# EU Data Sovereignty
Not just GDPR compliance. A fundamental engineering principle. All data processing, storage, and transit within EU jurisdiction. No exceptions.
## What This Is
EU data sovereignty means that every byte of data GE handles — client data, user data, analytics, logs, backups, DNS resolution, email delivery, payment processing — is processed, stored, and transmitted exclusively within the legal jurisdiction of the European Union.
This is more than checking a "EU region" box on a cloud provider. It is a structural decision about which companies, under which laws, have access to the data.
## Why This Exists
### The US CLOUD Act
The Clarifying Lawful Overseas Use of Data Act (2018) gives US law enforcement the authority to compel US-headquartered companies to hand over data stored anywhere in the world. This means:
- Data stored in "AWS Frankfurt" is subject to US legal demands because Amazon is a US company
- Data stored in "Azure Germany" is subject to US legal demands because Microsoft is a US company
- Data stored in "Google Cloud Netherlands" is subject to US legal demands because Google is a US company
The location of the server does not matter. The jurisdiction of the company does.
A US company storing data in the EU is subject to both EU law (which restricts data transfer outside the EU) and US law (which compels data transfer to the US). These two obligations directly conflict. The company is forced to choose which law to break.
### The EU response
The EU has been tightening its position:
- Schrems II (2020): Invalidated the EU-US Privacy Shield, ruling that US surveillance laws provide inadequate protection for EU citizens' data
- Declaration for European Digital Sovereignty (November 2025): Non-binding commitment by EU Member States to strengthen digital sovereignty
- EU Cloud and AI Development Act (CADA, expected 2026): Expected to define sovereign cloud requirements and restrict non-EU cloud providers for sensitive workloads
- EU e-evidence package (August 2026): New cross-border evidence framework applying across all EU Member States
The direction is clear: EU data sovereignty is becoming a legal requirement, not just a best practice.
### GE's competitive position
GE is EU-founded, EU-operated, and EU-hosted. Every service provider in the stack is EU-headquartered. This is not a compliance checkbox — it is a genuine competitive advantage.
Most competitors use US cloud providers with "EU region" settings. When a client asks "Is my data safe from foreign government access?" most competitors cannot give an honest "yes." GE can.
For SME business owners — GE's target market — this matters. They handle customer data, financial records, and business-critical information. They need to trust that their SaaS provider is not one subpoena away from handing their data to a foreign government.
## The Principle
Every technology decision at GE is evaluated against this question:
If a non-EU government issued a legal demand to the company providing this service, could they access our data or our clients' data?
If the answer is "yes" or "maybe," the service is not acceptable for production use. A European alternative must be found.
## What Sovereignty Covers
### Data at rest
Where data is physically stored. All databases, file storage, backups, and archives must be in EU data centers operated by EU-headquartered companies.
### Data in transit
How data moves between systems. All network traffic must stay within EU-operated infrastructure. DNS resolution, email routing, CDN delivery, and API calls must not transit through US-operated networks.
### Data in processing
Where data is processed. All compute — application servers, background workers, LLM inference (where possible) — must run on EU-operated infrastructure.
### Metadata
Often overlooked. Analytics data, access logs, error reports, and performance metrics also contain sensitive information. These must also stay within EU jurisdiction.
## EU vs. "EU Region"
This distinction is critical and frequently misunderstood:
| | EU Region (not sovereign) | EU Sovereign |
|---|---|---|
| Server location | EU | EU |
| Company HQ | US | EU |
| Legal jurisdiction | US + EU | EU only |
| CLOUD Act exposure | Yes | No |
| Data access by foreign gov | Possible | Not without EU legal process |
| Example | AWS eu-west-1 | UpCloud Helsinki |
"EU region" means the server is in the EU. "EU sovereign" means the company is in the EU.
Only EU-headquartered companies operating EU-located infrastructure provide genuine data sovereignty.
## Implementation
### For every new service or integration
- Check headquarters location — is the company EU-headquartered?
- Check data processing location — does all processing happen in EU?
- Check sub-processors — do they use US sub-processors?
- Check the contract — does it guarantee EU-only processing?
- Document the decision — record why this service was chosen
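The five checks above expressed as a policy-as-code gate. This is an added example, not GE's own tooling: the `Vendor` record, the EU-27 list and the sample vendors are assumptions constructed for illustration. It applies the page's rule that jurisdiction follows the company's headquarters rather than the server location, and walks sub-processors transitively so a sovereign vendor cannot pass while handing data to a non-EU sub-processor.

```python
from dataclasses import dataclass, field

EU_MEMBER_STATES = {  # EU-27, ISO 3166-1 alpha-2
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
}

@dataclass
class Vendor:
    """Constructed vendor record; fields mirror the checklist items above."""
    name: str
    hq_country: str                    # country of the ultimate parent company
    processing_countries: set[str]     # every country where data is stored or processed
    contract_guarantees_eu_only: bool  # does the contract/DPA pin processing to the EU?
    sub_processors: list["Vendor"] = field(default_factory=list)

def assess(vendor: Vendor, path: str = "") -> list[str]:
    """Return findings; an empty list means the vendor passes every check.
    Jurisdiction follows the company, not the server: a non-EU HQ is a
    finding even when every data centre is in the EU (the CLOUD Act case).
    Sub-processors are walked transitively, since a sovereign vendor that
    hands data to a non-EU sub-processor breaks the chain.
    """
    here = f"{path}{vendor.name}"
    findings = []
    if vendor.hq_country not in EU_MEMBER_STATES:
        findings.append(f"{here}: headquartered outside the EU ({vendor.hq_country})")
    outside = vendor.processing_countries - EU_MEMBER_STATES
    if outside:
        findings.append(f"{here}: processes data outside the EU ({', '.join(sorted(outside))})")
    if not vendor.contract_guarantees_eu_only:
        findings.append(f"{here}: contract does not guarantee EU-only processing")
    for sub in vendor.sub_processors:
        findings.extend(assess(sub, path=f"{here} -> "))
    return findings

def is_acceptable(vendor: Vendor) -> bool:
    """The page's rule: any 'yes' or 'maybe' on foreign access rejects the service."""
    return not assess(vendor)

# Constructed sample vendors for illustration, not assessments of real providers.
US_CLOUD_EU_REGION = Vendor("us-cloud (eu region)", "US", {"DE"}, True)
EU_EMAIL = Vendor("eu-email", "FI", {"FI"}, True,
                  sub_processors=[Vendor("us-spam-filter", "US", {"IE"}, True)])
EU_HOST = Vendor("eu-host", "FI", {"FI", "NL"}, True)

if __name__ == "__main__":
    for v in (US_CLOUD_EU_REGION, EU_EMAIL, EU_HOST):
        print(f"{v.name}: {'OK' if is_acceptable(v) else 'REJECT'} {assess(v)}")
```

The first sample fails despite an EU data centre, which is exactly the "EU region" versus "EU sovereign" distinction; the second fails only through its sub-processor.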
### For existing services
All current services have been evaluated. See Service Selection for the EU-first provider map.
## Ownership
| Role | Agent | Responsibility |
|---|---|---|
| Compliance Officer | Julian | Sovereignty policy, vendor assessment, audit |
| Infrastructure Provisioner | Arjan | Infrastructure sovereignty, provider selection |
| Network Engineer | Stef | Network sovereignty, DNS, routing |
| Edge Specialist | Karel | CDN sovereignty, EU-only routing |
| Backup Guardian | Otto | Backup storage sovereignty |
## Further Reading
- Service Selection — EU-first provider map
- Data Flow — Data flow mapping and cross-border analysis
- Sovereignty Pitfalls — Hidden US dependencies
- Compliance Overview — ISO 27001, SOC 2 Type II