---
title: Data sovereignty
date: 2026-04-16T10:59:00+02:00
author: Hannes Heckel
canonical_url: "https://www.fast-lta.de//en/blog/data-sovereignty"
section: Pillar Pages
---
- [1. What does data sovereignty mean?](#1-what-does-data-sovereignty-mean)
- [2. The regulatory landscape](#2-the-regulatory-landscape)
- [3. Cloud vs. on-premises: The sovereignty question](#3-cloud-vs-on-premises-the-sovereignty-question)
- [4. Vendor lock-in: The underestimated risk](#4-vendor-lock-in-the-underestimated-risk)
- [5. Made in Germany: Why origin matters for hardware](#5-made-in-germany-why-origin-matters-for-hardware)
- [6. Sector-specific requirements](#6-sector-specific-requirements)
- [7. Sovereign data architecture: Reference model](#7-sovereign-data-architecture-reference-model)
- [8. Recommendations for action](#8-recommendations-for-action)
- [9. Frequently asked questions](#9-frequently-asked-questions)
### 1. What does data sovereignty mean?

Data sovereignty has three dimensions:

#### Dimension 1: Legal sovereignty

Your data is subject to the legal framework you choose — not one imposed by a third country. This means: data is stored and processed in a jurisdiction whose data protection laws you know and accept. For European organizations, this means GDPR as the primary legal framework, without conflicts arising from extraterritorial laws such as the US CLOUD Act.

#### Dimension 2: Technical sovereignty

You have technical control over your data — independent of any single vendor. This means:

- Access to your data is available at any time, without requiring a third party’s authorization
- Data can be migrated to another system without disproportionate effort
- No single point of failure through a single cloud provider

#### Dimension 3: Operational sovereignty

You can independently manage, back up, and recover your data — without dependence on external services or network connectivity. In a crisis (cyberattack, network outage, provider insolvency), your data availability is guaranteed.

#### Why data sovereignty is relevant now

| Development | Impact on data sovereignty |
|---|---|
| **Schrems II ruling (2020)** | EU-US Privacy Shield invalidated; data transfers to the US legally uncertain |
| **US CLOUD Act (2018)** | US authorities can demand data held by US companies — even when servers are located in the EU |
| **EU-US Data Privacy Framework (2023)** | Successor to Privacy Shield; legally fragile — another Schrems ruling is possible |
| **NIS2 Directive (2024)** | Stricter requirements for data backup and supply chain security |
| **DORA (Digital Operational Resilience Act) (17 January 2025)** | Digital Operational Resilience Act for the financial sector; requirements for ICT third-party providers |
| **EU Data Act (12 September 2025)** | New rules on data portability and cloud switching |

### GDPR

The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).

[Learn more →](https://www.fast-lta.de//en/glossary/gdpr)

###### Blog Post | 12/16/2025

[What Is Data Sovereignty? Definition and Three Dimensions](https://www.fast-lta.de//en/blog/was-ist-datensouver%C3%A4nit%C3%A4t-definition-und-drei-dimensionen)

"Data sovereignty" appears in every cloud provider's marketing. But what does it actually mean? And how does it differ from data protection? A simple definition: **Data sovereignty means you have full control over your data: legally, technically and operationally.** This article explains the three dimensions and why they matter for your organisation.

###### Blog Post | 2/10/2026

[EU-US Data Privacy Framework: How Stable Is the New Framework?](https://www.fast-lta.de//en/blog/eu-us-data-privacy-framework-wie-stabil-ist-der-neue-rahmen)

The EU-US Data Privacy Framework (DPF) has been in effect since July 2023. It is intended to resolve the issues raised by Schrems II and once again permit transfers of personal data to the United States. But is it actually secure? In short: not fully. The framework survived its first court challenge in September 2025, but an appeal is pending before the EU Court of Justice, and the CLOUD Act still applies to US providers.

### 2. The regulatory landscape

#### GDPR: The foundation

The General Data Protection Regulation (GDPR) is the regulatory framework that defines data sovereignty for European organizations. The most relevant articles for data storage:

**Art. 44 – 49 GDPR — Transfer of personal data to third countries:** Personal data may only be transferred to third countries where an adequate level of protection is guaranteed. For the US, the EU-US Data Privacy Framework has applied since 2023 — but its long-term stability is uncertain.

**Art. 32 GDPR — Security of processing:** The controller must implement technical and organizational measures appropriate to the risk — including encryption, pseudonymization, and the ability to restore the availability of personal data promptly after an incident.

**Art. 28 GDPR — Processors:** Cloud providers acting as processors must be contractually bound; the controller remains responsible for compliance with all GDPR requirements — even when data is held by an external provider.

#### US CLOUD Act: The conflict potential

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act, 2018) authorizes US authorities to require US companies to produce data — **regardless of where that data is physically stored**. This affects:

- Amazon Web Services (AWS)
- Microsoft Azure
- Google Cloud Platform (GCP)
- All other US cloud providers and their subsidiaries

**The practical consequence:** If your backup sits with a US cloud provider — even on a server in Frankfurt — a US authority can demand that data. The provider then faces a conflict between US law (obligation to produce) and EU law (GDPR prohibition on disclosure).

**How do data protection authorities assess this risk?**

European data protection authorities (particularly the Austrian DSB, the French CNIL, and the Bavarian LDA) have concluded in several decisions that using US cloud services for certain data categories provides an insufficient level of protection — regardless of the Data Privacy Framework.

#### NIS2 Directive and supply chain security

The NIS2 Directive (§30 BSIG-new, in force since December 2025) explicitly requires assessment of supply chain security. Cloud providers and backup software vendors are part of this supply chain. For NIS2-affected organizations, the question is: which legal framework governs my backup provider? And what risks does that create?

### US CLOUD Act

The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) authorizes US authorities to require US companies to hand over data — regardless of where that data is physically stored, including servers located in the EU.

[Learn more →](https://www.fast-lta.de//en/glossary/us-cloud-act)

###### Blog Post | 12/2/2025

[GDPR and Cloud Storage: Legally Compliant Handling of Personal Data](https://www.fast-lta.de//en/blog/dsgvo-und-cloud-speicherung-rechtskonformer-umgang-mit-personenbezogenen-daten)

The GDPR permits cloud storage, but under strict conditions. Third-country transfers (to the US, China and other non-EU countries) are particularly complex. Many organisations do not realise that their current setup falls short of the requirements. This article explains the GDPR requirements for cloud storage and where the legal risks sit.

###### Blog Post | 12/4/2025

[The US CLOUD Act Explained: Why Server Location Alone Is Not Enough](https://www.fast-lta.de//en/blog/us-cloud-act-erkl%C3%A4rt-warum-der-serverstandort-allein-nicht-sch%C3%BCtzt)

This is one of the most common misconceptions in cloud procurement: "My data sits on a server in Frankfurt, so it is out of reach for US authorities." That assumption is wrong. The **US CLOUD Act** makes the server location largely irrelevant when the provider is a US company.

###### Blog Post | 1/7/2026

[NIS2 Explained: Who Is Affected and What Do You Need to Do?](https://www.fast-lta.de//en/blog/nis2-einfach-erkl%C3%A4rt-wer-ist-betroffen-und-was-muss-ich-tun)

NIS2 is here. Directive (EU) 2022/2555 on network and information security applies across the European Union. Member states had to transpose it into national law by 17 October 2024. Many did so on time, some later: Germany, for example, brought its implementation act (NIS2UmsuCG) into force on 6 December 2025, without a general transition period. The result across the EU: tens of thousands of organisations must implement concrete IT security measures. Those that do not risk fines of up to EUR 10 million or 2% of global annual turnover. This article explains who is affected, what the directive requires, and what you need to do now.

### 3. Cloud vs. on-premises: The sovereignty question

#### The cloud promises — and their limits

Cloud storage offers undeniable advantages: scalability, pay-as-you-go models, global availability. But for data sovereignty, specific risks arise:

| Criterion | Public cloud (US hyperscaler) | European cloud | On-premises |
|---|---|---|---|
| **Legal framework** | GDPR + CLOUD Act conflict | GDPR | GDPR |
| **Physical control** | None — provider determines location | Limited | Complete |
| **Vendor lock-in** | High — proprietary APIs and formats | Medium | None |
| **Access during network outage** | Impossible | Impossible | Guaranteed |
| **Data portability** | Complex (egress costs) | Medium | Immediate |
| **Third-country government access** | Yes (CLOUD Act) | No (EU providers) | No |
| **Total cost (5 years, 100 TB)** | Calculable with egress surprises | Medium | Calculable |

#### When cloud makes sense — and when it does not

**Cloud makes sense:**

- For non-critical data without personal information
- As supplementary geographic redundancy (Tier 4)
- For short-term scaling spikes
- When the organization operates no data center infrastructure of its own

**Cloud is problematic:**

- For backup data that must be available offline in a crisis
- For personal data with high protection requirements
- For regulated sectors with strict data location requirements (BAIT, §203 StGB)
- When single-point-of-failure risks must be avoided

#### The hybrid reality

In practice, most organizations run a hybrid approach. The sovereignty question then becomes not “cloud or on-premises?” but: **which data belongs where?**

**Recommendation for a sovereign hybrid architecture:**

- **Tier 1 (primary backup):** On-premises — fast access, full control
- **Tier 2 (air gap):** On-premises — physical isolation, no cloud dependency
- **Tier 3 (long-term archive):** On-premises — audit-proof WORM storage under your own roof
- **Tier 4 (geo-redundancy):** European cloud OR second on-premises location

**The key point:** Your most critical data — backups for crisis recovery — must not depend on a network connection, a cloud provider, or a third-country legal framework.

→ [Silent Brick System: On-premises air-gap backup](/en/products/silent-brick-system/)

### WORM

WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.

[Learn more →](https://www.fast-lta.de//en/glossary/worm)

###### Blog Post | 1/6/2026

[Data Egress Fees: The Hidden Costs of Your Cloud Backup](https://www.fast-lta.de//en/blog/egress-kosten-die-versteckten-kosten-ihres-cloud-backups)

Cloud backup looks cheap on the price list: a few cents per gigabyte per month for archive-tier storage. The surprise comes when you retrieve your data, for a recovery, a migration or a restore test. Outbound transfer (egress) to the internet is typically priced around USD 0.05 to 0.09 per GB at hyperscaler list rates, several times the monthly storage cost of the same gigabyte. At that rate, retrieving 100 TB costs roughly USD 5,000 to 9,000 in transfer fees alone. For backup workloads, where full retrieval is exactly the scenario you are paying for, this changes the economics fundamentally.

#### How sovereign is your data infrastructure?

Our architects assess your current storage and backup architecture for sovereignty risks — at no cost and without obligation.

### 4. Vendor lock-in: The underestimated risk

#### What vendor lock-in means

Vendor lock-in occurs when dependence on a single provider becomes so significant that switching is disproportionately expensive, time-consuming, or technically difficult. For cloud storage and backup, this manifests as:

- **Proprietary data formats:** Backup data in vendor-specific formats that cannot be easily migrated
- **Egress costs:** Cloud providers charge high fees for downloading your own data (typically EUR 0.05 – 0.12/GB)
- **API dependencies:** Applications built on provider-specific APIs
- **Contractual binding:** Long-term contracts with minimum consumption commitments

#### The cost of lock-in

**Example calculation: Migrating 100 TB of backup data from a hyperscaler**

| Cost factor | Amount |
|---|---|
| Egress costs (100 TB × EUR 0.09/GB) | EUR 9,000 |
| Migration effort (staff, 2 weeks) | EUR 15,000−30,000 |
| Parallel operation during migration | EUR 5,000−10,000 |
| Risk: downtime during migration | Incalculable |
| **Total cost of a provider switch** | **EUR 30,000−50,000** |

These costs arise every time you want — or need — to switch providers. And they scale linearly with data volume.

#### The EU Data Act and data portability

The EU Data Act (in force since 12 September 2025) partly addresses this problem:

- Cloud providers must facilitate switching to another provider
- Egress fees for provider switching will be phased out
- Minimum interoperability requirements will be defined

But: full implementation takes time, and proprietary data formats remain a practical obstacle.

#### The sovereign alternative: Open standards, local control

On-premises storage with open interfaces eliminates lock-in risk:

- **Standard protocols:** NFS, SMB, iSCSI, FC, S3-compatible — no proprietary formats
- **No egress costs:** Your data is available locally at any time
- **Vendor independence:** Backup software and storage hardware can be changed independently
- **Calculable costs:** No variable cloud fees, no billing surprises

###### Blog Post | 1/20/2026

[EU Data Act: What Changes for Cloud Users](https://www.fast-lta.de//en/blog/eu-data-act-was-sich-f%C3%BCr-cloud-nutzer-%C3%A4ndert)

The EU Data Act (Regulation (EU) 2023/2854) entered into force on 11 January 2024 and has applied since 12 September 2025. It obliges cloud providers to make customer data portable and to remove the barriers that keep customers locked in. The practical implications are highly relevant for IT decision-makers, but many are still unaware of the regulation.

### 5. Made in Germany: Why origin matters for hardware

#### Why hardware origin is a sovereignty question

Data sovereignty is not only about storage location — it is also about the origin of the technology. Hardware developed and produced in a third country is subject to that country’s legal framework. And that can include backdoors, disclosure obligations, or export restrictions that European users cannot control.

#### The case for European hardware

**Legal framework:** Hardware developed and produced in the EU is subject exclusively to European law. No CLOUD Act, no FISA 702, no extraterritorial disclosure obligation.

**Supply chain security:** The NIS2 Directive requires assessment of supply chain security. A European manufacturer offers a more transparent supply chain than a global corporation manufacturing across dozens of countries.

**Geopolitical independence:** In a world of growing geopolitical tensions — export restrictions, sanctions, trade conflicts — European hardware reduces dependencies that can become strategic risks.

**Privacy by design:** European manufacturers develop products in the context of GDPR and European data protection principles. Data protection is a design principle, not a retroactive add-on.

#### FAST LTA: Made in Germany

FAST LTA GmbH develops and manufactures all storage systems in Munich:

- **Silent Brick System:** Air-gap backup with physical network isolation
- **Silent Cubes:** Hardware WORM for audit-proof long-term archiving
- **Silent AI:** On-premises AI storage

All systems: German development, German manufacturing, European legal framework. No CLOUD Act. No third-country risk.

→ [About FAST LTA](/en/fast/about/) → [Products overview](/en/products/)


### 6. Sector-specific requirements

#### Financial services: BAIT and DORA

**BAIT (German supervisory requirements for IT in banking):** BaFin requires that IT outsourcing by financial institutions (including cloud services) does not result in loss of control. Backup data in a US cloud raises specific questions that must be resolved with the supervisory authority.

**DORA (Digital Operational Resilience Act):** Since 17 January 2025, financial entities must assess and manage dependencies on ICT third-party providers (including cloud providers). DORA requires stress testing and exit strategies for every critical ICT service provider.

**Recommendation:** Critical backup data on-premises with air-gap protection. Cloud only for non-critical data or as supplementary redundancy at European providers.

#### Healthcare: §203 StGB and patient data

In healthcare, patient data is protected under criminal law through §203 StGB (breach of professional secrecy). Disclosure to third parties — including cloud providers — is only permitted under narrow conditions.

**Recommendation:** Patient data backups exclusively on-premises. Hardware WORM for long-term archiving of medical documents (§28 RöV for radiation therapy records: 30 years; 10 years for diagnostic X‑rays).

→ [Industry solution: Healthcare](/en/verticals/healthcare/)

#### Public administration: BSI (German Federal Office for Information Security) requirements

Public authorities at federal and state level are subject to BSI IT-Grundschutz requirements. For classified information (VS-NfD and above), additional physical security requirements apply that preclude cloud storage in many cases.

**Recommendation:** On-premises storage with BSI-compliant backup architecture. Air-gap layer for critical infrastructure (KRITIS) systems.

→ [Industry solution: Public administration](/en/verticals/public-sector/)

#### Industry and critical infrastructure: Production data and OT security

In manufacturing and for critical infrastructure operators, data sovereignty covers not only personal data but also production data, formulations, control configurations, and OT (Operational Technology) systems. This data is business-critical and must neither be lost nor fall into the wrong hands.

**Recommendation:** Strict separation of OT and IT backup. Air-gap protection for production data backups. Sovereign storage without cloud dependency.

→ [Industry solution: Manufacturing](/en/verticals/industry/)

### DORA

DORA (Digital Operational Resilience Act, EU 2022/2554) is an EU regulation that has applied to all regulated financial market participants since January 2025, setting concrete requirements for ICT risk management, backup systems (Art. 11 and 12), third-party provider management (Art. 28–30) and incident reporting.

[Learn more →](https://www.fast-lta.de//en/glossary/dora)

### BSI IT-Grundschutz

The BSI IT-Grundschutz is a framework developed by the German Federal Office for Information Security (BSI) with standardized security requirements for IT systems — for KRITIS operators, NIS2-affected organizations and public authorities, it is the central reference for demonstrable IT security measures.

[Learn more →](https://www.fast-lta.de//en/glossary/bsi-it-grundschutz)

### KRITIS (Critical Infrastructure)

KRITIS refers to organizations and facilities whose failure or impairment would cause significant supply shortages or threats to public safety — KRITIS operators are subject to heightened IT security requirements under §8a of the German BSI Act and must demonstrate compliance to the BSI every two years.

[Learn more →](https://www.fast-lta.de//en/glossary/kritis-critical-infrastructure)

#### A robust backup architecture for your industry

We understand the regulatory requirements of your industry — and can show you exactly what a robust architecture looks like.

[Make an appointment](https://www.fast-lta.de//en/fast/contact/backup "Make an appointment")

### 7. Sovereign data architecture: Reference model

#### The four principles of sovereign data storage

**Principle 1: Legal clarity** All storage systems are subject exclusively to European law. No third-country conflicts, no CLOUD Act risk.

**Principle 2: Physical control** Critical data is stored on your own hardware, physically located in your own data center. No loss of control through third-party providers.

**Principle 3: Open standards** Standard protocols and open interfaces prevent vendor lock-in. Data is portable at any time.

**Principle 4: Self-sufficient recoverability** In a crisis — network outage, cloud outage, provider insolvency — all critical data can be independently recovered, without dependence on external services.

#### Reference architecture: Sovereign backup and archive

```
┌────────────────────────────────────────────────────────┐
│                    YOUR OWN DATA CENTER                │
│                                                        │
│  Tier 1: Primary backup (Silent Brick)                 │
│  ├── Fast recovery (RTO < 1h)                          │
│  ├── Standard protocols: NFS, SMB, iSCSI, S3           │
│  └── Fully under your own control                      │
│                                                        │
│  Tier 2: Air gap layer (Silent Brick Max Air)          │
│  ├── Physical network isolation after backup           │
│  ├── Ransomware-resistant recovery                     │
│  └── Hardware Made in Germany                          │
│                                                        │
│  Tier 3: WORM archive (Silent Cubes)                   │
│  ├── Hardware WORM: physically immutable               │
│  ├── Audit-proof long-term archiving                   │
│  └── 10+ year retention, compliance-compliant          │
│                                                        │
└────────────────────────────────────────────────────────┘
              │ (optional, geo-redundancy only)
              ▼
┌────────────────────────────────────────────────────────┐
│  Tier 4: Geo-redundancy                                │
│  ├── Option A: Second own location                     │
│  └── Option B: European cloud provider (supplementary) │
└────────────────────────────────────────────────────────┘
```

**Result:** An architecture that is fully sovereign — under your own roof, under your own legal framework, with your own recovery capability.

→ [Products overview](/en/products/)

### Air Gap

An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers.

[Learn more →](https://www.fast-lta.de//en/glossary/air-gap)

### WORM

WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.

[Learn more →](https://www.fast-lta.de//en/glossary/worm)

### Ransomware

Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations.

[Learn more →](https://www.fast-lta.de//en/glossary/ransomware)

### 8. Recommendations for action [\#](#8-recommendations-for-action "8. Recommendations for action")

#### Immediate: Quick wins for greater sovereignty [\#](#immediate-quick-wins-for-greater-sovereignty "Immediate: Quick wins for greater sovereignty")

1. **Create a data inventory:** Where does which data sit? Which legal framework governs the storage systems?
2. **Assess CLOUD Act exposure:** Are you using US cloud providers for personal or business-critical data? If so: assess and document the risk.
3. **Calculate egress costs:** What would it cost to download your cloud data? That is the price of your dependency.
4. **Check backup location:** Is your backup data available without a network connection in a crisis?

#### Medium-term: Adjust the architecture [\#](#medium-term-adjust-the-architecture "Medium-term: Adjust the architecture")

1. **Bring critical data on-premises:** Migrate backup and archive data with high protection requirements to your own sovereign hardware.
2. **Introduce an air-gap layer:** Physically isolated backup for ransomware resilience and operational sovereignty.
3. **Implement WORM archiving:** Audit-proof long-term archiving on hardware WORM — without cloud dependency.
4. **Reduce vendor lock-in:** Switch to standard protocols and open interfaces.

#### Long-term: Sovereignty as strategy [\#](#long-term-sovereignty-as-strategy "Long-term: Sovereignty as strategy")

1. **Supply chain assessment under NIS2:** Assess hardware and software vendors on origin, legal framework, and dependencies.
2. **Evaluate European alternatives:** For new projects, prefer European providers: GAIA-X compatible, GDPR-native, without third-country risks.

### GDPR

The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).

[Learn more →](https://www.fast-lta.de//en/glossary/gdpr)

### EU AI Act

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive legislative regulation of AI systems, in force since 1 August 2024, with its obligations applying in stages through 2027. It classifies AI applications by risk level and sets concrete requirements for transparency, control, data protection and human oversight for high-risk systems.

[Learn more →](https://www.fast-lta.de//en/glossary/eu-ai-act)

  

### 9. Frequently asked questions [\#](#9-frequently-asked-questions "9. Frequently asked questions")

  

#### Is it enough if my cloud data is on servers in the EU?

No, not automatically. The US CLOUD Act lets US law enforcement compel providers that are subject to US jurisdiction to produce data in their possession, custody or control, regardless of where that data is physically stored. If your cloud provider is a US company or one of its subsidiaries (Amazon/AWS, Microsoft/Azure, Google/GCP), an EU server region alone does not shield the data from such a demand. What matters is the legal framework the provider is subject to, not the physical location of the server.

### US CLOUD Act

The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) authorizes US authorities to require US companies to hand over data — regardless of where that data is physically stored, including servers located in the EU.

[Learn more →](https://www.fast-lta.de//en/glossary/us-cloud-act)

#### What is the difference between data sovereignty and data protection?

Data protection (in particular GDPR) regulates the protection of personal data — purpose limitation, consent, data subject rights. Data sovereignty goes further: it covers complete control over all data — including non-personal business data, production data, and configurations. Data sovereignty means: you decide where your data sits, who accesses it, and which law governs it.

#### What does the EU Data Act mean for my cloud contracts?

The EU Data Act (Regulation (EU) 2023/2854, applicable since 12 September 2025) improves data portability: cloud providers must support switching to another provider and phase out switching and egress charges, with reduced charges permitted until 12 January 2027 and none allowed thereafter. For existing contracts, it is worth pressing for Data Act-compliant terms at the next renewal.

 

#### Is on-premises storage not more expensive than cloud?

In the short term, often yes: acquisition costs are higher. Over five years, on-premises storage is cost-effective in many scenarios: no monthly per-GB storage fees, no egress costs, and capacity growth is a planned one-off purchase rather than a recurring charge that scales with data volume. Operating costs (power, floor space, maintenance, administration) still apply and belong in any honest comparison. Our TCO comparison shows the differences transparently.

 

#### How does BSI (German Federal Office for Information Security) assess cloud storage for critical data?

BSI recommends a risk-based assessment in its cloud computing guidelines. For data with high protection requirements and for critical infrastructure systems, BSI recommends additional protective measures — including the question of whether cloud storage is even appropriate for that data category.

 

#### What is GAIA-X?

GAIA-X is a European initiative for a sovereign, interoperable data infrastructure. The goal is to create European cloud and data ecosystems that conform to European values and legal frameworks. GAIA-X defines standards for portability, transparency, and sovereignty — but is still in development and is not a finished product.
