Your Cloud Files Are Not Where You Think — and for an SME That's a Compliance Problem, Not a Geography One

When a cloud provider says «servers in Europe» or «EU data residency», business owners breathe a sigh of relief: the data stays on European soil, therefore it is safe under the GDPR. This is a costly misunderstanding, because it confuses where the data is physically stored with which law the data, and the company holding it, are subject to.
The truth is less intuitive: the data center's location matters far less than the jurisdiction of the company that owns and runs the infrastructure. A US-based provider remains subject to US law even when its servers sit in Frankfurt, Dublin or Milan. For an SME this is not an academic detail: it is a risk that, in a GDPR audit or a NIS2 assessment, must be mapped and documented, and that almost nobody documents today.
CLOUD Act: The Law That Crosses the Ocean
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act), in force since 23 March 2018, states it explicitly: US authorities can compel a provider subject to US jurisdiction to hand over data in its «possession, custody, or control» regardless of where that data is physically stored. Even if the data belongs to European citizens. Even if it resides in a data center inside the European Union. The word «control» is the one to remember: the statute is generally read as reaching data held by subsidiaries the US entity directs, not only data on disks it owns.
In practice: if your company uses Google Workspace, Microsoft 365, Dropbox or any service provided by a US company, the «storage region: Europe» option does not shield you from an access request issued in the United States. Geographic residency is a choice about latency and marketing, not a legal shield.
The Conflict of Laws the SME Ends Up In
This is where the real problem starts. The CLOUD Act and the GDPR can enter into direct conflict: complying with a CLOUD Act order may constitute a GDPR breach (disclosure of personal data without an adequate legal basis); complying with the GDPR may mean defying a US court order. The provider is caught in the middle, but it is the data controller — your company — that answers to the supervisory authority if its clients' or employees' data leaves the expected perimeter.
The attempt to ease this tension is the EU-US Data Privacy Framework (DPF), on which the European Commission adopted an adequacy decision on 10 July 2023. Two points that rarely reach the SME decision-maker:
- The DPF only covers certified providers. It is not a blanket pass for «any US service»: it applies to organisations that have self-certified to the program and appear on the public DPF list maintained by the US Department of Commerce. Check that the exact legal entity you contract with is on that list, and that its certification is current, before relying on it.
- Its stability is not guaranteed. The two previous frameworks, Safe Harbor and Privacy Shield, were struck down by the EU Court of Justice (Schrems I and Schrems II). The DPF passed a first test: on 3 September 2025 the EU General Court dismissed the annulment action in the Latombe case. But a «Schrems III» before the Court of Justice is widely expected, driven by doubts over the independence of the US oversight bodies the framework relies on (PCLOB, FTC, and the Data Protection Review Court that handles EU complaints).
Building your compliance on an adequacy decision that could fall is a continuity risk to put on the balance sheet, not a formality.
The Three Questions to Ask Every Cloud Provider
The good news is that the risk can be governed. You don't need to become a lawyer: three questions are enough, to be asked of every provider and put on record.
- What is the company's jurisdiction? Not where the servers are: where the entity that signs the contract and controls the infrastructure is legally based. A European subsidiary of a US group can still fall under the parent's law, because the data it holds can be treated as under the parent's control. Record the exact legal entity named in the contract, not the brand.
- Where do the data and backups reside? Including logs, disaster-recovery copies, support and telemetry data, and sub-processors (your provider's provider). The chain must be followed all the way down: the provider's published sub-processor list is the starting point, and it changes, so note the date you checked it.
- Who controls the encryption keys? This is the decisive question. If the provider does not hold the keys (zero-knowledge / end-to-end encryption, with keys generated and kept on your side) then, even faced with a legal order, it can only hand over unreadable data. If the provider holds the keys, «encrypted» merely means «encrypted to outsiders, not to whoever runs the service». Two caveats: «customer-managed keys» that live in the provider's own key-management service still leave the provider operating the system that decrypts, so they do not change the answer; only keys held outside the provider's control do. And even with client-held keys, metadata (file names, sizes, sharing relationships, access logs) usually stays readable by the provider, so it belongs in the data map too.
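To make the key-control question concrete, here is an added example (not code from the original article, nor from any provider named in it) in Go, using only the standard library's AES-256-GCM. It models a hypothetical storage provider in both configurations: one that encrypts uploads with a key it operates itself, and one that only ever receives ciphertext the customer sealed with a key it generated and kept. The Disclose method stands in for a compelled production under a legal order. The provider type, method names, the sample record and the object names are all constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredObject is everything the provider keeps on disk for one file:
// the GCM nonce and the AES-256-GCM output with its authentication tag.
type StoredObject struct {
	Nonce      []byte
	Ciphertext []byte
}

// Provider is a hypothetical stand-in for a cloud storage service. Key is the
// provider's own master key; nil models the zero-knowledge case (customer keeps the key).
type Provider struct {
	Key     []byte
	Objects map[string]StoredObject
}

// NewKey returns a random 256-bit AES key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects a nil or wrong-length key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext under key with a fresh random nonce.
func Seal(key, plaintext []byte) (StoredObject, error) {
	aead, err := gcm(key)
	if err != nil {
		return StoredObject{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open decrypts obj under key; it fails if the ciphertext or tag were altered.
func Open(key []byte, obj StoredObject) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, obj.Nonce, obj.Ciphertext, nil)
}

// UploadPlaintext is "encryption at rest" as most services sell it: the customer
// uploads plaintext and the provider encrypts it with a key the provider holds.
func (p *Provider) UploadPlaintext(name string, plaintext []byte) error {
	obj, err := Seal(p.Key, plaintext) // errors when the provider holds no key
	if err != nil {
		return err
	}
	p.Objects[name] = obj
	return nil
}

// UploadSealed is the zero-knowledge model: the customer encrypted before upload,
// so the provider receives and stores ciphertext only.
func (p *Provider) UploadSealed(name string, obj StoredObject) { p.Objects[name] = obj }

// Disclose models a compelled production: the provider hands over everything it can
// read, decrypted content when it holds the key, otherwise the raw ciphertext.
func (p *Provider) Disclose(name string) (data []byte, readable bool, err error) {
	obj, ok := p.Objects[name]
	if !ok {
		return nil, false, fmt.Errorf("no object named %q", name)
	}
	if p.Key == nil {
		return obj.Ciphertext, false, nil
	}
	pt, err := Open(p.Key, obj)
	return pt, err == nil, err
}

func main() {
	record := []byte("constructed sample: employee payroll export")
	pk, _ := NewKey() // provider-operated key
	pm := &Provider{Key: pk, Objects: map[string]StoredObject{}}
	_ = pm.UploadPlaintext("payroll.csv", record)
	out, readable, _ := pm.Disclose("payroll.csv")
	fmt.Printf("provider-managed key: readable=%v content=%q\n", readable, out)
	ck, _ := NewKey() // customer key, generated and kept client-side, never uploaded
	obj, _ := Seal(ck, record)
	zk := &Provider{Objects: map[string]StoredObject{}}
	zk.UploadSealed("payroll.csv", obj)
	out, readable, _ = zk.Disclose("payroll.csv")
	fmt.Printf("customer-held key: readable=%v opaque_bytes=%d\n", readable, len(out))
}
```

Run it and the first line prints the payroll record verbatim, the second only a byte count. That difference is what «zero-knowledge» buys, and what a provider-hosted customer-managed key does not, since in that model Key is still in the provider's hands. Note also what the example does not hide: the object name, its size and who uploaded it remain visible to the provider, which is why metadata belongs in the data map.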
What It Means for NIS2 or ISO 27001
For a company facing the NIS2 Directive or an ISO/IEC 27001 certification, this topic is not optional: it is an integral part of the work.
- Mapping of data flows (GDPR Art. 30, record of processing activities): where the data really lives, through which providers, under which jurisdictions.
- Supplier and supply-chain risk management (an explicit pillar of NIS2, Art. 21(2)(d)): the cloud sub-processor must be assessed, and the assessment written down.
- Appropriate technical and organisational measures (GDPR Art. 32): the choice of a provider, its jurisdiction and the key-management model are measures, and as such must be justified and documented.
In an audit, what counts is not only what you chose, but whether you can demonstrate that you thought it through. The difference between a compliant SME and an exposed one is often simply the documentation.
The Bottom Line
«My files are in the cloud, in Europe, so I'm fine» is a sentence that does not hold up in an audit. Data sovereignty is not measured in kilometres from the data center, but in jurisdiction, actual residency and key control. Three variables that every company can — and today should — know and put in writing.
Do You Really Know Where Your Company's Data Lives?
Tomato Blue helps SMEs map the jurisdiction, residency and key control of their cloud providers, and produce the documentation that stands up to a GDPR or NIS2 audit.
Talk to us →
Sources
- CLOUD Act — Clarifying Lawful Overseas Use of Data Act (Pub. L. 115-141, 23 March 2018)
- European Commission — EU-US Data Privacy Framework, adequacy decision (10 July 2023)
- EU General Court — Latombe v Commission, dismissal of the action for annulment of the DPF (3 September 2025)
- CJEU — Schrems I (C-362/14), annulment of Safe Harbor (6 October 2015)
- CJEU — Schrems II (C-311/18), annulment of the Privacy Shield (16 July 2020)
- GDPR, Regulation (EU) 2016/679 — EUR-Lex (Arts. 30, 32)
- NIS2 Directive (EU) 2022/2555 — EUR-Lex (Art. 21)