A server in Germany doesn't protect you if an American company operates it.

In 2023, US prosecutors accessed emails stored in Microsoft's Dublin data center. The data was on European soil. The operator was American. That distinction is what your regulator is now testing.

€1.2B

Meta's 2023 GDPR fine for transferring EU user data to the US

60%

of non-US banks and insurers will move to sovereign cloud by 2028

68%

of enterprises cite governance gaps as the main cause of compliance failures

4 of 7

top barriers to public cloud adoption are sovereignty-related

The regulatory clock

Most of this is not incoming. It's here.

2018

GDPR meets US CLOUD Act

One protects European data. The other can override it.

Jan 2025

DORA takes effect

ICT dependency registers, audit trails, full regulator access — mandatory for financial institutions.

Sep 2025

NIS2 enforcement

Energy, transport, healthcare, digital infrastructure — same obligations as banks.

Jan 2026

EU Data Act

Sovereignty extends to industrial and operational data, not just personal data.

2027–2028

EU AI Act high-risk obligations

Full Data Act scope. Three budget cycles away.

Penalties already running: up to 2% of global annual turnover under DORA · €10M or 2% of revenue under NIS2.

THE SOVEREIGNTY GAP

Your provider's EU region covers one of these five.

Hosting data in an EU region satisfies one requirement: where the server is. It does not determine which laws govern that data, or who can demand access to it. Most organisations have the first layer covered. The other four are where the gaps are.

01 · Usually covered

Data residency

Where data physically sits.

02 · Gap zone

Data localization

Enforceable policies preventing data from crossing specific borders.

03 · Gap zone

Data sovereignty

Which country's laws govern the data, regardless of where it is hosted.

04 · Gap zone

Operational sovereignty

Exclusively EU-based personnel for critical systems. No US escalation paths.

05 · Gap zone

Technological sovereignty

You hold the encryption keys, not your provider.

SECTOR EXPERTISE

Built for regulated industries.

Banking & FSI

  • DORA ICT third-party register — built, classified, ready for your regulator
  • Sovereign architecture satisfying DORA operational requirements and GDPR Art. 46
  • EU-based engineering teams with no US legal escalation paths
  • Audit trail your regulator can examine on short notice

Pharma & Healthcare

  • GxP-compliant infrastructure with full ALCOA+ traceability
  • Patient and clinical data on EU-only infrastructure
  • Private AI environments with EU-only processing
  • Encryption key custody stays with your organisation

Industrial & Manufacturing

  • NIS2 and KRITIS-aligned architecture for OT/IT environments
  • Sovereignty mapping across operational and supply chain systems
  • Sovereign cloud migration for critical process control
  • Incident notification audit trail built to NIS2 spec

Public Sector

  • BSI-compliant infrastructure, exclusively EU-based operations
  • Documented governance chain ready for regulatory examination
  • Encryption key custody external to your cloud provider
  • Air-gap architecture for workloads that cannot leave your perimeter

OUR APPROACH

How we work.

AWS Premier Tier Services Partner · AWS Digital Sovereignty Competency · AWS European Sovereign Cloud Launch Partner

01

Scan and map

We start with your current stack: cloud, AI tools, third-party ICT dependencies, data flows. We map which sovereignty layers have gaps and which carry regulatory risk now versus what's coming.

You get

A sovereignty gap map and a prioritised list of what to fix, in what order.

02

Design and build

N-iX architects design the sovereign architecture for your environment — the right cloud model, encryption controls, governance framework, ICT dependency register. Then we build it.

You get

Implemented sovereign architecture, compliant with the regulations that apply to you.

03

Document and verify

Every element is documented to the standard your regulator expects — audit trail, access controls, key custody chain, ICT register. We test it before your regulator sees it.

You get

Documentation your team can defend under examination.

SOVEREIGN MODELS

Three ways to go sovereign.

01

Local provider

EU-native infrastructure, operated by EU-based personnel. No foreign jurisdiction exposure.

Examples
OVHcloud · IONOS · Open Telekom Cloud · Hetzner
Trade-off: Smaller service catalogue. AI/ML tooling less mature than hyperscalers.
Best for: Government, critical infrastructure, public healthcare

02

Hyperscaler partnership

AWS, Azure, or Google operate dedicated EU sovereign regions, separated from global infrastructure and staffed by EU-based employees.

Examples
AWS European Sovereign Cloud · Microsoft EU Data Boundary · Google Cloud + T-Systems / Thales
Trade-off: Does not fully eliminate US CLOUD Act exposure.
Best for: FSI, pharma, large enterprise needing advanced AI/ML

03

Hybrid sovereign

Regulated workloads on sovereign infrastructure. Less sensitive applications on standard public cloud. Audited interfaces connect the two.

Examples
Mixed: sovereign + public · Classified data flows · Audited interconnects
Trade-off: Requires data classification before you build.
Best for: Large enterprises with diverse workloads and multiple regulatory regimes

Which model fits your regulatory exposure? We work through that in your free 30-minute assessment.

Reply to get started

WHY N-IX

Engineering sovereignty for regulated enterprises across Europe.

24+
years on market
2,400+
engineering professionals
400+
cloud specialists
150+
cloud projects delivered
80+
enterprise clients
25+
FSI clients
"Companies under strict data localisation rules need to control their data and infrastructure without giving up cloud scale. N-iX designs and runs sovereign setups that help our clients move with speed and certainty."
Matthias Thiemann
VP Customer Success, N-iX

Compliance standards supported in production

DORA
NIS2
GDPR / DSGVO
PCI DSS
ISO 27001
SOC 2
AML / KYC
PSD2 / PSD3
Basel III / IFRS 9
FATCA
GxP
Digital Sovereignty Readiness Assessment

30 minutes. One N-iX cloud and sovereignty expert.

A structured call assessing your setup against DORA, NIS2, GDPR and the EU AI Act. Afterwards you receive a short written summary: where your gaps are, how serious they are, what to address first.

No preparation required.