CLOUD Act exposure: a 2026 buyer's checklist for EU SMEs
EU procurement teams now ask vendors about CLOUD Act exposure. Here's the 8-question checklist they use — and the 4 exposure tiers your vendors fall into.
TL;DR
The US CLOUD Act lets US authorities compel any US-controlled company to hand over data, including data stored in EU data centres. EU procurement teams now screen SaaS vendors for this risk before signing. This checklist gives you the eight questions to ask and a four-tier scoring model to rank vendor exposure.
What the CLOUD Act actually says (and what it doesn't)
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) became US federal law in March 2018. It amended 18 U.S.C. §2713 of the Stored Communications Act. The relevant text reads: "A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States." Source: 18 U.S.C. §2713.
Three points matter for EU buyers. First, the law binds any provider "subject to US jurisdiction". That includes US parent companies, their EU subsidiaries, and joint ventures with US controlling interest. Second, the data location does not matter. A Microsoft data centre in Dublin or an AWS region in Frankfurt is in scope if the parent is US. Third, the provider cannot always tell the customer about a disclosure order. Section 2705(b) allows non-disclosure orders.
The Court of Justice of the European Union ruled in Schrems II (C-311/18) on 16 July 2020 that US surveillance law conflicts with EU fundamental rights under the GDPR. The court invalidated the Privacy Shield. The current EU-US Data Privacy Framework adopted in July 2023 attempts to address those gaps, but the CLOUD Act itself remains unchanged. The European Data Protection Board has flagged the residual risk in Recommendations 01/2020 on supplementary measures.
The 4 exposure tiers
EuroComply's /cloud-act-scores methodology v1.0 ranks SaaS vendors into four tiers based on legal control, data residency, encryption posture, and disclosure history. The aggregate score runs 0-100, where higher is better (less exposed).
Sovereign (80-100). EU-headquartered company, EU-only data residency, EU-managed encryption keys, no US parent or controlling US ownership. Examples: Hetzner, OVHcloud, Scaleway, Mistral AI.
Mixed (50-79). EU operations with some US dependency, or EU subsidiary of a non-US foreign parent. May use a US sub-processor for a non-critical function (analytics, fraud detection). EuroComply itself scores 27/100 in this tier — we use Paddle (UK), Vercel (EU regions), and a Frankfurt Supabase database, but our payment processor falls under non-EU corporate control.
US-Dominant (20-49). US-headquartered company with strong EU data residency commitments (in-region storage, regional sub-processors, customer-managed keys available). Examples include Cloudflare, AWS, and most US hyperscalers that have invested in EU Sovereign Cloud offerings. The legal exposure under §2713 remains, but technical mitigations reduce the surface area.
US-Only (0-19). US-headquartered company with US-centric infrastructure, no customer-managed encryption, and limited regional controls. Most US compliance SaaS vendors sit here.
The buyer's checklist
These eight questions cover the issues your procurement and DPO teams need to settle before signing.
- Corporate structure. Where is the company incorporated? Who owns more than 25% of the equity? Is there a US parent, subsidiary, or joint venture in the corporate tree?
- Data residency. Where is customer data physically stored? Where are backups stored? Can you contract for EU-only residency, and is it enforced technically (not just by policy)?
- Sub-processors. List every sub-processor with the country of incorporation and the data category they receive. How often does this list change, and how is the customer notified?
- Encryption keys. Who holds the encryption keys? Are customer-managed keys available (BYOK or HYOK)? Can the vendor decrypt customer data without customer consent?
- Government access transparency. Does the vendor publish a transparency report? How many CLOUD Act, FISA 702, and National Security Letter requests have they received in the last 12 months? How many did they comply with?
- Notification commitments. Will the vendor notify the customer of any government data request before disclosure? What is the exception list? How will they handle a §2705(b) gag order?
- Supplementary measures. What supplementary measures (as defined in EDPB Recommendations 01/2020) are implemented? Encryption with EU-held keys? Pseudonymisation? Split processing?
- Exit terms. On termination, when is customer data deleted from primary storage, backups, and sub-processors? Is the deletion auditable?
Worked example: scoring three popular SaaS vendors
Hetzner (Sovereign, ~90/100). German GmbH, headquartered in Gunzenhausen. Data centres in Germany and Finland. No US parent. No US sub-processors disclosed in standard contracts. The company's legal disclosures confirm no transfers outside the EEA. Customer-managed encryption is available on object storage.
Cloudflare (US-Dominant, ~35/100). Delaware corporation, headquartered in San Francisco. Operates EU data centres but legal control sits in the US. Their 2024 Transparency Report discloses receipt of National Security Letters and FISA orders. Cloudflare offers an EU-only data localisation suite for additional cost. Encryption keys are customer-managed for several products. The exposure is real but technically mitigated.
Vanta (US-Only, ~15/100). Delaware corporation, headquartered in San Francisco. Primary infrastructure on AWS US regions. EU customer data is processed in US regions by default. The company's trust report discloses no transparency data on US government requests. No customer-managed encryption. This is the canonical US-Only profile.
These scores are illustrative. Run the full checklist before making sourcing decisions.
What this means for your vendor inventory
Three actions follow.
First, build a vendor exposure register. List every SaaS vendor in your stack, the data categories you send them, and their current tier. Look up tier scores at /cloud-act-scores. Treat anything in the US-Only tier handling personal data, financial data, or trade secrets as a transfer impact assessment trigger under GDPR Article 46.
Second, write the eight checklist questions into your Master Services Agreement template. EU SMEs that buy software without these clauses are signing away the audit rights they need 18 months later when a Data Protection Authority asks for proof.
Third, run the checklist against your existing vendors quarterly. Sub-processors change. Corporate ownership changes. A vendor that scored Mixed in January 2026 can drop to US-Dominant after an acquisition.
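The three actions above (build a register, flag transfer impact assessment triggers, rescore quarterly and catch tier drops) are easy to keep in a small script rather than a spreadsheet. The following is an added illustration, not EuroComply's /cloud-act-scores code: it takes the aggregate 0-100 score as an input (the component weights are not published on this page), applies the four tier bands from the article, flags US-Only vendors that receive personal, financial or trade-secret data as TIA triggers, and diffs two quarterly snapshots to surface vendors whose tier got worse. The vendor names, scores and data categories are constructed sample data.

```python
"""Vendor exposure register: tier assignment, TIA triggers, quarterly tier-drop diff.

Added example, not EuroComply's own scoring code. The aggregate score is an
input (the page does not publish the component weights); all vendor data
below is constructed for illustration.
"""
from dataclasses import dataclass

# Tier bands from the article: aggregate score 0-100, higher is less exposed.
# Ordered best to worst; the second field is the lower bound of the band.
TIERS = (
    ("Sovereign", 80),
    ("Mixed", 50),
    ("US-Dominant", 20),
    ("US-Only", 0),
)

# Data categories that, for a US-Only vendor, trigger a transfer impact
# assessment under GDPR Article 46 (per the register guidance above).
TIA_CATEGORIES = frozenset({"personal", "financial", "trade-secret"})


@dataclass(frozen=True)
class VendorEntry:
    name: str
    score: int                  # aggregate exposure score, 0-100
    data_categories: frozenset  # what your organisation sends this vendor


def tier_for(score: int) -> str:
    """Map an aggregate score onto one of the four tiers."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    for name, floor in TIERS:
        if score >= floor:
            return name
    raise AssertionError("unreachable: TIERS ends at floor 0")


def tia_trigger(entry: VendorEntry) -> bool:
    """US-Only tier plus sensitive data categories => TIA required."""
    return (tier_for(entry.score) == "US-Only"
            and bool(entry.data_categories & TIA_CATEGORIES))


def build_register(entries):
    """Register rows, most exposed vendor first."""
    return [
        {"vendor": e.name, "score": e.score, "tier": tier_for(e.score),
         "tia_required": tia_trigger(e)}
        for e in sorted(entries, key=lambda e: e.score)
    ]


def tier_drops(previous: dict, current: dict):
    """Vendors whose tier worsened between two snapshots of {vendor: score}.

    A score change inside the same band is not reported; only band changes
    toward the US-Only end are.
    """
    rank = {name: i for i, (name, _) in enumerate(TIERS)}  # 0 best .. 3 worst
    drops = []
    for name, new_score in current.items():
        if name not in previous:
            continue  # new vendor: goes through the full checklist instead
        old_tier, new_tier = tier_for(previous[name]), tier_for(new_score)
        if rank[new_tier] > rank[old_tier]:
            drops.append((name, old_tier, new_tier))
    return drops


# Constructed sample data (hypothetical vendors and scores).
REGISTER_INPUT = [
    VendorEntry("hosting-a", 90, frozenset({"personal", "financial"})),
    VendorEntry("ticketing-b", 62, frozenset({"personal"})),
    VendorEntry("analytics-c", 15, frozenset({"personal"})),
    VendorEntry("status-page-d", 12, frozenset({"marketing-copy"})),
]
Q1_SNAPSHOT = {"hosting-a": 90, "ticketing-b": 62, "analytics-c": 15}
# ticketing-b acquired by a US parent between quarters; score re-assessed.
Q2_SNAPSHOT = {"hosting-a": 88, "ticketing-b": 35, "analytics-c": 15}

if __name__ == "__main__":
    for row in build_register(REGISTER_INPUT):
        print(row)
    for name, old, new in tier_drops(Q1_SNAPSHOT, Q2_SNAPSHOT):
        print(f"TIER DROP: {name} {old} -> {new}; rerun the checklist")
```

In the sample run, analytics-c is flagged for a TIA (US-Only, receives personal data) while status-page-d is not (US-Only, but only marketing copy), and the quarterly diff reports ticketing-b moving from Mixed to US-Dominant, which is exactly the acquisition case the third action warns about.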
Frequently asked questions
Is the EU-US Data Privacy Framework enough?
No. The DPF authorises personal data transfers under GDPR but does not override the CLOUD Act. A US authority can still compel disclosure from a DPF-certified vendor.
Does the CLOUD Act apply to a US company's EU subsidiary?
Yes, in most cases. The CLOUD Act covers providers under US "possession, custody, or control". US parent companies typically control their EU subsidiaries through ownership and contractual arrangements. The European Commission's Schrems II FAQ treats this as a key risk factor.
What about UK vendors after Brexit?
The UK has its own data protection regime. UK vendors are not in scope of the CLOUD Act unless they have US corporate control. The EU treats the UK as an adequate jurisdiction under the 2021 adequacy decision.
Are there technical measures that fully neutralise CLOUD Act risk?
Customer-held encryption keys for data at rest and in transit, combined with pseudonymisation at the application layer, remove the vendor's ability to disclose readable data. The EDPB calls these "supplementary measures". They are necessary but rarely sufficient on their own — operational metadata still leaks.
Look up exposure scores for any SaaS vendor at /cloud-act-scores, or run the riskometer against your full stack at /riskometer.
EuroComply Editorial Team
EU regulatory compliance specialists covering the AI Act, GDPR, NIS2, and related legislation. Content reviewed against official EU regulation texts and enforcement guidance.
For informational purposes only. Consult qualified legal counsel.