Controlling interest & FISA 702 risk (jurisdiction ≠ residency)
Why important?
For US-controlled providers, “data residency” can be solved technically, but legal/governmental reach-through via the parent company remains a risk (e.g., FISA 702 / CLOUD Act). Relevance strongly depends on the use case.
How measured?
Scale 0–5 + N/A:
- 0 = High jurisdiction/disclosure risk (e.g., US control, FISA 702 exposure) with no mitigation
- 1 = Elevated risk, mitigations unclear/weak
- 2 = Some mitigations, but residual risk high or scope narrow
- 3 = Mitigations present (EU entity, processes), but residual risk remains relevant
- 4 = Strong mitigations (legal/operational separation), risk reduced and documented
- 5 = Demonstrably low risk (EU control/ownership, no relevant extraterritorial exposure)
- N/A = no reliable evidence
Sources / Evidence
Validation questions (RFP)
- Who is the ultimate parent / controlling interest? What disclosure/notification obligations exist? Is there independent EU governance that reviews government requests?
Scores comparison
| Providers | Score | Notes |
|---|---|---|
| Hetzner Cloud | 5.0 | |
| IONOS Cloud | 5.0 | |
| OVHcloud Public Cloud (incl. SecNumCloud) | 5.0 | |
| STACKIT | 5.0 | |
| Scaleway | 5.0 | |
| SysEleven OpenStack Cloud | 5.0 | |
| Cloud Temple Trusted Cloud | 5.0 | No US parent. 100% FR-owned. SecNumCloud 3.2 qualified – requires immunity from extraterritorial laws (FISA 702, CLOUD Act). Gaia-X Label Level 3 (first EU company). |
| Infomaniak Public Cloud | 5.0 | Swiss company. No US parent. Swiss law (FADP). No FISA 702 / CLOUD Act risk. Switzerland provides strong data protection. No extraterritorial exposure. |
| T Cloud Public | 5.0 | |
| UpCloud | 5.0 | |
| noris Sovereign Cloud | 5.0 | |
| Delos Cloud | 4.0 | |
| Exoscale | 4.0 | |
| pluscloud open | 4.0 | |
| AWS European Sovereign Cloud | 1.0 | |
| Microsoft Sovereign Cloud | 1.0 | |
| Oracle EU Sovereign Cloud | 1.0 | |