{"id":15641,"date":"2026-05-23T08:39:37","date_gmt":"2026-05-23T08:39:37","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/05\/25\/nis2-trifft-cloud-act-wer-haftet-fuer-die-drittstaaten\/"},"modified":"2026-06-17T15:47:23","modified_gmt":"2026-06-17T15:47:23","slug":"nis2-meets-cloud-act-who-is-liable-for-the-third-country-gap","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/05\/23\/nis2-meets-cloud-act-who-is-liable-for-the-third-country-gap\/","title":{"rendered":"NIS2 meets CLOUD Act: Who is liable for the third-country gap?"},"content":{"rendered":"<p style=\"color:#69d8ed;font-size:0.9em;margin:0 0 16px;padding:0;\">8 min read<\/p>\n<p><strong>NIS2 forces German operators to audit their supply chains-just as the US CLOUD Act simultaneously undermines that effort. Running German data on a US hyperscaler means two authorities can demand contradictory access. By 2026, liability for any breach will sit not with procurement, but with the CEO.<\/strong><\/p>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;letter-spacing:0.2em;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Takeaways<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">Personal liability for executives.<\/strong> NIS2 turns supply-chain security into a documented executive decision. Passing the buck to the CISO does not absolve the CEO.<\/li>\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">US CLOUD Act quietly overrides Schrems II.<\/strong> Signing AWS, Azure or GCP standard contractual clauses? The conflict clauses are right there in your contract. 
They are documented, and ignored.<\/li>\n<li><strong style=\"color:#69d8ed;\">Third-country risk is not just the USA.<\/strong> Cloud services with sub-operators in India, Israel or the Philippines face the same dilemma. NIS2 demands a risk view that includes those sub-suppliers.<\/li>\n<\/ul>\n<\/div>\n<p style=\"font-size:0.88em;color:#666;margin:20px 0 32px 0;border-top:1px solid #e5e5e5;border-bottom:1px solid #e5e5e5;padding:10px 0;\"><span style=\"color:#004a59;font-weight:700;text-transform:uppercase;font-size:0.72em;letter-spacing:0.14em;margin-right:14px;\">Related:<\/span><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/05\/18\/nis2-compliance-in-medium-sized-businesses-achievable-steps-avoidable-mistakes\/\" style=\"color:#333;text-decoration:underline;\">NIS2 compliance for SMEs: practical steps<\/a>&nbsp;&nbsp;<span style=\"color:#ccc;\">\/<\/span>&nbsp;&nbsp;<a href=\"https:\/\/www.securitytoday.de\/en\/?p=15326\" style=\"color:#333;text-decoration:underline;\">DORA &#038; NIS2: why bank audits collide in 2026<\/a><\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">What NIS2\u2019s supply-chain duty really demands<\/h2>\n<p><strong>What does \u201csupply chain security\u201d mean under NIS2?<\/strong> Within the NIS2 framework, affected entities must systematically assess, document and contractually secure the security posture of every supplier and service provider: cloud vendors, managed-service outfits and software suppliers alike. Responsibility rests with the executive suite and cannot be delegated.<\/p>\n<p>Article 21(2)(d) of the NIS2 Directive and its transposition in the NIS2UmsuCG explicitly require supply-chain security to be folded into risk management. 
The law names four concrete points: vulnerabilities of direct providers, supplier security practices, incident response within the chain, and the ongoing reliability of each supplier relationship throughout the contract term.<\/p>\n<p>In practice, that means answering a question you can no longer dodge: which cloud providers sit inside your supply chain, and which subcontractors have they brought in? During an audit, the answer \u201cwe use Azure\u201d is no longer enough. NIS2 wants visibility two layers deep.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">Where the US CLOUD Act Overrides European Data Protection<\/h2>\n<p>The US Clarifying Lawful Overseas Use of Data Act of 2018 allows US law enforcement agencies to demand data from US providers, regardless of where that data is stored. AWS, Microsoft, and Google are US providers. A German region changes nothing. The provider is obligated to cooperate, and in many cases the German client is not informed.<\/p>\n<p>This is no secret. It\u2019s spelled out in the data-processing contracts of the hyperscalers, typically under \u201cGovernment Access Requests\u201d or \u201cLaw Enforcement Demands.\u201d Anyone who hasn\u2019t read it hasn\u2019t met their supplier-diligence obligations. Anyone who has read it and ignored it faces a different problem: they know their Schrems-II-compliant standard contractual clauses will buckle in a conflict and have signed anyway.<\/p>\n<p>The European Court of Justice ruled in the 2020 Schrems-II decision that standard contractual clauses are only sufficient if the level of protection in the third country is in fact equivalent. The CLOUD Act makes it anything but equivalent. The 2023 EU-US Data Privacy Framework softens the impact at the application level, but it doesn\u2019t resolve the structural conflict. 
Data-protection and supervisory authorities assess the situation differently, leaving the compliance path anything but straightforward.<\/p>\n<blockquote style=\"border-left:4px solid #69d8ed;background:linear-gradient(135deg,#f0fcff 0%,#e0f7fa 100%);padding:24px 28px;margin:32px 0;font-style:italic;font-size:1.1em;color:#003340;border-radius:4px;\"><p>\nUsing a US hyperscaler means you contractually accept a clause that grants authorities access-one that clashes with European data-protection law. That\u2019s a deliberate risk transfer, not a technical shortcoming.<\/p><\/blockquote>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">Third countries aren\u2019t just the USA<\/h2>\n<p>The public debate often centers on US providers. Yet supply-chain reality is far broader. A managed SOC operated by a German MSSP frequently employs analysts in India, a cloud-backup vendor stores data in Poland and backups in Israel, and a SaaS HR-software provider runs development hubs in Vietnam. 
Each of these locations has its own government-access logic and its own interpretation of data export.<\/p>\n<div style=\"overflow-x:auto;-webkit-overflow-scrolling:touch;margin:16px 0 32px 0;\">\n<table style=\"width:100%;min-width:560px;border-collapse:collapse;font-size:0.95em;\">\n<thead>\n<tr style=\"background:#003340;color:#fff;\">\n<th style=\"padding:12px 16px;text-align:left;border:1px solid #003340;\">Region<\/th>\n<th style=\"padding:12px 16px;text-align:left;border:1px solid #003340;\">Government Access (short)<\/th>\n<th style=\"padding:12px 16px;text-align:left;border:1px solid #003340;\">NIS2 Assessment in the Data Room<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"padding:12px 16px;border:1px solid #ddd;\"><strong>USA<\/strong><\/td>\n<td style=\"padding:12px 16px;border:1px solid #ddd;\">CLOUD Act, FISA 702<\/td>\n<td style=\"padding:12px 16px;border:1px solid #ddd;color:#003340;font-weight:600;\">High, residual conflict with Schrems II<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:12px 16px;border:1px solid #ddd;\"><strong>UK<\/strong><\/td>\n<td style=\"padding:12px 16px;border:1px solid #ddd;\">Investigatory Powers Act, EU adequacy decision<\/td>\n<td style=\"padding:12px 16px;border:1px solid #ddd;color:#003340;font-weight:600;\">Medium, adequacy under review<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:12px 16px;border:1px solid #ddd;\"><strong>India<\/strong><\/td>\n<td style=\"padding:12px 16px;border:1px solid #ddd;\">IT Act Section 69, DPDP Act 2023<\/td>\n<td style=\"padding:12px 16px;border:1px solid #ddd;color:#003340;font-weight:600;\">High, no adequacy decision<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:12px 16px;border:1px solid #ddd;\"><strong>Israel<\/strong><\/td>\n<td style=\"padding:12px 16px;border:1px solid #ddd;\">Privacy Protection Law, EU adequacy decision<\/td>\n<td style=\"padding:12px 16px;border:1px solid #ddd;color:#003340;font-weight:600;\">Medium, sector-specific residual risks<\/td>\n<\/tr>\n<tr>\n<td 
style=\"padding:12px 16px;border:1px solid #ddd;\"><strong>Philippines<\/strong><\/td>\n<td style=\"padding:12px 16px;border:1px solid #ddd;\">Data Privacy Act, government access via AML framework<\/td>\n<td style=\"padding:12px 16px;border:1px solid #ddd;color:#003340;font-weight:600;\">High, frequent sub-contractor without contract<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p style=\"font-size:0.8em;color:#888;margin-top:8px;\">Source: Internal NIS2UmsuCG analysis plus EU Commission adequacy decisions, status May 2026.<\/p>\n<p>A risk register that omits this view is exposed in a NIS2 audit. The regulator does not ask about favorite vendors; it asks for the evaluation methodology. If you have five sub-contractors in three third countries and no written assessment of government-access risk, you have formally failed NIS2 due-diligence.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">Where personal liability for executives really kicks in<\/h2>\n<p>Three situations make personal liability for senior management tangible in practice. First, after a security incident with data exfiltration: if the investigation reveals the supply chain was never evaluated, that\u2019s a breach of the duty of care. Second, during an audit without an incident: a regulator can sanction missing documentation even absent harm. Third, in civil litigation: when customer data is compromised through a third-country transfer, damage claims scale directly with the volume of data exposed.<\/p>\n<div style=\"background:#003340;color:#fff;text-align:center;padding:40px 24px;margin:32px 0;border-radius:8px;\">\n<div style=\"font-size:3.4em;font-weight:800;color:#69d8ed;letter-spacing:-0.03em;line-height:1;\">10 Mio. 
\u20ac<\/div>\n<div style=\"font-size:1em;color:rgba(255,255,255,0.88);margin-top:12px;max-width:520px;margin-left:auto;margin-right:auto;line-height:1.5;\">or 2 percent of group revenue, whichever is higher, is the maximum fine under NIS2 for essential entities in systemic breaches. Supply-chain oversights fall squarely within this scope.<\/div>\n<div style=\"font-size:0.78em;color:rgba(255,255,255,0.5);margin-top:12px;\">Source: NIS2UmsuCG draft, Bundesgesetzblatt publication 2024.<\/div>\n<\/div>\n<p>Hyperscalers won\u2019t be the main defendants in these cases. Their contracts clearly delineate what they deliver and what they don\u2019t. The primary defendants are the customers who signed without contractually closing the gaps. That\u2019s the construction NIS2 now explicitly targets.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">Four concrete steps that must now appear in your risk register<\/h2>\n<p>Step one: supplier inventory with third-country connections. Which vendor, which contract, which actual processing location, which sub-processors. If you can reduce this to an Excel sheet, you must be able to present it to a supervisory authority.<\/p>\n<p>Step two: written risk assessment per supplier. Not \u201cwe trust AWS,\u201d but: what government access rights exist, which data categories are affected, what measures mitigate the risk. Customer-key encryption is one measure, geographic restriction another. Both must be documented.<\/p>\n<p>Step three: contractual tightening. Standard contractual clauses plus additional safeguards are mandatory, not optional. Specifically: encryption controls, audit rights, mandatory reporting of government access, exit clauses with data-transfer paths.<\/p>\n<p>Step four: executive-board resolution. The choice of supplier and the residual-risk assessment must be recorded in a formal board decision. Not in a cloud-strategy slide deck. 
In minutes that a regulator can follow.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">When switching to European providers becomes realistic<\/h2>\n<p>The honest answer: not for every workload, not right away. The European Open Cloud Initiative and sovereign offerings such as OVHcloud, Open Telekom Cloud or Stackit cover a growing range, yet they do not replicate every technical feature of a hyperscaler. If you need Bedrock-equivalent inference, Aurora Serverless or specific Microsoft-Identity functions, there is no one-to-one replacement today.<\/p>\n<p>That is no reason to keep the status quo. It is a reason for a differentiated architecture. Sensitive data categories move to European providers or stay on-premises. Generic workloads remain on the hyperscaler, with documented safeguards. The 2026 platform architecture is polyglot, not either-or.<\/p>\n<h2 style=\"padding-top:64px;margin-bottom:20px;\">Frequently Asked Questions<\/h2>\n<h3>Is the EU-US Data Privacy Framework a sufficient basis for using US clouds?<\/h3>\n<p>The 2023 framework restored the adequacy decision and is the current legal basis. Several data-protection authorities and legal opinions, however, anticipate a new CJEU proceeding that will reassess its validity. Relying on the framework alone means accepting the risk of a Schrems-III ruling. A more robust approach combines the framework with additional technical measures-especially customer-key encryption.<\/p>\n<h3>Does server-side encryption on the hyperscaler protect against the CLOUD Act?<\/h3>\n<p>Provider-managed encryption is insufficient because the provider holds the keys and can be compelled to surrender them under US law. Bring-Your-Own-Key or Hold-Your-Own-Key solutions with external key management close the gap technically, provided the key custodian itself is not subject to US jurisdiction. 
Note that not every provider offers HYOK for all services.<\/p>\n<h3>What happens if a hyperscaler receives a CLOUD Act demand?<\/h3>\n<p>The provider is legally required to hand over the requested data. It may file an objection, but in practice this rarely succeeds. Customers are often not notified because the order can include a gagging clause. The data subject may only learn of the disclosure later, during subsequent legal proceedings.<\/p>\n<h3>Do small companies have to perform NIS2 supply-chain checks?<\/h3>\n<p>NIS2 obligations apply above a certain size threshold or in regulated sectors. Smaller firms are generally not directly bound, yet they are contractually pulled into the checks by NIS2-bound customers. The duty effectively shifts into the supply chain. If your SME serves a NIS2-bound client, you must be able to provide the required information.<\/p>\n<div style=\"margin:40px 0;padding:0;border-top:2px solid #004a59;\"><\/div>\n<h3 style=\"margin:0;padding:16px 0 8px 0;font-size:0.78em;font-weight:700;text-transform:uppercase;letter-spacing:0.18em;color:#004a59;\">Editor\u2019s Reading Picks<\/h3>\n<ul style=\"list-style:none;margin:0;padding:0;\">\n<li style=\"padding:10px 0;border-bottom:1px solid #eee;\"><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/05\/18\/nis2-compliance-in-medium-sized-businesses-achievable-steps-avoidable-mistakes\/\" style=\"color:#1a1a1a;text-decoration:none;\">NIS2 compliance for SMEs: practical steps<\/a><\/li>\n<li style=\"padding:10px 0;border-bottom:1px solid #eee;\"><a href=\"https:\/\/www.securitytoday.de\/en\/?p=15326\" style=\"color:#1a1a1a;text-decoration:none;\">DORA and NIS2: why bank audits are now colliding<\/a><\/li>\n<li style=\"padding:10px 0;\"><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/05\/17\/72-percent-of-cyber-defense-comes-from-abroad\/\" style=\"color:#1a1a1a;text-decoration:none;\">72 % of cyber-defence capabilities originate abroad<\/a><\/li>\n<\/ul>\n<\/div>\n<div style=\"margin:40px 0 
24px 0;\">\n<p style=\"margin:0 0 12px 0;font-size:0.78em;font-weight:700;text-transform:uppercase;letter-spacing:0.18em;color:#666;\">More from the MBF Media Network<\/p>\n<div style=\"padding:14px 18px;border-left:3px solid #0bb7fd;background:#fafafa;margin-bottom:6px;\">\n<div style=\"font-size:0.7em;font-weight:700;color:#0bb7fd;text-transform:uppercase;letter-spacing:0.12em;margin-bottom:4px;\">cloudmagazin<\/div>\n<p>  <a href=\"https:\/\/www.cloudmagazin.com\/2026\/05\/23\/eks-1-36-wird-teuer-wenn-die-finops-disziplin-fehlt\/\" style=\"font-weight:600;line-height:1.4;color:#1a1a1a;text-decoration:none;\">EKS 1.36 becomes costly when FinOps discipline is missing<\/a>\n <\/div>\n<div style=\"padding:14px 18px;border-left:3px solid #F21F05;background:#fafafa;margin-bottom:6px;\">\n<div style=\"font-size:0.7em;font-weight:700;color:#F21F05;text-transform:uppercase;letter-spacing:0.12em;margin-bottom:4px;\">mybusinessfuture<\/div>\n<p>  <a href=\"https:\/\/mybusinessfuture.com\/wer-drei-tage-braucht-hat-den-lead-schon-verloren\/\" style=\"font-weight:600;line-height:1.4;color:#1a1a1a;text-decoration:none;\">If it takes three days, the lead is already lost<\/a>\n <\/div>\n<div style=\"padding:14px 18px;border-left:3px solid #d65663;background:#fafafa;\">\n<div style=\"font-size:0.7em;font-weight:700;color:#d65663;text-transform:uppercase;letter-spacing:0.12em;margin-bottom:4px;\">digital-chiefs<\/div>\n<p>  <a href=\"https:\/\/www.digital-chiefs.de\/dax-konzerne-verlieren-tech-talent-an-den-mittelstand\/\" style=\"font-weight:600;line-height:1.4;color:#1a1a1a;text-decoration:none;\">DAX groups losing tech talent to SMEs<\/a>\n <\/div>\n<\/div>\n<p style=\"text-align:right;color:#868e96;font-size:0.85em;margin-top:48px;\"><em>Image source: AI-generated (May 2026), C2PA certificate embedded in image<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"NIS2 is forcing supply chain security, but the US CLOUD Act undermines European 
protections.","protected":false},"author":10,"featured_media":15398,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"","_yoast_wpseo_title":"NIS2 meets CLOUD Act: Who is liable for the third-country gap?","_yoast_wpseo_metadesc":"NIS2 demands supply chain security, but the US CLOUD Act undermines it. Executives face personal liability. Four steps to risk register compliance.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":0,"_evm_translation_lang":"","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":["nis2-trifft-cloud-act-wer-haftet-fuer-die-drittstaaten"],"footnotes":""},"categories":[251,259],"tags":[],"class_list":["post-15641","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","category-strategie-governance-en"],"evm_reading_time_minutes":9,"wpml_language":"en","wpml_translation_of":15393,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/15641","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=15641"}],"version-history":[{"count":3,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/15641\/revisions"}],"predecessor-version":[{"id":16503,"href":"https:
\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/15641\/revisions\/16503"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/15398"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=15641"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=15641"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=15641"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}