STACKIT 6: for Financial Services and the Public Sector
STACKIT’s compliance posture was built for some of the most demanding regulatory environments in Europe. As a result, it is a cloud platform that is particularly well suited to financial services, the public sector, and any organisation where cloud provider compliance is not optional.
Financial Services: DORA and ICT Risk
The Digital Operational Resilience Act (DORA) has applied to EU financial services firms since January 2025. It sets mandatory requirements for ICT risk management, third-party provider oversight, and operational resilience.
For financial services organisations using AWS, DORA raises several questions that need active management. CLOUD Act jurisdiction exposure must be recorded in the ICT risk register. Third-country concentration, meaning reliance on US cloud providers for critical services, must be assessed and managed. Business continuity planning must also account for the theoretical risk that a CLOUD Act order could cause service disruption.
STACKIT removes these issues from the risk register. It is DORA compliant, its German data residency removes third-country transfer risk, and its SEAL 3 status means the CLOUD Act does not apply.
For DORA compliance officers, using STACKIT for relevant workloads simplifies the ICT third-party risk assessment.
BSI C5 and Banking Regulation
BSI C5, the German Federal Office for Information Security’s Cloud Computing Compliance Criteria Catalogue, is the required cloud security standard for German public sector cloud procurement and is increasingly referenced in German banking and financial services regulation.
German financial services regulators expect institutions to carry out due diligence on cloud providers in line with BaFin’s cloud outsourcing requirements. BSI C5 certification is the most widely recognised technical standard for meeting that expectation.
STACKIT holds BSI C5 certification. For financial services firms operating in Germany or working with German counterparties, this certification removes a procurement barrier that rules out most non-German cloud providers. AWS does not hold BSI C5 certification in the same way.
ISO 27001 and Audit Requirements
Many financial services procurement processes require cloud providers to hold ISO 27001 certification. STACKIT holds ISO 27001, which is independently audited and renewed each year.
For procurement teams and internal audit functions that maintain a vendor certification register, STACKIT’s ISO 27001 certificate is available to include. The certification covers STACKIT’s information security management system across all service lines.
Public Sector: The EU Commission Signal
In April 2026, the European Commission awarded €180 million in sovereign cloud contracts to four SEAL 3 certified providers. STACKIT was one of them. The other three were Scaleway, OVHcloud, and CleverCloud.
This contract matters for public sector procurement in two ways. First, it shows that the EU’s own institutions have carried out a rigorous sovereignty assessment and awarded STACKIT a major contract. Second, it gives procurement officers a reference point they can cite to justify selecting STACKIT over a US cloud provider.
EU procurement rules require demonstrable value for money and a clear compliance justification. A SEAL 3 certification and an EU Commission contract award provide strong evidence for both.
Healthcare and Special Category Data
Healthcare organisations processing patient data under GDPR face the highest level of scrutiny when choosing cloud infrastructure. Patient data is special category data under Article 9, which requires a higher standard of protection and clear justification for any processing or transfer.
STACKIT’s German data residency means patient data never leaves the EEA. Its SEAL 3 status means there is no CLOUD Act pathway. Its ISO 27001 certification provides independently audited security controls. For DPOs carrying out DPIAs on cloud infrastructure, this combination of credentials makes the analysis much more straightforward.
Legal Services
Legal firms have professional obligations around client confidentiality that create specific requirements for cloud infrastructure. Client communications are privileged and protected from disclosure to third parties. The CLOUD Act creates a theoretical conflict with that protection when data is held by a US company.
STACKIT’s ownership structure removes this conflict. The CLOUD Act does not apply to STACKIT. For law firms, barristers’ chambers, and in-house legal teams reviewing their cloud governance, this is a meaningful difference from AWS.
Getting Started for Regulated Organisations
For regulated businesses, evaluating STACKIT usually starts with a workload classification exercise: identifying which current workloads carry the highest sovereignty and compliance requirements, and assessing whether STACKIT is the right fit for each.
Ready to Have a Conversation?
If you have read this series and recognised your organisation in it, the next step is simple. Get in touch. We will have a chat, ask a few questions, and give you an honest view of what is involved. No charge. No obligation.