True data sovereignty for companies is more important than ever

Why the cloud location alone is not decisive

Under the General Data Protection Regulation (GDPR), the transfer of personal data to third countries is permitted only under strict conditions. The former agreements Safe Harbor and Privacy Shield were declared invalid by the European Court of Justice, as U.S. laws such as FISA Section 702 and Executive Order 12333 do not sufficiently guarantee the protection of European data. The subsequent EU–U.S. Data Privacy Framework also cannot guarantee full data sovereignty, as U.S. laws know no territorial limits.

More recent approaches, such as Microsoft’s EU Data Boundary, also cannot fully eliminate the legal risk. A prominent example is the International Criminal Court, whose Chief Prosecutor was no longer able to use Microsoft’s email service after the U.S. President imposed sanctions on the court in The Hague.

The decisive factor is not the physical storage location, but the jurisdiction of the company. As a result, even European subsidiaries of U.S. corporations can be compelled to hand over data—creating a conflict with the GDPR and lacking transparency for the affected companies.

Ensuring true digital data sovereignty

Establishing digital sovereignty in the face of the dominance of U.S. technology corporations is no easy task. Especially when it comes to cloud solutions from leading data and IT security platforms, a compliance dilemma arises. However, there are ways to combine the advantages of both worlds.

European cloud providers are subject exclusively to European law. Their data may be disclosed only on the basis of European or national court orders—not under the U.S. CLOUD Act. This protects against extraterritorial jurisdiction and ensures a high level of digital sovereignty.

Security and data services in the German cloud – Consist TrustedCloud

With its cloud services, Consist Software Solutions GmbH provides a GDPR-compliant, high-performance, and scalable alternative to non-European offerings. The services are certified according to SOC 2 Type II and ISO 27001 and ensure the highest level of data security in customer environments.

They are delivered via STACKIT’s German cloud infrastructure and meet all requirements of the EU GDPR, NIS2, KRITIS, and the DORA regulation.

Two specialized variants are available:

CTC Data is aimed at companies that want to analyze data in real time, optimize processes, and make data-driven decisions—without operating their own infrastructure.

CTC Security expands this offering with an integrated SIEM platform for detecting and analyzing security-relevant events. Optionally, the service can be extended with a Cyber Security Operations Center (CSOC) that provides round-the-clock monitoring and professional operation.

STACKIT: On the path to becoming a European hyperscaler

The sovereign cloud platform underpinning the CTC services is provided by STACKIT, the cloud provider of the Schwarz Group. STACKIT currently operates four data centers in Germany and Austria and is building another one in Lübbenau, Brandenburg. Based in Neckarsulm, the company pursues the goal of sustainably strengthening Europe’s digital sovereignty.

Digital resilience through European cloud security

The combination of CTC services and STACKIT infrastructure creates a platform that unites data protection, IT security, and flexibility. Companies benefit from modern security and data analytics tools that are operated entirely under European control—a key step toward genuine digital resilience and technological independence.