SOV-EU active definition

European sovereignty

Data and infrastructure within the European Union, guaranteed GDPR compliance.

// What it means

SOV-EU means that every component of the system, from databases to backups to application logs, resides in cloud regions located within the European Union. The applicable jurisdiction is that of an EU member state and the processing of personal data is subject directly to the GDPR. It must however be noted: when relying on hyperscalers with a non-EU parent company (AWS, Azure, GCP), post-Schrems II it is prudent practice to integrate SCC and a Transfer Impact Assessment anyway, because the provider remains technically subject to the US CLOUD Act even if the data is in an EU region. We disclose this explicitly during contracting.

Unlike SOV-IT, here we accept pan-European sovereign cloud providers (Hetzner, OVH, Scaleway, Supabase EU) and EU regions of the major hyperscalers. This opens access to managed services, multi-AZ scalability and European CDNs, while keeping data residency within the EU perimeter. The practical difference between EU sovereign providers and US hyperscalers in an EU region must be assessed case by case and documented.

It is typically the most balanced choice for Italian and European companies operating in the common market: it covers GDPR, NIS2 and DORA without the rigid constraints of SOV-IT, significantly reducing the risks of non-EU transfers (though not eliminating them entirely when the provider is of non-European origin).

// Where the data resides

Where the data physically resides

Datacenter

EU regions of Hetzner, OVH, Scaleway, AWS Frankfurt, Azure NL

Backup

Replicas in EU regions different from the primary

Operations

Access contractually restricted to EU personnel · tracked and audited (actual level depends on the provider)

CDN

Edge nodes only in European PoPs

Telemetry

Logs and metrics collected in the EU

// When to choose it / when not to

✓ Choose it when

▸ EU companies serving European customers that must guarantee strict GDPR compliance
▸ Regulated sectors: fintech (DORA), telco, energy, private healthcare
▸ European B2B SaaS products with enterprise clients requiring EU data residency
▸ Italian SMEs that want a modern cloud but without non-EU exposure

✕ Avoid it when

▸ When the client explicitly requires Italian jurisdiction (see SOV-IT)
▸ Global workloads with users predominantly outside the EU: EU-only latency becomes a disadvantage
▸ AI services requiring proprietary models hosted outside the EU

// Compliance and standards

Regulatory references and standards applicable to the SOV-EU sovereignty level.

GDPR

EU Regulation 2016/679 — primary regulatory basis

NIS2

Cybersecurity for essential and important entities

DORA

Digital operational resilience for the EU financial sector

EU Data Act

Regulation on data access and portability

EUCS

European Cybersecurity Certification Scheme for Cloud Services (framework being finalized · not all providers are certified at the top levels)

// Specific FAQ

Are American hyperscalers with EU regions enough to be SOV-EU?

The data physically resides in the EU, but the parent company remains subject to the US CLOUD Act and to extraterritorial orders: for this reason, even in SOV-EU on US hyperscalers in an EU region, post-Schrems II it is standard practice to add SCC and a Transfer Impact Assessment. SOV-EU accepts these configurations with explicit disclosure to the client; those who want to exclude any non-EU exposure must choose European sovereign providers (OVH, Scaleway, Hetzner, Aruba) or SOV-IT.

Practical difference between SOV-EU and SOV-IT?

SOV-EU allows pan-European clouds and managed services of hyperscalers in EU regions. SOV-IT prohibits anything not on Italian territory and typically excludes global hyperscalers.