrastructure and compliance decisions.
Data sovereignty. Definition: data is subject to the laws of the jurisdiction where it is collected or stored. Legal requirement: yes (enforced by GDPR, national laws, and sectoral regulations). Example: EU personal data processed by a US cloud provider must still comply with GDPR.
Data residency. Definition: data is stored in a specific geographic location, typically chosen by the organisation. Legal requirement: usually contractual, not always legally mandated. Example: a company contractually requires its cloud provider to store data in the EU (Frankfurt region).
Data localization. Definition: data must remain within the borders of a specific country or region and cannot be transferred out. Legal requirement: yes (mandated by specific national or sectoral laws). Example: Russia's Federal Law No. 242-FZ requires personal data of Russian citizens to be stored on servers located in Russia.
Key Distinctions
Data sovereignty does not require data localization. Under GDPR, you can transfer EU personal data to a third country if you use an approved transfer mechanism (adequacy decision, SCCs, BCRs, or a derogation). The data leaves the EU, but EU law continues to govern it. This is sovereignty without localization.
Data residency is a business decision, not always a legal one. Many organisations choose to keep data in the EU for practical reasons (latency, customer trust, risk reduction) even when the law does not strictly require it. However, certain sectoral regulations do mandate residency for specific data types.
Data localization is the strictest approach. Some countries and sectors require data to physically remain within defined borders. The EU generally does not mandate blanket data localization, but the trend toward sovereign cloud solutions and the increasing complexity of transfer mechanisms have made EU data residency the de facto standard for many organisations.
The EU Data Sovereignty Framework
EU data sovereignty is not governed by a single law. It is enforced through an interconnected web of regulations, each addressing a different dimension of how data must be handled.
GDPR (Regulation 2016/679)
The foundation of EU data sovereignty. Chapter V (Articles 44-49) restricts transfers of personal data to third countries unless specific conditions are met. Article 3 establishes the extraterritorial scope that extends GDPR's reach to any organisation worldwide that processes EU personal data.
Data Governance Act (Regulation 2022/868)
Effective since September 2023, the DGA establishes conditions for the re-use of public sector data, creates a framework for data intermediaries, and introduces rules for data altruism organisations. It reinforces data sovereignty by requiring that public sector data re-use respects EU legal protections and that data intermediary services maintain neutrality.
Data Act (Regulation 2023/2854)
Applicable since 12 September 2025, the Data Act addresses access to and use of data generated by connected products and related services. Two parts matter for data sovereignty. Article 32 (numbered Article 27 in the Commission's proposal, which is why older material cites that number) requires providers of data processing services to take all reasonable technical, organisational and legal measures to prevent international governmental access to, or transfer of, non-personal data held in the EU where that access would conflict with EU or member state law. Articles 23-31 oblige providers to let customers switch between data processing services and port their data without unreasonable barriers.
ePrivacy Directive (2002/58/EC)
Complements GDPR by specifically addressing confidentiality of electronic communications, cookie consent, and direct marketing. The long-awaited ePrivacy Regulation (intended to replace the Directive) remains in legislative process, but the existing Directive continues to impose requirements on electronic communications data.
EU Cloud Code of Conduct
The EU Cloud Code of Conduct (approved by the Belgian DPA under GDPR Article 40) provides a transparency framework for cloud service providers demonstrating GDPR compliance. While voluntary, it serves as a practical tool for evaluating cloud providers' data sovereignty capabilities and has been adopted by major providers including Google Cloud, Oracle, SAP, and IBM.
AI Act (Regulation 2024/1689)
The AI Act introduces data governance requirements for high-risk AI systems. Article 10 requires that training, validation, and testing datasets are subject to appropriate data governance practices, including examination for biases. Where these datasets contain personal data of EU individuals, GDPR data sovereignty requirements apply in full, creating a dual compliance obligation for organisations developing or deploying AI systems.
Why Data Sovereignty Matters Now
Data sovereignty has moved from a technical compliance topic to a strategic business concern. Several converging forces have elevated its urgency.
The Schrems II Aftermath
The Court of Justice of the EU's July 2020 ruling in Schrems II (Case C-311/18) invalidated the EU-US Privacy Shield and imposed strict new conditions on Standard Contractual Clauses. The court found that US surveillance laws (particularly Section 702 of FISA and Executive Order 12333) did not provide protection essentially equivalent to EU fundamental rights.
The practical impact was seismic. Organisations could no longer rely on Privacy Shield for US transfers, and every SCC-based transfer to the US now required a Transfer Impact Assessment (TIA) evaluating whether US law undermined the protections in the SCCs. Meta's EUR 1.2 billion fine in May 2023 for continued US data transfers without adequate safeguards demonstrated that enforcement was real and at scale.
US CLOUD Act Conflicts
The Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018 allows US law enforcement to compel US-based technology companies to produce data stored anywhere in the world. This creates a direct conflict with GDPR Article 48, which states that decisions by foreign courts or administrative authorities requiring data transfers are not recognised or enforceable unless based on an international agreement.
This conflict means that a US cloud provider storing EU data in a Frankfurt data centre could face contradictory legal obligations: US law requiring disclosure and EU law prohibiting it. For organisations evaluating data sovereignty risk, this jurisdictional tension is a primary driver of interest in EU-headquartered cloud providers.
Geopolitical Tensions and Digital Sovereignty
The European Commission's 2020 Digital Strategy and the subsequent European Data Strategy explicitly frame data sovereignty as a matter of European strategic autonomy. Initiatives like Gaia-X (a federated data infrastructure for Europe) and the push for European cloud providers reflect a political commitment to reducing dependence on non-EU technology companies for critical data infrastructure.
Geopolitical developments, including trade tensions, sanctions regimes, and the evolving US political landscape, have reinforced the perception that reliance on non-EU infrastructure introduces risks that are political as well as legal.
AI Act Data Requirements
The AI Act's data governance requirements (Article 10) create new data sovereignty considerations. High-risk AI systems must use training data that meets specific quality criteria, and where that data includes EU personal data, all GDPR transfer restrictions apply. Organisations developing AI systems using EU personal data must ensure that their data pipelines, including training environments that may run on global GPU clusters, comply with data sovereignty requirements.
GDPR and International Data Transfers
GDPR Chapter V (Articles 44-49) establishes the rules for transferring personal data outside the EU/EEA. These provisions are the primary legal mechanism through which EU data sovereignty is enforced.
The Transfer Restriction Principle
Article 44 establishes the baseline: personal data may only be transferred to a third country or international organisation if the conditions in Chapter V are met. This applies to any transfer, regardless of the volume of data, the purpose of the transfer, or whether the transfer is a one-time event or ongoing.
Adequacy Decisions (Article 45)
The European Commission can determine that a third country provides an adequate level of data protection essentially equivalent to EU standards. Transfers to adequate countries do not require additional safeguards.
Countries and territories with adequacy decisions (as of March 2026), with the year of the decision and its scope:
Andorra (2010): full
Argentina (2003): full
Canada (2001): commercial organisations subject to PIPEDA only
Faroe Islands (2010): full
Guernsey (2003): full
Israel (2011): full
Isle of Man (2004): full
Japan (2019): full, mutual adequacy
Jersey (2008): full
New Zealand (2013): full
Republic of Korea (2021, Commission Implementing Decision (EU) 2022/254): full
Switzerland (2000): full
United Kingdom (2021): full, subject to a sunset clause originally set for 27 June 2025 (see the note below)
United States (2023): DPF-certified organisations only
Uruguay (2012): full
Important: the 2021 UK adequacy decisions contain a sunset clause that was originally set to lapse on 27 June 2025, so their validity depends on Commission renewal rather than lasting indefinitely. Confirm the current status against the Commission's published list of adequacy decisions before relying on UK adequacy, and keep executed SCCs ready as a contingency. For practical guidance, see our Standard Contractual Clauses guide.
Standard Contractual Clauses (Article 46(2)(c))
SCCs are the most widely used transfer mechanism. The 2021 SCCs (Commission Implementing Decision 2021/914) use a modular structure with four modules matching different transfer scenarios:
Module 1 (controller to controller): an EU retailer sharing customer data with a US marketing partner
Module 2 (controller to processor): an EU company using a US cloud hosting provider
Module 3 (processor to processor): an EU processor sub-contracting to an Indian IT services firm
Module 4 (processor to controller): rare; data returns from an EU processor to a non-EU controller
Since Schrems II, SCCs alone are not sufficient. Organisations must conduct a Transfer Impact Assessment (TIA) for each transfer to evaluate whether the destination country's legal framework undermines the protections provided by the SCCs. If the TIA identifies risks, supplementary measures (technical, organisational, or contractual) must be implemented to fill the gap.
Binding Corporate Rules (Article 47)
BCRs are internal policies approved by EU supervisory authorities that allow multinational groups to transfer personal data internationally within the group. They require significant investment in development and approval (typically 12-24 months) but provide a robust framework for intra-group transfers.
Derogations (Article 49)
Article 49 provides limited exceptions for specific situations:
Explicit consent: the individual explicitly consents after being informed of the risks
Contract necessity: transfer is necessary for a contract with the individual
Important public interest: recognised in EU or member state law
Legal claims: transfer is necessary for establishing, exercising, or defending legal claims
Vital interests: transfer is necessary to protect someone's life
Public register: data from a register intended to be publicly available
Critical limitation: Derogations under Article 49 are intended for occasional, non-repetitive transfers. They cannot be used as a basis for systematic, large-scale, or ongoing transfers. Relying on Article 49 derogations for regular business operations is a common compliance error.
The EU-US Data Privacy Framework
The EU-US Data Privacy Framework (DPF), established by the European Commission's adequacy decision of 10 July 2023, provides a legal mechanism for transferring personal data from the EU to US organisations that self-certify under the framework.
How the DPF Works
Legal basis: Commission Implementing Decision (EU) 2023/1795
Mechanism: US organisations self-certify through the Department of Commerce
Scope: only transfers to DPF-certified organisations
US legal reforms: Executive Order 14086 (7 October 2022) introduced proportionality requirements for US signals intelligence and established the Data Protection Review Court (DPRC)
Oversight: Department of Commerce, FTC, and the DPRC for complaints from EU individuals
The DPF remains in force as of March 2026, but organisations should understand where it is vulnerable:
Legal challenge risk. Privacy advocate Max Schrems and his organisation noyb have publicly indicated their intention to challenge the DPF. The core argument is that Executive Order 14086, while an improvement, does not provide protections equivalent to EU fundamental rights because (a) it can be amended or revoked by a future US president without Congressional approval, and (b) the DPRC is not a judicial body with full independence in the EU constitutional sense.
Political risk. The DPF's foundation rests on a US executive order, not legislation. Changes in US administration could alter the executive order, potentially triggering a reassessment by the European Commission. The 2024 US elections and subsequent policy developments are being closely monitored by EU data protection authorities.
Scope limitation. The DPF only covers transfers to organisations that have self-certified, and a certification covers only the categories of data the organisation elected (HR data, non-HR data, or both). If your US recipient is not certified, or its certification does not cover the data you intend to send, you still need SCCs or another transfer mechanism.
Practical Guidance for Organisations
Verify DPF certification before each transfer by checking the official list at dataprivacyframework.gov
Maintain SCC fallback by having executed SCCs in place with US partners, even if they are DPF-certified, to ensure continuity if the DPF is invalidated
Document your assessment by recording why you consider the DPF adequate for your specific transfer and what contingency measures you have in place
Monitor developments by tracking CJEU cases and European Commission statements regarding DPF validity
Conduct TIAs for non-DPF transfers because any transfer to the US that relies on SCCs (rather than the DPF) still requires a Transfer Impact Assessment
Cloud Providers and Data Sovereignty
The choice of cloud infrastructure is one of the most consequential data sovereignty decisions an organisation makes. Major cloud providers have responded to EU data sovereignty concerns by launching dedicated sovereign cloud offerings, but the details vary significantly.
EU Sovereign Cloud Comparison
AWS, European Sovereign Cloud. Data residency: EU only (planned Germany launch). EU staff only: yes. EU-held encryption keys: yes. EU legal entity: separate EU entity. Key features: physically and logically separate from existing AWS regions; independent EU-operated infrastructure.
Microsoft Azure, EU Data Boundary. Data residency: EU only. EU staff only: yes (for support). EU-held encryption keys: customer-managed keys available. EU legal entity: Microsoft Ireland Operations. Key features: processes EU data within the EU boundary; Azure Confidential Computing for sensitive workloads.
Google Cloud, Sovereign Controls (with T-Systems/Thales). Data residency: EU only. EU staff only: controlled access. EU-held encryption keys: yes (external key management via Thales). EU legal entity: partnerships with EU entities. Key features: Key Access Justifications give visibility into every access request; S3NS joint venture with Thales in France.
OVHcloud, native EU provider. Data residency: EU only. EU staff only: yes. EU-held encryption keys: yes. EU legal entity: French-headquartered. Key features: SecNumCloud-qualified; no exposure to non-EU jurisdictional claims; reversible and interoperable by design.
Hetzner, native EU provider. Data residency: EU (Germany, Finland). EU staff only: yes. EU-held encryption keys: customer-managed. EU legal entity: German-headquartered. Key features: cost-effective; no US parent company; GDPR-native infrastructure.
IONOS, native EU provider. Data residency: EU (Germany, Spain), plus UK sites outside the EU. EU staff only: yes. EU-held encryption keys: customer-managed. EU legal entity: German-headquartered (United Internet AG). Key features: BSI C5 certified; strong German data protection heritage.
Scaleway, native EU provider. Data residency: EU (France, Netherlands, Poland). EU staff only: yes. EU-held encryption keys: customer-managed. EU legal entity: French-headquartered (Iliad Group). Key features: part of the Gaia-X initiative; reversible cloud commitment.
Key Evaluation Criteria
When assessing cloud providers for data sovereignty, consider these factors:
Parent company jurisdiction: Is the provider subject to the US CLOUD Act, Chinese National Intelligence Law, or similar extraterritorial access laws?
Encryption key control: Can you hold encryption keys outside the provider's access? Are keys stored in EU-based hardware security modules (HSMs)?
Staff access controls: Can support and operations staff outside the EU access your data? Under what conditions?
Contractual commitments: Does the provider contractually commit to challenging non-EU government access requests and notifying you?
Certification and audit: Does the provider hold relevant certifications (ISO 27001, SOC 2, BSI C5, SecNumCloud)?
Data portability: can you extract your data and migrate to another provider without unreasonable cost or technical barriers? (The Data Act's switching provisions, Articles 23-31, have applied since 12 September 2025.)
Feature parity: Do sovereign configurations offer the same services, performance, and innovation velocity as non-sovereign offerings?
Practical consideration: EU-native providers (OVHcloud, Hetzner, IONOS, Scaleway) eliminate the jurisdictional risk from non-EU parent companies entirely, but may offer fewer advanced services (particularly in AI/ML) compared to AWS, Azure, or Google Cloud. Many organisations adopt a hybrid approach: EU-native providers for sensitive and regulated data, hyperscalers for non-sensitive workloads where advanced capabilities are needed.
Data Sovereignty Requirements by Regulation
Different EU regulations impose different data sovereignty obligations. This table summarises what each regulation requires regarding data location, processing, and transfer.
GDPR (2016/679). Data location: no mandatory EU localization, but transfers to third countries require legal safeguards. Transfer restrictions: Articles 44-49 (adequacy, SCCs, BCRs, or derogations). Key provisions: Chapter V governs all international transfers; a TIA is required for SCC-based transfers post-Schrems II. Penalties: EUR 20M or 4% of global turnover, whichever is higher.
NIS2 (2022/2555). Data location: incident reporting and risk management data should be accessible to EU authorities. Transfer restrictions: essential and important entities must ensure supply chain security, including data processing arrangements. Key provisions: Article 21 (risk management measures); Article 23 (incident reporting to national CSIRTs). Penalties: EUR 10M or 2% of turnover for essential entities; EUR 7M or 1.4% for important entities.
DORA (2022/2554). Data location: ICT third-party service providers must ensure data is accessible for regulatory oversight; critical providers must have an EU presence. Transfer restrictions: financial entities must ensure contractual arrangements address data location and access. Key provisions: Articles 28, 30 and 31 (see Financial Services and DORA below). Penalties: determined by national financial regulators; periodic penalty payments for critical providers.
AI Act (2024/1689). Data location: training data must meet quality and governance standards; GDPR transfer rules apply to personal data in training sets. Transfer restrictions: no additional transfer mechanism, but the Article 10 data governance requirements create practical localization incentives. Key provisions: Article 10 (data governance for high-risk AI); Article 15 (accuracy, robustness, cybersecurity). Penalties: EUR 35M or 7% of turnover (prohibited AI practices); EUR 15M or 3% (other violations).
Data Act (2023/2854). Data location: providers of data processing services must prevent unlawful international governmental access to non-personal data held in the EU. Transfer restrictions: Article 32 safeguards against unlawful third-country governmental access, with obligations to challenge requests and notify the customer where permitted. Key provisions: Articles 23-31 (switching between data processing services); Article 32 (international governmental access). Penalties: determined by member states.
ePrivacy Directive (2002/58/EC). Data location: communications data is subject to national implementing laws; some member states require local storage. Transfer restrictions: follows GDPR transfer rules for personal data; additional national requirements may apply. Key provisions: Article 5 (confidentiality of communications); Article 6 (traffic data); Article 9 (location data). Penalties: vary by member state implementation.
Integration point: Organisations subject to multiple regulations (which is most organisations of significant size) should build a unified data governance framework that satisfies the strictest applicable requirements. Vision Compliance helps organisations map overlapping obligations and identify the most efficient path to multi-regulation compliance through our regulatory compliance services.
Practical Data Sovereignty Strategies
Moving from regulatory understanding to operational implementation requires a structured approach. These strategies are applicable regardless of industry or organisation size.
1. Comprehensive Data Mapping
You cannot govern what you cannot see. A thorough data mapping exercise is the essential first step.
Identify all personal data processing activities by using GDPR Article 30 Records of Processing Activities as the foundation
Map data flows to trace where data goes, including sub-processors, analytics platforms, backup locations, and development/testing environments
Classify data by sensitivity because not all data carries the same sovereignty risk; special category data (Article 9) and financial data require stricter controls
Document legal bases and transfer mechanisms for each cross-border flow, identifying the legal basis for the transfer
2. Contractual Controls
Contracts are your primary enforcement mechanism with third-party processors and sub-processors.
Implement 2021 SCCs for all transfers to non-adequate countries, selecting the appropriate module for each relationship
Add data sovereignty clauses beyond standard SCC requirements: specify data storage locations, restrict sub-processing to approved jurisdictions, require notification before any change in processing location
Include government access provisions that require processors to challenge non-EU government access requests, notify you of such requests (where legally permitted), and exhaust all available legal remedies before disclosure
Negotiate audit rights to contractually secure the right to audit the processor's compliance with data sovereignty commitments
3. Encryption and Key Management
Technical controls provide a layer of protection that survives jurisdictional conflicts.
Encrypt data at rest and in transit using strong cryptographic standards (AES-256 for storage, TLS 1.3 for transport)
Maintain encryption key control within the EU by using EU-based hardware security modules (HSMs) or EU-operated key management services
Consider client-side encryption for the most sensitive data, where data is encrypted before it reaches the cloud provider, ensuring the provider cannot access plaintext data even under compulsion
Implement access logging for all key usage, creating an auditable trail of who accessed what data and when
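The last three bullets describe envelope encryption with an EU-held key. The Go program below is an added example written for this article, not code from the page or from any cloud provider: a hypothetical EUKeyService stands in for an EU-operated KMS or HSM, holds an AES-256 key-encryption key that never leaves it, wraps a fresh per-object data key, and logs every wrap and unwrap with the principal, object and timestamp. What the storage provider receives is ciphertext plus the wrapped key, so a disclosure order served on the provider yields nothing readable. It uses only the Go standard library; the object ID, principal name and record contents are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

func randomBytes(n int) []byte { // panics if the CSPRNG fails: there is no safe way to continue
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newAEAD(key []byte) cipher.AEAD { // AES-256-GCM; a wrong key length is a programming error
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal returns nonce || ciphertext || tag; aad is authenticated but not encrypted.
func seal(a cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := randomBytes(a.NonceSize())
	return a.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to blob or aad fails authentication.
func open(a cipher.AEAD, blob, aad []byte) ([]byte, error) {
	if len(blob) < a.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], aad)
}

// EUKeyService is a hypothetical stand-in for an EU-operated KMS or HSM.
type EUKeyService struct {
	kek      cipher.AEAD // key-encryption key: never leaves the service, only wraps/unwraps data keys
	AuditLog []string    // every wrap/unwrap: who, which object, when
}

func NewEUKeyService() *EUKeyService {
	return &EUKeyService{kek: newAEAD(randomBytes(32))} // KEK generated inside the EU boundary
}

func (s *EUKeyService) record(op, objectID, principal string) {
	s.AuditLog = append(s.AuditLog, fmt.Sprintf("%s %s %s by %s", time.Now().UTC().Format(time.RFC3339), op, objectID, principal))
}

// WrapDEK binds the object ID in as AAD, so a wrapped key cannot be replayed against another object.
func (s *EUKeyService) WrapDEK(dek []byte, objectID, principal string) []byte {
	s.record("wrap", objectID, principal)
	return seal(s.kek, dek, []byte(objectID))
}

func (s *EUKeyService) UnwrapDEK(wrapped []byte, objectID, principal string) ([]byte, error) {
	s.record("unwrap", objectID, principal)
	return open(s.kek, wrapped, []byte(objectID))
}

type EncryptedObject struct { // everything the storage provider ever holds
	ObjectID   string
	Ciphertext []byte
	WrappedDEK []byte
}

// EncryptForStorage: fresh data key per object, wrapped by the EU key service, plaintext key scrubbed.
func EncryptForStorage(kms *EUKeyService, objectID, principal string, plaintext []byte) *EncryptedObject {
	dek := randomBytes(32)
	obj := &EncryptedObject{
		ObjectID:   objectID,
		Ciphertext: seal(newAEAD(dek), plaintext, []byte(objectID)),
		WrappedDEK: kms.WrapDEK(dek, objectID, principal),
	}
	for i := range dek {
		dek[i] = 0 // best-effort scrub; the plaintext data key is never persisted
	}
	return obj
}

// DecryptFromStorage needs the EU key service; without it the provider holds only opaque bytes.
func DecryptFromStorage(kms *EUKeyService, obj *EncryptedObject, principal string) ([]byte, error) {
	dek, err := kms.UnwrapDEK(obj.WrappedDEK, obj.ObjectID, principal)
	if err != nil {
		return nil, err
	}
	return open(newAEAD(dek), obj.Ciphertext, []byte(obj.ObjectID))
}

func main() { // constructed sample record, not real personal data
	kms := NewEUKeyService()
	obj := EncryptForStorage(kms, "records/P-0001", "app@eu-tenant", []byte(`{"patient_id":"P-0001"}`))
	pt, err := DecryptFromStorage(kms, obj, "app@eu-tenant")
	fmt.Println(string(pt), err, kms.AuditLog)
}
```

Two design choices are worth noting. Binding the object ID as associated data means a wrapped key lifted from one stored object cannot be presented to the key service to unlock a different one, which limits what a compromised storage account can do with the key service's unwrap operation. The zeroing of the plaintext data key is best-effort in a garbage-collected language; that is one reason the key-wrapping step itself belongs in an HSM rather than in application memory.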
4. Sovereign Cloud Adoption
For organisations with high data sovereignty requirements, sovereign cloud services provide an infrastructure-level solution.
Evaluate sovereign cloud offerings from hyperscalers (AWS European Sovereign Cloud, Azure EU Data Boundary, Google Sovereign Controls) and EU-native providers (OVHcloud, Hetzner, IONOS)
Assess feature requirements to determine whether sovereign configurations offer the services you need or whether a hybrid approach is necessary
Verify sovereign claims independently by reviewing certifications, audit reports, and contractual terms rather than relying solely on marketing materials
Plan for portability because the Data Act's switching provisions (applicable since 12 September 2025) strengthen your right to move between providers; planning for portability from the outset still reduces migration cost
5. Hybrid Architecture Approach
Most organisations will find that a pure single-provider approach is either impractical or unnecessarily restrictive.
Tier your data by placing regulated and sensitive data on sovereign infrastructure; use global infrastructure for non-sensitive workloads
Implement API gateways to centralise data access through EU-hosted API layers that enforce sovereignty policies regardless of where downstream processing occurs
Use pseudonymisation at the boundary to replace direct identifiers with keyed tokens before data leaves the sovereign zone, keeping the key and any re-identification table inside the EU. Pseudonymised data is still personal data under GDPR Article 4(5), so Chapter V continues to apply to the export, but pseudonymisation lowers the risk of the transfer and is one of the supplementary measures the EDPB recognises after Schrems II
Maintain a centralised data governance platform providing a single view of data flows, classifications, and compliance status across all environments
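One way to build the boundary pseudonymisation step above, as an added example rather than anything from the page or a vendor product: a small export filter (hypothetical names) that swaps direct identifiers for HMAC-SHA256 tokens keyed with an EU-held secret, drops fields that must never leave, and keeps the re-identification table inside the EU. It goes slightly beyond the bullet by mixing the field name into the HMAC, so the same value appearing in two different fields yields two unrelated tokens. The key and the records are constructed; a real key would come from an EU-based HSM or KMS.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// BoundaryPolicy names the fields to pseudonymise with a keyed HMAC before
// export and the fields that must never leave the sovereign zone at all.
type BoundaryPolicy struct {
	Pseudonymise []string
	Drop         []string
}

// Pseudonymiser runs inside the EU zone. Its HMAC key and its reverse map are
// the re-identification material; they stay here, only Export output crosses.
type Pseudonymiser struct {
	key     []byte
	policy  BoundaryPolicy
	reverse map[string]string // token -> original value, EU-held only
}

func NewPseudonymiser(key []byte, policy BoundaryPolicy) *Pseudonymiser {
	return &Pseudonymiser{key: key, policy: policy, reverse: map[string]string{}}
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// token derives a deterministic pseudonym: same key+field+value -> same token,
// so exported records still join on it, but it cannot be reversed without the key.
// The field name is mixed in so the same value in two fields gives two tokens.
func (p *Pseudonymiser) token(field, value string) string {
	mac := hmac.New(sha256.New, p.key)
	mac.Write([]byte(field + "\x00" + value))
	return hex.EncodeToString(mac.Sum(nil))[:32] // 128-bit token
}

// Export returns the version of one record that is allowed to leave the EU.
func (p *Pseudonymiser) Export(rec map[string]any) map[string]any {
	out := make(map[string]any, len(rec))
	for k, v := range rec {
		switch {
		case contains(p.policy.Drop, k):
			continue // never crosses the boundary
		case contains(p.policy.Pseudonymise, k):
			s := fmt.Sprint(v)
			t := p.token(k, s)
			p.reverse[t] = s // re-identification stays on this side
			out[k] = t
		default:
			out[k] = v
		}
	}
	return out
}

// Resolve re-identifies a token; it only works where the EU-held map lives.
func (p *Pseudonymiser) Resolve(token string) (string, bool) {
	v, ok := p.reverse[token]
	return v, ok
}

func main() {
	// Constructed key and records, not real data.
	p := NewPseudonymiser([]byte("constructed-demo-key-replace-with-hsm-key"), BoundaryPolicy{
		Pseudonymise: []string{"email", "customer_id"},
		Drop:         []string{"national_id", "free_text_notes"},
	})
	records := []map[string]any{
		{"customer_id": "C-1001", "email": "anna@example.eu", "national_id": "DE-123", "country": "DE", "plan": "pro"},
		{"customer_id": "C-1001", "email": "anna@example.eu", "free_text_notes": "called about invoice", "plan": "pro"},
	}
	for _, r := range records {
		b, _ := json.Marshal(p.Export(r))
		fmt.Println(string(b))
	}
}
```

Both exported records carry the same token for C-1001, so analytics on the far side can still count one customer, while the identity behind the token is only recoverable from the EU-held map. Free-text fields are dropped rather than tokenised because they cannot be pseudonymised reliably; a support note can name the person in full.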
Industry-Specific Considerations
Healthcare and Patient Data
Healthcare data is among the most heavily regulated in the EU. Beyond GDPR's classification of health data as a special category (Article 9), member states frequently impose additional localization requirements:
Germany: state hospital laws (Landeskrankenhausgesetze) often require patient data to remain within the federal state
France: the HDS (Hébergeur de Données de Santé) certification is required for hosting health data, and recent policy moves favour SecNumCloud-qualified providers
EU Health Data Space (Regulation (EU) 2025/327): establishes rules for primary and secondary use of electronic health data across the EU, with explicit safeguards on where and by whom that data may be processed; its obligations apply in phases over the coming years
Practical recommendation: Healthcare organisations should default to EU-resident, EU-provider infrastructure for all patient data and obtain specific legal advice for each member state where they operate.
Financial Services and DORA
Financial entities face dual obligations under GDPR and DORA (applicable from 17 January 2025):
ICT third-party risk management (DORA Article 28) requires financial entities to assess and manage risks from cloud providers and other ICT service providers, including data sovereignty risks
Contractual requirements (DORA Article 30) mandate specific provisions in ICT service contracts, including data storage and processing location, access and inspection rights, and exit strategies
Critical provider oversight (DORA Article 31): the European Supervisory Authorities (ESAs) can designate cloud providers as critical ICT third-party service providers, subjecting them to direct regulatory oversight
Financial entities using non-EU cloud providers for critical functions should ensure their arrangements satisfy both GDPR transfer requirements and DORA's third-party risk management framework. Our cybersecurity services include DORA compliance assessments tailored to financial institutions.
Government and Public Sector
Public sector organisations face the strictest data sovereignty expectations:
National security frameworks: many EU member states require government data to be processed on nationally certified infrastructure (Germany's BSI C5, France's SecNumCloud)
Public procurement rules: cloud procurement contracts increasingly mandate EU-headquartered providers or sovereign cloud configurations
Classified information: NATO and EU classified information handling rules impose specific infrastructure requirements that go far beyond GDPR
Common Data Sovereignty Mistakes
Mistake: assuming an EU data centre location equals data sovereignty. Risk: a non-EU parent company may be compelled to disclose data under the CLOUD Act or equivalent laws. Fix: evaluate the provider's corporate jurisdiction, not just server location, and use EU-held encryption keys.
Mistake: relying solely on the EU-US DPF without contingency planning. Risk: DPF invalidation (a potential "Schrems III") would leave transfers without a legal basis overnight. Fix: maintain executed SCCs as a fallback with all US partners; conduct TIAs; document supplementary measures.
Mistake: ignoring sub-processor chains. Risk: your EU cloud provider may use non-EU sub-processors, routing data through non-adequate jurisdictions. Fix: map and approve the complete sub-processor chain; contractually restrict sub-processing locations.
Mistake: using Article 49 derogations for routine transfers. Risk: derogations are for occasional, non-repetitive transfers only; relying on them for systematic transfers is non-compliant. Fix: implement proper transfer mechanisms (SCCs, BCRs, or adequacy) for all regular data flows.
Mistake: treating data sovereignty as an IT-only issue. Risk: compliance failures result in legal penalties and business consequences that extend far beyond IT. Fix: establish cross-functional governance involving legal, compliance, IT, procurement, and business leadership.
Mistake: neglecting Transfer Impact Assessments. Risk: SCCs without a TIA are non-compliant following Schrems II, and supervisory authorities are actively auditing TIA practices. Fix: conduct and document TIAs for every SCC-based transfer; review annually and when destination country laws change.
Mistake: overlooking development and testing environments. Risk: production data copied into development environments hosted outside the EU constitutes an international transfer. Fix: apply data sovereignty controls to all environments; use synthetic or anonymised data for development and testing.
Mistake: failing to monitor regulatory changes. Risk: EU data sovereignty law is evolving rapidly; what was compliant last year may not be compliant today. Fix: implement a regulatory monitoring process; subscribe to supervisory authority newsletters; engage specialist advisors.
FAQ
Can I store EU personal data in the US?
Yes, but only with a valid legal mechanism. If your US data recipient is certified under the EU-US Data Privacy Framework (DPF), the transfer is covered by the Commission's adequacy decision. If not, you need Standard Contractual Clauses (SCCs) with a Transfer Impact Assessment (TIA) evaluating whether US surveillance laws undermine the SCCs' protections, plus supplementary measures if needed. You may also use Binding Corporate Rules for intra-group transfers or Article 49 derogations for occasional, non-systematic transfers.
What happens if the EU-US Data Privacy Framework is invalidated (Schrems III)?
If the CJEU invalidates the DPF, transfers to DPF-certified US organisations would lose their legal basis immediately, mirroring what happened when Privacy Shield was struck down in 2020. Organisations that maintained SCCs as a fallback would need to activate those SCCs and ensure their TIAs are current. Those without fallback mechanisms would need to suspend US transfers or implement alternative safeguards rapidly. This is why maintaining parallel transfer mechanisms is considered best practice.
Do I need EU-based servers to comply with GDPR?
No. GDPR does not mandate data localization within the EU. You can process EU personal data on servers located outside the EU provided you comply with Chapter V transfer requirements (adequacy decisions, SCCs, BCRs, or derogations). However, storing data in the EU significantly reduces compliance complexity, eliminates the need for transfer mechanisms, and is increasingly expected by customers, supervisory authorities, and sector-specific regulations. For many organisations, EU-based servers are the simplest path to compliance.
How does the AI Act affect data sovereignty?
The AI Act (Regulation 2024/1689) requires that training, validation, and testing datasets for high-risk AI systems meet specific data governance requirements under Article 10. Where these datasets contain EU personal data, GDPR data sovereignty rules apply in full. This means that training a high-risk AI model on EU personal data in a non-EU environment requires a valid transfer mechanism, appropriate safeguards, and documentation of the data governance measures applied. The AI Act's penalties (up to EUR 35 million or 7% of global turnover for prohibited practices) add further incentive to get data governance right.
Does the CLOUD Act override GDPR?
Not within the EU legal order. GDPR Article 48 states that judgments or decisions of foreign courts or administrative authorities requiring data transfers are not recognised or enforceable unless they are based on an international agreement (such as a mutual legal assistance treaty). A US CLOUD Act order cannot, under EU law, serve as a legal basis for transferring EU personal data. However, a US-headquartered company subject to both the CLOUD Act and GDPR faces a genuine legal conflict. The recommended approach is to use EU-held encryption keys, challenge CLOUD Act orders in US courts on the basis of EU legal obligations, and, where possible, structure operations so that the US entity does not have technical access to unencrypted EU data.
What is the difference between GDPR data sovereignty and national data sovereignty?
GDPR establishes the EU-wide baseline for data sovereignty, but individual member states can impose additional requirements through national law. Germany, for example, has strong federal data protection traditions and sector-specific rules (particularly in healthcare and telecommunications). France has the HDS certification requirement for health data hosting and the SecNumCloud qualification for government cloud services. Organisations operating across multiple EU member states must comply with both the GDPR baseline and any applicable national requirements.
How should I handle data sovereignty for SaaS products with global users?
Implement a data residency architecture that routes EU user data to EU-based infrastructure by default. This is typically achieved through geographic routing at the application layer, with separate data stores for different regions. Ensure that your data processing agreements with customers specify where data will be stored and processed, what transfer mechanisms are in place for any cross-border flows, and what controls prevent unauthorised access. Many SaaS providers now offer EU-only deployment options as a premium feature.
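The application-layer routing decision described above, as an added example that is not code from this article or from Vision Compliance: region codes, store names and the transfer register are hypothetical, and the register records which Chapter V mechanism backs each non-EU store. EU users are placed in an EU store by default; a non-EU store is accepted only when the register shows a DPF-certified recipient, SCCs with a TIA reviewed within the last year, or an Article 49 derogation marked as occasional, which exercises three rows of the mistakes table above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EU_REGIONS = {"eu-central", "eu-west"}  # constructed region codes
TIA_MAX_AGE = timedelta(days=365)       # "review annually" from the mistakes table
ASSESSMENT_DATE = date(2026, 3, 28)     # constructed reference date

@dataclass
class Store:
    name: str
    region: str  # where the servers sit, e.g. "eu-west" or "us-east"
@dataclass
class TransferBasis:
    """Documented Chapter V mechanism for sending EU data to one store."""
    mechanism: str                       # "adequacy_dpf" | "scc" | "art49"
    tia_reviewed: Optional[date] = None  # SCCs need a current TIA (Schrems II)
    occasional: bool = False             # Art. 49 only covers non-systematic flows

def transfer_allowed(basis, today):
    """Return (allowed, reason) for an EU -> non-EU flow to one store."""
    if basis is None:
        return False, "no transfer mechanism documented"
    if basis.mechanism == "adequacy_dpf":
        return True, "recipient certified under the EU-US DPF"
    if basis.mechanism == "scc":
        if basis.tia_reviewed is None:
            return False, "SCCs without a TIA are non-compliant"
        if today - basis.tia_reviewed > TIA_MAX_AGE:
            return False, "TIA older than 12 months, re-assess first"
        return True, "SCCs with a current TIA"
    if basis.mechanism == "art49":
        if basis.occasional:
            return True, "Article 49 derogation (occasional transfer)"
        return False, "Article 49 cannot cover routine transfers"
    return False, "unknown mechanism %r" % basis.mechanism

def select_store(user_region, stores, register, today=ASSESSMENT_DATE):
    """EU users go to an EU store by default; anything else needs a basis."""
    if user_region in EU_REGIONS:
        for s in stores:
            if s.region in EU_REGIONS:
                return s.name, "EU data kept in an EU region"
        for s in stores:  # no EU store: only with a documented, valid basis
            ok, why = transfer_allowed(register.get(s.name), today)
            if ok:
                return s.name, why
        return None, "refused: no EU store and no valid transfer basis"
    home = [s for s in stores if s.region == user_region]  # non-EU users stay home
    return (home[0].name, "home region") if home else (None, "no store for region")
```

The register would in practice be generated from the organisation's transfer inventory and sub-processor map, so that a lapsed TIA or a withdrawn DPF certification changes routing without a code deployment.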
Is ISO 27001 certification sufficient for data sovereignty compliance?
ISO 27001 provides an excellent foundation for information security management but does not specifically address data sovereignty or GDPR compliance. It demonstrates that you have a systematic approach to managing information security risks, which supports the technical and organisational measures required by GDPR Article 32 and the security requirements of NIS2 and DORA. However, you still need to address GDPR-specific requirements (lawful basis, data subject rights, international transfer safeguards) and data sovereignty-specific controls (encryption key management, jurisdictional analysis, sub-processor governance). See our ISO 27001 Implementation Guide for how to build an ISMS that supports broader compliance objectives.
Conclusion
EU data sovereignty is no longer an abstract legal concept. It is a practical, operational requirement that affects infrastructure decisions, vendor relationships, product architecture, and business strategy. The regulatory framework continues to tighten: the Data Act's provisions on switching and international access safeguards take effect in September 2025, the AI Act's data governance requirements are phasing in, and supervisory authorities are increasingly scrutinising international data transfers following the precedent set by Meta's EUR 1.2 billion fine.
Organisations that approach data sovereignty proactively, combining contractual controls with technical safeguards and strategic infrastructure choices, will find that compliance creates competitive advantage. Customers increasingly demand transparency about where their data is processed. Regulators reward organisations that demonstrate genuine commitment to data protection. And the ability to operate seamlessly across jurisdictions while respecting sovereignty requirements is becoming a differentiator in B2B markets.
Key actions for 2026:
Map your data flows comprehensively, including sub-processors, development environments, and AI training pipelines
Audit your transfer mechanisms to ensure TIAs are current for all SCC-based transfers and verify DPF certifications for US partners
Evaluate your cloud strategy to assess whether your current infrastructure aligns with your data sovereignty obligations and risk tolerance
Prepare contingency plans with documented procedures for responding to DPF invalidation, new adequacy decision changes, or regulatory enforcement actions
Build cross-functional governance because data sovereignty is a legal, technical, and business challenge that requires coordinated leadership
Related Articles
GDPR Compliance Guide: Complete overview of GDPR principles, rights, and compliance requirements
Need support with EU data sovereignty compliance? Vision Compliance helps organisations assess their data sovereignty posture, implement compliant transfer mechanisms, evaluate cloud provider options, and build governance frameworks that satisfy GDPR, NIS2, DORA, and the AI Act simultaneously.
Data Protection Services: Data sovereignty assessments, transfer mechanism implementation, and ongoing compliance management
Cybersecurity Services: Cloud security, encryption architecture, and infrastructure sovereignty reviews
Contact us: Schedule a data sovereignty assessment
Robert Lozo, mag. iur., is a Partner at Vision Compliance specializing in EU regulatory compliance. He advises organizations on GDPR, NIS2, AI Act, and financial regulation, delivering audit-ready documentation and compliance roadmaps across regulated industries.