1. What does data sovereignty mean? #

Data sovereignty has three dimensions:

Dimension 1: Legal sovereignty #

Your data is subject to the legal framework you choose — not one imposed by a third country. This means: data is stored and processed in a jurisdiction whose data protection laws you know and accept. For European organizations, this means as the primary legal framework, without conflicts arising from extraterritorial laws such as the US CLOUD Act.

Dimension 2: Technical sovereignty #

You have technical control over your data — independent of any single vendor. This means:

  • Access to your data is available at any time, without requiring a third party’s authorization
  • Data can be migrated to another system without disproportionate effort
  • No single point of failure through a single cloud provider

Dimension 3: Operational sovereignty #

You can independently manage, back up, and recover your data — without dependence on external services or network connectivity. In a crisis (cyberattack, network outage, provider insolvency), your data availability is guaranteed.

Why data sovereignty is relevant now #

Development | Impact on data sovereignty
Schrems II ruling (2020) | EU-US Privacy Shield invalidated; data transfers to the US legally uncertain
US CLOUD Act (2018) | US authorities can demand data held by US companies — even when servers are located in the EU
EU-US Data Privacy Framework (2023) | Successor to Privacy Shield; legally fragile — another Schrems ruling is possible
NIS2 Directive (2024) | Stricter requirements for data backup and supply chain security
DORA (Digital Operational Resilience Act) (17 January 2025) | Digital Operational Resilience Act for the financial sector; requirements for ICT third-party providers
EU Data Act (12 September 2025) | New rules on data portability and cloud switching

2. The regulatory landscape #

GDPR: The foundation #

The () is the regulatory framework that defines data sovereignty for European organizations. The most relevant articles for data storage:

Art. 44 – 49  — Transfer of personal data to third countries: Personal data may only be transferred to third countries where an adequate level of protection is guaranteed. For the US, the EU-US Data Privacy Framework has applied since 2023 — but its long-term stability is uncertain.

Art. 32  — Security of processing: The controller must implement technical and organizational measures appropriate to the risk — including encryption, pseudonymization, and the ability to restore the availability of personal data promptly after an incident.

Art. 28  — Processors: Cloud providers acting as processors must be contractually bound; the controller remains responsible for compliance with all requirements — even when data is held by an external provider.

US CLOUD Act: The conflict potential #

The (CLOUD Act, 2018) authorizes US authorities to require US companies to produce data — regardless of where that data is physically stored. This affects:

  • Amazon Web Services (AWS)
  • Microsoft Azure
  • Google Cloud Platform (GCP)
  • All other US cloud providers and their subsidiaries

The practical consequence: If your backup sits with a US cloud provider — even on a server in Frankfurt — a US authority can demand that data. The provider then faces a conflict between US law (obligation to produce) and EU law ( prohibition on disclosure).

How do data protection authorities assess this risk?

European data protection authorities (particularly the Austrian DSB, the French CNIL, and the Bavarian LDA) have concluded in several decisions that using US cloud services for certain data categories provides an insufficient level of protection — regardless of the Data Privacy Framework.

NIS2 Directive and supply chain security #

The NIS2 Directive (§30 BSIG-new, in force since December 2025) explicitly requires assessment of supply chain security. Cloud providers and backup software vendors are part of this supply chain. For NIS2-affected organizations, the question is: which legal framework governs my backup provider? And what risks does that create?


3. Cloud vs. on-premises: The sovereignty question #

The cloud promises — and their limits #

Cloud storage offers undeniable advantages: scalability, pay-as-you-go models, global availability. But for data sovereignty, specific risks arise:

Criterion | Public cloud (US hyperscaler) | European cloud | On-premises
Legal framework | GDPR + CLOUD Act conflict | GDPR | GDPR
Physical control | None — provider determines location | Limited | Complete
Vendor lock-in | High — proprietary APIs and formats | Medium | None
Access during network outage | Impossible | Impossible | Guaranteed
Data portability | Complex (egress costs) | Medium | Immediate
Third-country government access | Yes (CLOUD Act) | No (EU providers) | No
Total cost (5 years, 100 TB) | Calculable with egress surprises | Medium | Calculable

When cloud makes sense — and when it does not #

Cloud makes sense:

  • For non-critical data without personal information
  • As supplementary geographic redundancy (Tier 4)
  • For short-term scaling spikes
  • When the organization operates no data center infrastructure of its own

Cloud is problematic:

  • For backup data that must be available offline in a crisis
  • For personal data with high protection requirements
  • For regulated sectors with strict data location requirements (BAIT, §203 StGB)
  • When single-point-of-failure risks must be avoided

The hybrid reality #

In practice, most organizations run a hybrid approach. The sovereignty question then becomes not “cloud or on-premises?” but: “which data belongs where?”

Recommendation for a sovereign hybrid architecture:

  • Tier 1 (primary backup): On-premises — fast access, full control
  • Tier 2 (air gap): On-premises — physical isolation, no cloud dependency
  • Tier 3 (long-term archive): On-premises — audit-proof storage under your own roof
  • Tier 4 (geo-redundancy): European cloud OR second on-premises location

The key point: Your most critical data — backups for crisis recovery — must not depend on a network connection, a cloud provider, or a third-country legal framework.


4. Vendor lock-in: The underestimated risk #

What vendor lock-in means #

Vendor lock-in occurs when dependence on a single provider becomes so significant that switching is disproportionately expensive, time-consuming, or technically difficult. For cloud storage and backup, this manifests as:

  • Proprietary data formats: Backup data in vendor-specific formats that cannot be easily migrated
  • Egress costs: Cloud providers charge high fees for downloading your own data (typically EUR 0.05 – 0.12/GB)
  • API dependencies: Applications built on provider-specific APIs
  • Contractual binding: Long-term contracts with minimum consumption commitments

The cost of lock-in #

Example calculation: Migrating 100 TB of backup data from a hyperscaler

Cost factor | Amount
Egress costs (100 TB × EUR 0.09/GB) | EUR 9,000
Migration effort (staff, 2 weeks) | EUR 15,000 – 30,000
Parallel operation during migration | EUR 5,000 – 10,000
Risk: downtime during migration | Incalculable
Total cost of a provider switch | EUR 30,000 – 50,000

These costs arise every time you want — or need — to switch providers. And they scale linearly with data volume.

The EU Data Act and data portability #

The EU Data Act (in force since 12 September 2025) partly addresses this problem:

  • Cloud providers must facilitate switching to another provider
  • Egress fees for provider switching will be phased out
  • Minimum interoperability requirements will be defined

But: full implementation takes time, and proprietary data formats remain a practical obstacle.

The sovereign alternative: Open standards, local control #

On-premises storage with open interfaces eliminates lock-in risk:

  • Standard protocols: NFS, SMB, iSCSI, FC, S3-compatible — no proprietary formats
  • No egress costs: Your data is available locally at any time
  • Vendor independence: Backup software and storage hardware can be changed independently
  • Calculable costs: No variable cloud fees, no billing surprises

5. Made in Germany: Why origin matters for hardware #

Why hardware origin is a sovereignty question #

Data sovereignty is not only about storage location — it is also about the origin of the technology. Hardware developed and produced in a third country is subject to that country’s legal framework. And that can include backdoors, disclosure obligations, or export restrictions that European users cannot control.

The case for European hardware #

Legal framework: Hardware developed and produced in the EU is subject exclusively to European law. No CLOUD Act, no FISA 702, no extraterritorial disclosure obligation.

Supply chain security: The NIS2 Directive requires assessment of supply chain security. A European manufacturer offers a more transparent supply chain than a global corporation manufacturing across dozens of countries.

Geopolitical independence: In a world of growing geopolitical tensions — export restrictions, sanctions, trade conflicts — European hardware reduces dependencies that can become strategic risks.

Privacy by design: European manufacturers develop products in the context of and European data protection principles. Data protection is a design principle, not a retroactive add-on.

FAST LTA: Made in Germany #

FAST LTA GmbH develops and manufactures all storage systems in Munich:

  • Silent Brick System: Air-gap backup with physical network isolation
  • Silent Cubes: Hardware for audit-proof long-term archiving
  • Silent AI: On-premises AI storage

All systems: German development, German manufacturing, European legal framework. No CLOUD Act. No third-country risk.


6. Sector-specific requirements #

Financial services: BAIT and DORA #

BAIT (German supervisory requirements for IT in banking): BaFin requires that IT outsourcing by financial institutions (including cloud services) does not result in loss of control. Backup data in a US cloud raises specific questions that must be resolved with the supervisory authority.

(): Since 17 January 2025, financial entities must assess and manage dependencies on ICT third-party providers (including cloud providers). requires stress testing and exit strategies for every critical ICT service provider.

Recommendation: Critical backup data on-premises with air-gap protection. Cloud only for non-critical data or as supplementary redundancy at European providers.

Healthcare: §203 StGB and patient data #

In healthcare, patient data is protected under criminal law through §203 StGB (breach of professional secrecy). Disclosure to third parties — including cloud providers — is only permitted under narrow conditions.

Recommendation: Patient data backups exclusively on-premises. Hardware for long-term archiving of medical documents (§28 RöV for radiation therapy records: 30 years; 10 years for diagnostic X‑rays).


Public administration: BSI (German Federal Office for Information Security) requirements #

Public authorities at federal and state level are subject to BSI requirements. For classified information (VS-NfD and above), additional physical security requirements apply that preclude cloud storage in many cases.

Recommendation: On-premises storage with BSI-compliant backup architecture. Air-gap layer for critical infrastructure (KRITIS) systems.


Industry and critical infrastructure: Production data and OT security #

In manufacturing and for , data sovereignty covers not only personal data but also production data, formulations, control configurations, and OT (Operational Technology) systems. This data is business-critical and must neither be lost nor fall into the wrong hands.

Recommendation: Strict separation of OT and IT backup. Air-gap protection for production data backups. Sovereign storage without cloud dependency.


7. Sovereign data architecture: Reference model #

The four principles of sovereign data storage #

Principle 1: Legal clarity All storage systems are subject exclusively to European law. No third-country conflicts, no CLOUD Act risk.

Principle 2: Physical control Critical data is stored on your own hardware, physically located in your own data center. No loss of control through third-party providers.

Principle 3: Open standards Standard protocols and open interfaces prevent vendor lock-in. Data is portable at any time.

Principle 4: Self-sufficient recoverability In a crisis — network outage, cloud outage, provider insolvency — all critical data can be independently recovered, without dependence on external services.

Reference architecture: Sovereign backup and archive #

┌────────────────────────────────────────────────────────┐
│                    YOUR OWN DATA CENTER                 │
│                                                        │
│  Tier 1: Primary backup (Silent Brick)                 │
│  ├── Fast recovery (RTO < 1h)                          │
│  ├── Standard protocols: NFS, SMB, iSCSI, S3           │
│  └── Fully under your own control                      │
│                                                        │
│  Tier 2: Air gap layer (Silent Brick Max Air)          │
│  ├──  after backup                                     │
│  ├── -resistant recovery                               │
│  └── Hardware Made in Germany                          │
│                                                        │
│  Tier 3:  archive (Silent Cubes)                       │
│  ├── Hardware : physically immutable                   │
│  ├── Audit-proof long-term archiving                   │
│  └── 10+ year retention, compliance-compliant          │
│                                                        │
└────────────────────────────────────────────────────────┘
              │ (optional, geo-redundancy only)
              ▼
┌────────────────────────────────────────────────────────┐
│  Tier 4: Geo-redundancy                                │
│  ├── Option A: Second own location                     │
│  └── Option B: European cloud provider (supplementary) │
└────────────────────────────────────────────────────────┘

Result: An architecture that is fully sovereign — under your own roof, under your own legal framework, with your own recovery capability.


8. Recommendations for action #

Immediate: Quick wins for greater sovereignty #

  1. Create a data inventory: Where does which data sit? Which legal framework governs the storage systems?
  2. Assess CLOUD Act exposure: Are you using US cloud providers for personal or business-critical data? If so: assess and document the risk.
  3. Calculate egress costs: What would it cost to download your cloud data? That is the price of your dependency.
  4. Check backup location: Is your backup data available without a network connection in a crisis?
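As an added example (not code from the article or from FAST LTA), the four quick wins above expressed as a small Python check over a constructed data inventory: the US provider names, the backup tier numbers and the EUR 0.09/GB egress rate follow the article; the dataset fields and the provider labels `on-prem` and `eu-cloud` are assumptions.

```python
# Added example, not part of the original article: applies the article's quick-win
# questions (governing legal framework, egress cost, offline availability) to an inventory.
from dataclasses import dataclass

# Providers the article names as subject to the US CLOUD Act; extend as needed.
US_CLOUD_PROVIDERS = {"aws", "azure", "gcp"}
EGRESS_EUR_PER_GB = 0.09   # inside the article's EUR 0.05 - 0.12/GB range

@dataclass
class Dataset:
    name: str
    provider: str         # assumed labels: "aws", "azure", "gcp", "eu-cloud", "on-prem"
    location: str         # physical region of the servers, e.g. "eu-frankfurt"
    size_tb: float
    personal_data: bool
    tier: int             # backup tier 1-4 as defined in the article
    offline_access: bool  # recoverable without a network connection?

def cloud_act_exposed(d: Dataset) -> bool:
    """Exposure follows the provider's legal framework, not the server location."""
    return d.provider.lower() in US_CLOUD_PROVIDERS

def egress_cost_eur(d: Dataset) -> float:
    """The price of the dependency: what one full download would cost (on-prem: none)."""
    if d.provider == "on-prem":
        return 0.0
    return round(d.size_tb * 1000 * EGRESS_EUR_PER_GB, 2)

def findings(d: Dataset) -> list[str]:
    """Sovereignty issues the article's recommendations would flag for one dataset."""
    out = []
    if cloud_act_exposed(d):
        out.append("CLOUD Act exposure despite location " + d.location)
        if d.personal_data:
            out.append("personal data with a US provider: insufficient protection level")
    if d.tier <= 3 and d.provider != "on-prem":
        out.append(f"tier {d.tier} should be on-premises, not with a provider")
    if d.tier in (1, 2) and not d.offline_access:
        out.append("crisis backup depends on network connectivity")
    return out

def assess(inventory: list[Dataset]) -> dict[str, dict]:
    return {d.name: {"findings": findings(d), "egress_eur": egress_cost_eur(d)}
            for d in inventory}

# Constructed sample inventory (not real data).
SAMPLE = [
    Dataset("hr-backup", "aws", "eu-frankfurt", 100.0, True, 1, False),
    Dataset("archive", "on-prem", "munich-dc", 40.0, True, 3, True),
    Dataset("geo-copy", "eu-cloud", "eu-paris", 100.0, False, 4, False),
]

if __name__ == "__main__":
    for name, result in assess(SAMPLE).items():
        print(name, result)
```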

Medium-term: Adjust the architecture #

  1. Bring critical data on-premises: Migrate backup and archive data with high protection requirements to your own sovereign hardware.
  2. Introduce an air-gap layer: Physically isolated backup for ransomware resilience and operational sovereignty.
  3. Implement archiving: Audit-proof long-term archiving on hardware  — without cloud dependency.
  4. Reduce vendor lock-in: Switch to standard protocols and open interfaces.

Long-term: Sovereignty as strategy #

  1. Supply chain assessment under NIS2: Assess hardware and software vendors on origin, legal framework, and dependencies.
  2. Evaluate European alternatives: For new projects, prefer European providers — G‑X compatible, -native, without third-country risks.

9. Frequently asked questions #

No — not automatically. The authorizes US authorities to demand data from US companies, regardless of server location. If your cloud provider is a US company (AWS, Azure, GCP), the EU server location alone does not protect against a data demand. What matters is the legal framework governing the provider — not the physical location of the server.

Data protection (in particular ) regulates the protection of personal data — purpose limitation, consent, data subject rights. Data sovereignty goes further: it covers complete control over all data — including non-personal business data, production data, and configurations. Data sovereignty means: you decide where your data sits, who accesses it, and which law governs it.

The EU Data Act (valid since 12 September 2025) improves data portability: cloud providers must facilitate switching and phase out egress fees. For existing contracts, it is worth pressing for Data Act-compliant terms at the next renewal.

In the short term, often yes — acquisition costs are higher. Over five years, on-premises storage is cost-effective in many scenarios: no ongoing storage fees, no egress costs, no variable costs as data volume grows. Our TCO comparison shows the differences transparently.

BSI recommends a risk-based assessment in its cloud computing guidelines. For data with high protection requirements and for critical infrastructure systems, BSI recommends additional protective measures — including the question of whether cloud storage is even appropriate for that data category.

G-X is a European initiative for a sovereign, interoperable data infrastructure. The goal is to create European cloud and data ecosystems that conform to European values and legal frameworks. G-X defines standards for portability, transparency, and sovereignty — but is still in development and is not a finished product.

Disclaimer

This article was written by our editorial team and edited using AI. It provides a general overview and does not constitute legal advice – we recommend seeking professional advice for your specific situation.