Operational sovereignty in the processing of personal data

The incident suffered by one of the main cloud service providers on 20 October 2025, which affected global services from its region in the US, has highlighted a technical reality that often goes unnoticed in compliance analyses: critical operational dependence on the means of processing. This event highlights the importance of controllers assessing the operational sovereignty of their processing means as an integral part of the security measures and safeguards required by the General Data Protection Regulation (GDPR).

Was my data not in Europe?

Following the incident, many managers wondered why their apps, hosted in data centres in the European Union (such as Madrid, Paris, Frankfurt or Dublin) to comply with location regulations, stopped functioning due to a technical failure in Virginia (USA).

The answer lies in cloud architecture. While data storage may be regionally localised, the management of those resources (management of the processing means), i.e. who has permission to access, how servers are scaled or how encryption keys are managed, often depends on centralised services in the provider’s home region.

If the identity management service (IAM), the global DNS or any similar service fails at source, the ability to process data regionally is compromised, affecting availability and resilience, two of the key pillars of security in personal data processing.

Availability and resilience as an obligation of the GDPR 

Article 32 of the GDPR lays down the obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This explicitly includes:

“The ability to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services”.

A personal data processing operation that stops because its authentication infrastructure depends on a third country does not merely suffer from a technical problem; it suffers from an availability breach that can affect citizens’ rights and freedoms (e.g. by preventing access to a medical record or a banking service).

From Data Sovereignty to Operational Sovereignty

It is not enough to tick a checkbox that says "Region: Europe" on the cloud system configuration panel. True digital sovereignty implies real operational sovereignty: the ability to operate and manage processing systems autonomously, without critical dependencies on infrastructure located outside the European Economic Area (EEA) that may be affected by technical incidents or legal decisions in third countries.

Recommendations for data controllers 

In light of these developments, organisations using cloud services should:

  1. Review impact assessments (DPIAs): Analyse whether the risks that cross-border dependencies pose to the availability of the service have been addressed.
  2. Require transparency in architecture: Ask providers for clear information on which services are “global” and which are truly “regional”. Can your database authenticate users if the cable to the US is cut?
  3. Design for disconnection: Implement architectures that can operate in island or degraded mode, keeping critical functions locally active even if the central control plane fails.
  4. Diversification: Consider multi-cloud or hybrid strategies to avoid systemic single points of failure.
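
The dependency review behind recommendations 1 to 3 can be sketched as a walk over a dependency inventory. This is an added example, not part of the original post: the component names, locations and inventory format are constructed assumptions, and a real inventory would come from the provider's own architecture documentation.

```python
# Constructed inventory for illustration: component -> (location, hard dependencies).
# None of these names describe a real provider's services.
EEA_LOCATIONS = {"eu-madrid", "eu-paris", "eu-frankfurt", "eu-dublin"}

INVENTORY = {
    "patient-portal": ("eu-madrid", ["records-db", "login-service"]),
    "records-db": ("eu-madrid", ["key-management"]),
    "login-service": ("eu-madrid", ["global-iam"]),
    "key-management": ("eu-frankfurt", []),
    "global-iam": ("us-virginia", ["global-dns"]),
    "global-dns": ("us-virginia", []),
    "billing-export": ("eu-paris", ["records-db"]),
    "analytics": ("eu-dublin", ["vendor-telemetry"]),  # dependency not documented
}


def risky_paths(component, inventory=INVENTORY, eea=EEA_LOCATIONS):
    """Return (path, reason) for each dependency chain that leaves the EEA
    or reaches a component that is missing from the inventory."""
    findings = []

    def walk(node, path):
        if node not in inventory:
            # Cannot be assessed: this is the transparency gap of recommendation 2.
            findings.append((path, "undocumented"))
            return
        location, deps = inventory[node]
        if location not in eea:
            # The first hop outside the EEA is the finding for this chain.
            findings.append((path, location))
            return
        for dep in deps:
            if dep not in path:  # guard against cyclic dependencies
                walk(dep, path + [dep])

    walk(component, [component])
    return findings


def audit(activities, inventory=INVENTORY):
    """Map each processing activity to its out-of-EEA or unknown dependencies."""
    return {name: risky_paths(name, inventory) for name in activities}


if __name__ == "__main__":
    for name, findings in audit(["patient-portal", "billing-export", "analytics"]).items():
        for path, reason in findings:
            print(f"{name}: {' -> '.join(path)} [{reason}]")
        if not findings:
            print(f"{name}: no dependency outside the EEA found")
```

An activity with an empty result is a candidate for island-mode operation; any other result is a dependency to record in the DPIA and raise with the provider.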

The cloud offers undoubted advantages, but responsibility for processing always remains with those who decide on the purposes and means. Ensuring resilience to global failures is, more than ever, a compliance duty.

In today’s digital ecosystem, certain infrastructure and software providers are de facto standards, presenting a high exit barrier or being difficult to substitute. The purpose of this analysis is not to label organisations that legitimately use such services as inherently non-compliant.

On the contrary, the focus lies on the accountability principle that the GDPR requires from the controller. When faced with a critical dependency on a non-substitutable supplier, in line with obligations under supply chain control security regulations, the controller should demonstrate due diligence in managing that risk before it materialises. This includes having identified and analysed it in its impact assessment, having required maximum transparency from the provider on its own resilience and, crucially, having designed and implemented realistic mitigation measures as part of a contingency plan. Such measures, such as architectures that allow operation in ‘degraded mode’ or process continuity strategies, should make it possible to maintain, even in case of provider failure, at least those essential operations in processing activities that can have a high impact on fundamental rights.

This post is related to other materials published by the Innovation and Technology Division of the AEPD, such as:
