Updated juli 2, 2026
Summary: Regulated European organisations must go beyond standard DPAs when procuring sovereign cloud services: contract due diligence must address CLOUD Act exposure, sub-processor jurisdiction chains, SLA obligations under NIS-2 Article 21 and DORA Article 30, and enforceable exit rights under the EU Data Act. This article provides a clause-by-clause framework for doing that work before and after contract signature.

Sovereign cloud contract due diligence is the structured legal, technical, and governance process by which a regulated European organisation verifies that a cloud service provider’s contractual commitments actually deliver data sovereignty, not merely the appearance of it. For compliance officers, CISOs, and data protection officers operating under GDPR, NIS-2, and DORA, the gap between marketing language and enforceable contractual obligation is where significant legal and operational risk lives.

Why Standard Cloud Contracts Are Inadequate for Regulated European Organisations

Most hyperscaler agreements are drafted under US or Irish law and leave open the possibility of foreign governmental access. Even when data is physically hosted in Frankfurt or Amsterdam, a US-incorporated parent company may be compelled to disclose that data under the CLOUD Act (18 U.S.C. § 2523), which asserts extraterritorial reach over providers incorporated in the United States regardless of where data is stored. Similarly, FISA Section 702 authorises targeted collection from US-nexus providers without the customer’s knowledge or consent.

Let op: Physical EU data residency is a necessary but not sufficient condition for data sovereignty. If the provider is incorporated in, majority-owned by, or operationally dependent on an entity subject to US, Chinese, or other extraterritorial law, GDPR-compliant hosting can still coexist with lawful foreign access compelled through the provider’s parent.

The IBM Cost of a Data Breach Report 2024 found that 40 percent of breaches involved data stored across multiple environments, including public cloud, private cloud, and on-premises infrastructure. The same report recorded an average total breach cost of USD 4.88 million, the highest figure in the study’s history. These numbers make the cost of inadequate contract due diligence concrete. GDPR enforcement adds a further dimension: supervisory authorities across the EU have issued over 2,000 fines totalling more than EUR 4.5 billion since GDPR entered into force in May 2018, according to the GDPR Enforcement Tracker maintained by CMS Law.

The November 2025 EU Standard Contractual Clauses for Cloud: What Changes and What Does Not

The European Commission’s November 2025 Standard Contractual Clauses for cloud computing (EU Cloud SCCs) provide a formal template satisfying the requirements of GDPR Article 28(7), which authorises the Commission to establish standard contractual clauses for processor agreements. The Cloud SCCs address subject-matter, processing duration, nature and purpose of processing, the categories of data and data subjects involved, and the obligations and rights of the controller, as required by GDPR Article 28(3).

However, regulated entities in financial services and critical infrastructure must understand that the Cloud SCCs set a floor, not a ceiling. DORA Article 30 mandates additional contractual content for financial entities using ICT third-party service providers, including full audit access, termination rights linked to regulatory inspection, and business continuity provisions. NIS-2 Article 21 requires operators of essential services to ensure that supply chain security measures, including cloud service contracts, incorporate incident handling, access control, cryptography, and vulnerability disclosure obligations. Organisations must therefore layer these sector-specific requirements on top of the Commission’s Cloud SCC template rather than treating the template as exhaustive.

The European Data Protection Board has stated: “Cloud service providers must ensure that personal data is only processed in accordance with documented instructions from the controller, and the processor contract must specify the subject-matter, duration, nature and purpose of the processing.” The November 2025 Cloud SCCs formalise this requirement but do not address DORA or NIS-2 obligations, which remain the organisation’s contractual responsibility to specify.

Auditing Sub-Processor and Sub-Provider Chains for Foreign Jurisdiction Exposure

A sovereign cloud contract that covers the primary provider is only as strong as its weakest sub-processor. Due diligence must map the entire chain, asking at each tier whether any entity is incorporated in, operationally controlled by, or technically dependent on a third-country entity subject to extraterritorial access legislation.

The practical audit process involves three steps. First, require the provider to disclose a full and current register of sub-processors and sub-providers, including their country of incorporation, ultimate beneficial ownership, and the specific processing activities delegated to each. Second, assess each entity against the CLOUD Act threshold: the Act applies to any provider that is a US person or is sufficiently controlled by a US person, including through minority shareholding combined with operational control. Third, request copies of the sub-processor agreements to verify that the sovereignty commitments in the primary contract flow down contractually.

The EU Cloud Sovereignty Framework SEAL assurance levels provide a structured vocabulary for this assessment. SEAL Level 1 (basic sovereignty) requires EU-based ownership and operations; SEAL Level 2 (enhanced sovereignty) adds requirements for EU-controlled key management and EU-resident support personnel; SEAL Level 3 (high sovereignty) requires full operational independence from any non-EU entity. Organisations should contractually specify the minimum required SEAL level and require the provider to maintain that level with annual third-party certification as a contract performance obligation, not merely as a procurement criterion.

SLA Provisions That Satisfy NIS-2, DORA, and GDPR Simultaneously

DORA Article 30(2)(d) requires contractual arrangements to include “provisions on full access, inspection and audit rights by the financial entity and by competent authorities.” NIS-2 Article 21 requires that security measures include incident handling, business continuity, and supply chain security. GDPR Article 28 requires that processor contracts address the processor’s obligations regarding confidentiality, security, sub-processor engagement, and cooperation with supervisory authorities. The following table maps the key SLA provisions to their regulatory source.

SLA Provision GDPR Article 28 DORA Article 30 NIS-2 Article 21
Data localisation commitment (EU/EEA only, contractually binding) Required Required Required
72-hour incident notification to controller/competent authority Required (Art. 33 trigger) Required (Art. 30(2)(g)) Required (Art. 23)
Right to audit, including unannounced inspections Required Explicitly required Implied via supply chain security
Sub-processor change notification (prior, not post-hoc) Required (Art. 28(2)) Required Implied
Exit and data return/deletion on termination Required (Art. 28(3)(g)) Required (Art. 30(2)(e)) Required
Foreign access request notification and challenge obligation Implied via Art. 28(3)(a) Not specified Not specified

EU Data Act Switching Rights and What They Require in Contract Language

The EU Data Act Articles 23 to 29 establish a mandatory switching and interoperability regime for cloud services that took effect progressively from September 2025. Under Articles 25 to 27, providers must eliminate excessive switching fees by a defined deadline and support complete data portability in open, interoperable formats. Article 29 requires providers to make available to customers all data, including metadata and configuration data, necessary to reconstitute the service with a different provider.

For regulated organisations, relying on the Data Act’s minimum requirements is insufficient. The Act’s baseline switching period, ending by 2027 at the latest for fee elimination, does not guarantee operationally feasible migration within the timeframes that DORA and NIS-2 business continuity obligations may require. Contracts should therefore specify: the exact data export format (preferably an open standard such as OVF for virtualised workloads or standard SQL/CSV for databases), a minimum 90-day migration assistance window with defined support levels, the completeness of metadata and permissions export, and a test export right that allows the customer to verify portability before initiating termination.

Let op: An exit clause that lacks a defined metadata export commitment can make a cloud migration technically incomplete even when the primary data transfers successfully. File permissions, audit logs, and access control configurations must be explicitly included in the scope of exit assistance, particularly when migrating from a Microsoft 365-equivalent workspace to a sovereign Nextcloud environment where permission models differ structurally.

Governance Response to Ownership Changes and SEAL Level Risk

A sovereign cloud provider that is acquired by a third-country entity may cease to meet the contractually required SEAL assurance level overnight, with no change to the physical infrastructure or the data’s location. Compliance officers and CISOs must therefore build a governance trigger mechanism into the contract itself, not manage this risk purely through periodic reviews.

The recommended governance sequence is: first, a contractual change-of-control notification clause requiring the provider to notify the customer at least 30 days before any transaction that would result in a change of ultimate beneficial ownership or corporate control; second, a right for the customer to commission an independent SEAL re-assessment at the provider’s cost within 60 days of notification; third, a conditional termination right, exercisable without penalty within 90 days of notification if the re-assessment confirms a reduction in SEAL level below the contractually specified minimum; and fourth, an escrow arrangement ensuring that encryption keys remain under the customer’s exclusive control during any transition period.

Using the EU Cloud Sovereignty Framework as a Living Contract Checklist

The EU Cloud Sovereignty Framework’s eight-objective scoring grid (covering data localisation, legal jurisdiction, operational independence, transparency, security certification, portability, sub-processor control, and incident management) was designed for procurement evaluation. Organisations that limit its use to the pre-signature stage miss its value as a continuous compliance instrument.

Each of the eight objectives should be mapped to a specific, measurable contractual obligation. The provider’s score against each objective should be re-assessed annually using the same grid, with the results documented in the organisation’s supplier risk register. Any downgrade in a provider’s score should be treated as a material change, triggering the same notification and review process as a change of ownership. This approach transforms the SEAL framework from a procurement label into an operational governance tool that supports the continuous monitoring obligations of both NIS-2 Article 21 and DORA’s ICT risk management framework.

FAQ

What is the single most important clause a regulated European organisation must add to any sovereign cloud contract?

A binding jurisdiction-lock clause that explicitly excludes the application of any third-country law, including the US CLOUD Act and FISA 702, to the stored data, combined with a requirement that the provider notify the customer immediately and challenge any foreign governmental access request before complying. Without this clause, physical EU hosting alone does not eliminate foreign-law exposure.

Do the November 2025 EU Standard Contractual Clauses for cloud computing replace GDPR Article 28 processor agreements?

No. The November 2025 SCCs for cloud computing satisfy the formal requirements of GDPR Article 28(7), but regulated entities in finance and critical infrastructure must also layer DORA Article 30 and NIS-2 Article 21 obligations on top. The SCCs provide a floor, not a complete compliance solution for multi-regulatory environments.

How long must a sovereign cloud provider support data portability and migration assistance under the EU Data Act?

Under EU Data Act Articles 25 to 27, cloud providers must offer a switching process with fees capped at cost during a transition period ending no later than 2027. Contracts signed before the Data Act fully applies should already include equivalent exit-assistance clauses specifying the format, completeness of metadata export, and a defined handover window of at least 30 days.

What governance action should a CISO take immediately when a sovereign cloud provider announces a merger or acquisition?

The CISO should trigger a formal SEAL-level re-assessment by requesting updated ownership and sub-processor disclosures, cross-checking whether the acquirer is subject to CLOUD Act or equivalent extraterritorial legislation, and escalating to the DPO to evaluate whether the change constitutes a material change to the processor contract under GDPR Article 28(4). A contractual change-of-control notification clause with a 30-day notice period and a unilateral termination right is the operative safeguard.

Can the EU Cloud Sovereignty Framework SEAL levels be used as ongoing contractual KPIs rather than just a one-time procurement criterion?

Yes. Organisations should contractually require the provider to maintain a minimum SEAL level throughout the contract term, submit annual re-certification evidence, and grant the customer audit rights to verify the continued validity of the assurance level. A SEAL downgrade should trigger a predefined remediation period and, if unresolved, a right to exit without penalty.

Frequently asked questions

What is the single most important clause a regulated European organisation must add to any sovereign cloud contract?
A binding jurisdiction-lock clause that explicitly excludes the application of any third-country law, including the US CLOUD Act and FISA 702, to the stored data, combined with a requirement that the provider notify the customer immediately and challenge any foreign governmental access request before complying. Without this clause, physical EU hosting alone does not eliminate foreign-law exposure.
Do the November 2025 EU Standard Contractual Clauses for cloud computing replace GDPR Article 28 processor agreements?
No. The November 2025 SCCs for cloud computing are a Commission template that satisfies the formal requirements of GDPR Article 28(7), but regulated entities in finance and critical infrastructure must also layer DORA Article 30 and NIS-2 Article 21 obligations on top. The SCCs provide a floor, not a complete compliance solution for multi-regulatory environments.
How long must a sovereign cloud provider support data portability and migration assistance under the EU Data Act?
Under EU Data Act Articles 25 to 27, cloud providers must offer a maximum switching period ending no later than 2027 during which they cannot charge above-cost switching fees. Contracts signed before the Data Act applies should already include equivalent exit-assistance clauses specifying the format, completeness of metadata export, and a defined handover window of at least 30 days.
What governance action should a CISO take immediately when a sovereign cloud provider announces a merger or acquisition?
The CISO should trigger a formal SEAL-level re-assessment by requesting updated ownership and sub-processor disclosures from the provider, cross-checking whether the acquirer is incorporated or majority-owned in a third country subject to CLOUD Act or equivalent extraterritorial legislation, and escalating to the DPO to evaluate whether the change constitutes a material change to the processor contract under GDPR Article 28(4). A contractual change-of-control notification clause with a 30-day notice period and a unilateral termination right is the operative safeguard.
Can the EU Cloud Sovereignty Framework SEAL levels be used as ongoing contractual KPIs rather than just a one-time procurement criterion?
Yes, and this is precisely the approach recommended by ENISA guidance. Organisations should contractually require the provider to maintain a minimum SEAL level throughout the contract term, submit annual re-certification evidence, and grant the customer audit rights to verify the continued validity of the assurance level. A SEAL downgrade should trigger a predefined remediation period and, if unresolved, a right to exit without penalty.