hyggecloud / data protection & compliance

What EU hosting really changes legally

This topic is wrapped in marketing myths — in both directions. Some promise "GDPR compliance by changing servers", others claim US clouds are entirely unproblematic. Both are wrong. Here's the honest version, sorted for humans.

The legal landscape

Three terms you should know

/01 — US CLOUD Act (2018)

US law follows the company, not the server

The CLOUD Act obliges US providers to give US authorities access to data they control — regardless of where it is stored. A Frankfurt AWS data centre changes nothing: Amazon is a US company, so US jurisdiction applies.

/02 — Schrems II (CJEU 2020)

The structural conflict is court-confirmed

The CJEU struck down the Privacy Shield agreement because US surveillance law and EU fundamental rights collide. Its successor (the Data Privacy Framework) stands on similarly shaky legal ground — another invalidation is a realistic scenario worth being prepared for.

/03 — NIS2 (since 2024/25)

Resilience becomes a duty, not a virtue

The NIS2 directive obliges far more companies to do risk management, incident reporting and supply-chain security. Dependence on a single non-European provider is a risk you must assess and justify.

Honest balance

What the move solves — and what it doesn't

✓ What EU hosting changes

Off the table: the structural risk

  • No CLOUD Act access — your provider is outside US jurisdiction
  • No third-country transfer for your infrastructure data — Schrems debates no longer concern you
  • A DPA with an EU company under EU law — easier to review, easier to defend
  • Sanction and kill-switch risk drastically reduced
  • Simpler answers in your enterprise customers' security questionnaires
  • Certified providers (BSI C5, ISO 27001) as a solid basis for your own evidence
✗ What remains your job

Still on the table: your processes

  • Legal bases of your data processing (Art. 6 GDPR) — server location doesn't change them
  • Data subject rights: access, deletion, portability — your application must support them
  • US SaaS in daily use: US analytics tools just move the transfer elsewhere
  • TOMs: access concepts, encryption, logging within your application
  • Records of processing activities & DPIAs where required
  • Training and processes for your team
Important — not legal advice: We are infrastructure specialists, not a law firm. We build the technical and documentary foundation (architecture, provider DPAs, infrastructure-level TOMs, deletion concepts) and gladly work directly with your DPO or counsel. The legal assessment of your individual case belongs in legal hands.

Our contribution

What you concretely get from us

🗺️

Data flow map

In the Hygge Check we document what data lives where and where it flows — including the US services that snuck into your stack (analytics, mail, CDN, fonts). Often the first complete overview a company has ever had.

📋

Compliance package with the migration

Provider DPAs, a description of infrastructure-level TOMs, encryption and backup concepts, a deletion concept — documentation your DPO can use directly.

🔐

Security by default

Encryption at rest and in transit, SSO/2FA access, audit logs, network segmentation, automatic patches. Not a paid add-on, but the standard of every environment we build.

Common misconceptions

Three sentences we interrupt

  • "We use the EU region, so we're safe." — The region determines latency, not jurisdiction. What matters is who owns the provider and which law applies to it.
  • "Encryption at rest solves the CLOUD Act problem." — Only if the provider never sees the keys. With the provider's standard KMS, it holds them. Honest key management is architecture work.
  • "The new data transfer deal sorts this out." — Until the next court ruling. Building your architecture on a politically negotiable agreement is building on sand. Sovereignty is the more robust strategy.

"Data protection isn't a sales pitch with paragraph decorations for us.

It's the simple question: can you explain to your customers in one sentence where their data lives and who can access it?

After a migration with us: yes."

— The HyggeCloud principle

Your DPO asks uncomfortable questions? Good.

Bring them to the intro call. We provide the technical answers — together it becomes a setup that lets both sides sleep again.

→ Book an intro call

With your DPO if you like · not legal advice