CLOUD Act

Security & Compliance intermediate

The US CLOUD Act lets US authorities compel American technology companies to hand over data they hold, regardless of where in the world the data is physically stored.

Summary

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) is a 2018 US federal law. It clarifies that US authorities can compel US-based technology companies to disclose data they control, even when that data is stored outside the United States.

What is the CLOUD Act?

Before the CLOUD Act, US providers argued that data physically stored in foreign data centres lay beyond the reach of US warrants. The law removes that ambiguity: a US-incorporated company must produce data in its custody on a valid US legal order, regardless of where the bytes physically reside. The law also creates a framework for "executive agreements" with allied governments to streamline cross-border requests.

For European customers this raises a structural concern. A hyperscaler with EU data centres, EU-resident customer data, and EU-based staff is still a US company. Under the CLOUD Act it can be required to hand data over to US authorities, potentially without informing the customer. This conflict with GDPR transfer principles is precisely what Schrems II built on.

The practical response has been a wave of "EU sovereignty" architectures: choose providers that are not subject to extraterritorial laws, hold encryption keys in the EU, run sovereign or self-hosted control planes, and contractually separate operations into independent EU entities. NetBird, Zitadel, and similar EU-built tools position themselves explicitly as CLOUD-Act-free alternatives.

Why is the CLOUD Act relevant?

  • Sovereignty pivot: A primary reason European customers reconsider US-headquartered vendors
  • Vendor assessment: Standard question in NIS2, DORA, and Schrems II reviews
  • Architecture impact: Drives decisions about where keys and control planes are placed
  • GDPR tension: A core element in the legal conflict at the heart of EU–US data transfers

Related terms

  • Schrems II: EU ruling whose risk analysis cites the CLOUD Act directly
  • GDPR: Regulation whose principles are in tension with extraterritorial US law
  • NIS2 Directive: Triggers supply-chain reviews that surface CLOUD Act exposure
  • DORA: Financial-sector regulation that pushes the same vendor-sovereignty questions
