EU compliance and data sovereignty, run from inside the Union.
The AI Act, NIS2, DORA and the CRA now carry fines and, in places, personal liability for directors. For some workloads they make EU-resident infrastructure a requirement. We build readiness into systems we operate ourselves, inside the EU.
EU compliance and data sovereignty come down to two questions: who can legally reach your data, and whether you can prove how your systems behave. In 2026 a cluster of EU laws — the AI Act, NIS2, DORA, the CRA and GDPR — turned that from a policy stance into an operational one with penalties and personal liability attached. Argus Root builds the controls, the evidence and the in-region hosting that answer both questions, as an operator under EU jurisdiction rather than a broker reselling someone else's cloud.
In short
- Five EU regimes now overlap with teeth: GDPR, NIS2, DORA, the AI Act and the CRA — compliance moved from policy to an operational obligation with penalties.
- Region is not jurisdiction. Under the US CLOUD Act a US-headquartered provider can be compelled to hand over your data regardless of which region the servers sit in.
- Sovereignty is decided by who operates and owns the infrastructure, not only where it is hosted — an EU data centre run by a US company is still reachable under foreign law.
- The recurring assessment finding is a foreign sub-processor buried in the chain that nobody mapped — an analytics tool, a support platform, a CDN.
- The deliverable is evidence: mapped controls, a data-flow and sub-processor map, and the logs and reports an assessor asks to see — not a policy PDF.
The rules now have teeth.
NIS2's transposition deadline passed in October 2024, and the first administrative penalties landed in early 2026. DORA has applied to financial entities since January 2025, with regulators auditing their ICT providers through the year. The AI Act reaches full application for high-risk systems on 2 August 2026, and the Cyber Resilience Act starts reporting obligations on 11 September 2026.
| Framework | What it governs | Status | 2026 milestone |
|---|---|---|---|
| EU AI Act | Risk-based rules for AI systems | Phasing in | High-risk obligations apply 2 Aug 2026 |
| NIS2 | Cybersecurity baseline for essential and important entities | Enforced | First penalties issued; fines to €10M or 2% turnover |
| DORA | Operational resilience for finance and its ICT providers | In force since Jan 2025 | Active audits; third-party ICT oversight |
| CRA | Security-by-design for products with digital elements | Phasing in | Reporting obligations from 11 Sep 2026 |
| GDPR | Personal data protection | In force | Record fines across 2025 |
What changed in 2026 is enforcement rather than the existence of the rules. Cumulative GDPR fines passed €7.1 billion by January 2026, with cross-border data transfers a standing target, and data-protection authorities in Austria, France and Italy have ruled specific US-based tools unlawful over transatlantic transfers. NIS2 moved from a transposition deadline to administrative penalties issued in the first quarter of 2026. The line going round among compliance teams is that 2026 is not when the regulations arrive but when enforcement turns serious.
The laws also interlock rather than stand alone. The AI Act, NIS2, DORA, the Data Act and GDPR each govern a different slice (by data type, by sector, by risk level), and together they form a layered architecture that an EU operation now has to map deliberately rather than meet by instinct. A single high-risk AI system can sit under the AI Act for its data governance, under NIS2 for the resilience of the service around it, and under GDPR for the personal data it touches, all at the same time.
Member states transpose the directives on their own timelines and thresholds, so a business operating across several EU countries meets the same rule expressed slightly differently in each, and a classification that falls below the line in one jurisdiction can sit above it next door. The work is to read your real obligations across the countries you operate in, rather than apply one national checklist and assume it travels.
Why is where your data lives now a control?
Under the US CLOUD Act, a US-headquartered provider can face legal demands for your data regardless of which region the servers sit in. For workloads under DORA, NIS2 and the AI Act, that exposure is becoming hard to defend, and EU-resident infrastructure run by an EU operator is the answer regulators and customers accept.
This stopped being theoretical in March 2026, when an attack on the Commission's cloud-hosted Europa.eu platform put supply-chain risk on the table for everyone relying on a foreign hyperscaler. We host inside the EU, on infrastructure we run, so the chain between you and your data has no foreign parent in it.
The argument that EU-located servers are enough did not survive 2025. In June that year, Microsoft France's own legal director told a French Senate commission of inquiry under oath that no technical or contractual arrangement could guarantee the company would not hand over data if compelled under US law. Your data can sit in Frankfurt and still fall under a US demand, because the exposure follows the provider's headquarters rather than the location of the disk. A US hyperscaler's "sovereign" sub-brand does not resolve this, since the parent it answers to remains American.
NIS2 turns that exposure into your concern as much as the provider's. Its supply-chain security measure makes you accountable for the risk your suppliers carry, so a foreign-headquartered cloud beneath you becomes an explicit input to your own risk assessment. DORA goes further for financial entities: contracts with ICT providers must grant audit and access rights, name the locations where data is processed and stored, and give you control over your data, and incident response and recovery have to be tested and demonstrable, not asserted. For health data, the European Health Data Space lets member states require that it be stored and processed only within the EU. The pattern is consistent: who can reach the data has become a regulated question, and the honest answer turns on who runs the infrastructure.
| | US provider, incl. "sovereign" tier | EU-incorporated operator |
|---|---|---|
| CLOUD Act exposure | Remains, through the US parent | None |
| Who you contract with | A US-headquartered entity | An EU entity you can name |
| DORA audit rights | Constrained by scale | Direct |
| Data residency | A region setting | Operated in-region, by us |
| Who holds access | The provider, globally | Us, inside the EU |
| In your Register of Information | A global hyperscaler | Your named operator |
What do we run for you?
Readiness and operation, mapped to the rules that apply to you rather than a generic checklist.
Framework gap assessment
A workload-by-workload read of where you stand against the AI Act, NIS2, DORA, the CRA and GDPR, with the gaps ranked by exposure.
Third-party ICT oversight
The documentation and contractual evidence DORA expects of your ICT providers, structured so you can list us in your Register of Information cleanly.
AI Act readiness
Risk classification, data governance and the technical documentation high-risk systems need before the August 2026 obligations apply.
NIS2 measures
Risk management, incident response, supply-chain security and access control, implemented and evidenced rather than written into a policy and forgotten.
Sovereign hosting
EU-resident, EU-operated infrastructure for the workloads where in-region data and access control have become a requirement.
Evidence & documentation
The artefacts auditors and procurement teams ask for, kept current instead of rebuilt in a scramble each review.
We are the EU operator, not a broker.
When a regulator or a customer's procurement team asks where your data sits and who can access it, the answer is a provider you can name and list, with no US parent in the chain. We run the infrastructure inside the EU under our own name, and we keep the evidence that backs the claim.
One honest boundary: we are not your law firm. For how a regulation applies to your specific case, you will still want counsel. What we do is build and operate the controls those interpretations require, and keep them auditable.
```yaml
# every obligation mapped to a control, its evidence, and residency
- obligation: NIS2 Art.21 — incident handling
  control: 24/7 detection + documented IR runbook
  evidence: [MTTD/MTTR report, IR test log]
  residency: EU
- obligation: DORA — ICT risk management
  control: tested recovery, RTO/RPO per system
  evidence: [quarterly restore-test record]
  residency: EU
- obligation: GDPR Art.44 — international transfers
  control: in-region processing, EU-jurisdiction operator
  evidence: [data-flow map, sub-processor list]
  residency: EU
```
The direction of travel is one way.
The regulatory push is widening rather than settling. EU member states adopted a Declaration for European Digital Sovereignty in November 2025, a statement of shared intent to reduce dependence on foreign technology, and in June 2026 the Commission published its first draft of a Cloud and AI Development Act aimed squarely at cutting reliance on foreign cloud and AI providers, with a sovereignty framework that would require public bodies to run a risk assessment before adopting a cloud service. The Data Act, applicable since September 2025, already obliges providers to support switching and to block unlawful third-country access to data, chipping away at the lock-in that kept workloads on foreign platforms.
None of this reverses. A business choosing infrastructure in 2026 is choosing against a backdrop where in-region operation moves steadily from advantage to expectation to, for some workloads, requirement. Building on an EU operator now is the position that ages well, rather than a bet that the rules will loosen.
Sovereignty is a workload question, not a slogan.
Not every system needs sovereign hosting, and a vendor who tells you otherwise is selling rather than assessing. A public marketing site carries little whose location a regulator cares about; a FinTech's transaction records, a HealthTech's patient data, or a regulated SaaS platform's customer information are a different matter, and for those the AI Act, NIS2, DORA and the European Health Data Space have moved in-region operation from preference toward obligation. The useful first step is to classify your workloads by sovereignty criticality and treat each on its merits.
We do that assessment workload by workload and tell you which ones genuinely cross the line and which are fine where they are. The result is usually a split estate: the regulated, sensitive systems on EU-resident infrastructure we operate, the rest left wherever it already runs well. Moving everything is expensive theatre; moving the workloads that carry real exposure is the proportionate answer, and the one that survives a regulator's question about why each system sits where it does.
Evidence is the deliverable.
Compliance is judged on what you can show, not what you intend. An auditor, a regulator or a customer's procurement team asks for artefacts: the risk assessments, the technical documentation a high-risk AI system needs under the AI Act, the implemented and recorded NIS2 measures, the contractual and operational evidence DORA expects of an ICT provider, structured so you can enter us in your Register of Information without a scramble. The gap that sinks most reviews is not the absence of controls but the absence of current proof that they exist and work.
We build and keep that evidence as a standing artefact rather than a document rebuilt in a panic before each audit. Where the question is who should own the compliance posture and answer for it at board level, that is a leadership role our vCISO service fills; where it is the security operations that NIS2 and DORA expect to see running, that connects to our observability work. The compliance pillar is where the regulatory map, the in-region hosting and the evidence come together as one operation rather than three disconnected efforts.
Who do these rules reach?
FinTech and financial entities sit under DORA, which pulls their ICT providers into scope and demands audit rights, data control and resilience that can be shown rather than asserted. HealthTech meets the European Health Data Space layered on top of NIS2, which can require patient data to stay inside the EU. Regulated SaaS platforms feel the rules second-hand through procurement: their customers are bound by DORA, NIS2 or the AI Act, and that obligation flows down the contract as questions about where data sits and who can reach it. Suppliers to public bodies face the risk assessments the draft Cloud and AI Development Act would make routine.
Beneath all of them is GDPR, which reaches any organisation handling EU personal data and has made the location of a processing tool a live procurement question rather than a detail. The common position is a company that is not a bank or a hospital but sells to one, or holds enough personal data that a transfer to a foreign cloud has become a liability it would rather not carry. For each of them the question is the same: which of our systems these rules genuinely touch, and what does that require us to change?
What does an assessment usually turn up?
The recurring finding is a foreign sub-processor buried somewhere in the chain that nobody mapped: an analytics tool, a support platform, a backup target that quietly moves data to a US-headquartered provider, undoing the in-region story the rest of the estate tells. Close behind it are AI features shipped without anyone classifying them against the AI Act, so a system that may be high-risk carries none of the documentation it will need by August 2026. Both are invisible until someone goes looking.
The other frequent gap is evidence rather than controls. Most organisations have access control, incident response and risk management of some kind; what they lack is current proof that those controls exist and work, the artefact an auditor asks for and a policy document does not satisfy. We also see Registers of Information that list a hyperscaler with no exit plan, and data flows that cross a border at a step no one had charted. The assessment names each of these, ranks them by exposure, and turns them into a short list of things to fix rather than a vague sense that compliance is somewhere off track.
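The two points above, that jurisdiction follows the controlling parent rather than the server region and that the exposure is usually a sub-processor several links down the chain, can be checked mechanically once the chain is written down. The script below is an added example, not Argus Root's own tooling: it walks a workload's declared processors and their sub-processors depth-first, resolves each one to its ultimate parent, and flags any link that is controlled from outside the EU/EEA or that holds data outside the EU. Every entity, parent, country and sub-processor in the sample registry is constructed for illustration and is not a real vendor; the "sovereign" CDN sub-brand incorporated in France but owned from the US is there to show that a local incorporation does not clear the check.

```python
"""Walk a workload's sub-processor chain and flag foreign-law exposure.

Added example, not Argus Root's own tooling. Every entity, parent and
jurisdiction below is constructed for illustration; none is a real vendor.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# EU member states plus the EEA states that GDPR treats as in-region.
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}


@dataclass
class Entity:
    name: str
    incorporated_in: str                 # country of the contracting legal entity
    parent: str | None = None            # controlling parent entity, if any
    hosts_in: str = "EU"                 # physical region the data sits in
    sub_processors: list[str] = field(default_factory=list)


def controlling_jurisdiction(registry: dict[str, Entity], name: str) -> tuple[str, str]:
    """Follow the ownership chain to the ultimate parent.

    Returns (country of that parent, its name). That is the jurisdiction able
    to compel disclosure, whatever the subsidiary's own incorporation says.
    """
    seen: set[str] = set()
    entity = registry[name]
    while entity.parent is not None:
        if entity.name in seen:
            raise ValueError(f"ownership cycle at {entity.name}")
        seen.add(entity.name)
        entity = registry[entity.parent]
    return entity.incorporated_in, entity.name


def map_chain(registry: dict[str, Entity], direct_processors: list[str]) -> list[tuple[str, str]]:
    """Depth-first walk from a workload's direct processors through every
    sub-processor they declare. Returns (path, reason) for each link whose
    controlling parent sits outside the EU/EEA, or whose data is held
    outside the EU even though the operator itself is EU-controlled.
    """
    findings: list[tuple[str, str]] = []

    def walk(name: str, path: list[str]) -> None:
        if name in path:                 # guard against mutual sub-processing
            return
        path = path + [name]
        entity = registry[name]
        country, top = controlling_jurisdiction(registry, name)
        if country not in EU_EEA:
            findings.append((
                " -> ".join(path),
                f"controlled from {country} via {top}; hosting region "
                f"{entity.hosts_in} does not remove that exposure",
            ))
        elif entity.hosts_in != "EU":
            findings.append((
                " -> ".join(path),
                f"EU-controlled operator but data held in {entity.hosts_in}",
            ))
        for child in entity.sub_processors:
            walk(child, path)

    for processor in direct_processors:
        walk(processor, [])
    return findings


# Constructed sample (hypothetical names): an EU CRM whose analytics add-on
# and support desk's CDN resolve to US parents, plus an EU backup vendor
# that replicates to a US site.
SAMPLE_REGISTRY = {
    "crm-saas": Entity("crm-saas", "DE", sub_processors=["analytics-tool", "support-desk"]),
    "analytics-tool": Entity("analytics-tool", "IE", parent="analytics-parent-inc"),
    "analytics-parent-inc": Entity("analytics-parent-inc", "US"),
    "support-desk": Entity("support-desk", "NL", sub_processors=["cdn"]),
    # "sovereign" sub-brand: incorporated in France, owned from the US
    "cdn": Entity("cdn", "FR", parent="cdn-parent-corp"),
    "cdn-parent-corp": Entity("cdn-parent-corp", "US"),
    "backup-target": Entity("backup-target", "SE", hosts_in="US"),
}
SAMPLE_WORKLOAD = ["crm-saas", "backup-target"]

if __name__ == "__main__":
    for path, reason in map_chain(SAMPLE_REGISTRY, SAMPLE_WORKLOAD):
        print(f"{path}: {reason}")
```

Run against the sample, the walk reports three links: the analytics add-on one hop below the CRM, the CDN two hops below it via the support desk, and the backup target that is EU-incorporated but stores data in the US. The first two are exactly the "region is not jurisdiction" case: both entities are EU-incorporated and EU-hosted and both are still reachable through a US parent. The registry is the part that takes real work in practice; the walk only finds what has been written down, which is why the unmapped sub-processor is the finding that keeps recurring.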
Questions buyers ask.
When does the EU AI Act fully apply?
What are the NIS2 penalties?
Is DORA already in force?
When do Cyber Resilience Act obligations start?
Do I need EU-resident or sovereign cloud?
Can a US provider be compelled to share EU-hosted data?
Does a US hyperscaler's sovereign cloud solve the CLOUD Act problem?
What does the EU Data Act change?
Where must health data be hosted under the EHDS?
What is the Cloud and AI Development Act?
How large are GDPR penalties in practice?
We operate in several EU countries. Does one assessment cover us?
Do you provide legal advice on how a rule applies to us?
What is a Register of Information?
Do we have to leave our current cloud entirely?
How do you prove data really stays in the EU?
Does NIS2 apply to us if we only supply an essential entity?
What does "sovereign cloud" really mean?
Why does an EU-incorporated operator matter more than EU-located servers?
When do the main 2026 obligations land?
Tell us which rules reach you. We'll map the gaps.
Send us your workloads and the frameworks your customers keep citing. We report where you stand and what closing each gap takes, before you commit to anything. If a gap is yours to close internally, we will say so.