Data sovereignty in 2026: who holds the key to your data?

Data sovereignty is often reduced to one simple question: "Is my data in a European data center?" In reality, it is about something much more fundamental: under what law does your data fall, who can really access it, and who holds the cryptographic key?

Is my data in a European data center?


With the advent of NIS2, the Data Act and DORA, data sovereignty is becoming a hard prerequisite for compliance, rather than a nice-to-have. Organizations must have demonstrable control over their data – legally, technically and operationally.

In this long read, we explain:

  • What data sovereignty is and is not;
  • How it relates to GDPR, NIS2, DORA and the Data Act;
  • What role hyperscalers, hardware and key management play.

Data sovereignty = more than data location (Summary for decision makers)

  • Data sovereignty = more than data location. It involves jurisdiction, access, encryption keys, governance and operational control.
  • European regulations (GDPR, NIS2, DORA, Data Act) force organizations to make data sovereignty concrete: who can do what, where, when and under what law?
  • Hyperscalers and international hardware chains remain important, but bring with them legal dependencies (such as the CLOUD Act) that put pressure on data sovereignty.
  • Secure file sharing is often the weakest point: that’s precisely where the most sensitive documents leave your organization.

1. What is data sovereignty (and what is not)?

1.1 Three concepts often mixed up

In discussions of data sovereignty, three terms get mixed up:

  • Data residency
    Where is data physically stored? For example, “in the Netherlands” or “in the EU.”
  • Data localization
    Legal requirement that data cannot leave the country or region.
  • Data sovereignty
    Under what law and authority data ultimately falls, including who can enforce access and who controls the keys.

So you can have an “EU data center” but still fall under non-EU law if the supplier has a parent company in another country, or if encryption keys are outside the EU.

1.2 Why “data in the EU” is not enough

Data sovereignty goes beyond location:

  • What government can demand, directly or indirectly, access to your data?
  • What laws apply to your cloud or service provider?
  • Who manages the encryption keys?
  • Can you demonstrate who had access when?

Until you can answer these questions sharply, you cannot confidently claim to be data sovereign – even if your data center is in the EU.

2. Why data sovereignty is critical to NIS2, GDPR, DORA and the Data Act

Data sovereignty is no longer an abstract political concept, but directly linked to concrete legislation.

2.1 GDPR: basis for data protection

GDPR lays the groundwork for everything to do with personal data:

  • lawful processing;
  • minimal data processing;
  • appropriate technical and organizational measures;
  • and most importantly, accountability – you have to be able to demonstrate that you’ve got it right.

For data sovereignty, this means:

  • know where personal data is located;
  • know which (sub)processors are being used;
  • and be able to prove that data does not end up in third countries unchecked.

2.2 NIS2: from policy to demonstrable digital resilience

NIS2 targets vital and important organizations (such as energy, healthcare, transportation, government, digital infrastructure) and takes security to the next level:

  • mandatory risk management and security measures;
  • stricter chain security requirements: suppliers and IT service providers are explicitly within scope;
  • mandatory incident reporting and stricter sanctions.

In practice, this means:

You cannot tell a credible NIS2 story without a clear narrative about data sovereignty: where does your critical data reside, who manages it and how do you ensure secure file transfers?

2.3 DORA: data sovereignty for the financial sector

DORA is focused on the digital operational resilience of financial institutions. It explicitly puts large IT service providers and cloud providers in the spotlight: they are seen as “critical third parties.”

For secure file transfer, this means:

  • you have to show that critical data is not dependent on one non-EU provider;
  • logs, access and encryption in secure file sharing must be in order;
  • auditors want to see hard evidence: who received what file when and under what security.

2.4 EU Data Act: data control and third-country access

The EU Data Act:

  • increases organizations’ control over their own (non-personal) data;
  • makes it easier to switch between cloud providers (anti-vendor lock-in);
  • and limits unauthorized access by third countries to data in the EU.

This is where data sovereignty comes back very concretely:

  • can you take your data with you when you switch?
  • are you sure that data will not end up with a foreign government without your knowledge?
  • are key materials and access to your secure file sharing environment anchored in Europe?

3. The role of hyperscalers, hardware and key management

3.1 Hyperscalers: powerful, but not neutral

Microsoft, Amazon, Google and other hyperscalers have become indispensable. They offer:

  • scalability,
  • flexibility,
  • and a rich ecosystem of tools.

But: they are often covered by non-EU legislation, with extraterritorial effect (such as the U.S. CLOUD Act). That means your data sovereignty is not automatically settled, even if you select “EU region.”

Reality:

  • You want to keep the benefits of hyperscalers,
  • but you want to cover crucial data sovereignty and NIS2 risks,
  • especially around critical documents and file transfers.

3.2 Hardware and supply chain: the foundation under data sovereignty

The hardware layer also comes into play:

  • Where do your servers, storage and network components come from?
  • Who manages firmware and security updates?
  • Can you audit the chain?

For many organizations, this is difficult to fully control. Therefore, it makes sense to impose strict sovereignty principles at least at the upper layers (encryption, key management, governance, secure file sharing).

3.3 Key management: who holds the key to your data?

Perhaps the most important question of data sovereignty:

Who has the key to your data?

Encryption makes sense only if:

  • the encryption keys do not end up with parties under undesirable jurisdiction;
  • you can enforce who can use keys;
  • and you can demonstrate that keys are not simply shared or misused.

Data-sovereign secure file sharing therefore means:

  • end-to-end encryption;
  • key management within the EU and under the control of your organization and/or an EU-based supplier;
  • no “black box” where you don’t know who can access it.
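To make the key question above tangible, here is an added example (not Msafe's code, and not a description of how Msafe works internally): a minimal envelope-encryption model in Go in which the file host stores only AES-GCM ciphertext plus a copy of the per-file data-encryption key (DEK) wrapped for each authorised party. Each party's key-encryption key (KEK) stays with that party, so the host holds nothing that yields plaintext. The party names, the KEKs and the sample file content are constructed for the example; the assumption that a KEK lives in the customer's own HSM or key service is spelled out in the comments.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is all the file host stores for one file; nothing in it yields plaintext without a party's KEK.
type Envelope struct {
	Ciphertext  []byte            // nonce || AES-GCM(DEK, file)
	WrappedDEKs map[string][]byte // party -> nonce || AES-GCM(KEK_party, DEK)
}

// randBytes draws n bytes from the OS CSPRNG; 32 bytes serve as a key (KEK or DEK). A real KEK would
// live in the customer's own HSM or key service (an assumption of this example), never at the host.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM; keys here are always 32 bytes, so an error is a programming error.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal returns nonce || AES-GCM(key, plaintext) under a fresh random nonce.
func seal(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails on a wrong key or on any modification of the bytes.
func open(key, sealed []byte) ([]byte, error) {
	g := aead(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("truncated data")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// Encrypt runs on the sender's device: a fresh DEK per file, wrapped only for the owner.
func Encrypt(owner string, ownerKEK, file []byte) *Envelope {
	dek := randBytes(32)
	return &Envelope{Ciphertext: seal(dek, file), WrappedDEKs: map[string][]byte{owner: seal(ownerKEK, dek)}}
}

// unwrap recovers a party's DEK; it fails if no copy exists (never shared, or revoked) or the KEK is wrong.
func unwrap(env *Envelope, party string, kek []byte) ([]byte, error) {
	wrapped, ok := env.WrappedDEKs[party]
	if !ok {
		return nil, errors.New("no key material for " + party)
	}
	return open(kek, wrapped)
}

// Share re-wraps the DEK for the recipient on the owner's device; the host only ever stores wrapped copies.
func Share(env *Envelope, owner string, ownerKEK []byte, recipient string, recipientKEK []byte) error {
	dek, err := unwrap(env, owner, ownerKEK)
	if err != nil {
		return err
	}
	env.WrappedDEKs[recipient] = seal(recipientKEK, dek)
	return nil
}

// Revoke deletes the recipient's wrapped DEK; their KEK is then useless for this file.
func Revoke(env *Envelope, recipient string) { delete(env.WrappedDEKs, recipient) }

// Decrypt is what a party does after download; it also fails if the ciphertext was altered.
func Decrypt(env *Envelope, party string, kek []byte) ([]byte, error) {
	dek, err := unwrap(env, party, kek)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}

func main() {
	aliceKEK, bobKEK := randBytes(32), randBytes(32) // each KEK stays with its party
	env := Encrypt("alice", aliceKEK, []byte("constructed sample: patient file 42"))
	_ = Share(env, "alice", aliceKEK, "bob", bobKEK)
	pt, err := Decrypt(env, "bob", bobKEK)
	Revoke(env, "bob")
	_, err2 := Decrypt(env, "bob", bobKEK)
	fmt.Printf("after share: %q (err=%v); after revoke: err=%v\n", pt, err, err2)
}
```

Two properties are worth checking in a real product against this model. First, the “black box” test: ask the supplier which of the stored fields a host administrator (or a party with legal leverage over the host) could combine to obtain plaintext; in the model above the answer is none, because every DEK copy is wrapped under a key the host never sees. Second, revocation only removes future access: a recipient who already downloaded and decrypted the file keeps the plaintext, which is why audit trails and retention policies matter alongside encryption. The example re-wraps the DEK with the recipient's symmetric KEK for brevity; a deployed system would normally wrap it with the recipient's public key instead.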

4. Secure file sharing as a test of data sovereignty

4.1 Where it really goes wrong: email and loose tools

In many organizations, secure file sharing is the Achilles’ heel:

  • Large reports, drawings, customer and patient files are sent as email attachments.
  • Employees use free or consumer file-sharing services “because it’s easy.”
  • Files remain indefinitely downloadable, forwardable and copyable.
  • There is no overview: you no longer know where copies of critical documents are.

For NIS2, GDPR and DORA compliance, this is problematic:

  • You don’t have a clear overview of data flows.
  • You can’t prove who had access to what confidential information.
  • You have no control over retention periods and deletion.

4.2 What a data-sovereign secure file solution must do at a minimum

A solution for data-sovereign secure file sharing should, at a minimum:

  1. Offer EU jurisdiction and hosting
    • Supplier with roots in the EU.
    • Data storage and processing within Europe.
  2. Guarantee strong encryption and key control
    • End-to-end encryption of files.
    • Key management under European jurisdiction.
  3. Control identity, access and audit centrally
    • Integration with existing identity providers (e.g., Microsoft Entra ID).
    • Support for MFA and role-based access control.
    • Complete audit logs of uploads, downloads, shares, revokes and digital signatures.
  4. Seamlessly connect to existing work processes
    • Works from Outlook and/or existing work environments.
    • Minimal extra hassle for end users – otherwise they will find their own way again.

This is exactly the area where Msafe Secure File Transfer positions itself.
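The “complete audit logs” requirement above only counts as evidence if the log itself cannot be quietly rewritten. The following is an added example (not Msafe's code) of a hash-chained audit trail in Go: every entry's hash commits to the entry and to the hash of the one before it, so editing or deleting an earlier line is detectable on verification. The events, actors, file name and timestamps are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// AuditEntry is one line of the trail: when, who did what to which file, plus a hash that
// commits to this entry and to the hash of the previous one.
type AuditEntry struct {
	When, Action, Actor, File, Hash string
}

// entryHash binds an entry to its predecessor. Fields are %q-quoted so that no choice of
// actor or file name can make two different entries hash the same.
func entryHash(prev string, e AuditEntry) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%q|%q|%q|%q", prev, e.When, e.Action, e.Actor, e.File)))
	return hex.EncodeToString(sum[:])
}

// Append records an event; editing or deleting any earlier entry later breaks VerifyChain.
func Append(log []AuditEntry, when, action, actor, file string) []AuditEntry {
	prev := ""
	if n := len(log); n > 0 {
		prev = log[n-1].Hash
	}
	e := AuditEntry{When: when, Action: action, Actor: actor, File: file}
	e.Hash = entryHash(prev, e)
	return append(log, e)
}

// VerifyChain recomputes every hash from the first entry and returns the index of the first
// entry that does not match its predecessor, or -1 when the trail is intact.
func VerifyChain(log []AuditEntry) int {
	prev := ""
	for i, e := range log {
		if entryHash(prev, e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Head is the latest hash. Export it off-host (for example to the customer) at intervals, because
// a host that controls the whole trail could otherwise silently drop the newest entries.
func Head(log []AuditEntry) string {
	if len(log) == 0 {
		return ""
	}
	return log[len(log)-1].Hash
}

func main() {
	// Constructed sample events for one file; timestamps are illustrative.
	var log []AuditEntry
	log = Append(log, "2026-01-10T09:00:00Z", "upload", "alice", "contract-42.pdf")
	log = Append(log, "2026-01-10T09:05:00Z", "share", "alice", "contract-42.pdf")
	log = Append(log, "2026-01-10T10:30:00Z", "download", "bob", "contract-42.pdf")
	log = Append(log, "2026-01-12T08:00:00Z", "revoke", "alice", "contract-42.pdf")
	fmt.Println("intact, first bad index:", VerifyChain(log), "head:", Head(log)[:16])
	log[2].Actor = "mallory" // rewrite history: who downloaded?
	fmt.Println("after tampering, first bad index:", VerifyChain(log))
}
```

The chain answers the auditor's “who received what file when” question with something stronger than a plain table: an altered or removed entry changes every hash after it. Its one blind spot is truncation at the tail, which is why the head hash should be copied somewhere the host cannot rewrite, such as the customer's own records or a signed periodic export.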

5. Practical steps: here’s how to make data sovereignty part of your compliance strategy

Finally, a concrete roadmap:

5.1 Map critical data flows

  • Which documents are really sensitive (OT configurations, customer data, contracts, reports)?
  • Through what channels are they now leaving your organization (e-mail, WeTransfer-like tools, chats, USB)?

5.2 Test these flows against data sovereignty criteria

  • Where does this data reside (cloud, on-prem, laptops)?
  • Under what jurisdiction do the services used fall?
  • Who manages the encryption keys?
  • What does the audit trail look like?

5.3 Identify quick wins

Secure file transfer is often a relatively well-defined use case that can be improved quickly:

  • start in departments with a lot of external exchange (project teams, legal, sales, OT management);
  • replace insecure attachments and generic tools with Msafe Secure File Transfer.

5.4 Introduce a data sovereign secure-file layer with Msafe

  • Integrate Msafe with your Microsoft environment (Outlook, Entra ID).
  • Set policies for MFA, expiration dates, access rights and audit logs.
  • Create clear guidelines: “sensitive documents always go through Msafe.”

5.5 Use Msafe in your NIS2, DORA and GDPR filings

  • Link Msafe reports to your risk register.
  • Use audit logs as evidence in internal and external audits.
  • Explicitly anchor Msafe in policies and procedures around data breaches, vendor management and data classification.

Next step: make secure file sharing data sovereign

Want to know where your organization stands on data sovereignty and secure file transfer?

If so, please contact Hennie Jansen for an informal conversation.
