2026-02-19
Data Residency is Not Sovereignty
Hosting data in a European data centre does not place it beyond the reach of the US CLOUD Act. We explore the gap between residency and sovereignty, and what true structural independence means for CDN compliance under NIS2 and GDPR.
Jesper Hedblom
jesper.hedblom@varnish-software.com
The terms "data residency" and "data sovereignty" are frequently used interchangeably. However, for the Content Delivery Network (CDN) market, conflating these two concepts is an architectural error.
As organisations move to meet the requirements of the NIS2 Directive and GDPR, they are often met with "sovereign cloud" marketing from US-headquartered hyperscalers. These providers point to data centres in Frankfurt, Paris, or Dublin as proof of compliance. This post examines why physical residency is an insufficient proxy for legal sovereignty, and why jurisdictional control is the only metric that truly matters for NIS2 compliance.
Data location is a technicality; jurisdiction is the reality.
The Extraterritorial Reality: The US CLOUD Act
The fundamental disconnect lies in the clash of jurisdictions created by the US CLOUD Act. Passed in 2018, this law shifted the focus from where the data resides to the legal jurisdiction of the entity controlling it.
If a CDN provider is a US-based entity, or a subsidiary of one, it is legally compelled to comply with US warrants and subpoenas for data, regardless of whether that data is stored in Europe. Physical residency in a German data centre does not shield the data from US legal reach. This creates a direct conflict with GDPR Article 48, which stipulates that a foreign court order is only recognised if it is based on an international agreement, such as a Mutual Legal Assistance Treaty (MLAT).
According to a detailed analysis by the European Data Protection Board (EDPB), supplementary measures (such as encryption where the provider does not hold the keys) are often the only way to mitigate this risk when using non-sovereign providers. In the context of a CDN, where the provider must have access to the data to cache, transform, and deliver it at the edge, traditional encryption-at-rest is rarely a total solution.
Strategic Risk: "Go Dark" Actions and Policy Volatility
Beyond the legal discovery of data, there is the matter of operational continuity. When an infrastructure stack is tied to a US-headquartered provider, it is inherently subject to the foreign policy and executive orders of the United States.
We have seen "go dark" actions where services were restricted or cut off in specific regions due to shifting political climates. For entities identified as "Essential" under NIS2, this represents a critical vulnerability in the digital supply chain. Relying on a provider that can be compelled to withdraw service due to third-party political decisions is a failure of the availability and resilience pillars of modern compliance.
Structural Sovereignty: The Varnish CDN Approach
True sovereignty is achieved only when the infrastructure provider is a 100% European entity, with no US parent company and no exposure to US extraterritorial laws. This is sovereignty by design.
This is the Varnish CDN approach. Varnish CDN provides a world-class delivery network operated by a European entity with no US parent company, utilising nodes situated in major European internet hubs. Because the entity is not subject to the US CLOUD Act, the No-CLOUD-Act guarantee is a legal reality. This architecture ensures that:
- Legal discovery is handled exclusively through European courts.
- Metadata and logs (often the most overlooked PII in a CDN) remain under local protection.
- Operational stability is insulated from the policy volatility of non-European governments.
Sovereignty is meaningless if it cannot scale. Varnish CDN operates on a massive, high-availability European backbone with a total network capacity of 300 Tbps, with 90% of users served within a 20–35 ms window. This scale also allows the network to mitigate multi-terabit DDoS attacks without impacting performance.
An Actual Sovereign Cloud
A total rip and replace of global infrastructure is not an attractive proposition. A pragmatic approach is to deploy a sovereign layer dedicated to European traffic. By using Varnish CDN to handle data within the EU/EEA, organisations ensure that their most sensitive logs, user metadata, and content transformations occur within a protected jurisdictional bubble.
As a fully managed SaaS offering, Varnish CDN removes the operational overhead of manual server management, making the architectural transition fast and low-friction. This hybrid strategy allows engineers to leverage the best of global scale while isolating their compliance risk.
Conclusion
Data residency is a technical detail; data sovereignty is a legal and strategic status. For the modern CISO or CTO, acknowledging this distinction is the first step toward building a truly resilient, compliant, and future-proof delivery stack. As the regulatory environment tightens, the value of an infrastructure that answers only to European law will only continue to grow.