EU Cloud Sovereignty Assessment

Answer the following 10 questions to assess your organization's EU cloud sovereignty posture. Each question is grounded in EU and US regulations.

1. Where is your organization's data primarily stored and processed?

Based on: GDPR (Regulation (EU) 2016/679), Data Governance Act (Regulation (EU) 2022/868)

2. What is the legal jurisdiction of your primary cloud service provider?

Based on: CLOUD Act (Clarifying Lawful Overseas Use of Data Act), FISA (Foreign Intelligence Surveillance Act), Declaration for European Digital Sovereignty (2025)

3. Who controls the encryption keys for your data at rest and in transit?

Based on: NIS2 Directive (Directive (EU) 2022/2555), EU Cybersecurity Act (Regulation (EU) 2019/881)

4. How mature is your EU regulatory compliance program?

Based on: GDPR (Regulation (EU) 2016/679), NIS2 Directive (Directive (EU) 2022/2555), DORA (Regulation (EU) 2022/2554)

5. What safeguards govern your cross-border data transfers?

Based on: GDPR (Regulation (EU) 2016/679) — Chapter V, Data Act (Regulation (EU) 2023/2854)

6. How prepared is your organization for the EU AI Act requirements?

Based on: Artificial Intelligence Act (Regulation (EU) 2024/1689)

7. Does your organization support or plan to support EU Digital Identity Wallets (eIDAS 2.0)?

Based on: eIDAS 2.0 (Regulation (EU) 2024/1183)

8. Can your organization report significant cyber incidents within the required timelines?

Based on: NIS2 Directive (Directive (EU) 2022/2555), DORA (Regulation (EU) 2022/2554)

9. How easily can your organization switch cloud providers or retrieve all its data?

Based on: Data Act (Regulation (EU) 2023/2854), Digital Markets Act (Regulation (EU) 2022/1925)

10. How does your organization manage and audit its cloud subprocessors?

Based on: GDPR (Regulation (EU) 2016/679) — Art. 28, NIS2 Directive (Directive (EU) 2022/2555) — Art. 21(2)(d), DORA (Regulation (EU) 2022/2554) — Art. 28-30