
Scaleway 6: Scaleway for Regulated Industries – GDPR, DORA, and Public Sector

Not every cloud migration is driven by cost or convenience alone. For businesses in regulated industries, choosing a cloud provider is as much a compliance decision as it is a technology decision. This post looks at how Scaleway’s SEAL 3 status and European ownership structure help address the specific obligations faced by organisations in financial services, healthcare, legal services, and the public sector.

GDPR and Cloud Provider Jurisdiction

GDPR places obligations on the transfer of personal data to countries outside the European Economic Area. When a European business uses AWS, its data may be physically stored in Europe, but it is still held by an American company that is subject to US law.

The CLOUD Act allows US authorities to compel AWS to hand over data regardless of where it is physically stored. If that compelled disclosure involves EU personal data, it becomes a transfer to a third country under GDPR, potentially without the safeguards required by Article 46.

Scaleway, as a SEAL 3 certified provider with no US ownership or legal exposure, removes that conflict. Data held by Scaleway is not subject to US federal demands. The CLOUD Act does not apply. For organisations where the GDPR compliance team or DPO has already flagged cloud jurisdiction as an audit concern, that is a meaningful difference.

DORA and Financial Services

The Digital Operational Resilience Act, or DORA, applies to financial services firms operating in the EU, including banks, insurers, investment firms, and payment service providers. It came into force in January 2025 and introduced mandatory requirements around ICT risk management, third-party concentration risk, and operational resilience.

DORA does not ban the use of non-EU cloud providers, but it does require organisations to assess and manage concentration risk. That includes the risk that a single provider’s failure, or its legal exposure, could disrupt critical services.

Scaleway’s SEAL 3 status helps with DORA compliance in two important ways. First, it removes CLOUD Act jurisdiction risk from the ICT risk register. Second, it gives organisations an EU-based diversification option if they are currently too reliant on US cloud providers. Using a SEAL 3 provider for some or all workloads directly reduces the third-country exposure that DORA compliance teams need to account for.

Healthcare and Sensitive Personal Data

Healthcare organisations handling patient data under GDPR face some of the highest potential penalties for data protection failures. Health data is treated as a special category under Article 9, which means it requires a higher level of protection.

For healthcare providers assessing cloud infrastructure, the CLOUD Act exposure that comes with US cloud providers is a real concern. That is not because US authorities are likely to request patient records, but because any setup that creates even a theoretical route for third-country access to special category data needs clear justification under GDPR.

A SEAL 3 provider removes the need for that justification. The route simply is not there. For DPOs and legal teams carrying out Data Protection Impact Assessment (DPIA) reviews of cloud infrastructure, that makes the process meaningfully simpler.

Legal Services and Professional Confidentiality

Solicitors, barristers, and legal firms have professional duties around client confidentiality that sit alongside GDPR and, in some cases, go beyond it. Legal professional privilege is a core principle, and client communications must be protected from disclosure to third parties, including authorities.

The CLOUD Act creates a potential conflict with that privilege. If a US federal order can compel AWS to produce data that includes privileged communications, and AWS cannot legally refuse, then the protection of that privilege may depend on whether the Law Society or the courts can step in quickly enough.

Storing client data with a SEAL 3 provider that is legally outside the reach of the CLOUD Act removes that conflict at the source. For legal firms reviewing their data governance in light of the Law Society of Ireland’s practice notes on data protection and digital privacy, SEAL 3 certification is a relevant factor.

Public Sector and Procurement

The EU Commission’s sovereign cloud contract in April 2026, worth €180 million and awarded to four SEAL 3 providers including Scaleway, sends a clear signal that public procurement in Europe is moving towards sovereignty requirements. Contracting authorities across the EU are starting to build SEAL 3 or equivalent sovereign cloud requirements into ICT procurement specifications.

For public sector organisations in Ireland and across the EU, Scaleway’s SEAL 3 status makes procurement justification more straightforward. The certification is externally validated, recognised at EU level, and closely aligned with the direction of EU digital policy. Irish public sector buyers operating under OGP frameworks should review whether sovereignty requirements are being incorporated into future ICT procurement specifications.

Practical Next Steps for Regulated Businesses

The compliance case for SEAL 3 cloud is clear. For regulated businesses, the practical next step is an assessment: what is currently running on US cloud providers, what data each workload holds, and what level of risk attaches to each.

iWorks works with businesses in regulated sectors to assess their current cloud posture, identify the workloads where SEAL 3 matters most, and plan migrations to Scaleway or STACKIT, our other preferred European sovereign cloud provider.

Ready to Have a Conversation?

If you have read this series and recognised your organisation in it, the next step is simple. Get in touch. We will have a chat, ask a few questions, and give you an honest view of what is involved. No charge. No obligation.

Contact iWorks

Back to: Migrate from AWS to Stackit Series
