Updated juli 6, 2026
Summary: A self-hosted UEBA deployment using open-source tools removes foreign-jurisdiction exposure for behavioural telemetry and satisfies NIS-2 Article 21 monitoring obligations, provided the DPIA, retention policy and works council governance are properly structured.

Sovereign UEBA insider threat detection on-premises refers to the practice of collecting, processing and analysing user and entity behaviour data exclusively within infrastructure under the direct legal and operational control of the organisation, without routing that telemetry to any foreign-jurisdiction SaaS platform. For regulated European organisations, this distinction is not architectural preference: it is a legal requirement shaped by the CLOUD Act, GDPR Chapter V, and the monitoring obligations now codified in NIS-2 Implementing Regulation 2024/2690.

Key figure: The Ponemon Institute’s Cost of Insider Risks Global Report 2023 found that the average cost of insider threat incidents reached USD 16.2 million per organisation per year, making insider risk one of the most financially damaging threat categories a regulated organisation faces.

Why US-Controlled SaaS UEBA Creates CLOUD Act Exposure

Routing behavioural telemetry to a SaaS SIEM operated by a US-headquartered vendor transfers legal control over that data to a jurisdiction where the Clarifying Lawful Overseas Use of Data (CLOUD Act) of 2018 applies, regardless of whether the data is physically stored in an EU data centre.

Authentication events, file-access logs and email metadata are personal data under GDPR Article 4(1). When these data streams flow into a US-controlled platform, three legal problems arise simultaneously. First, the CLOUD Act compels US-incorporated cloud operators to produce data held anywhere in the world in response to a US government order, without requiring notification to the EU controller or the affected data subjects. Second, FISA Section 702 authorises collection of communications data involving non-US persons from electronic communications service providers operating in the US, again without the knowledge of the EU organisation. Third, Standard Contractual Clauses (SCCs) do not neutralise compelled-disclosure risk: the European Data Protection Board has stated explicitly that SCCs cannot override national security law in the destination country.

The critical nuance is that individually non-sensitive log lines still constitute personal data in aggregate. A sequence of authentication timestamps, geolocation data from VPN connections and file-access patterns creates a behavioural profile that is highly sensitive as a corpus, even if each individual event appears innocuous. Transferring this corpus to a US SaaS SIEM without an Article 46 transfer mechanism and a completed Transfer Impact Assessment is a Chapter V violation.

“The transfer of employee data to a third country without an adequate legal basis, including transfers embedded in SaaS telemetry pipelines, constitutes a violation of Chapter V of the GDPR.” (Andrea Jelinek, former Chair, European Data Protection Board)

Building a Self-Hosted UEBA Stack Without Foreign-Jurisdiction Dependency

A sovereign UEBA stack can be assembled entirely from open-source components that run on infrastructure the organisation controls, whether on-premises, in a Swiss-hosted private cloud, or on a sovereign EU-jurisdiction colocation facility.

Core components and their roles

Component Role in sovereign UEBA Foreign-jurisdiction dependency
Wazuh (agent + manager) Endpoint telemetry collection, file integrity monitoring, active response, built-in UEBA module None when self-hosted; open-source Apache 2.0
OpenSearch Security Analytics Detection rule management (Sigma format), alert correlation, dashboards None when self-hosted; open-source Apache 2.0
Elastic SIEM (self-hosted) Advanced correlation rules, ML-based anomaly detection on behavioural baselines None when Elastic Stack is deployed on-premises without Elastic Cloud
Nextcloud audit log (files_log app) File access, share creation, deletion events from sovereign file share None; logs forwarded via syslog to on-premises SIEM

Wazuh agents deploy on Linux, Windows and macOS endpoints and forward normalised events to the Wazuh manager over an encrypted channel. The manager applies detection rules and forwards alerts to an OpenSearch index. The OpenSearch Security Analytics plugin then applies Sigma-format detection rules, which can be version-controlled in a Git repository and presented to a national competent authority as audit evidence. This architecture produces no outbound data transfers to any external service.

Baseline detection rules for NIS-2 Article 21 compliance

NIS-2 Article 21(2)(b) requires measures for incident handling, and Article 21(2)(e) requires security in network and information systems, including monitoring. NIS-2 Implementing Regulation 2024/2690, published in October 2024, operationalises these obligations by requiring logging of privileged access events and anomaly detection for critical systems. A defensible baseline for a Wazuh or Elastic SIEM deployment should include rules covering: privileged account creation or modification outside change-management windows; repeated authentication failures followed by success; bulk file operations on sensitive directories; new outbound connections from servers that normally accept only inbound connections; and service account logins at hours inconsistent with the account’s baseline.

“Organisations must implement appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems, including monitoring, logging and anomaly detection.” (European Union Agency for Cybersecurity, ENISA, NIS-2 implementation guidance, 2023)

GDPR Article 88 and Works Council Constraints Across EU Jurisdictions

GDPR Article 88 permits member states to introduce more specific rules for employee data processing, and every major EU jurisdiction has done so, creating a patchwork of constraints that applies directly to any UEBA deployment regardless of where the stack runs.

Jurisdiction Key legal instrument Works council / representative body requirement Prohibited uses of UEBA data
Germany BetrVG Section 87(1)(6); BDSG Section 26 Mandatory Betriebsvereinbarung before deployment Performance assessment, disciplinary action without separate lawful basis
France Labour Code Article L.2312-38; CNIL guidance on employee monitoring Prior information and consultation of Comité Social et Économique (CSE) Covert monitoring; monitoring outside defined security purpose
Netherlands Works Councils Act (WOR) Article 27(1)(l) Prior consent of ondernemingsraad for any monitoring system Individual performance surveillance without separate legal basis
Switzerland Revised FADP (nDSG); CO Article 328b No statutory works council right, but internal policy documentation required Processing beyond what is necessary for the employment relationship

A practical consequence: in Germany, deploying Wazuh agents before a signed Betriebsvereinbarung is in place means that any behavioural evidence collected cannot be used in disciplinary or legal proceedings. The works council agreement must specify the categories of events logged, who can access UEBA dashboards, what decisions can and cannot be made on the basis of UEBA alerts, and the retention period.

Important: The SANS Institute’s Insider Threat Survey 2024 found that 57% of organisations experienced an insider threat incident in the preceding 12 months, yet fewer than a third had a formally documented and legally reviewed monitoring policy in place.

Structuring the DPIA for a Sovereign UEBA Deployment

A DPIA under GDPR Article 35 is mandatory for systematic monitoring of employees, which a UEBA deployment unambiguously constitutes. The DPO must lead the DPIA and document four core elements.

The necessity assessment must demonstrate that the specific categories of events collected are required for the stated security purpose and that less intrusive alternatives were considered and rejected. Logging all keystrokes, for example, would fail necessity; logging authentication events and file-access patterns would pass it for a security operations purpose.

The proportionality assessment must justify the scope of monitoring against the actual threat model. A legal services firm with access to client-privileged documents faces a materially different risk profile than a logistics company, and the DPIA should reflect that specificity rather than relying on generic templates.

The retention policy must set a defined period for each log category, with automated deletion enforced at the storage layer. A defensible default, aligned with guidance from the German BSI and consistent with NIS-2 inspection expectations, is 12 months online retention and 24 months cold archive, after which deletion is guaranteed and logged. Access to UEBA data must be restricted by role-based access control to named individuals within the security operations function, with access logs themselves retained and reviewable.

The purpose limitation control is the most operationally significant constraint. UEBA data collected for security monitoring cannot be repurposed for HR performance management, productivity measurement or any purpose outside the defined security scope. This must be enforced technically (access controls and query auditing on the OpenSearch cluster) and documented in the DPIA as a specific control.

Insider Threat Indicators in Nextcloud and SFTP Audit Logs

A sovereign Nextcloud deployment with the files_log audit application enabled produces structured event records for every file access, share creation, deletion and permission change. When forwarded to a Wazuh or Elastic SIEM via syslog, these records become the foundation for pre-resignation exfiltration detection.

The four highest-signal correlation patterns are: bulk downloads exceeding a configurable threshold (for example, 500 files within 60 minutes) from an account whose HR system record carries a resignation date; external share link creation on folders outside the user’s normal working pattern, particularly outside business hours; repeated authentication failures followed by a successful login from an IP address not associated with the user’s registered locations; and a Nextcloud admin role grant followed within 24 hours by a large outbound file transfer. These four rules, implemented as Sigma detections in OpenSearch Security Analytics, cover the majority of pre-departure data theft scenarios documented in incident response practice.

For SFTP environments, equivalent rules monitor connection counts per user per hour, transfer volume anomalies and connections from non-whitelisted source IPs. Correlation across both Nextcloud and SFTP logs in a single SIEM allows the detection of a user who moves files from the sovereign file share to a local SFTP staging directory before exfiltrating via a personal cloud service, a multi-hop pattern that single-source monitoring cannot detect.

NIS-2 Implementing Regulation 2024/2690: What Inspectors Actually Expect

NIS-2 Implementing Regulation 2024/2690 specifies that essential and important entities must maintain logs of privileged access to network and information systems, with sufficient detail to reconstruct security events after the fact. During a supervisory inspection by a national competent authority, the evidence format typically expected includes: a log inventory document listing all log sources, their formats and their retention periods; sample log exports in a structured format (JSON or CEF) demonstrating that the required fields (timestamp, user identity, source IP, action, resource affected) are present; evidence that detection rules are active and have produced alerts; and documentation of the alert triage process, including who reviews alerts and within what timeframe.

For Kubernetes environments hosting sovereign workloads, this means enabling Kubernetes audit logging at the API server level, forwarding those logs to the SIEM, and having rules that detect privileged namespace access, container escape attempts and unusual service account token usage. The log evidence must be tamper-evident: storing logs in an append-only OpenSearch index with role-based write controls is a standard technical control that satisfies this requirement without requiring a separate immutable log appliance.

Total GDPR fines issued across the EEA exceeded EUR 4.2 billion by the end of 2023, according to the GDPR Enforcement Tracker maintained by CMS Law, reflecting that supervisory authorities treat documentation gaps and unlawful data transfers as material violations rather than administrative technicalities. A sovereign, well-documented UEBA deployment is simultaneously a security control and a compliance asset.

FAQ

Does sending UEBA telemetry to a US SaaS SIEM automatically create a GDPR violation?

Not automatically, but it creates significant exposure. Authentication events, file-access logs and email metadata are personal data under GDPR. Routing them to a US-controlled platform triggers Chapter V transfer rules, and the US CLOUD Act means that platform can be compelled to disclose data to US authorities without notifying the data subject or the EU controller. Standard Contractual Clauses do not neutralise a compelled-disclosure risk, as the EDPB has clarified.

What is the minimum viable sovereign UEBA stack for a mid-sized public sector organisation?

A practical baseline consists of Wazuh agents on all endpoints and servers feeding a self-hosted Wazuh manager, with log data indexed in an on-premises OpenSearch cluster. The OpenSearch Security Analytics plugin provides detection rule management using Sigma-format rules. This stack can be deployed on bare metal or a private Kubernetes cluster and requires no outbound data transfer to any foreign-jurisdiction infrastructure.

How long should UEBA event logs be retained under NIS-2 and GDPR?

NIS-2 Implementing Regulation 2024/2690 does not specify an exact retention period but requires that logs be sufficient to support incident investigation and supervisory inspection. A defensible approach, confirmed by several national competent authorities including the German BSI, is 12 months online and 24 months archived, with access restricted to the security operations function and guaranteed destruction at end of retention. The DPIA must document and justify the chosen period.

Can a works council block a sovereign UEBA deployment in Germany?

Under the German Betriebsverfassungsgesetz (BetrVG) Section 87(1)(6), the works council has mandatory co-determination rights over any technical device capable of monitoring employee behaviour or performance. This applies to UEBA regardless of where the stack runs. The works council cannot block deployment outright but must agree to a Betriebsvereinbarung defining scope, access controls, retention and prohibited uses. Starting deployment without this agreement exposes the organisation to injunctions and the evidence collected may be inadmissible in disciplinary proceedings.

Which insider threat indicators should be prioritised in a Nextcloud audit log correlation rule?

The highest-signal indicators for a sovereign file share environment are: bulk downloads exceeding a defined threshold (for example, more than 500 files within one hour) by a user whose HR status is recorded as notice period; share link creation for externally accessible links on folders outside normal working patterns; repeated failed authentication followed by success from an IP not matching the user’s registered location; and privilege escalation events in the Nextcloud admin log combined with a subsequent large file transfer. These four patterns account for the majority of pre-resignation exfiltration scenarios documented in incident response casework.

Frequently asked questions

Does sending UEBA telemetry to a US SaaS SIEM automatically create a GDPR violation?
Not automatically, but it creates significant exposure. Authentication events, file-access logs and email metadata are personal data under GDPR. Routing them to a US-controlled platform triggers Chapter V transfer rules, and the US CLOUD Act means that platform can be compelled to disclose data to US authorities without notifying the data subject or the EU controller. Standard Contractual Clauses do not neutralise a compelled-disclosure risk, as the EDPB has clarified.
What is the minimum viable sovereign UEBA stack for a mid-sized public sector organisation?
A practical baseline consists of Wazuh agents on all endpoints and servers feeding a self-hosted Wazuh manager, with log data indexed in an on-premises OpenSearch cluster. The OpenSearch Security Analytics plugin provides detection rule management using Sigma-format rules. This stack can be deployed on bare metal or a private Kubernetes cluster and requires no outbound data transfer to any foreign-jurisdiction infrastructure.
How long should UEBA event logs be retained under NIS-2 and GDPR?
NIS-2 Implementing Regulation 2024/2690 does not specify an exact retention period but requires that logs be sufficient to support incident investigation and supervisory inspection. A defensible approach, confirmed by several national competent authorities including the German BSI, is 12 months online and 24 months archived, with access restricted to the security operations function and destruction guaranteed at end of retention. The DPIA must document and justify the chosen period.
Can a works council block a sovereign UEBA deployment in Germany?
Under the German Betriebsverfassungsgesetz (BetrVG) Section 87(1)(6), the works council has mandatory co-determination rights over any technical device capable of monitoring employee behaviour or performance. This applies to UEBA regardless of where the stack runs. The works council cannot block deployment outright but must agree to a works agreement (Betriebsvereinbarung) defining scope, access controls, retention and prohibited uses. Starting deployment without this agreement exposes the organisation to injunctions and the evidence collected may be inadmissible in disciplinary proceedings.
Which insider threat indicators should be prioritised in a Nextcloud audit log correlation rule?
The highest-signal indicators for a sovereign file share environment are: bulk downloads exceeding a defined threshold (for example, more than 500 files within one hour) by a user whose HR status is 'notice period'; share link creation for externally accessible links on folders outside normal working patterns; repeated failed authentication followed by success from an IP not matching the user's registered location; and privilege escalation events in the Nextcloud admin log combined with a subsequent large file transfer. These four patterns account for the majority of pre-resignation exfiltration scenarios documented in incident response casework.