Data sovereignty
Governments across the European Union are increasingly focused on AI and data sovereignty. This trend is driven by a range of new regulations, from broad frameworks like the EU Cybersecurity Act to sector-specific rules for health, finance, government and defence.
For any organisation in Europe's digital ecosystem - from cloud, hardware, and network infrastructure providers to the public and private sector entities deploying critical systems - navigating this landscape has become a strategic necessity.
In this post, we'll break down the key regulations driving these sovereignty obligations and introduce our solution for seamlessly and securely proving the sovereignty of your critical AI workloads and data: Sovereignty Certificates.
The Foundation: The EU Cybersecurity Act (CSA) and EUCS
The EU Cybersecurity Act (CSA) serves as the legal foundation for harmonised, EU-wide cybersecurity certifications. It doesn't list specific controls but creates the rulebook for schemes like the upcoming EU Cloud Certification Scheme (EUCS).
A critical part of the CSA is Article 52, which defines three "assurance levels":
Basic: Protects against known risks.
Substantial: Protects against attackers with limited resources.
High: Strongest assurance for critical use cases.
This 'High' level provides the legal justification for embedding sovereignty requirements into EU-wide certifications. Drafts of the EUCS have considered doing just that by defining a key security objective as protecting data from unlawful access by third-country authorities, directly justifying the need for sovereignty controls.
Raising the bar: France's SecNumCloud
SecNumCloud has already implemented strict sovereignty criteria. Drafted by the French cybersecurity agency (ANSSI), it is currently the strictest sovereignty-focused certification in Europe. It goes far beyond simple data localisation to make a provider legally and structurally immune to non-EU legal overreach.
Key sovereignty requirements in SecNumCloud include:
Protection Against Non-EU Law: The provider’s corporate structure and headquarters must be in the EU. Strict limits are placed on non-EU ownership.
Data and Operations Localisation: All customer and technical data, as well as all administration and supervision, must be located and performed within the EU.
Legal Framework: Service agreements must be governed by the law of an EU member state.
A Sector-Specific Example: The European Health Data Space (EHDS)
The trend towards sovereignty is particularly clear in critical sectors. The European Health Data Space (EHDS) is a prime example. This regulation aims to create a single market for digital health data, allowing researchers and innovators to access high-quality health data for the public good (known as "secondary use").
To protect this highly sensitive information, the EHDS regulation mandates that this data can only be accessed and processed within secure processing environments. A core requirement is that these environments must be physically and operationally managed within the EU. Crucially, data within these environments cannot be transferred to or accessed from third countries. This creates a clear, legally binding sovereignty requirement for anyone wanting to access European health data via this initiative.
Sector-Specific Driver 2: Finance and the Digital Operational Resilience Act (DORA)
Similarly, the financial sector is facing intense pressure to guarantee sovereignty. The Digital Operational Resilience Act (DORA) harmonises digital resilience rules for all financial entities in the EU.
A key focus for supervisory authorities, including the European Central Bank (ECB), is the sector's heavy reliance on external cloud providers. Recent ECB guidance on outsourcing signals increasing scrutiny on the location of hosted data and operations. This is pushing banks, insurers, and investment firms to demand stronger guarantees of data sovereignty to ensure their operational resilience and regulatory compliance under DORA.
Our Solution: Sovereignty Certificates
Navigating these complex requirements can be both burdensome and technically unverifiable: compliance usually relies on strict but blunt operational or personnel controls and on contractual promises, not on verifiable proof. Sovereignty Certificates offer a streamlined, targeted solution that lets customers simply and securely verify that their AI workloads and related data remain within their chosen jurisdiction. They both complement and are meaningfully differentiated from the sovereignty standards mentioned in this article:
Complementary: By meeting our standard, your organisation implements the core technical sovereignty controls required by SecNumCloud, the proposed 'High' level of the EUCS, and sector-specific rules like the EHDS. This simplifies the path to full certification and helps meet obligations under the GDPR, Data Act, and ISO 27001.
Differentiated: For customers who need to guarantee sovereignty without the overhead of a full SecNumCloud qualification, our certificates provide a powerful "Sovereignty Guarantee." This unlocks new, sensitive sectors like health and finance, offering a distinct competitive advantage.
The gap between regulatory requirements and technical capabilities is widening. While regulations demand proof, traditional approaches offer only promises. Sovereignty Certificates bridge that gap with hardware-rooted verification that regulators can trust and customers can verify.
Annex - EU Legislation Incentivising Digital Sovereignty
| EU Law / Regulation | Key Sovereignty Incentive(s) | How it Works (Simplified) |
|---|---|---|
| EU Cybersecurity Act (CSA) | Creates a legal basis for sovereignty requirements in EU-wide certifications. | The Act's 'High' assurance level is designed to protect against state-level threats, justifying the need for controls against non-EU legal access. |
| EUCS (Proposed) | Aims to create a harmonised, high-assurance "sovereign cloud" standard for the EU. | The draft scheme proposes mandatory EU-based corporate structures and technical immunity from non-EU laws for its highest level of certification. |
| Data Act | Legally protects EU data from unlawful third-country government access requests. Facilitates switching between cloud providers to prevent vendor lock-in. | It requires providers to reject non-EU government access requests unless they are based on an international treaty and removes technical/financial barriers to switching services. |
| GDPR | Imposes strict conditions on the transfer of personal data outside the EU. | Data transfers to third countries are only permitted if that country provides an "adequate" level of data protection, creating a strong incentive to keep data within the EU. |
| NIS2 Directive | Mandates that critical entities secure their supply chains and manage risks from ICT suppliers. | Forces essential entities (in energy, transport, health, etc.) to scrutinise their cloud providers, favouring those who can guarantee data and operations are managed within the EU to minimise supply chain risks. |
| Digital Operational Resilience Act (DORA) | Requires financial entities to manage and control risks from third-party ICT providers, including cloud services. | Pushes financial firms to demand stronger guarantees on data location and operational control from suppliers to ensure resilience and reduce cross-border dependency risks. |
| European Health Data Space (EHDS) | Mandates a sovereign environment for the use of health data for research and innovation. | The regulation requires that sensitive health data for secondary use is only processed in a secure environment within the EU, with no access from third countries. |
| SecNumCloud (France) | Provides a clear, auditable "gold standard" for what a sovereign service looks like. | Although a national standard, its strict rules on EU ownership, control, and operations heavily influence the EU-level debate and the design of the EUCS. |