Why Data Sovereignty Matters for Cybersecurity in 2026
Prootego Team
In June 2025, a Microsoft executive testified under oath before the French Senate that the company cannot guarantee data sovereignty for European customers. When asked directly whether data on French citizens could be transmitted to the US government without French government consent, Anton Carniaux, Microsoft France’s director of public and legal affairs, answered: no, that guarantee cannot be given.
This was not a leak or an accusation from a competitor. It was a sworn admission from one of the world’s largest technology companies. And it applies to every US-headquartered vendor operating in Europe – including every major cybersecurity platform.
For businesses choosing a cybersecurity vendor, this creates a problem that most have not fully evaluated: the jurisdiction of your security provider determines who can legally access your most sensitive operational data. Not the physical location of the servers. Not the contractual commitments in the service agreement. The corporate jurisdiction.
This article explains the legal conflict at the center of this issue, what it means specifically for cybersecurity data, how to evaluate vendor risk, and what data sovereignty looks like in practice for organizations operating in the European Union.
What Is the CLOUD Act and Why Does It Affect European Businesses?
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) is a US federal law enacted on March 23, 2018. It amends the Stored Communications Act to clarify that US law enforcement can compel US-based companies to produce data in their possession, custody, or control – regardless of whether that data is physically stored inside or outside the United States.
In practical terms, this means that if your cybersecurity vendor is a US company (or a subsidiary of one), the US government can issue a legal order requiring the vendor to hand over data stored on servers in Frankfurt, Milan, Amsterdam, or any other location worldwide. The jurisdiction follows the corporate entity, not the data center.
The CLOUD Act originated from a legal dispute between the US government and Microsoft that began in 2013. The government sought access to customer emails stored on Microsoft servers in Ireland. Microsoft argued that US warrants should not apply to data stored outside the country. The case reached the Supreme Court, but before a ruling was issued, Congress passed the CLOUD Act, which resolved the question legislatively: US companies must comply with valid legal orders for data they control, wherever that data resides.
The law does include procedural safeguards, but they are the ordinary safeguards of US criminal procedure: a warrant for stored content requires a showing of probable cause to a US judge, while subpoenas and court orders for subscriber records and other non-content data carry lower thresholds. All of these operate within the US legal system. European courts, European data protection authorities, and European governments have no role in the process. The European customer whose data is requested may not even be notified: a US court can order the provider to keep the request confidential.
How Does the CLOUD Act Conflict with GDPR?
The conflict between the CLOUD Act and the EU General Data Protection Regulation (GDPR) is direct and unresolved.
Article 48 of the GDPR states that any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a data controller or processor to transfer personal data may only be recognized or enforceable if based on an international agreement, such as a mutual legal assistance treaty, between the requesting third country and the EU or a Member State.
The CLOUD Act is not such an agreement. No bilateral agreement between the US and the EU under the CLOUD Act framework has been concluded as of early 2026. This means that when a US court orders a US cybersecurity vendor to produce European customer data under the CLOUD Act, the vendor faces a legal impossibility: complying with the US order violates GDPR, and complying with GDPR means defying the US order.
In July 2019, the European Data Protection Board and the European Data Protection Supervisor issued a joint assessment concluding that a disclosure under the CLOUD Act conflicts with GDPR unless it can be based on an international agreement such as a mutual legal assistance treaty. The EDPB has reiterated this position in subsequent guidance. Yet the conflict remains unresolved at the legislative level, leaving European businesses – and their US-headquartered vendors – in a legal grey zone with no clear path to compliance with both frameworks simultaneously.
For businesses, this is not an abstract legal debate. It means that every byte of security telemetry processed by a US-jurisdictioned vendor – endpoint logs, user behavior data, authentication events, network connections, threat intelligence – exists in a jurisdictional limbo where two legal systems make contradictory claims over who can access it.
Why Does Data Sovereignty Matter Specifically for Cybersecurity?
Cybersecurity platforms collect some of the most sensitive operational data in any organization. An XDR or MDR platform ingests endpoint telemetry (which processes are running, which files are accessed, which users are logged in), network traffic metadata (which systems communicate with which external addresses), authentication logs (who accessed what, when, from where), behavioral profiles (patterns of normal and abnormal activity for every user and device), and incident response records (what happened during a security event and how it was handled).
This is not generic business data. This is a real-time map of how an organization operates – its people, their behaviors, its vulnerabilities, its defenses, and its response capabilities. In the wrong hands, this telemetry is an intelligence goldmine. It reveals not just what an organization is protecting, but exactly how it is protecting it and where the gaps are.
When this data is managed by a vendor subject to the CLOUD Act, the European customer has no legal mechanism under EU law to prevent its disclosure to US authorities. The vendor may challenge the request – Microsoft and others have stated they would contest requests they consider overly broad – but the final decision rests with US courts, not European ones. The customer is not a party to that proceeding.
For organizations in regulated sectors – banking, healthcare, critical infrastructure, defense supply chains, public administration – this jurisdictional exposure is not merely a compliance concern. It is a strategic vulnerability. The entity responsible for defending your infrastructure may be legally compelled to share your defense posture with a foreign government, and you may never be informed that it happened.
Does Hosting Data in EU Data Centers Solve the Problem?
No. This is the most common and most dangerous misconception about data sovereignty.
Many US vendors market “EU data residency” as a solution to sovereignty concerns. They offer options to store data exclusively in European data centers – Frankfurt, Dublin, Amsterdam, Stockholm. Some have gone further, creating dedicated “sovereign cloud” offerings with European-only staff, local encryption key management, and operational separation from US infrastructure.
These measures address data residency – the physical location of data. They do not address data jurisdiction – the legal authority over who can compel access to that data.
The CLOUD Act is explicit: it applies to data in the “possession, custody, or control” of a US company, regardless of where that data is stored. A US-headquartered cybersecurity vendor operating an EU data center is still a US company. Its European subsidiary is still part of a US corporate structure. And the data it controls – wherever it sits physically – remains reachable by US legal process.
This was precisely the point of Microsoft’s testimony before the French Senate. Despite completing its EU Data Boundary initiative in February 2025, despite investing billions in European data centers, despite creating “sovereign” cloud offerings with European operational staff – when asked under oath whether it could guarantee that European data would not be disclosed to US authorities, the answer was no.
The distinction between residency and jurisdiction is not a technicality. It is the entire issue. Any vendor risk assessment that evaluates only where data is stored, without evaluating which legal system governs who can access it, is fundamentally incomplete.
Which Cybersecurity Vendors Are Subject to the CLOUD Act?
The CLOUD Act applies to any company that is incorporated in the United States, headquartered in the United States, or has significant operations in the United States that bring it within US jurisdiction. This includes companies that appear European or non-American on the surface but are ultimately controlled by US corporate entities.
Vendors with direct US jurisdiction include CrowdStrike (headquartered in Austin, Texas), SentinelOne (headquartered in Mountain View, California), Palo Alto Networks (headquartered in Santa Clara, California), and Malwarebytes (headquartered in Santa Clara, California). These companies are unambiguously subject to the CLOUD Act. Every log, telemetry record, and behavioral profile their agents collect from European endpoints is under US jurisdiction.
Vendors with indirect US jurisdiction require closer examination. Sophos, for example, is widely perceived as a British company. However, Sophos was acquired in 2020 by Thoma Bravo, a US private equity firm headquartered in San Francisco, for approximately $3.9 billion. The acquisition entity is registered as “Sophos, Inc.” in Massachusetts. As a company ultimately controlled by a US entity, Sophos’s exposure to the CLOUD Act is equivalent to that of a directly US-headquartered vendor – a fact that many European customers are unaware of, particularly since the UK’s departure from the EU has added further regulatory uncertainty.
Vendors with partial or limited exposure include Trend Micro, which is headquartered in Tokyo, Japan, and listed on the Tokyo Stock Exchange. Trend Micro is not directly subject to the CLOUD Act as a Japanese company. However, it maintains a significant US subsidiary (headquartered in Irving, Texas), and data processed by that subsidiary could be subject to US jurisdiction. Notably, Trend Micro itself acknowledges on its website that data controlled by a foreign provider may still be accessible under laws like the CLOUD Act.
Vendors with no CLOUD Act exposure include companies that are fully incorporated, owned, and operated within the European Union, with no US parent company, no US subsidiary processing customer data, and no corporate control chain extending to US jurisdiction. For these vendors, customer data is governed exclusively by GDPR and applicable EU Member State law.
What Is the Geopolitical Risk Beyond the CLOUD Act?
The legal risk from the CLOUD Act does not exist in a vacuum. It sits within a broader geopolitical context that makes vendor jurisdiction an increasingly urgent business consideration.
Trade tensions, tariffs, sanctions, and political volatility between the US and Europe have escalated significantly since 2024. These dynamics create a category of risk that goes beyond data access: operational continuity risk. A European business that depends on a US-headquartered vendor for its security infrastructure is exposed to potential service disruptions driven by political decisions entirely outside its control – sanctions, export restrictions, licensing changes, or retaliatory measures in trade disputes.
The European Union has responded to these concerns with concrete policy action. In November 2025, EU Member States adopted a Declaration on European Digital Sovereignty, signaling a clear political direction toward reducing dependency on non-EU technology providers for critical digital infrastructure. The EU Cloud Sovereignty Framework, introduced in October 2025, established specific requirements for sovereign cloud services, including a sovereignty score that measures exposure to foreign legislation and resilience to foreign sanctions.
For cybersecurity specifically, this means that the question “where is my security data” is evolving into a broader strategic question: “who ultimately controls my security infrastructure, and under which legal and political system do they operate?”
How Should Businesses Evaluate Cybersecurity Vendor Sovereignty?
A practical vendor sovereignty assessment should examine five dimensions.
Corporate jurisdiction. Where is the vendor incorporated? Who is the ultimate parent company? Is any entity in the corporate chain subject to US jurisdiction? This is the single most important question and the one most frequently overlooked in procurement processes.
Data processing jurisdiction. Where is telemetry stored, processed, and accessed? Are operational staff who can access customer data located exclusively within the EU? Which sub-processors appear on the vendor’s published list, and are any of them US cloud or SaaS providers? Can the vendor contractually guarantee that no data transits through non-EU jurisdictions?
Legal conflict exposure. Has the vendor publicly addressed how it would handle a CLOUD Act request that conflicts with GDPR? Does it have a documented procedure for challenging such requests? Has it published transparency reports showing the volume and nature of government data requests it has received?
Operational independence. Could the vendor’s service continue uninterrupted in the event of US sanctions, export controls, or trade restrictions? Does the vendor depend on US-based infrastructure, licensing, or supply chains for core service delivery?
Technical architecture. Does the vendor offer on-premises or private deployment options that allow the customer to retain physical control of all data? Are the agent and platform code proprietary to the vendor, or do they depend on US-sourced components?
What Does True Data Sovereignty Look Like in Cybersecurity?
True data sovereignty in cybersecurity means that the entire stack – the technology, the data, the people, and the legal jurisdiction – is governed by the same legal framework as the customer.
For a European business, this means choosing a vendor that is incorporated and headquartered in the EU, with no corporate control chain extending to the US or other non-EU jurisdictions. It means that all security telemetry is stored and processed exclusively within EU-hosted infrastructure. It means that all personnel with access to customer data operate under EU labor and data protection law. And it means that no foreign government can compel the vendor to disclose customer data without going through the proper legal channels established by EU law and international agreements.
This is not an impossible standard. European cybersecurity vendors exist that meet all of these criteria. The choice to use them is not a concession on capability – it is a deliberate architectural decision that eliminates an entire category of legal, operational, and geopolitical risk.
For organizations that cannot immediately switch vendors, intermediate steps include: encrypting all data with customer-managed keys that the vendor cannot access; deploying on-premises or private instances where technically feasible; documenting the jurisdictional risk formally in the organization’s risk register; and including CLOUD Act exposure in vendor due diligence and procurement criteria going forward.
Frequently Asked Questions
Does the CLOUD Act mean US authorities have automatic access to European data?
No. The CLOUD Act does not provide automatic or unfettered access. Requests must be targeted and issued through US legal process: a warrant, which requires probable cause, or a subpoena or court order, which carry lower thresholds. That legal process is governed entirely by US courts. European customers and European authorities have no role in approving, reviewing, or blocking the request. The vendor can challenge the request in US court, but the final decision rests with the US judiciary.
Can a US company guarantee GDPR compliance if it is subject to the CLOUD Act?
Not fully. A US company can implement technical and organizational measures to comply with GDPR in normal operations. But if it receives a valid CLOUD Act order that conflicts with GDPR Article 48, it faces a legal impossibility: complying with one law means violating the other. No contractual guarantee – including Standard Contractual Clauses or Data Processing Agreements – can override this structural conflict between two sovereign legal systems.
Is the UK still covered by GDPR after Brexit?
The UK enacted its own data protection legislation (UK GDPR and Data Protection Act 2018) that mirrors EU GDPR in most respects. However, the UK is no longer an EU Member State, and it has entered into a bilateral CLOUD Act agreement with the United States (signed in 2019, entered into force in 2022). This means that data processed in the UK by UK entities may be subject to both UK and US access requests under this agreement – a factor that EU businesses should consider when evaluating UK-headquartered vendors.
My vendor says they have never received a CLOUD Act request for European data. Does that mean we are safe?
The absence of past requests does not eliminate the legal risk. The CLOUD Act is a standing law – it creates a permanent legal authority that can be exercised at any time. Microsoft’s transparency reports confirm that it has not received such requests for European enterprise data to date, but its own legal team has publicly stated that it cannot guarantee this will remain the case. The risk is structural, not historical.
What sectors are most affected by cybersecurity data sovereignty concerns?
Any sector that handles sensitive personal data, classified information, critical infrastructure, or intellectual property should treat vendor jurisdiction as a primary evaluation criterion. Financial services, healthcare, public administration, defense supply chain, energy, and manufacturing with proprietary processes are the most directly affected. However, supply chain dynamics mean that even smaller businesses in less regulated sectors may face sovereignty requirements from their larger clients as a condition of doing business.
Can I use a US cybersecurity vendor if I encrypt my data with my own keys?
Customer-managed encryption mitigates some risk but does not eliminate jurisdictional exposure entirely. Encrypted data at rest is protected from access without the key. However, XDR and MDR platforms process data in real time – behavioral analysis, threat correlation, rule matching – which requires data to be decrypted during processing. The vendor may also have access to metadata, logs, and telemetry that reveal sensitive operational information even without decrypting content. Encryption is a valuable technical safeguard but it is not a substitute for jurisdictional sovereignty.
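The following is an added example, not code from the original article or from Prootego, illustrating the two limits just described: a detection rule needs the plaintext, so the vendor must hold the key to run it, and the unencrypted envelope fields still support traffic analysis without any key. The hosts, users, process names and IP addresses are constructed sample data, and the HMAC-SHA256 counter-mode stream cipher is a toy stand-in for AES-GCM with no integrity protection, used only so the script runs on the standard library.

```python
import hashlib
import hmac
import json
import os
from collections import Counter, defaultdict

# Constructed sample telemetry (hypothetical hosts, users and process names;
# IPs from documentation ranges). Not real data.
SAMPLE_EVENTS = [
    {"ts": "2026-01-12T08:02:11Z", "host": "fin-ws-07", "dst_ip": "203.0.113.45",
     "body": {"user": "m.rossi", "process": "excel.exe",
              "cmdline": "excel.exe Q4_forecast.xlsx"}},
    {"ts": "2026-01-12T08:15:40Z", "host": "fin-ws-07", "dst_ip": "198.51.100.8",
     "body": {"user": "m.rossi", "process": "powershell.exe",
              "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"}},
    {"ts": "2026-01-12T09:30:05Z", "host": "dc-01", "dst_ip": "203.0.113.45",
     "body": {"user": "svc_backup", "process": "robocopy.exe",
              "cmdline": "robocopy.exe D:/shares //nas/backup"}},
    {"ts": "2026-01-12T23:48:59Z", "host": "dc-01", "dst_ip": "198.51.100.8",
     "body": {"user": "administrator", "process": "cmd.exe",
              "cmdline": "cmd.exe /c whoami"}},
]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Toy stream cipher standing in for AES-GCM:
    it illustrates who can read what, it is not for production use (no
    authentication, so a wrong key yields garbage rather than an error)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_event(key: bytes, event: dict) -> dict:
    """Customer side: encrypt the body with the customer-managed key and leave
    the envelope fields (timestamp, host, destination) in clear so the vendor
    can still route, index and store the record."""
    nonce = os.urandom(12)
    plaintext = json.dumps(event["body"], sort_keys=True).encode()
    return {
        "ts": event["ts"], "host": event["host"], "dst_ip": event["dst_ip"],
        "nonce": nonce.hex(),
        "ciphertext": _xor(plaintext, _keystream(key, nonce, len(plaintext))).hex(),
    }


def decrypt_body(key: bytes, record: dict) -> dict:
    nonce = bytes.fromhex(record["nonce"])
    ct = bytes.fromhex(record["ciphertext"])
    return json.loads(_xor(ct, _keystream(key, nonce, len(ct))))


def infer_from_metadata(records: list) -> dict:
    """Vendor side with NO key: traffic analysis over the envelope alone still
    yields a map of which hosts talk to which external addresses, which
    destinations are shared across hosts, and which hosts are active at night."""
    contacts = defaultdict(set)
    for r in records:
        contacts[r["host"]].add(r["dst_ip"])
    dst_count = Counter(ip for ips in contacts.values() for ip in ips)
    return {
        "external_contacts": {h: sorted(ips) for h, ips in sorted(contacts.items())},
        "shared_destinations": sorted(ip for ip, n in dst_count.items() if n > 1),
        # business hours assumed 07:00-19:00 for this example
        "off_hours_hosts": sorted({r["host"] for r in records
                                   if not 7 <= int(r["ts"][11:13]) < 19}),
    }


def run_detection_rule(records: list, key) -> list:
    """Rule 'encoded PowerShell command line' matches on body content, so the
    vendor can only run it if it holds the decryption key."""
    if key is None:
        raise ValueError("rule needs decrypted bodies; the vendor must hold the key")
    hits = []
    for r in records:
        body = decrypt_body(key, r)
        cmd = body["cmdline"].lower()
        if "powershell" in cmd and "-enc" in cmd:
            hits.append((r["host"], body["user"]))
    return hits


if __name__ == "__main__":
    key = os.urandom(32)  # customer-managed key, never shared with the vendor
    records = [encrypt_event(key, e) for e in SAMPLE_EVENTS]
    print("metadata-only view:", json.dumps(infer_from_metadata(records), indent=2))
    print("rule with key:", run_detection_rule(records, key))
```

Running it shows the asymmetry: with no key the vendor still reconstructs the host-to-destination graph and off-hours activity from the envelope, and the only way to evaluate the command-line rule is to give the vendor the key, which is exactly the point at which jurisdictional exposure returns.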
Prootego is a cybersecurity platform built entirely in Italy – with Italian ownership, European-hosted infrastructure, and zero corporate ties to US jurisdiction. No security telemetry processed by Prootego is subject to the CLOUD Act. Book a demo to see how sovereign cybersecurity works in practice.