Data Residency vs Data Sovereignty: What EU SaaS Buyers Get Wrong
Published Jan 13, 2026
Updated Apr 27, 2026
By Anna Bley

Data residency is server location. Data sovereignty is legal control. Why the distinction matters in 2026 — under GDPR, the CLOUD Act, the EU Data Act, NIS2, and Schrems II.

Tags: Data Residency, Data Sovereignty, GDPR, CLOUD Act, EU Data Act

When you are evaluating a SaaS vendor, "EU-hosted" sounds reassuring. The data stays in Europe. GDPR-friendly. Box checked.

It is not that simple. Most vendors are selling you data residency when what you actually need is data sovereignty. The distinction is not academic. Under the CLOUD Act, GDPR Article 48, the EU Data Act (Chapter VII), and the post-Schrems II regulatory environment, treating residency and sovereignty as the same thing is a procurement-grade mistake.

Key Takeaways

  • Data residency = where the bits sit. Data sovereignty = whose law controls access to them.
  • A US-incorporated provider is subject to the US CLOUD Act, even when data is physically stored in Frankfurt or Dublin.
  • GDPR Article 48 prohibits handing over personal data to non-EU authorities except via international agreement — putting EU customers of US providers in ongoing structural conflict.
  • The EU Data Act, Chapter VII, has applied since 12 September 2025 and requires cloud and data-processing providers operating in the EU to challenge unlawful non-EU government access requests.
  • For NIS2 essential entities, DORA financial entities, and the UK and Norwegian regulated sectors, this distinction is now a vendor-selection criterion.

What is the difference?

Data residency is the geographic location of stored data. It is a question of facts: which data center, which region, which country.

Data sovereignty is the legal authority that governs the data. It is a question of jurisdiction: whose courts can issue orders, whose laws apply, whose government can compel disclosure.

You can have residency without sovereignty. A US-incorporated company operating EU data centers provides residency. As a US legal entity, it remains subject to US law — including the CLOUD Act.

You cannot have sovereignty without residency. But residency on its own is not enough.[1]

The CLOUD Act problem

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act, 2018) authorizes US law enforcement to compel US-incorporated providers to produce data in their "possession, custody, or control" — regardless of where that data is physically stored.[2] In practice this means a US warrant can reach a data center in Dublin, with or without a gag order attached.

This creates a direct conflict with the General Data Protection Regulation:

  • GDPR Article 48 states that any transfer of personal data to a third-country authority on the basis of a foreign court or administrative order shall only be recognized or enforceable if based on an international agreement (such as a Mutual Legal Assistance Treaty). The CLOUD Act is not such an agreement.[3]
  • Schrems II (Case C-311/18, July 2020) invalidated the EU-US Privacy Shield precisely because US surveillance laws gave US authorities access to EU personal data in a way incompatible with GDPR.[4] The CJEU established that geographic location cannot substitute for jurisdictional control.

The European Data Protection Board has flagged the resulting structural risk repeatedly. A vendor caught between US and EU law systems is not a vendor that can offer your customers a clean answer.

"Sovereign cloud" is not always sovereign

US vendors have caught on to the demand. Many now market "sovereign cloud" or "EU data residency" tiers. Bolting EU servers onto a US-headquartered company does not change the jurisdiction question — the CLOUD Act still applies.

The 2023 EU-US Data Privacy Framework was supposed to help, but two prior frameworks (Safe Harbor, Privacy Shield) have already collapsed. Building a long-term sovereignty strategy on a third-time-lucky transfer mechanism is fragile by design.[5]

The EU Data Act tightens the screws

The most consequential 2025 development was the EU Data Act (Regulation (EU) 2023/2854).[6] Chapter VII, applicable since 12 September 2025, requires cloud and data-processing providers in the EU to:

  • Implement technical, legal, and organisational measures to prevent unlawful non-EU government access to non-personal data held in the EU.
  • Challenge non-EU access requests that conflict with EU law.
  • Document the measures and make them available to customers and regulators.

This is the EU's strongest direct counter to the CLOUD Act so far. For a US-incorporated provider operating in the EU, complying with both CLOUD Act subpoenas and EU Data Act Chapter VII is structurally difficult — the vendor is now legally required to challenge the US order rather than quietly comply.

Your vendor might be EU-based — their infrastructure might not

This is the part that catches buyers out. Plenty of EU-incorporated SaaS vendors run on AWS, Azure, or Google Cloud. Others rely on US-based subprocessors for analytics, support, or integrations.

If your data touches a US-controlled entity anywhere in the chain — primary infrastructure, support tooling, error logging, AI inference — the same CLOUD Act question applies to that link. The subprocessor list tells you more about a vendor's sovereignty posture than the marketing site does. Article 28 of the GDPR makes that subprocessor list a contractual obligation, not a courtesy.[7]

For trust center platforms specifically, this matters more than for most SaaS categories. See Trust Center Data Sovereignty: EU Hosting vs EU Sovereignty.

Is EU hosting standard or "enterprise only"?

Worth checking. Many US vendors treat data residency as a premium feature. If you have to "talk to sales" to find out where your data lives, that tells you something about how foundational the EU is to the platform's design. EU sovereignty as an enterprise-tier upcharge is not EU sovereignty — it is EU residency-on-request.

What about the UK and Norway?

European compliance is wider than the EU.

  • United Kingdom. UK GDPR was retained post-Brexit and largely mirrors GDPR Articles 44–50. The Data Protection Act 2018 reinforces transfer obligations, and the Information Commissioner's Office (ICO) publishes its own guidance on international transfers. The Cyber Security and Resilience Bill, introduced to Parliament on 12 November 2025 and progressing in 2026, would extend NIS-style obligations to managed service providers and critical suppliers, raising the bar on supply-chain sovereignty even further.[8][9]
  • Norway / EEA. Norway implements GDPR via the EEA Agreement, with Datatilsynet as the data protection authority. Nasjonal sikkerhetsmyndighet (NSM) governs cybersecurity. Norwegian public sector procurement and regulated industries increasingly scrutinize US-provider exposure after Schrems II, with Datatilsynet's Google Analytics guidance as a concrete example.[10]

If a vendor cannot answer the UK and Norwegian sovereignty questions distinctly from the EU question, that is a pan-European blind spot.

What to actually ask a vendor

If sovereignty matters for your use case, raise these:

  • Where is the vendor incorporated? Not the marketing "based in" — the actual legal entity.
  • Who are the subprocessors and where are they incorporated? Public list, ideally.
  • Is EU hosting the default, or do you pay extra?
  • Who holds the encryption keys? If the customer controls them, the provider cannot hand over readable data even if compelled.
  • Has the vendor published a transparency report? Documented government data requests, refusals, and outcomes.
  • What is the vendor's stated process under EU Data Act Chapter VII? Will they challenge a CLOUD Act order on EU customer data?
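The key-custody question in the list above is the one that can be demonstrated in code. The following is an added example, not code from the article or from any vendor: a constructed customer-held-key model in Go, in which the customer generates and keeps an AES-256-GCM key, uploads only ciphertext, and the provider's "disclosure" under a compelled request is therefore a blob that no key on the provider's side can open. The type names, record IDs and sample data are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed customer-held-key model (not any vendor's implementation).
// The customer generates and retains the AES-256 key (in practice an HSM,
// a customer-run KMS, or a client-side encryption library); the provider
// stores only AES-GCM ciphertext, so a disclosure order served on the
// provider yields a blob that no key on the provider's side can open.
type CustomerKey struct{ Key []byte }

func NewCustomerKey() (*CustomerKey, error) {
	k := make([]byte, 32) // AES-256
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &CustomerKey{Key: k}, nil
}

// StoredRecord is everything the provider holds for one record.
type StoredRecord struct {
	Nonce      []byte
	Ciphertext []byte // AES-GCM output with the 16-byte tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the customer side before upload. The record ID is bound as
// associated data, so a blob cannot be silently re-labelled as another record.
func (c *CustomerKey) Seal(recordID string, plaintext []byte) (StoredRecord, error) {
	aead, err := newGCM(c.Key)
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredRecord{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return StoredRecord{Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt attempts to open a stored record with whatever key the caller
// holds. GCM authentication fails for any key other than the customer's,
// and for a blob presented under the wrong record ID.
func Decrypt(key []byte, recordID string, rec StoredRecord) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(recordID))
}

// CanRecover reports whether a party holding the disclosed blob and the
// candidate key can read the record.
func CanRecover(rec StoredRecord, recordID string, candidateKey []byte) bool {
	_, err := Decrypt(candidateKey, recordID, rec)
	return err == nil
}

// Provider models the SaaS side: it stores records but never holds a key.
type Provider struct{ store map[string]StoredRecord }

func NewProvider() *Provider { return &Provider{store: map[string]StoredRecord{}} }
func (p *Provider) Put(recordID string, rec StoredRecord) { p.store[recordID] = rec }

// Disclose is all the provider can produce under a compelled request.
func (p *Provider) Disclose(recordID string) (StoredRecord, error) {
	rec, ok := p.store[recordID]
	if !ok {
		return StoredRecord{}, errors.New("no such record")
	}
	return rec, nil
}

func main() {
	key, _ := NewCustomerKey()
	prov := NewProvider()
	rec, _ := key.Seal("invoice-42", []byte("constructed sample: customer PII"))
	prov.Put("invoice-42", rec)
	disclosed, _ := prov.Disclose("invoice-42")
	// The provider holds no key; a zero key stands in for whatever it might try.
	fmt.Println("provider can read:", CanRecover(disclosed, "invoice-42", make([]byte, 32)))
	pt, _ := Decrypt(key.Key, "invoice-42", disclosed)
	fmt.Println("customer reads:", string(pt))
}
```

The design point is where the key lives, not the cipher. If the provider operates the key management service and its own service accounts can call decrypt, the control collapses back to residency: a compelled provider can produce plaintext. Customer-managed keys only answer the sovereignty question when the provider cannot invoke the key without the customer's participation.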

Not everything needs this level of scrutiny

For a marketing site or a public landing page, the risk is low. Pick the easiest tool, move on.

For sensitive customer data, regulated industries (financial services under DORA, essential entities under NIS2, public-sector bodies, healthcare), or vendor-of-record positions in someone else's compliance program — the questions matter more. Residency is a checkbox. Sovereignty takes more work.

If you are publishing security and compliance evidence at scale, the platform you choose for your trust center carries this exposure on behalf of your customers. That is one of the reasons EU-built trust center platforms — see our Ultimate Guide to Trust Center Software and Why European Companies Need a European Trust Center — are now a serious procurement choice rather than a nationalist preference.


Footnotes

  1. IBM. "Data Sovereignty vs. Data Residency".

  2. US CLOUD Act (H.R. 4943). Congress.gov.

  3. Regulation (EU) 2016/679 (GDPR), Article 48. EUR-Lex.

  4. Court of Justice of the European Union. Judgment in Case C-311/18 (Schrems II), 16 July 2020. CURIA.

  5. Orrick. "Data Localization and the Sovereign Cloud: EU Cloud Regulations Explained" (January 2026).

  6. Regulation (EU) 2023/2854 (Data Act). EUR-Lex. Chapter VII, applicable from 12 September 2025.

  7. GDPR Article 28. EUR-Lex.

  8. UK Information Commissioner's Office. "International data transfers".

  9. UK Department for Science, Innovation and Technology. "Cyber Security and Resilience Bill".

  10. Datatilsynet. "Google Analytics kan være ulovlig" (2022).
