Article-level mapping, not marketing bullets.
For each EU framework: what the text requires, and the exact technical mechanism cloudtaser provides. Where the cryptography meets the statute.
Split scope - be honest with your DPIA.
cloudtaser's technical supplementary measures apply to the workload plane. The Kubernetes control plane remains operated by your cloud provider. A DPIA that pretends otherwise won't survive a regulator review; one that names the split clearly is defensible.
cloudtaser keeps your secrets, data at rest, and (on confidential compute) data in use outside the provider's jurisdictional reach. Your Kubernetes control plane - etcd, API server, scheduler, audit logs - remains operated by the provider. Your DPIA must reflect this split scope.
In practice this means: document the confidential-compute substrate (SEV-SNP / TDX / Nitro) you deploy onto, the attestation evidence your operator records, and the control-plane processor agreement with your provider. The cryptographic boundary is between the workload and the provider - not between the cluster and the provider.
GDPR · Articles 44–49.
The General Data Protection Regulation restricts transfers of personal data to third countries that do not provide an adequate level of protection. After the Schrems II ruling invalidated the EU–US Privacy Shield, the EDPB issued Recommendations 01/2020 requiring "effective supplementary technical measures" for data transfers.
What GDPR requires
- Article 44 - any transfer of personal data to a third country shall take place only if the conditions in Chapter V are complied with.
- Article 46 - in the absence of an adequacy decision, transfers may take place with appropriate safeguards and enforceable rights.
- Article 49 - derogations for specific situations, but not applicable for systematic transfers to US cloud providers.
- EDPB Recommendations 01/2020, Use Case 2 - "Transfer to cloud service providers which require access to data in the clear." Recommends encryption where the importer does not hold keys.
How cloudtaser satisfies this
- Client-side encryption with EU-held keys is the EDPB-recommended supplementary measure - the cloud provider physically cannot access plaintext.
- Encryption keys stored in EU-jurisdiction OpenBao under customer control.
- The wrapper's secret store delivers secrets into process memory via memfd - never written to disk, etcd, or K8s Secrets. The wrapped application's runtime (JVM heap dumps, kernel coredumps) is governed by host policy — see the per-runtime hardening matrix.
- Provider sees only ciphertext - court orders yield nothing decryptable.
- Secret store audit logs provide tamper-proof evidence of data access for DPA inquiries.
Schrems II · the ruling that invented the requirement.
The July 2020 ruling by the Court of Justice of the EU invalidated the EU–US Privacy Shield and created the legal requirement for supplementary technical measures when transferring data to the US. The court found that US surveillance laws (FISA Section 702, EO 12333) are incompatible with EU fundamental rights.
What Schrems II requires
- Standard Contractual Clauses (SCCs) alone are insufficient - technical measures must complement them.
- The supplementary measures must ensure US authorities cannot access the data, even if the cloud provider is compelled.
- The current EU–US Data Privacy Framework (DPF) faces legal challenges; the PCLOB, cited 31 times in the DPF adequacy decision, was gutted in January 2025.
How cloudtaser maps to Schrems II supplementary measures
No product "satisfies Schrems II" - deployments do, and auditors want attestation quotes, kernel configs, OpenBao access logs, and substrate MSAs, not a marketing framework table. What cloudtaser provides is the set of technical primitives EDPB Recommendations 01/2020 lists as "effective supplementary technical measures":
- Client-side encryption - the data is encrypted before it reaches the cloud provider.
- Keys held in customer-controlled OpenBao on an EU-sovereign substrate (Frankfurt, Amsterdam, Dublin, London) - not on an AWS Frankfurt / GCP europe-west / Azure North-Europe region label, which remains under US jurisdiction irrespective of where the bits physically live.
- Even when the cloud provider is compelled under the CLOUD Act, they can only hand over ciphertext.
- The cryptographic boundary survives legal framework churn - if the DPF is invalidated tomorrow, your posture does not change.
Whether your deployment meets the Schrems II bar depends on substrate choices - OpenBao hosting, compute SKU, attestation posture - that the Sovereign Deployment Guide walks through. The product gives you the artefacts auditors ask for; the deployment gives you the legal posture.
DORA · AWS, GCP, Azure are now Critical ICT Third-Party Providers.
DORA establishes a framework for ICT risk management, third-party risk assessment, incident reporting, and resilience testing for EU financial entities. In November 2025, AWS, Google, and Azure were designated as Critical ICT Third-Party Providers, subjecting financial entities using them to heightened scrutiny.
What DORA requires
- Chapter II (Articles 5–16) - ICT risk management framework: identify, protect, detect, respond, recover.
- Article 28 - risk concentration from dependencies on critical ICT third-party service providers.
- Article 30 - key contractual provisions: data location, processing, protection requirements.
- Chapter IV - digital operational resilience testing, including threat-led penetration testing.
How cloudtaser satisfies this
- eBPF monitoring provides real-time incident detection - satisfies the "detect" and "respond" requirements of the ICT risk management framework.
- Secret store audit logs provide tamper-proof access records for third-party risk assessment.
- S3 proxy encryption provides data-at-rest protection - cloud provider stores only ciphertext.
- Portable secret store + standard K8s enables the mandated exit strategy - migrate between providers without re-architecting.
- cloudtaser reduces concentration risk by making the provider unable to access sensitive data, even if compelled.
NIS2 · cloud providers as essential entities.
NIS2 came into effect in October 2024. Cloud providers are classified as essential entities, subject to cybersecurity risk management requirements, supply chain security obligations, and incident reporting mandates. Fines reach up to €10M or 2% of global annual turnover.
What NIS2 requires
- Article 21 - cybersecurity risk-management measures including policies on cryptography and encryption.
- Article 21(2)(e) - security in acquisition, development, maintenance; vulnerability handling and disclosure.
- Article 21(2)(d) - supply chain security; security-related aspects with direct suppliers.
- Article 23 - incident reporting: 24-hour initial notification, 72-hour detailed report.
How cloudtaser satisfies this
- eBPF kernel-level monitoring with 35+ detection vectors provides real-time intrusion detection. Synchronous blocking requires CONFIG_BPF_KPROBE_OVERRIDE=y; BPF-LSM active enforcement (default-on for kernel 5.15+) ships in v0.6.
- 7 Prometheus metrics at /metrics enable real-time alerting for incident reporting.
- Encrypted secrets are never written to disk, reducing the attack surface for supply chain attacks.
- Runtime detection mode logs unauthorized access attempts to protected processes in real time.
- Cosign-signed images, SBOMs, and Trivy scanning satisfy supply chain security requirements.
EUCS · what the certification scheme dropped, cloudtaser delivers.
The European Cybersecurity Certification Scheme for Cloud Services (EUCS) has been in development for over four years and remains unadopted. Critically, the latest revision removed sovereignty / immunity requirements from the highest assurance tier - eliminating the mandate for EU-only data storage and key management. The EU Digital SME Alliance and others have argued this puts EU citizens' data at risk and favours US hyperscalers.
What EUCS requires
- Status - still unadopted. The latest revision removed sovereignty / immunity requirements from the "High+" tier, eliminating mandatory EU data storage.
- High assurance level - originally required immunity from non-EU jurisdiction access - dropped under industry pressure.
- Data localisation - no longer mandatory in the current draft.
- Cybersecurity Act review - proposed January 2026, but meaningful sovereignty enforcement remains absent.
How cloudtaser satisfies this
- EUCS failed to mandate what cloudtaser delivers. The certification scheme dropped sovereignty requirements - cloudtaser provides the cryptographic guarantee the regulation left out.
- Client-side encryption with EU-hosted keys satisfies the data sovereignty requirement EUCS was supposed to enforce.
- Encryption keys stored in EU-jurisdiction OpenBao, never accessible to the cloud provider.
- eBPF runtime monitoring and Prometheus metrics satisfy continuous monitoring and incident detection.
- cloudtaser provides the technical layer that was always needed - whether or not EUCS eventually requires it.
EU Data Act · Chapter VII.
The EU Data Act entered into application in September 2025. Chapter VII specifically addresses unlawful third-country government access to non-personal data held in the Union. Cloud service providers must take "all reasonable technical, legal, and organisational measures" to prevent such access.
What the EU Data Act requires
- Article 32 - cloud providers must take reasonable technical measures to prevent unlawful third-country government access to non-personal data.
- Article 33 - providers must notify affected customers when they receive third-country government access requests.
- Covers non-personal data - which GDPR does not protect - closing a significant gap.
How cloudtaser satisfies this
- Client-side encryption makes data inaccessible to the provider regardless of government demands.
- Transient DEKs mean no persistent key material on provider infrastructure.
- Covers both personal and non-personal data - encryption is applied to all objects.
- Codifies what cloudtaser enables technically - the regulation now requires what was previously a best practice.
EHDS · European Health Data Space.
The EHDS regulation (EU 2025/327) was published on 5 March 2025 and entered into force on 26 March 2025. It establishes a framework for health data exchange across the EU, with mandatory primary-use obligations from March 2029. Member states may require health data to be stored and processed exclusively within the EU.
What EHDS requires
- Primary use - mandatory patient-record exchange via MyHealth@EU from March 2029.
- Secondary use - research and analytics only on pseudonymised or anonymised data in secure processing environments - no raw personal health data can be downloaded.
- Data localisation - member states may require health data stored and processed exclusively within the EU unless an adequacy decision exists.
- Breach notification - GDPR breach notification for healthcare shortened from 72 to 48 hours under 2025 updates.
- Penalties - up to €20M or 4% of global annual turnover.
How cloudtaser satisfies this
- Database connection strings, API keys, and patient-data encryption keys never pass through the cloud provider's key management plane.
- DB proxy provides transparent field-level AES-256-GCM encryption for patient records - the cloud provider stores only ciphertext.
- EU-hosted secret store satisfies the data-localisation requirement for encryption keys, even when workloads run on US cloud.
- eBPF runtime enforcement creates audit evidence that keys were never exposed to the cloud provider.
- Secret store audit logs provide tamper-proof access records for the enhanced breach-notification timeline.
Industry-specific and national certification crosswalks.
| Framework | Requirement | How cloudtaser helps |
|---|---|---|
| PCI DSS 4.0 | Protect stored cardholder data. Encrypt transmission across open networks. Restrict access by business need-to-know. | Secrets in memory (not on disk), AES-256-GCM object encryption, eBPF access monitoring enforces need-to-know at kernel level. |
| ISO 27001:2022 (A.8.24, A.8.11) | Use of cryptography. Data masking. Protection of information in cloud services. | Envelope encryption with transient keys, EU-jurisdiction key management, per-object unique DEKs, secret store audit trail. |
| SOC 2 Type II | Security, availability, processing integrity, confidentiality, privacy criteria for service organisations. | Demonstrates encryption controls, access monitoring (eBPF logs), key management practices, and data residency. |
| German C5 | Cloud Computing Compliance Criteria Catalogue by BSI. Required for German public sector cloud procurement. | EU-hosted key management, client-side encryption, runtime monitoring satisfy C5 data-sovereignty and encryption requirements. |
| France SecNumCloud | ANSSI qualification for cloud providers handling sensitive data. Requires immunity from non-EU laws. | The technical layer makes US-hosted infrastructure functionally immune to CLOUD Act access - data is ciphertext, keys are in EU. |
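The envelope-encryption pattern that the GDPR, Data Act and crosswalk entries above lean on (client-side encryption, a fresh transient DEK per object, a KEK that stays inside a customer-controlled key store) is easier to audit when you can see the mechanics. The following is an added Go example, not cloudtaser's own code: the in-memory KeyStore is a stand-in for an EU-hosted OpenBao, the object IDs and record contents are constructed sample values, and the function names are illustrative. It shows what the storage provider ends up holding, and why that blob alone decrypts nothing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnvelopedObject is all the storage provider ever receives: the per-object DEK
// encrypted under the customer's KEK, and the payload encrypted under that DEK.
// Both blobs are nonce||ciphertext||tag as produced by AES-256-GCM.
type EnvelopedObject struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// KeyStore stands in for a customer-controlled key store (constructed for this
// example). The KEK never leaves it: callers may only wrap or unwrap a DEK.
type KeyStore struct{ kek []byte }

// NewKeyStore generates a random 256-bit KEK.
func NewKeyStore() (*KeyStore, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyStore{kek: kek}, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||AES-256-GCM(key, nonce, plaintext, aad).
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; GCM authenticates both the ciphertext and the aad.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// WrapDEK and UnwrapDEK bind the DEK to its object ID through the additional
// data, so a wrapped DEK cannot be re-attached to a different object.
func (ks *KeyStore) WrapDEK(dek []byte, objectID string) ([]byte, error) {
	return seal(ks.kek, dek, []byte(objectID))
}

func (ks *KeyStore) UnwrapDEK(wrapped []byte, objectID string) ([]byte, error) {
	return open(ks.kek, wrapped, []byte(objectID))
}

// zero wipes key material once it is no longer needed (the DEK is transient).
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// Encrypt: fresh DEK per object, payload sealed under it, DEK wrapped by the
// key store, plaintext DEK wiped. No persistent copy of a usable key remains.
func Encrypt(ks *KeyStore, objectID string, plaintext []byte) (*EnvelopedObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	defer zero(dek)
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := ks.WrapDEK(dek, objectID)
	if err != nil {
		return nil, err
	}
	return &EnvelopedObject{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs the key store; the stored object alone yields nothing.
func Decrypt(ks *KeyStore, objectID string, obj *EnvelopedObject) ([]byte, error) {
	dek, err := ks.UnwrapDEK(obj.WrappedDEK, objectID)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	defer zero(dek)
	return open(dek, obj.Ciphertext, []byte(objectID))
}

func main() {
	ks, _ := NewKeyStore()
	record := []byte("constructed sample: patient 42, blood type O-")
	obj, _ := Encrypt(ks, "ehr/patient-42", record)
	back, err := Decrypt(ks, "ehr/patient-42", obj)
	fmt.Printf("round trip ok: %v\n", err == nil && string(back) == string(record))
	// A second key store models a party holding the bucket but not the KEK.
	other, _ := NewKeyStore()
	_, err = Decrypt(other, "ehr/patient-42", obj)
	fmt.Printf("without the customer KEK: %v\n", err)
}
```

Three properties matter for the DPIA and for the crosswalk rows: the provider-side object contains only a wrapped DEK and ciphertext, so a compelled disclosure of the bucket hands over nothing decryptable; unwrapping under a different KEK, or for a different object ID, fails GCM authentication rather than producing garbage; and every Encrypt call produces a new DEK, so compromise of one object's key does not extend to others. In a real deployment the UnwrapDEK call is the operation that runs inside the EU-hosted key store and is what its audit log records.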
Every year the legal case gets harder to ignore.
Key events that created the need for cloudtaser. The legal ground under EU–US data transfers gets shakier every year.
| Date | Event | What happened | cloudtaser relevance |
|---|---|---|---|
| Mar 2018 | US CLOUD Act | US providers must hand over data regardless of where stored - including EU data centres. | Provider cannot hand over what they cannot decrypt |
| Jul 2020 | Schrems II | CJEU invalidated EU–US Privacy Shield. Transfers require "effective supplementary measures." | The ruling that created the legal requirement for what cloudtaser does |
| Jul 2022 | Denmark bans Google Workspace | Datatilsynet banned Google Workspace in schools. Expanded nationwide Jan 2024. | "Encryption at rest" is insufficient when the provider holds the keys |
| May 2023 | Meta fined €1.2B | Largest GDPR fine ever - SCCs without adequate protections. | SCCs alone are not enough - cloudtaser is the supplementary measure |
| Mar 2024 | EDPS: Commission's M365 use illegal | EU Commission itself found violating data-protection law using Microsoft 365. | If the Commission cannot comply without technical measures, nobody can |
| Apr 2024 | FISA 702 expanded | Broadened "electronic communication service provider" definition. | More providers can be compelled - more workloads need protection |
| Oct 2024 | NIS2 transposition deadline | Cloud providers classified as essential entities. Fines up to €10M or 2% revenue. | eBPF monitoring + encrypted secrets satisfies cybersecurity requirements |
| Jan 2025 | PCLOB gutted | All Democratic members fired, DPF compliance review suspended. | Key DPF safeguard gone - technical measures are the only reliable fallback |
| Feb 2025 | Norway DPA: prepare exit strategies | First national DPA to formally advise US cloud exit planning. Denmark, Germany followed. | cloudtaser is the alternative to exit - stay on US cloud, remove the risk |
| Mar 2025 | EHDS published | European Health Data Space regulation enters force. Member states may require EU-only health data processing. | Health data on US cloud needs EU-controlled key management |
| Mar 2025 | Dutch Parliament: cut US cloud | Motions passed requiring reduced US cloud dependence and "full Dutch management" of government cloud. | Comply without migrating off US cloud |
| Jun 2025 | Microsoft admits sovereignty gap | Microsoft France's GM testifies under oath: "I cannot guarantee" EU data won't be transmitted to US authorities. | The hyperscaler itself confirmed the risk cloudtaser is built to eliminate |
| Sep 2025 | EU Data Act enters application | Chapter VII blocks unlawful third-country government access. | Codifies what cloudtaser enables technically |
| Oct 2025 | EC €180M sovereign cloud tender | Cloud Sovereignty Framework published with 8 objectives. €180M tender launched. | EU key management is an explicit sovereignty objective |
| Nov 2025 | DORA: hyperscalers designated critical | AWS, Google, Azure classified as Critical ICT Third-Party Providers. | Financial sector must demonstrate third-party risk management |
| Nov 2025 | France–Germany sovereignty summit | Joint task force to reduce US cloud dependence. Procurement restrictions expected. | Comply without migrating off US cloud |
Get cloudtaser on your workload.
Protect regulated workloads with EU-controlled encryption. One command (target check, then install). Three annotations. Audit-ready from day one.