Updated juni 26, 2026
Summary: Regulated European organisations must align data classification labelling with GDPR, NIS-2 and ISO/IEC 27001:2022, implement enforcement at the metadata layer inside sovereign infrastructure, and produce immutable audit logs that stand up to supervisory inspection.

Data classification labelling on sovereign infrastructure is the practice of assigning structured sensitivity markings to information assets at the point of creation or ingestion, then enforcing those markings through technical controls that run entirely within jurisdictions where foreign government access orders cannot reach. For regulated European organisations, this is not a best-practice recommendation; it is a compliance obligation that sits at the intersection of GDPR, NIS-2, DORA, and sector-specific frameworks such as NATO information security policy.

Classification Frameworks That Govern Sovereign Hosting Decisions

The framework an organisation operates under determines directly which data tiers require sovereign infrastructure and which can tolerate lower-assurance hosting.

EU institutions and bodies working with classified information operate under Council Decision 2013/488/EU, which establishes the EU Restricted marking as the entry-level classification for sensitive non-public information. Data marked EU Restricted may not be processed on infrastructure subject to foreign jurisdiction law. This immediately disqualifies US-headquartered hyperscalers, even when they operate data centres in Frankfurt or Amsterdam, because the US CLOUD Act (18 U.S.C. § 2713) compels those providers to disclose data to US authorities regardless of where the data physically resides.

NATO member states mirror this logic through the NATO CONFIDENTIAL tier and below, and national classification schemes in Germany (Verschlusssachen), France (Diffusion Restreinte), the Netherlands (Departementaal Vertrouwelijk) and elsewhere each define handling rules that translate into infrastructure location requirements. In practice, any data classified above “unclassified public” in these national schemes must reside on sovereign or approved infrastructure.

For organisations outside the state-secret space, GDPR Article 9 creates a de facto classification obligation for special-category personal data: health records, biometric data, genetic data, political opinions, trade union membership and related categories. These categories carry higher risk and therefore demand technical controls that go beyond what is proportionate for ordinary personal data. The consequence is a two-tier hosting architecture: special-category data on the most restricted sovereign infrastructure, ordinary personal data on sovereign or GDPR-adequate infrastructure, and non-personal data potentially on any suitable platform.

Let op: A US-based cloud provider that signs a GDPR Data Processing Agreement does not remove US jurisdiction exposure. The CLOUD Act and FISA 702 operate independently of contractual arrangements. Only infrastructure that is structurally outside US legal reach eliminates this exposure, for example Swiss-hosted infrastructure under the revised Swiss Federal Act on Data Protection (revFADP), which has no equivalent foreign-access instrument.

Technical Labelling and Tagging in a Nextcloud-Based Sovereign Workspace

Implementing classification in a Nextcloud deployment means mapping policy tiers to machine-readable tags that drive access controls, retention and audit logging automatically.

Metadata-level classification in Nextcloud

Nextcloud’s native tagging system, extended through the Files Access Control app and the Retention app, allows administrators to define tags such as “CONFIDENTIAL”, “RESTRICTED” or “SPECIAL-CATEGORY-PERSONAL” and attach conditional rules: a file tagged RESTRICTED cannot be shared with external users, cannot be downloaded to unmanaged devices, and triggers an alert if a user attempts to move it to an unclassified folder. These rules are enforced server-side, meaning they apply regardless of which client the user connects from. Classification metadata is stored in Nextcloud’s database alongside file metadata and travels with the file on internal moves and copies.

Automated enforcement and retention

Retention rules tied to classification tags ensure that, for example, files tagged with a legal-hold label are blocked from deletion, while files tagged as transient working documents are purged after a configurable period. This automation directly supports GDPR Article 5(1)(e) storage limitation and produces a documented, reproducible process that can be shown to a supervisory authority.

Connecting Classification Registers to GDPR Article 30, NIS-2 and ISO 27001

Three overlapping documentation requirements converge on the same underlying data inventory, and managing them as separate silos creates both administrative burden and audit risk.

GDPR Article 30 requires a record of processing activities (RoPA) listing processing purposes, data categories, recipients, transfers and retention periods. A data classification register adds the sensitivity tier and infrastructure location constraint for each category. Maintaining the RoPA and the classification register as linked documents, rather than independent spreadsheets, means that when a new processing activity is added to the RoPA, the classification tier is assigned at the same time and immediately governs which infrastructure may host it.

NIS-2 Article 21 requires essential and important entities to adopt risk management measures covering asset management, access control, incident handling and supply chain security. The asset inventory implied by Article 21 and made explicit in the implementing technical guidance from ENISA overlaps substantially with both the RoPA and the classification register: all three documents are trying to answer the question “what data do we hold, where, and how sensitive is it?”

ISO/IEC 27001:2022 Annex A.5.12 (information classification) formalises this by requiring organisations to classify information according to legal requirements, value, criticality and sensitivity, then label it accordingly. Annex A.5.12 does not prescribe a specific tier structure, but it requires the structure to be documented, applied consistently and reviewed periodically. An organisation that aligns its internal classification scheme with the EU Restricted and national equivalents, maps it to GDPR Article 9 categories, links it to the Article 30 RoPA, and references it in its NIS-2 Article 21 risk register, has a single authoritative source of truth that satisfies all three frameworks simultaneously.

Let op: Over 60 percent of all recorded GDPR enforcement actions through 2023 cited insufficient technical or organisational measures under Article 32, according to the GDPR Enforcement Tracker maintained by CMS Law. A classification register without automated technical enforcement is treated by supervisory authorities as a paper control, not a genuine safeguard.

DLP Without US Cloud Routing

Data loss prevention in a sovereign stack must itself be sovereign: routing file content through a US-based DLP cloud service for inspection defeats the purpose of keeping data in European jurisdiction.

OpenDLP is an open-source DLP tool that scans file systems, databases and Windows shares for sensitive content patterns (regular expressions for social security numbers, IBAN codes, health identifiers and similar) without any external connectivity. It runs entirely on-premises or within a private cloud environment under the organisation’s control. OpenDLP is particularly useful for discovery scans during migration, identifying files that need to be reclassified before moving from a legacy platform to a Nextcloud-based sovereign workspace.

European commercial alternatives include solutions from vendors such as Varonis (which has EU-hosted deployment options) and several national-market products certified under country-specific government security frameworks. When evaluating any DLP tool, the key test is simple: does the product require any data to leave the organisation’s sovereign perimeter for analysis, model training or telemetry? If yes, it is incompatible with sovereign infrastructure requirements for classified or special-category data.

DLP Approach Data leaves sovereign perimeter? Suitable for EU Restricted / Article 9 data? Notes
OpenDLP (on-premises) No Yes Discovery and at-rest scanning; no real-time traffic inspection
US-based cloud DLP (e.g., Microsoft Purview in M365 tenant) Yes, to US-controlled infrastructure No CLOUD Act exposure; incompatible with sovereign requirements
European commercial DLP, on-premises deployment No, if self-hosted Yes, subject to vendor audit Verify no telemetry or model-update callbacks to non-EU endpoints

Segregating and Protecting GDPR Article 9 Special-Category Data

Special-category data under GDPR Article 9 requires not just a higher classification tier, but a distinct set of technical controls that can be demonstrated to a supervisory authority on inspection.

The minimum credible control set consists of four elements. First, physical or logical segregation: Article 9 data should reside in dedicated storage volumes or Nextcloud instances that are not accessible to users without explicit role-based authorisation. Second, encryption at rest with sovereign key management: the encryption keys must be held by the organisation itself, not by a cloud provider, and the key management system must be hosted on sovereign infrastructure. Hardware Security Modules (HSMs) certified to FIPS 140-2 Level 3 or CC EAL4+ provide the strongest assurance. Third, access logging that is granular and tamper-evident: every read, write, share and export of Article 9 data must be logged with a timestamp, user identity and action. Fourth, formal access review: who has access to Article 9 data must be reviewed and reconfirmed on a documented schedule, typically quarterly for health and biometric data.

The IBM Cost of a Data Breach Report 2024 found that the average total cost of a data breach reached USD 4.88 million, the highest figure in the report’s history, with breaches involving data across multiple environments costing even more. For Article 9 data, the reputational and regulatory cost on top of this operational figure can be existential for healthcare and financial institutions.

Producing Audit Evidence That Satisfies Supervisory Authorities

The European Data Protection Board has stated that supervisory authorities expect organisations to demonstrate, not merely assert, that their technical and organisational measures are proportionate to the risk. Demonstration requires evidence, and evidence requires logging infrastructure that cannot be manipulated by the same administrators who operate the systems being audited.

Immutable logging in a sovereign context means append-only log storage on a system that is logically separated from the production environment, with cryptographic integrity verification (hash chaining or a Merkle-tree structure) so that any retrospective modification is detectable. Log entries must capture at minimum: who accessed which data, at what time, from which device, and what action was taken. For Article 9 data and EU Restricted data, these logs must be retained for a period that allows investigation of incidents that may not be discovered immediately, typically a minimum of 12 months online and 36 months in archive.

When a data protection authority requests evidence of classification controls, the organisation should be able to produce: the current classification register linked to the Article 30 RoPA; evidence that the classification tags in Nextcloud match the register; access control rule exports showing that RESTRICTED-tagged files have the expected sharing restrictions; a sample of access logs for Article 9 data over the inspection period; and the key management policy with evidence of key rotation. This package, drawn from a sovereign stack with immutable logging, constitutes a defensible audit response. The same package drawn from a US-controlled cloud is legally problematic because the organisation cannot guarantee that the logs themselves have not been subject to a sealed foreign legal process.

FAQ

Does EU Restricted classification automatically mean data must be stored on sovereign infrastructure?

Yes, in practice. EU Restricted is the baseline marking under Council Decision 2013/488/EU for EU institutional information, and equivalent national schemes impose equivalent requirements. Data carrying this marking may not be processed on infrastructure subject to foreign jurisdiction, which rules out US-headquartered hyperscalers regardless of their European data centre locations.

Can Nextcloud enforce classification-based access controls without a separate DLP product?

Nextcloud can enforce tag-based access controls, share restrictions and retention rules natively through its Files Access Control and Retention apps. For content inspection and policy enforcement at the file-content level, a complementary tool such as OpenDLP or a European commercial DLP solution integrated via Nextcloud’s REST API is recommended.

How does GDPR Article 30 relate to a data classification register?

Article 30 requires a record of processing activities describing categories of data, purposes, recipients and retention periods. A data classification register extends this by adding sensitivity tiers, handling rules and infrastructure location constraints. The two documents should be maintained in sync: every processing activity in the Article 30 record should have a corresponding classification level that determines where and how it may be hosted.

What makes audit logs immutable for supervisory authority purposes?

Immutability means logs cannot be altered or deleted by the same administrators who operate the system being audited. This is typically achieved through append-only log storage on a separate system, cryptographic chaining such as a Merkle-tree structure, or write-once media. Supervisory authorities expect organisations to demonstrate, upon inspection, that logs have not been tampered with after the fact.

Is OpenDLP sufficient as a standalone DLP solution for regulated sectors?

OpenDLP is a capable open-source tool for discovering and scanning sensitive data at rest across file systems, databases and network shares. For regulated sectors it is typically used as one layer within a broader DLP strategy, combined with classification labelling, access controls and monitoring. It does not provide real-time traffic inspection, so organisations handling high-volume data flows may need to complement it with a European commercial solution.

Frequently asked questions

Does EU Restricted classification automatically mean data must be stored on sovereign infrastructure?
Yes, in practice. EU Restricted is the baseline marking under Council Decision 2013/488/EU for EU institutional information, and equivalent national schemes impose equivalent requirements. Data carrying this marking may not be processed on infrastructure subject to foreign jurisdiction, which rules out US-headquartered hyperscalers regardless of their European data centre locations.
Can Nextcloud enforce classification-based access controls without a separate DLP product?
Nextcloud can enforce tag-based access controls, share restrictions and retention rules natively through its Files Access Control and Retention apps. However, for content inspection and policy enforcement at the file-content level, a complementary tool such as OpenDLP or a European commercial DLP solution integrated via Nextcloud's REST API is recommended.
How does GDPR Article 30 relate to a data classification register?
Article 30 requires a record of processing activities describing categories of data, purposes, recipients and retention periods. A data classification register extends this by adding sensitivity tiers, handling rules and infrastructure location constraints. The two documents should be maintained in sync: every processing activity in the Article 30 record should have a corresponding classification level that determines where and how it may be hosted.
What makes audit logs 'immutable' for supervisory authority purposes?
Immutability means logs cannot be altered or deleted by the same administrators who operate the system being audited. This is typically achieved through append-only log storage on a separate system, cryptographic chaining (such as a Merkle-tree structure), or write-once media. Supervisory authorities expect organisations to demonstrate, upon inspection, that logs have not been tampered with after the fact.
Is OpenDLP sufficient as a standalone DLP solution for regulated sectors?
OpenDLP is a capable open-source tool for discovering and scanning sensitive data at rest across file systems, databases and network shares. For regulated sectors it is typically used as one layer within a broader DLP strategy, combined with classification labelling, access controls and monitoring. It does not provide real-time traffic inspection, so organisations handling high-volume data flows may need to complement it with a European commercial solution.