EU’s Sovereignty-First regulatory maze

Arnaud Schwartz
CEO and Co-Founder
February 3, 2026
Summary

Europe has long moved past the era of simple data protection. Today, the European Union is the world’s most sophisticated regulatory laboratory for "digital operational resilience." As financial institutions across Paris, Frankfurt, and Milan race to modernize their stacks on GCP, AWS, or Azure, they are hitting a wall of increasingly rigid "digital sovereignty" requirements.

For the C-suite of an EU-based financial institution, the decision to migrate to the cloud is no longer just about cost-per-compute; it is a question of jurisdictional survival. A tightening web of mandates—led by the Digital Operational Resilience Act (DORA)—is forcing a fundamental rethink: Can you remain compliant if your infrastructure is tethered to a non-EU entity?

This briefing analyzes the regulatory friction points within the Single Market and explains why operational autonomy is now the primary metric for risk management.

The regulatory spectrum: three pillars of EU compliance

Unlike the fragmented markets of the past, the EU has unified its approach around three core pillars that dictate how a financial institution must handle its cloud hosting.

1. The "digital resilience" mandate (DORA)

  • Context: The Digital Operational Resilience Act (DORA) is the new gold standard. It treats tech failures as systemic financial risks.
  • The constraint: It isn't enough for your cloud provider to be "up." You must prove that you can exit that provider, switch to another, or move back on-premise without disrupting the market. "Cloud lock-in" is now a regulatory violation.

2. The "Schrems II" sovereignty shield (GDPR)

  • Context: The legal reality post-Schrems II.
  • The constraint: Even if servers are in Dublin or Frankfurt, the "Cloud Act" in the US creates a legal conflict. If a US provider can be forced to hand over data to US authorities, the institution is in breach of EU privacy laws. This forces a shift toward "Sovereign Clouds" or localized encryption where the bank—not the provider—holds the keys.

3. The "concentration risk" audit

  • Context: EBA (European Banking Authority) and ESMA guidelines.
  • The constraint: Regulators are terrified that if AWS goes down, the entire EU banking system goes with it. Institutions are now required to map their "fourth-party" risks. If your bank, your payment processor, and your KYC vendor all use the same AWS region, your "concentration risk" score will trigger a mandatory capital surcharge or an order to diversify.

Regional analysis: the infrastructure impact

While DORA provides a unified framework, some local regulators (NCAs) apply their own "gold-plating" to infrastructure requirements.

🇩🇪 Germany

The BaFin "cloud-exiting" rigor

  • The regulation: MaRisk (Minimum Requirements for Risk Management) and BAIT.
  • The reality: BaFin is notoriously strict on "exit strategies." They don't just want to see a plan; they want proof of portability.
  • The implication: Relying on proprietary cloud-native services (like AWS Lambda or Google BigQuery) makes exit strategies nearly impossible. German banks are increasingly favoring containerized (Kubernetes) or hybrid deployments to satisfy BaFin’s portability audits.

🇫🇷 France

The "SecNumCloud" influence

  • The regulation: ACPR guidelines and the influence of ANSSI.
  • The reality: While SecNumCloud is a label for public sector providers, the ACPR (the banking regulator) increasingly views it as the benchmark for "trusted cloud."
  • The implication: There is immense political and regulatory pressure to use "Sovereign" setups—where the cloud is operated by an EU entity (e.g., Orange/Capgemini’s 'Bleu' or S3NS by Thales/Google). Choosing a standard US-hosted SaaS without these layers is becoming a "high-risk" internal audit finding.

🇱🇺 Luxembourg

The "right to audit" fortress

  • The regulation: CSSF Circular 22/806.
  • The reality: Luxembourg is the hub for EU fund management. The CSSF requires "unrestricted" physical access to data centers and full transparency of the supply chain.
  • The implication: Hyper-scalers often struggle to provide the granular, "on-demand" physical audit access the CSSF expects. This has led to a boom in "private cloud" enclaves within Luxembourg borders.

Reality check: the cost of infrastructure dependency

The EU’s enforcement arm is no longer theoretical. In 2024 and 2025, the focus shifted from "policy writing" to "operational testing."

The "exit strategy" enforcement (Ireland, 2025)

In early 2025, the Central Bank of Ireland (CBI) conducted a "thematic review" of cloud outsourcing. They found that several mid-tier fintechs had no viable way to migrate their core ledgers off their primary cloud provider within a 30-day window.

  • The penalty: The regulator issued "Capital Add-ons," effectively forcing the banks to hold more cash in reserve to offset the operational risk of their cloud lock-in.

The data residency breach (Netherlands, 2024)

The Dutch Data Protection Authority (AP) penalized a financial services firm for using a US-based analytics tool that "leaked" metadata of EU citizens to servers in Virginia.

  • The lesson: Even if your primary database is in Amsterdam, if your logging, monitoring, or analytics tools are US-native SaaS, you are legally exposed.

The strategic pivot: operational autonomy

The message from Brussels is clear: Outsourcing services does not mean outsourcing responsibility. To navigate the EU's "Sovereignty-First" era, the C-suite must shift their procurement strategy:

  1. Portability as a feature: If a solution can't run on-premise or in a private cloud tomorrow, it shouldn't be bought today.
  2. Sovereign key management (HYOK): "Hold Your Own Key" is the only way to mitigate the US Cloud Act risk. If the cloud provider can't see the data, they can't hand it over.
  3. Local redundancy: DORA requires a "secondary site" that is not just a different region, but ideally a different provider or an on-premise backup.

The Marble approach: deployment freedom in the EU

In a European market defined by DORA and Schrems II, hosting rigidity is a terminal risk.

Most AML and Fraud vendors force you into their specific AWS or GCP instance, making you a passenger to their compliance failures. Marble takes a different approach.

We provide the EU’s only financial crime platform designed for total deployment optionality. Whether you need a French-sovereign S3NS instance, a private cloud in Frankfurt to satisfy BaFin, or a local on-premise server in Luxembourg for CSSF-level auditability, Marble adapts to your jurisdiction.

We keep your most sensitive AML data within your regulated perimeter, ensuring that even if the transatlantic cables are cut, your compliance operations remain online and "Sovereign-ready."
