EuroComply

Sovereignty Audit

A sovereignty audit is a structured assessment of an organisation's digital infrastructure and service stack designed to identify which systems, data flows, and providers are subject to the jurisdiction of non-EU legal regimes — and to quantify the legal access risk this creates for data that must be protected under EU law. The term is distinct from a cybersecurity audit, which assesses technical vulnerabilities, and from a GDPR compliance audit, which assesses the lawfulness of processing activities. A sovereignty audit focuses specifically on the legal and jurisdictional question: who, outside the EU, has a legal right to access our data without our knowledge or consent?

The primary legal frameworks that create sovereignty risk for EU organisations are the US CLOUD Act (2018), which allows US law enforcement to compel US-headquartered cloud providers to produce data stored anywhere globally; the US FISA Section 702, which authorises US intelligence agencies to collect communications of non-US persons from US electronic communications service providers; and the UK Investigatory Powers Act (IPA, 2016), which grants UK intelligence and law enforcement agencies access powers over providers subject to UK jurisdiction.

Conducting a sovereignty audit involves five steps.

1. Inventory every SaaS application, cloud provider, and data processor the organisation uses.
2. For each provider, identify its legal headquarters, its ultimate parent company, and the jurisdiction of its parent — since CLOUD Act obligations flow through corporate ownership.
3. Map the categories of personal and sensitive data that flow through or are stored in each system.
4. Assess whether the legal regime governing each provider creates access risk that is incompatible with GDPR or with contractual or regulatory obligations to your customers or sector.
5. Prioritise the highest-exposure services and evaluate EU-sovereign alternatives or data minimisation strategies that reduce the volume of sensitive data flowing through non-EU-governed providers.

For an EU SME, a sovereignty audit is both a compliance exercise and a procurement framework. It produces a ranked list of sovereignty risk by provider and data category, enabling risk-informed decisions about which systems to replace, which to remediate through encryption and data minimisation, and which are acceptable given their risk profile. Regulators in healthcare, finance, and defence sectors increasingly expect evidence of sovereignty risk management as a component of broader security and data protection assessments.
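The five steps above worked as a small scoring script. This is an added example, not EuroComply's tooling: the inventory, the jurisdiction codes, the data-category weights and the score thresholds are constructed assumptions, and the output is the ranked provider list that the fifth step calls for.

```python
from dataclasses import dataclass, field

# Non-EU legal regimes named in the audit, keyed by jurisdiction code.
REGIMES = {"US": ("CLOUD Act", "FISA 702"), "UK": ("Investigatory Powers Act",)}
# Assumed impact weight per data category (illustrative, not a legal standard).
DATA_WEIGHT = {"public": 0, "business": 1, "personal": 2, "special": 3}

@dataclass
class Provider:
    name: str
    hq: str                      # jurisdiction of the legal headquarters
    parent: str                  # jurisdiction of the ultimate parent company
    data: list = field(default_factory=list)  # data categories stored or flowing
    customer_keys: bool = False  # encrypted under keys the provider never holds

def applicable_regimes(p: Provider) -> list:
    # Step 2: CLOUD Act obligations flow through ownership, so the parent's
    # jurisdiction counts alongside the headquarters' own.
    return sorted(set(REGIMES.get(p.hq, ()) + REGIMES.get(p.parent, ())))

def exposure(p: Provider) -> dict:
    # Steps 3-4: score = regimes with access powers x most sensitive category.
    regimes = applicable_regimes(p)
    weight = max((DATA_WEIGHT[c] for c in p.data), default=0)
    score = len(regimes) * weight
    if p.customer_keys:
        score //= 2  # compelled disclosure then yields ciphertext only
    if score == 0:
        action = "accept"      # EU-governed, or no sensitive data involved
    elif score <= 2:
        action = "remediate"   # encryption and data minimisation
    else:
        action = "replace"     # evaluate an EU-sovereign alternative
    return {"name": p.name, "score": score, "regimes": regimes, "action": action}

def audit(inventory: list) -> list:
    # Step 5: ranked list, highest exposure first (sort is stable on ties).
    return sorted((exposure(p) for p in inventory), key=lambda r: -r["score"])

# Constructed inventory (step 1) for illustration.
INVENTORY = [
    Provider("CRM", hq="IE", parent="US", data=["business", "personal"]),
    Provider("Email gateway", hq="UK", parent="UK", data=["personal"]),
    Provider("Backups", hq="NL", parent="US", data=["personal"], customer_keys=True),
    Provider("Payroll", hq="DE", parent="DE", data=["special"]),
    Provider("Status page", hq="US", parent="US", data=["public"]),
]
if __name__ == "__main__":
    for r in audit(INVENTORY):
        print(r["score"], r["action"], r["name"], ", ".join(r["regimes"]))
```

Note that the Irish-headquartered CRM still scores highest because its US parent brings it under both US regimes, and the status page scores zero despite a US parent because it holds no sensitive data.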

Related terms

GDPR

The General Data Protection Regulation (Regulation (EU) 2016/679) is the cornerstone of EU data protection law, replacing the 1995 Data Protection Directive and entering into force on 25 May 2018. It applies to any organisation — regardless of where it is established — that processes personal data of individuals residing in the European Union or European Economic Area. Personal data means any information that can identify a living person, directly or indirectly: a name, an email address, an IP address, a cookie identifier, or a combination of attributes that singles someone out. The regulation is built on seven foundational principles set out in Article 5: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Accountability is the principle that distinguishes GDPR from its predecessor — organisations must be able to demonstrate compliance, not merely assert it.

For an EU SME, GDPR creates concrete operational obligations. You need a documented lawful basis for every processing activity (Article 6), a privacy notice that meets the transparency requirements of Articles 13 and 14, a mechanism to respond to data subject requests within one month (Articles 15–22), and a procedure for notifying your national Data Protection Authority of a personal data breach within 72 hours (Article 33). If your processing is high-risk, you must complete a Data Protection Impact Assessment before starting (Article 35).

The consequences of getting it wrong are severe. The supervisory authority in your member state can impose administrative fines of up to €10 million or 2% of global annual turnover for violations of organisational requirements such as missing records or inadequate processor contracts. The upper tier — up to €20 million or 4% of global annual turnover, whichever is higher — applies to breaches of the fundamental principles, lack of lawful basis, or violations of data subject rights. These percentages apply to the entire corporate group's worldwide revenue, not just the entity in breach. Beyond fines, supervisory authorities can issue temporary or permanent bans on processing, which can be existential for data-dependent businesses.

See the GDPR compliance guide at eurocomply.app/regulations/gdpr

EU AI Act

Regulation (EU) 2024/1689, known as the EU AI Act, is the world's first comprehensive horizontal legal framework for artificial intelligence. Published in the Official Journal of the EU on 12 July 2024, it entered into force on 1 August 2024 and applies in phases over a 36-month transition period. The regulation applies to providers who place AI systems on the EU market or put them into service in the EU, regardless of whether the provider is established inside or outside the Union. It also applies to deployers — organisations that use AI systems in a professional context — when those systems are classified as high-risk.

The Act classifies AI systems into four risk tiers. Unacceptable-risk practices (Article 5) are prohibited outright and have applied since 2 February 2025. Limited-risk systems — such as chatbots — carry transparency obligations requiring users to be informed they are interacting with AI. Minimal-risk systems face no mandatory requirements. High-risk systems, defined in Article 6 and Annex III, are the Act's main regulatory target: they must meet requirements covering risk management, training data governance, technical documentation (Annex IV), logging, transparency, human oversight, accuracy, and robustness before being placed on the market.

For EU SMEs, the most pressing deadline is 2 August 2026, when obligations for high-risk AI systems under Annex III fully apply. If your business uses AI in hiring decisions, creditworthiness assessment, access to essential services, or safety-critical operations, you are almost certainly in scope. The Act also introduces requirements for General Purpose AI models (Chapter V) — large foundational models such as those underlying popular AI tools.

Penalties are steep: up to €35 million or 7% of global annual turnover for deploying prohibited AI, up to €15 million or 3% for violations of other obligations, and up to €7.5 million or 1.5% for supplying incorrect information to regulators.

See the AI Act compliance guide at eurocomply.app/regulations/ai-act

NIS2 Directive

Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union — known as NIS2 — entered into force on 16 January 2023, with member states required to transpose it into national law by 17 October 2024. It replaces the original NIS Directive (2016/1148) and represents a dramatic expansion in scope, bringing thousands of additional organisations across Europe under mandatory cybersecurity requirements for the first time.

NIS2 covers 18 sectors divided into two annexes. Annex I contains highly critical sectors including energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. Annex II contains other critical sectors including postal and courier services, waste management, chemicals, food production, manufacturing, digital providers, and research organisations. Within these sectors, organisations are classified as essential entities or important entities depending on their size and criticality, with different supervisory regimes and penalty ceilings applying to each tier.

The core obligations in Article 21 require all in-scope organisations to implement appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks. These measures must cover ten minimum areas: risk analysis and information system security policies; incident handling; business continuity and crisis management; supply chain security; network and information system acquisition and development; policies and procedures to assess cybersecurity risk management measures; basic cyber hygiene practices and training; cryptography and encryption policies; human resources security and access control policies; and the use of multi-factor authentication and secure communication systems.

For an EU SME operating in a covered sector, NIS2 compliance means conducting a scope assessment, implementing the Article 21 measures, registering with your national competent authority, and establishing the processes needed to submit incident notifications within the required timeframes. Management bodies — boards and senior executives — bear personal responsibility for approving and overseeing cybersecurity measures, and can be held personally liable for non-compliance. Fines for essential entities can reach €10 million or 2% of global annual turnover; for important entities, €7 million or 1.4%.

See the NIS2 compliance guide at eurocomply.app/regulations/nis2

DORA

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is the EU's mandatory cybersecurity and operational resilience framework for the financial sector. Directly applicable across all member states since 17 January 2025, DORA applies to a broad range of financial entities including credit institutions, payment institutions, electronic money institutions, investment firms, insurance and reinsurance undertakings, crypto-asset service providers, central counterparties, trade repositories, and many others. Critically, it also applies to ICT third-party providers — cloud platforms, data analytics providers, and software vendors — that are designated as critical by the European Supervisory Authorities.

DORA is structured around five pillars. The first is ICT risk management: financial entities must implement a comprehensive ICT risk management framework under Chapter II that includes policies for protection, detection, response, recovery, and learning from incidents. The second pillar is ICT-related incident management, classification, and reporting under Chapter III, with mandatory reporting timelines to competent authorities for major incidents. The third pillar, Chapter IV, covers digital operational resilience testing — including basic testing annually and advanced threat-led penetration testing (TLPT) at least every three years for significant entities. The fourth pillar manages ICT third-party risk under Chapter V, requiring due diligence, contractual provisions, and exit strategies for all ICT service providers. The fifth pillar addresses information sharing arrangements among financial entities.

For an EU SME in the financial sector, DORA's most immediate practical demands are a documented ICT risk management framework, a register of all ICT third-party service providers (Article 28), contractual clauses in every ICT provider agreement covering audit rights, security standards, and termination rights, and a tested incident response and recovery plan.

Regulators can impose administrative sanctions — the specific penalty regime is set by member states and sector-specific supervisory authorities, but supervisory powers include requiring remediation, suspending activities, and imposing fines calibrated to the severity and duration of the breach.

See the DORA compliance guide at eurocomply.app/regulations/dora