Methodology / Framework
EU residency vs EU sovereignty: the two-tier framework
In brief
EU residency (Tier 1) means personal data physically stays in the EU. EU sovereignty (Tier 2) means every entity that can access the data answers to EU jurisdiction alone. An EU region of a US-owned cloud passes Tier 1 while retaining Tier 2 exposure: the operator is subject to the US CLOUD Act, and the Schrems II ruling turned on the same underlying concern about US government access. Oblixio audits assess both tiers and keep them strictly separate.
What is the difference between EU residency and EU sovereignty?
EU residency (Tier 1) means personal data physically stays in the EU: it is stored, processed, and backed up on infrastructure located in EU member states, across every step of the data path.
EU sovereignty (Tier 2) is the stronger claim: the data not only stays in the EU physically, but every entity that can access it answers to EU jurisdiction alone. A stack can be fully EU-resident and still fail the sovereignty test, because physical location and legal control are different axes.
Oblixio audits assess both tiers and keep them strictly separate. The distinction is not pedantry; it is precisely where residency claims collapse under procurement scrutiny.
The canonical example: an EU region of a US-owned cloud
Take a product hosted entirely in a Frankfurt region of a US-owned cloud provider. Every byte of customer data sits on servers in Germany.
- Tier 1: pass. The data is physically resident in the EU.
- Tier 2: exposure remains. The operating company is subject to US law. The US CLOUD Act allows US authorities to compel providers subject to US jurisdiction to produce data in their possession, custody or control, regardless of where that data is stored. The Schrems II judgment (CJEU Case C-311/18) turned on a closely related concern, US surveillance law giving government access to data held by US providers, and invalidated the Privacy Shield transfer framework on that basis.
Neither fact means the setup is unlawful. It means the setup carries transfer-adjacent exposure that a careful buyer will ask about, and that a one-word "EU-hosted" answer does not address.
Does passing Tier 1 matter if Tier 2 exposure remains?
Yes, substantially. Tier 1 residency eliminates the most common and most scrutinised category of risk: routine, systematic transfers of personal data to third countries as part of normal operation. What remains at Tier 2 is a narrower, lower-probability exposure related to jurisdiction and compelled access.
Buyers treat the two very differently. Failing Tier 1 (data routinely leaving the EU without a clear mechanism) can block a deal outright. Documented Tier 2 exposure, honestly mapped with mitigations, is usually a discussion point, not a blocker. The failure mode is claiming Tier 2 while only meeting Tier 1, and being caught.
How common is Tier 2 exposure?
Nearly universal. Most modern stacks, including well-intentioned EU-built ones, carry some US-owned dependency: the cloud platform, the CDN, the error tracker, the model provider, the email service. An audit that pretended otherwise would be describing a stack that barely exists.
This is why the Oblixio sovereignty matrix maps Tier 2 exposure per dependency rather than moralising about it. The deliverable is an honest jurisdiction map: which cells of your data path are EU-owned, which are EU-hosted but US-owned, and what data each one can actually access. A CTO can then make deliberate decisions, and procurement gets an answer that survives follow-up questions.
Why anchor this in GDPR transfer law rather than the AI Act?
Because transfer enforcement is settled, current, and durable. Chapter V of the GDPR has governed third-country transfers since 2018, Schrems II has shaped transfer assessments since 2020, and European supervisory authorities have issued real decisions against real companies on transfer grounds, including findings against the use of US-based analytics services. A compliance posture built on this foundation does not expire with a regulatory news cycle.
Deadline-driven urgency ages badly and invites cynicism. Jurisdiction and transfer exposure are structural properties of your stack; they will matter in every enterprise deal for the foreseeable future, whatever happens to any particular regulation's timeline.
How do the two tiers appear in an Oblixio deliverable?
Every cell of the sovereignty matrix records both facts separately: physical processing location (the residency axis) and the operating entity's jurisdiction (the sovereignty axis). The signed attestation states the Tier 1 conclusion explicitly and summarises Tier 2 exposure by dependency. Nothing is averaged into a single score, because the two claims are useful to a buyer precisely when they are kept distinct.
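The two-axis evaluation described above, written out as an added example. This is illustrative code, not Oblixio's tooling and not the OAM deliverable format: the cell fields, the helper names and the sample stack are assumptions. It shows the two properties that matter in practice: Tier 1 is a conjunction over every step of the data path (one non-EU error tracker or backup fails it), while Tier 2 is reported per dependency with the data each one can see, never folded into a score.

```python
"""Two-tier residency/sovereignty check over a dependency inventory.

Added illustration, not Oblixio's own tooling: field names, helper names
and the sample stack below are assumptions made for the example.
"""
from dataclasses import dataclass

# EU member states (ISO 3166-1 alpha-2). Residency is judged against the EU
# proper; EEA or UK locations count as non-EU in this model.
EU_MEMBER_STATES = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
})


@dataclass(frozen=True)
class Cell:
    """One dependency on the data path, i.e. one row of the sovereignty matrix."""
    name: str
    processing_locations: frozenset   # countries where it stores, processes or backs up the data
    operator_jurisdiction: str        # country whose law the operating entity answers to
    data_accessible: frozenset        # categories of personal data this cell can actually see


def tier1_residency(cells):
    """Tier 1 (residency axis): every location of every cell must be in the EU.

    Returns (passes, names of failing cells). A single non-EU location on any
    step of the path, such as an error tracker or an off-EU backup, fails it.
    """
    failing = [c.name for c in cells
               if not c.processing_locations <= EU_MEMBER_STATES]
    return not failing, failing


def tier2_exposure(cells):
    """Tier 2 (sovereignty axis): per-dependency map of non-EU operator jurisdiction.

    Deliberately returns a map, not a count or score: the buyer needs to know
    which cell is exposed and what data that cell can reach.
    """
    return {
        c.name: {
            "jurisdiction": c.operator_jurisdiction,
            "data_accessible": sorted(c.data_accessible),
        }
        for c in cells
        if c.operator_jurisdiction not in EU_MEMBER_STATES
    }


def claim_supported(cells, claim):
    """Check a marketing claim against the inventory.

    'eu-resident' needs Tier 1 only; 'eu-sovereign' needs Tier 1 and an empty
    Tier 2 map. Claiming 'eu-sovereign' on a stack that only meets Tier 1 is
    the failure mode the methodology warns about.
    """
    t1_pass, _ = tier1_residency(cells)
    if claim == "eu-resident":
        return t1_pass
    if claim == "eu-sovereign":
        return t1_pass and not tier2_exposure(cells)
    raise ValueError(f"unknown claim: {claim}")


def attestation(cells):
    """The two conclusions, reported separately as the matrix does."""
    t1_pass, t1_failing = tier1_residency(cells)
    return {
        "tier1_pass": t1_pass,
        "tier1_failing_cells": t1_failing,
        "tier2_exposure": tier2_exposure(cells),
    }


# Constructed sample stack (assumption): the Frankfurt-region example plus the
# kind of dependencies a typical EU-built product carries.
SAMPLE_STACK = (
    Cell("cloud-platform", frozenset({"DE"}), "US", frozenset({"all customer data"})),
    Cell("cdn", frozenset({"DE", "NL"}), "US", frozenset({"request metadata", "page content"})),
    Cell("error-tracker", frozenset({"US"}), "US", frozenset({"stack traces", "user ids"})),
    Cell("email-service", frozenset({"IE"}), "IE", frozenset({"email addresses"})),
)

if __name__ == "__main__":
    import json
    print(json.dumps(attestation(SAMPLE_STACK), indent=2))
```

Dropping the error tracker (or moving it to an EU region) flips Tier 1 to pass, but the cloud platform and CDN stay in the Tier 2 map with their US jurisdiction; that is the stack the canonical example above describes, and the one on which an "EU-sovereign" claim would not be supported.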
Methodology version: OAM v0.1 (draft). Every Oblixio deliverable is stamped with the methodology version it was produced under.