Stackit Fibre Optics

STACKIT 3: Data Sovereignty, CLOUD Act, and DORA Compliance with STACKIT

The compliance case for STACKIT rests on two things: its legal ownership structure and its certifications. This post looks at both: what they mean in practice, what they enable, and why they matter for businesses operating in regulated industries.

The CLOUD Act and Why Ownership Matters More Than Location

The CLOUD Act, or the Clarifying Lawful Overseas Use of Data Act, was signed into US law in 2018. It gives US federal authorities the power to compel American companies to produce data held anywhere in the world. The law applies to any company incorporated in the United States and to its foreign subsidiaries.

AWS, Microsoft Azure, and Google Cloud are all American companies. Their European data centres may store data physically in Europe, but the companies themselves are still subject to US law. That means a CLOUD Act demand can still reach that data, regardless of where it sits physically.

STACKIT is owned by the Schwarz Group, a German family-owned company with no US parent and no US controlling shareholders. The CLOUD Act does not apply to STACKIT. There is no legal route by which US federal authorities can compel STACKIT to hand over data under US law.

That distinction, between where data is stored and who controls it legally, sits at the heart of the sovereignty argument. Keeping data in the EU matters, but on its own it is not enough to guarantee true data sovereignty. Ownership structure is what makes the real difference.

GDPR Compliance

GDPR imposes obligations on how EU personal data is processed and how it may be transferred to third countries. When EU personal data is held by an American company, even on European servers, there remains a theoretical route by which that data could be disclosed to US authorities under the CLOUD Act, potentially without the knowledge of the data subject and without the safeguards expected under Article 46.

With STACKIT, that conflict does not arise. The provider is not subject to US law, so there is no CLOUD Act route. GDPR restrictions on third-country transfers apply when data moves outside the EEA, and with STACKIT’s data centres in Germany and Austria, data remains within the EEA.

For data protection officers conducting Data Protection Impact Assessments of cloud infrastructure, STACKIT’s ownership structure and SEAL 3 certification simplify the analysis. The standard CLOUD Act risk assessment for AWS does not apply here.

DORA and Financial Services

The Digital Operational Resilience Act, or DORA, applies to financial services firms operating in the EU. It came into force in January 2025. DORA requires firms to assess and manage ICT third-party risk, including concentration risk, which is the risk created by relying too heavily on a small number of cloud providers.

STACKIT is DORA compliant. Its certifications, including ISO 27001 and BSI C5, along with its German data residency and SEAL 3 status, support the ICT risk management expectations DORA places on financial services firms.

For firms currently concentrated on AWS, bringing STACKIT into the picture helps address both CLOUD Act jurisdiction risk and the wider third-country concentration concerns that DORA compliance teams need to think about. STACKIT can act as a primary platform for new workloads or as a secondary provider for workloads that need EU-resident hosting outside US jurisdiction.

BSI C5 and German Public Sector

The BSI Cloud Computing Compliance Criteria Catalogue, known as C5, is the cloud security standard published by the German Federal Office for Information Security. It is mandatory for cloud services used by German federal agencies and is increasingly expected in procurement at Länder level as well.

STACKIT holds BSI C5 certification. For businesses supplying services to German public sector customers, working with German technology partners, or operating under contracts that refer to BSI C5, this removes a major procurement barrier that rules out many non-German cloud providers.

ISO 27001

ISO 27001 is the international standard for information security management systems. It covers the full range of security controls, including risk management, access control, cryptography, physical security, incident response, and supplier management.

STACKIT’s ISO 27001 certification is independently audited and renewed each year. For organisations that require their cloud provider to hold ISO 27001 as a contractual or regulatory condition, STACKIT meets that requirement.

The EU Commission Contract

In April 2026, the European Commission awarded a €180 million sovereign cloud contract to four providers that had achieved SEAL 3 certification. STACKIT was one of them.

The Commission’s procurement process involves extensive due diligence. Being awarded part of a €180 million contract is not just a marketing label. It reflects a serious assessment of legal structure, technical capability, security posture, and operational resilience. For procurement teams in regulated organisations, it offers a useful external point of reference.

Summary: What STACKIT's Compliance Posture Covers

  • SEAL 3: Legally and operationally outside US jurisdiction. The CLOUD Act does not apply.
  • German data residency: Data centres in Germany and Austria only. Data stays within the DACH region.
  • GDPR: No third country transfer risk. No CLOUD Act route to EU personal data.
  • DORA: Compliant. Supports ICT risk management requirements in financial services.
  • BSI C5: Required for German public sector cloud procurement.
  • ISO 27001: International standard for information security management.
  • EU Commission contract: Awarded at SEAL 3 level in April 2026.

Ready to Have a Conversation?

If you have read this series and recognised your organisation in it, the next step is simple. Get in touch. We will have a chat, ask a few questions, and give you an honest view of what is involved. No charge. No obligation.

Contact iWorks
