EU Data Sovereignty: Why Your Vendor Choice Is Now a Compliance Decision

European data residency is no longer enough. A new wave of EU sovereignty laws means the question is no longer where your data lives, but who controls the company that holds it.

Author
Andy Mura
Date
5.6.2026
Updated on
5.6.2026
For the better part of a decade, European companies told themselves a comforting story. As long as the data sat in a Frankfurt or Paris data center, the compliance box was ticked. Pick the European region in your AWS or Azure console, sign the data processing agreement, and move on.

That story is now breaking down. A wave of EU law and policy moving through Brussels, Paris, and Berlin in 2025 and 2026 is making one thing clear: where your data is stored matters far less than who controls the company storing it. European data residency, on its own, is no longer enough.

This shift has direct consequences for every software vendor you work with, and it raises the stakes considerably for one category in particular: the compliance platform that holds the evidence of how you meet your legal obligations. This article walks through the proposals reshaping the landscape, why France is pushing hardest, what Germany and other member states are doing, and what all of it means for how you choose vendors.

The problem European data residency was never built to solve

The legal pressure point is the US CLOUD Act, passed in 2018. It allows US law enforcement to compel any American-headquartered provider to hand over data the provider controls, regardless of where in the world that data physically sits. A server in Frankfurt operated by a US company is still within reach.

For years this was treated as a theoretical risk. In June 2025 it stopped being theoretical. Testifying under oath before the French Senate, Microsoft's legal representatives confirmed they could not guarantee that data stored in the EU would be shielded from US authorities. The admission landed hard because it confirmed what European regulators had suspected: data residency and data sovereignty are not the same thing. Residency is about geography. Sovereignty is about jurisdiction and control. A European address does not place a US-owned provider outside US legal reach.

That distinction is the engine behind almost every proposal below.

The EU Tech Sovereignty Package and the Cloud Sovereignty Framework

At the European level, the response has been twofold: build a measurement standard, then attach it to the rules that govern public money and sensitive data.

The European Commission's Cloud Sovereignty Framework, explained in detail in mid-2025 and applied in 2026, moves sovereignty away from vague principle and toward something a procurement officer can score. It assesses cloud services across eight objectives, covering strategic, legal, operational, and technological sovereignty, along with supply chain transparency and security. For the first time, a buyer can rank providers on how genuinely independent they are from non-EU control.

The framework is not academic. In April 2026 the Commission awarded a sovereign cloud tender worth up to 180 million euros over six years, and every one of the four winning bids came from European providers selected specifically for their alignment with the sovereignty criteria. The message to the market was unmistakable: alignment with European control is now a purchasing advantage.

Sitting above this is the Tech Sovereignty Package, which includes the Cloud and AI Development Act (CADA) and a second Chips Act. Reporting through 2026 indicates the Commission is weighing restrictions that would stop member-state governments from using US cloud providers to process sensitive public-sector data in areas such as healthcare, finance, and the judicial system. In November 2025, member states adopted a Declaration for European Digital Sovereignty, signaling political will behind the technical groundwork.

For private companies, the public sector is the leading indicator. Sovereignty requirements that begin in government procurement have a long history of flowing downstream into regulated industries and then into supplier expectations across the wider economy.

France: the most urgent push

No country is moving faster than France. Its SecNumCloud certification, run by the national cybersecurity agency ANSSI, is the strictest sovereignty standard in Europe and the clearest preview of where the continent may be heading.

SecNumCloud does not simply ask where data lives. It imposes roughly 1,200 technical and organizational requirements and, critically, sets ownership conditions: a certified provider cannot be controlled by non-EU interests beyond defined caps, and key personnel and operations must sit within the EU. The logic is direct. If a provider can be legally compelled by a foreign government, no amount of encryption or data localization fully closes the gap. France has been campaigning to fold SecNumCloud-style sovereignty requirements into the EU-wide cybersecurity certification scheme.

France's urgency is partly cultural and partly strategic, but the underlying argument is one every compliance leader should sit with: the only durable protection against foreign jurisdiction is choosing a provider that foreign jurisdiction cannot reach.

Germany: measurement, migration, and a hard look at dependence

Germany has taken a more engineering-minded route to the same destination. In April 2026 the Federal Office for Information Security (BSI) published its C3A criteria, short for Criteria enabling Cloud Computing Autonomy, which make cloud sovereignty objectively verifiable across six dimensions: strategic, legal, data, operational, supply chain, and technological sovereignty.

Alongside the measurement work, German public bodies have begun acting. The Bundestag has explored what observers call "Operation Sovereignty" to reduce reliance on US software. The state of Schleswig-Holstein migrated tens of thousands of accounts off Microsoft email and productivity tools to open-source alternatives, and the German armed forces signed a multi-year deal for a sovereign desktop environment.

The most telling data point is about the gap between intent and reality. Surveys indicate that around 82 percent of German companies want to end their technical dependence on US cloud providers, yet roughly 78 percent remain dependent in practice. That gap is precisely the risk surface that the new rules are designed to close, and it is where forward-looking companies are starting to move.

A continent that does not fully agree, yet

It would be misleading to present this as a settled European consensus. When France pushed to embed strict sovereignty and ownership requirements into the EU-wide certification scheme, a group of member states including Denmark, Estonia, Greece, Ireland, the Netherlands, Poland, and Sweden circulated objections, arguing that hard ownership criteria could fragment the single market and cut Europe off from the best available technology.

This disagreement matters for planning. It tells you the destination is becoming clear while the timeline and the exact thresholds remain in motion. The companies that fare best will not wait for the final text. They will reduce their exposure early, so that whichever version of the rules arrives, they are already on the right side of it.

Why this hits compliance platforms harder than almost anything else

Everything above applies to every vendor in your stack. Your email, your CRM, your analytics, your storage: all of it now carries a sovereignty question. But there is one category where the exposure is sharper, and it is worth being explicit about why.

A compliance management platform does not hold ordinary operational data. It holds the record of how you meet your legal obligations. It contains your audit evidence, your risk assessments, your data processing inventories, your incident documentation, your control mappings against frameworks like ISO 27001, NIS2, GDPR, and DORA. It often holds the personal data of your employees and the sensitive details of your security posture, including where your weaknesses are.

Consider the contradiction in placing that information with a provider subject to foreign compulsory disclosure. You would be storing the proof of your European compliance inside a system that a non-European authority could compel to open. The tool meant to demonstrate your control over data would itself be a sovereignty liability. For a compliance platform, sovereignty is not one feature among many. It is the foundation the entire value proposition rests on.

This is the practical takeaway from the legal shift: for most vendors, sovereignty is becoming important. For your compliance platform, it should be non-negotiable.

Residency versus sovereignty at a glance

Dimension | European data residency only | European data sovereignty
--- | --- | ---
What it guarantees | Data is stored in an EU data center | Data and its controlling entity sit beyond non-EU jurisdiction
Exposure to the US CLOUD Act | Remains exposed if the provider is US-owned | Removed when the provider is genuinely European
Who controls the data | Can be a non-EU parent company | An EU-based and EU-controlled entity
Alignment with SecNumCloud and BSI C3A | Partial at best | Designed for it
Standing under emerging EU procurement rules | Increasingly disadvantaged | Increasingly preferred
Right fit for a compliance platform | Insufficient | The expected baseline

What European companies should do now

You do not need to overhaul your entire technology stack overnight, and you should not pretend the rules are final when they are still being negotiated. A measured response looks like this.

Start by mapping where your most sensitive data lives and who ultimately controls each provider holding it. Separate the question of data location from the question of corporate ownership and legal jurisdiction, because they are not the same. Pay special attention to the systems that hold regulated, personal, or security-sensitive information, and treat your compliance platform as a priority case rather than an afterthought. Where you find US-controlled providers holding your most sensitive records, begin evaluating European alternatives before a regulation forces a rushed migration on an unforgiving deadline.

Where Kertos fits

This is the environment Kertos was built for. Kertos is the number one European compliance platform, created in Europe and hosted in Europe, and developed specifically for the frameworks that European companies actually answer to: GDPR, NIS2, ISO 27001, TISAX, DORA, and the EU AI Act. There is no foreign parent company sitting behind the data and no quiet exposure to non-European disclosure law. The sovereignty question that now hangs over so many vendors is one Kertos answers by design.

That European foundation is reinforced by who built the platform. Kertos was founded and is led by Dr. Kilian Schmidt, a German lawyer. That background is not a footnote. Compliance is, at its core, a legal discipline, and a platform shaped by genuine legal expertise reflects how regulations are actually interpreted and enforced rather than how a generic checklist imagines them. When the person setting the product direction understands the law from the inside, the result is guidance you can stand behind in front of an auditor or a regulator.

Behind the platform sits a team of certified experts holding accreditations from leading German and European authorities, so the support you receive is grounded in recognized professional standards rather than improvised best guesses. In a moment when European companies are being asked to prove not just that they comply but that the tools they rely on are themselves trustworthy and sovereign, that combination of European hosting, legal leadership, and certified expertise is exactly what the new landscape rewards.

If you want to see how a genuinely European compliance platform handles the obligations described in this article, you can book a demo with the Kertos team.

Frequently asked questions

Is European data residency still useful?
Yes, but it is no longer sufficient on its own. Storing data in the EU is a necessary baseline. What the new wave of rules adds is the question of control: whether the provider holding your data can be compelled by a non-EU government. Residency answers where; sovereignty answers who. You now need both.

What exactly is the problem with the US CLOUD Act?
The CLOUD Act lets US authorities compel American-headquartered providers to disclose data they control, no matter where that data is physically stored. So a US-owned provider operating an EU data center can still, in principle, be ordered to hand over European data. In June 2025, Microsoft confirmed under oath to the French Senate that it could not rule this out.

Does this mean I have to stop using all US software immediately?
Not really. The rules are still being negotiated and member states do not fully agree on the thresholds. The sensible approach is to map your exposure, prioritize your most sensitive systems, and move deliberately, starting with the data that would be most damaging to lose control of.

Why are compliance platforms singled out as higher risk?
Because a compliance platform holds the evidence of how you meet your legal obligations, including audit records, risk assessments, data inventories, and details of your security posture. Placing that in a system exposed to foreign disclosure law undermines the very control the platform is meant to demonstrate.

How does Kertos address the sovereignty question?
Kertos is a European platform, created and hosted in Europe, with no non-European parent company and no exposure to foreign compulsory disclosure by design. It is built for European frameworks, led by a German lawyer, and supported by experts certified by leading German and European authorities.

Dr. Kilian Schmidt

CEO & Co-Founder, Kertos GmbH

Dr. Kilian Schmidt developed a strong interest in legal processes early on. After studying law, he began his career as Senior Legal Counsel and Data Protection Officer at the Home24 Group. After working at Freshfields Bruckhaus Deringer, he moved to TIER Mobility, where, as General Counsel, he was significantly involved in expanding the legal and public policy department - and grew the company from one to 65 cities and from 50 to 800 employees. Motivated by limited technological advances in the legal sector and inspired by his consulting work at Gorillas Technologies, he co-founded Kertos to develop the next generation of European data protection technology.

About Kertos

Kertos is the modern backbone of the data protection and compliance activities of scaling companies. We enable our customers to implement integrated data protection and information security processes in accordance with GDPR, ISO 27001, TISAX®, SOC2 and many other standards quickly and cheaply through automation.
