
Data sovereignty

Everything about GDPR, Cloud Act and keeping your data in the Netherlands

Your data is in a datacenter in Amsterdam. Safe, right? Not necessarily. Where your data physically sits and who can legally access it are two very different things.

Over the past few years, 'digital sovereignty' has shifted from an abstract policy concept to a concrete business question. Not just for governments, but for any organisation that processes customer data, trade secrets or medical records. And there's a reason this is happening now.

What is digital sovereignty?

At its core, it comes down to this: do you, as an organisation, actually control your own data and digital infrastructure? Sounds like a yes-or-no question, but in practice there are shades of grey.

Control means knowing where data sits. But also: knowing who has access, which legislation that data falls under, and what happens when a foreign government knocks on your cloud provider's door. That last question is less hypothetical than it sounds.

The CLOUD Act and FISA 702: why data location isn't enough

The US CLOUD Act (2018) gives American authorities the right to request data from American companies, regardless of where that data is physically stored. Your Microsoft 365 environment might run in a datacenter in Amsterdam-Zuidoost, but if Microsoft receives a request from a US court, they're legally obliged to comply.

FISA Section 702 goes further. Under this law, US intelligence agencies don't need a court order to request data on non-Americans outside the US. As long as the subject isn't a US citizen, internal approval is enough.

For Dutch companies using AWS, Azure, Google Cloud or other American providers, this has direct consequences. The data may sit in Europe, but the provider falls under American law.

The Data Privacy Framework (DPF) that the EU and US agreed on in 2023 doesn't solve this. The DPF sets rules for data transfers, but doesn't block CLOUD Act or FISA requests. Those run through a different legal track.

The jurisdiction problem visualised

🇳🇱 Your data (Datacenter Amsterdam) → Provider is American (Microsoft, AWS, Google) → 🇺🇸 CLOUD Act applies (US can request data)

Physical location ≠ legal protection. The nationality of your provider determines which legislation applies.

e-Evidence: the playing field is changing within Europe too

From August 2026, the European e-Evidence regulation comes into force. It allows law enforcement agencies from EU member states to directly request data from service providers in other member states, without involvement from the organisation that owns that data.

Concretely: a Romanian prosecutor will soon be able to approach a Dutch hosting provider for customer data, with a response deadline of 10 days. In urgent cases, just 8 hours.

This shows that digital sovereignty isn't purely a transatlantic story. New routes to data that currently sits behind closed doors are emerging within Europe too.

NIS2 and the Cybersecurity Act: compliance becomes mandatory

In parallel, the NIS2 directive is being transposed into the Dutch Cybersecurity Act (Cyberbeveiligingswet), with expected implementation in the second quarter of 2026. This law brings significantly more organisations under a mandatory cybersecurity regime.

Where the old WBNI (Network and Information Systems Security Act) was limited to a handful of vital sectors, NIS2 affects a much broader group: energy, transport, healthcare, digital infrastructure, but also managed service providers, datacenter operators and manufacturers of network equipment.

The obligations are concrete: risk management, incident reporting, supply chain security and demonstrable measures. Board members become personally responsible.

What this means for Dutch businesses

The combination of these developments forces organisations to look beyond "our data is in the Netherlands". Three questions are now relevant:

Who is your provider, and what legislation do they fall under?

A datacenter in Amsterdam is a good start, but if the provider is American, the data potentially falls under the CLOUD Act. Deliberately choose a Dutch or European provider and you limit that risk.

What data is truly sensitive?

Not everything needs to be in a vault. A marketing website has different requirements than a patient file or financial data. Classify your data and adjust your infrastructure choices accordingly.

What does your supply chain look like?

Data doesn't only leak through your primary provider. Backups at an MSP, SaaS tools for HR or finance, disaster recovery through a third party: each of those links can be a weak point.

Timeline: legislation affecting your data

2018 - CLOUD Act + GDPR
US claims jurisdiction over data at American providers worldwide. EU starts GDPR enforcement.
2023 - Data Privacy Framework
EU-US agreements on data transfers. Doesn't solve the CLOUD Act problem.
2025 - Parliament motion
30% of government cloud must be European by 2029.
Q2 2026 - Cybersecurity Act (NIS2)
Significantly more businesses under mandatory cybersecurity regime. Board members personally liable.
Aug 2026 - e-Evidence
EU law enforcement can directly request data from providers in other member states.

Parliament is moving in the same direction

The political wind is blowing the same way. In June 2025, the Dutch Parliament passed a motion stating that by 2029 at least 30% of all cloud storage services and applications used by central government must come from Dutch-European providers. The motion, introduced by GroenLinks-PvdA and NSC, received broad support.

That percentage seems modest, but given current dependence on Microsoft and other American hyperscalers, it's a significant course change. And where government goes, the market often follows.

Practical steps

Digital sovereignty doesn't have to be an all-or-nothing project. A few concrete steps to start with:

1. Map your data flows

Where does your data sit? Which providers do you use? What jurisdiction do they fall under? This sounds basic, but the Uniserver study of 1,023 IT decision-makers (2026) shows many organisations don't have a complete picture here.

2. Classify your data

Distinguish between public, internal and confidential data. Confidential data (personal data, financial records, medical files) deserves a provider that operates entirely under European law.

3. Evaluate your providers

Ask yourself: is my cloud provider subject to the CLOUD Act? Where are their servers? Who has access? And do they have the right certifications (ISO 27001, NEN 7510, SOC 2)?

4. Look beyond storage

Backups, disaster recovery and SaaS tools are part of your data chain. If your primary hosting is sovereign but your backups sit with an American party, you have a blind spot.

5. Prepare for NIS2

The Cybersecurity Act is coming. Start with a gap analysis: where do you stand now, and what still needs to happen? The NCSC offers a self-assessment tool to determine whether your organisation falls under the law.

The shift: from cloud-first to control-first

The trend is clear. Organisations are shifting from "we're going to the cloud" to "we're choosing the right cloud, under the right conditions". Private cloud and hybrid models are gaining ground, not because public cloud is bad, but because businesses want to choose more deliberately which data sits where and who can access it.

The Uniserver study shows that private cloud is now the most used form of data storage, followed by hybrid environments. Fully public cloud is in the minority. A large majority indicates that digital autonomy is explicitly part of their IT strategy.

That's not just a technical shift. It's a governance choice that touches on risk management, compliance and business continuity.

Conclusion

Digital sovereignty is no longer an abstract policy theme. It directly affects the choices you make as an organisation about hosting, cloud providers and data management. The combination of the CLOUD Act, e-Evidence, NIS2 and political pressure from The Hague means that "we're in a Dutch datacenter" no longer suffices as an answer.

The question isn't whether you need to act on this, but when you start.
