May 2026 update. “Data sovereignty” appears in almost every tender and security questionnaire. In the Netherlands the bar is rising: buyers expect not only EU hosting, but demonstrable control over data flows, encryption and vendor access outside the EEA.
What buyers mean
- primary storage and backups inside the EU/EEA;
- no silent replication to the US without contract and risk rationale;
- transparency on subprocessors and support access;
- evidence that privacy notices, DPAs and technical config tell the same story.
EU Data Act and the cloud market
The EU Data Act strengthens interoperability and exit paths. In practice, buyers ask about portability, exit timelines and what data remains yours on termination. Vendors should document supported APIs and formats — contract negotiations in 2026 reflect that.
Five questions to answer this week
- Where do primary data and backups live (region + tenant config)?
- Which logging/SIEM aggregation leaves the EU?
- Who has remote support access and under what terms?
- Which subprocessors are in your chain (CDN, email, analytics)?
- Does your stated privacy posture (privacy notices, DPAs) match the actual technical configuration?
ISO 27001 and NIS2
Data sovereignty is not a separate standard. You embed it in your ISO 27001 scope and supplier management, in GDPR transfers and DPIAs, and in NIS2 supply-chain risk. For a deeper dive, see the EU hosting and data residency page and the vendor management page.
Educational article — not legal advice.
