EuroComply

US CLOUD Act

The Clarifying Lawful Overseas Use of Data Act — commonly called the CLOUD Act — is a US federal law enacted in March 2018 that gives US law enforcement agencies, including the FBI and the Department of Justice, the authority to compel US-headquartered cloud providers and their subsidiaries to produce data stored anywhere in the world, including in EU data centres, in response to a lawful US court order or warrant. The CLOUD Act applies to any provider that is subject to US jurisdiction — meaning incorporated in the United States, listed on a US stock exchange, or having its principal place of business in the United States — regardless of where the data sits physically.

The CLOUD Act creates a direct conflict with GDPR for organisations that store personal data of EU residents with a US-based cloud provider. If a US government agency compels that provider to hand over EU personal data without the data subject's knowledge and without a GDPR-compliant legal basis, the transfer likely violates GDPR's Chapter V restrictions on transfers to third countries. The data subject's rights of access, rectification, and transparency are also unavailable when data is accessed covertly by government agencies. This conflict has not been definitively resolved by EU–US treaty, and neither the EU–US Data Privacy Framework nor Standard Contractual Clauses neutralise CLOUD Act obligations — SCCs bind the parties to a commercial contract but cannot override a US statutory obligation.

The CLOUD Act's reach extends through US parent companies: a US parent can receive a CLOUD Act order directing it to produce data held on the EU systems of a subsidiary incorporated in Germany. The nationality of the local operating subsidiary therefore provides no protection if the ultimate parent is US-headquartered.
For an EU SME, CLOUD Act exposure is a genuine operational risk when using AWS, Microsoft Azure, Google Cloud, Salesforce, or any other service operated by a US corporate group. A sovereignty audit — mapping each SaaS and cloud provider against its legal headquarters and parent company structure — is the starting point for understanding and reducing this exposure. EU-sovereign alternatives from providers with no US parent and no US listing are outside CLOUD Act jurisdiction.

Related terms

GDPR

The General Data Protection Regulation (Regulation (EU) 2016/679) is the cornerstone of EU data protection law, replacing the 1995 Data Protection Directive and entering into force on 25 May 2018. It applies to any organisation — regardless of where it is established — that processes personal data of individuals residing in the European Union or European Economic Area. Personal data means any information that can identify a living person, directly or indirectly: a name, an email address, an IP address, a cookie identifier, or a combination of attributes that singles someone out. The regulation is built on seven foundational principles set out in Article 5: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Accountability is the principle that distinguishes GDPR from its predecessor — organisations must be able to demonstrate compliance, not merely assert it.

For an EU SME, GDPR creates concrete operational obligations. You need a documented lawful basis for every processing activity (Article 6), a privacy notice that meets the transparency requirements of Articles 13 and 14, a mechanism to respond to data subject requests within one month (Articles 15–22), and a procedure for notifying your national Data Protection Authority of a personal data breach within 72 hours (Article 33). If your processing is high-risk, you must complete a Data Protection Impact Assessment before starting (Article 35).

The consequences of getting it wrong are severe. The supervisory authority in your member state can impose administrative fines of up to €10 million or 2% of global annual turnover for violations of organisational requirements such as missing records or inadequate processor contracts. The upper tier — up to €20 million or 4% of global annual turnover, whichever is higher — applies to breaches of the fundamental principles, lack of lawful basis, or violations of data subject rights. These percentages apply to the entire corporate group's worldwide revenue, not just the entity in breach. Beyond fines, supervisory authorities can issue temporary or permanent bans on processing, which can be existential for data-dependent businesses. See the GDPR compliance guide at eurocomply.app/regulations/gdpr

EU AI Act

Regulation (EU) 2024/1689, known as the EU AI Act, is the world's first comprehensive horizontal legal framework for artificial intelligence. Published in the Official Journal of the EU on 12 July 2024, it entered into force on 1 August 2024 and applies in phases over a 36-month transition period. The regulation applies to providers who place AI systems on the EU market or put them into service in the EU, regardless of whether the provider is established inside or outside the Union. It also applies to deployers — organisations that use AI systems in a professional context — when those systems are classified as high-risk.

The Act classifies AI systems into four risk tiers. Unacceptable-risk practices (Article 5) are prohibited outright and have applied since 2 February 2025. Limited-risk systems — such as chatbots — carry transparency obligations requiring users to be informed they are interacting with AI. Minimal-risk systems face no mandatory requirements. High-risk systems, defined in Article 6 and Annex III, are the Act's main regulatory target: they must meet requirements covering risk management, training data governance, technical documentation (Annex IV), logging, transparency, human oversight, accuracy, and robustness before being placed on the market.

For EU SMEs, the most pressing deadline is 2 August 2026, when obligations for high-risk AI systems under Annex III fully apply. If your business uses AI in hiring decisions, creditworthiness assessment, access to essential services, or safety-critical operations, you are almost certainly in scope. The Act also introduces requirements for General Purpose AI models (Chapter V) — large foundational models such as those underlying popular AI tools.

Penalties are steep: up to €35 million or 7% of global annual turnover for deploying prohibited AI, up to €15 million or 3% for violations of other obligations, and up to €7.5 million or 1.5% for supplying incorrect information to regulators. See the AI Act compliance guide at eurocomply.app/regulations/ai-act

NIS2 Directive

Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union — known as NIS2 — entered into force on 16 January 2023, with member states required to transpose it into national law by 17 October 2024. It replaces the original NIS Directive (2016/1148) and represents a dramatic expansion in scope, bringing thousands of additional organisations across Europe under mandatory cybersecurity requirements for the first time.

NIS2 covers 18 sectors divided into two annexes. Annex I contains highly critical sectors including energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. Annex II contains other critical sectors including postal and courier services, waste management, chemicals, food production, manufacturing, digital providers, and research organisations. Within these sectors, organisations are classified as essential entities or important entities depending on their size and criticality, with different supervisory regimes and penalty ceilings applying to each tier.

The core obligations in Article 21 require all in-scope organisations to implement appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks. These measures must cover ten minimum areas: risk analysis and information system security policies; incident handling; business continuity and crisis management; supply chain security; network and information system acquisition and development; policies and procedures to assess cybersecurity risk management measures; basic cyber hygiene practices and training; cryptography and encryption policies; human resources security and access control policies; and the use of multi-factor authentication and secure communication systems.

For an EU SME operating in a covered sector, NIS2 compliance means conducting a scope assessment, implementing the Article 21 measures, registering with your national competent authority, and establishing the processes needed to submit incident notifications within the required timeframes. Management bodies — boards and senior executives — bear personal responsibility for approving and overseeing cybersecurity measures, and can be held personally liable for non-compliance. Fines for essential entities can reach €10 million or 2% of global annual turnover; for important entities, €7 million or 1.4%. See the NIS2 compliance guide at eurocomply.app/regulations/nis2

DORA

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is the EU's mandatory cybersecurity and operational resilience framework for the financial sector. Directly applicable across all member states since 17 January 2025, DORA applies to a broad range of financial entities including credit institutions, payment institutions, electronic money institutions, investment firms, insurance and reinsurance undertakings, crypto-asset service providers, central counterparties, trade repositories, and many others. Critically, it also applies to ICT third-party providers — cloud platforms, data analytics providers, and software vendors — that are designated as critical by the European Supervisory Authorities.

DORA is structured around five pillars. The first is ICT risk management: financial entities must implement a comprehensive ICT risk management framework under Chapter II that includes policies for protection, detection, response, recovery, and learning from incidents. The second pillar is ICT-related incident management, classification, and reporting under Chapter III, with mandatory reporting timelines to competent authorities for major incidents. The third pillar, Chapter IV, covers digital operational resilience testing — including basic testing annually and advanced threat-led penetration testing (TLPT) at least every three years for significant entities. The fourth pillar manages ICT third-party risk under Chapter V, requiring due diligence, contractual provisions, and exit strategies for all ICT service providers. The fifth pillar addresses information sharing arrangements among financial entities.

For an EU SME in the financial sector, DORA's most immediate practical demands are a documented ICT risk management framework, a register of all ICT third-party service providers (Article 28), contractual clauses in every ICT provider agreement covering audit rights, security standards, and termination rights, and a tested incident response and recovery plan.

Regulators can impose administrative sanctions — the specific penalty regime is set by member states and sector-specific supervisory authorities, but supervisory powers include requiring remediation, suspending activities, and imposing fines calibrated to the severity and duration of the breach. See the DORA compliance guide at eurocomply.app/regulations/dora