Email infrastructure for public-sector bodies that need to answer "no" to the third-country-law question
Public-sector procurement in 2026 is dominated by one question: is the provider subject to a third-country law with extraterritorial reach? The October 2025 EU Cloud Sovereignty Framework codified the question into eight specific sovereignty objectives. SecNumCloud in France, C5 in Germany, and Gaia-X across the EU make the same demand from different angles. The CLOUD Act 2018 means the answer for any US-owned provider — including AWS Frankfurt and Azure Germany — is "yes, US courts can compel disclosure of data stored on EU soil." Authorize Hosting is a Swedish-incorporated entity with no US ownership in its corporate chain, infrastructure in Stockholm and Frankfurt, and a procurement profile structured for public-sector buyers across the EU and LATAM jurisdictions adopting equivalent sovereignty frameworks.
Schrems II rewired what "EU data residency" means. The CLOUD Act made the rewiring permanent. Public-sector buyers absorbed both.
On July 16, 2020, the Court of Justice of the European Union ruled in Schrems II that the EU-US Privacy Shield was invalid because US surveillance law — FISA Section 702 and Executive Order 12333 — did not provide essential equivalence to EU data protection. The court preserved Standard Contractual Clauses (SCCs) as a transfer mechanism but added a critical condition: the data exporter must conduct a Transfer Impact Assessment (TIA) and add "supplementary measures" if the destination's surveillance laws fail the proportionality test. The November 2020 EDPB Recommendations 01/2020 listed example supplementary measures — pseudonymization, end-to-end encryption with keys controlled outside the destination, splitting data across jurisdictions so no single processor can reconstruct it.
The EU-US Data Privacy Framework adopted in 2023 replaced Privacy Shield with a new adequacy decision, but the underlying surveillance laws didn't change. The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) signed in March 2018 still allows US law enforcement to compel any US-owned electronic communications service provider — wherever the data is physically located — to disclose stored content. AWS Frankfurt, Azure Germany, Google Cloud Belgium are all US-owned, all subject to US law, all extraterritorially reachable by US courts. The data center is in the EU; the legal entity that operates it is in the US. EU data residency without sovereign legal entity is data localization, not sovereignty.
For public-sector buyers, this distinction became procurement policy in October 2025 when the European Commission published the EU Cloud Sovereignty Framework. The Framework defines eight sovereignty objectives for EU institutions procuring cloud services: jurisdictional sovereignty (legal entity outside third-country law reach), operational sovereignty (key personnel and operational controls in the EU), data sovereignty (data location, transit, and processing all within the EU), technological sovereignty (technology stack not dependent on third-country IP), supply-chain sovereignty (no critical components from third-country suppliers), economic sovereignty (avoiding lock-in to non-EU economic dependence), security sovereignty (alignment with EU cybersecurity standards including NIS2), and access sovereignty (no third-country law-enforcement compulsion).
SecNumCloud in France (ANSSI's qualification standard for cloud services handling sensitive government data) and C5 in Germany (BSI's audit standard) operationalize parts of this framework with specific technical and contractual requirements. Gaia-X, the EU-wide federation initiative, provides interoperability standards rather than a centralized cloud, allowing sovereign EU providers to connect while preserving their independence. The result is that public-sector RFPs across the EU in 2026 routinely require providers to be "not subject to third-country law with extraterritorial reach" — a contractual term that simply cannot be satisfied by US-owned providers regardless of their EU data center investments.
What this means in practice for email infrastructure: government correspondence, citizen communications, internal civil-service email, tax notifications, healthcare communications from public hospitals, judicial notifications, defense procurement — all of these workloads are increasingly procured under sovereignty-framework-aligned RFPs that exclude US-owned providers by contractual definition. Authorize Hosting was incorporated in Sweden in 2003 with no US ownership in the corporate chain; the operational base is Stockholm with secondary infrastructure in Frankfurt; key personnel are EU citizens; the technology stack is open-source (PowerMTA being the one exception, but operated under our own license from an EU jurisdiction); subprocessors are EU-jurisdictional. The profile matches the sovereignty framework by structural design, not by adapted marketing.
How much of your email estate is exposed to third-country law right now
Move the sliders to model your situation. The math maps your sending estate against the eight sovereignty objectives from the EU Cloud Sovereignty Framework. The output is the percentage of your estate that fails the typical 2026 public-sector RFP "no third-country law with extraterritorial reach" test, and what it would take to remediate.
Math: estate exposure = (volume × tier weight × provider mult). Tier weights: Low/Tier C = 0.05; Mixed = 0.30; Half Tier A = 0.60; All Tier A = 1.0. Provider multipliers (relative to the 8 sovereignty objectives): US hyperscaler = 1.0 (fails on 6 of 8); US ESP = 0.85 (fails on 5 of 8); Mixed EU = 0.30 (fails on 2 of 8); EU sovereign = 0.05 (passes 8 of 8). Migration urgency is non-linear past 18 months given typical procurement cycles and the time required for IP warmup, contract negotiation, and stakeholder alignment.
Move to EU sovereign and exposure drops to ~5%, satisfying all 8 sovereignty objectives. A typical migration to our infrastructure for a public-sector buyer takes 90-120 days end-to-end: 30 days for procurement-readiness review, 30 days for IP warmup and DMARC progression, 30 days for parallel-run validation, 30 days for full cutover and decommissioning. Faster is possible if the RFP clock is shorter than the typical cycle.
How Authorize Hosting maps to the October 2025 EU Cloud Sovereignty Framework
The Framework defines eight sovereignty objectives that EU institutions are encouraged (and increasingly required) to evaluate when procuring cloud services. Below: how each maps to a US-owned email provider versus our infrastructure. The honest comparison.
Legal entity outside third-country law reach
Authorize Hosting is a Swedish-incorporated entity (Stockholm, established 2003), with no US ownership in the corporate chain. Not subject to CLOUD Act, FISA 702, or Executive Order 12333.
US-owned alternative: Subject to CLOUD Act regardless of EU data center location. Adequacy decision (DPF) does not override compelled-access risk.
Key personnel and operational controls in the EU
Operations team is EU-resident (Sweden, Germany, Spain). On-call rotation is Stockholm-Frankfurt. Root access to production infrastructure requires EU-citizen credentialing. No US-based admin access in any normal operational path.
US-owned alternative: Engineering and product teams typically US-based; "EU sovereign cloud" variants offer EU support staff but the architecture and root credentials still flow through US corporate.
Data location, transit, and processing all within the EU
Primary infrastructure in Stockholm; secondary in Frankfurt. Both are EU jurisdictions. Default routing keeps the message inside the EU for every step of its lifecycle, including bounce-handling, FBL processing, and audit log retention.
US-owned alternative: EU data center available; spam filtering, abuse handling, and operational telemetry typically flow through US-based services.
Technology stack not dependent on third-country IP
Stack is AlmaLinux + Dovecot + Postfix + PowerMTA + custom EU-built tooling. PowerMTA is the one US-origin component (now Bird-owned, but the license terms permit operation by EU entities); the rest is open-source and EU-replaceable. Migration off PowerMTA to KumoMTA (Apache 2.0, Rust) is feasible if procurement requires zero US-IP exposure.
US-owned alternative: Architecture is proprietary; vendor lock-in is structural.
No critical components from third-country suppliers
Hardware is enterprise Xeon (Intel, US-origin) — the universal exception that no EU cloud can avoid today. CPU sovereignty is the open problem the European Chips Act is addressing on a multi-year horizon. Everything else in the stack — networking, storage, software — has EU alternatives in active use.
US-owned alternative: Same CPU dependency, plus US-controlled networking, US-controlled software supply chain.
Avoiding lock-in to non-EU economic dependence
Pricing in EUR, contracts under Swedish or German law, EU VAT compliance, no third-country audit obligations. Revenue is European; corporate tax is paid in the EU; the supply-side and demand-side economics stay inside the EU economic zone.
US-owned alternative: EU revenue flows back to US parent; corporate tax via Irish/Luxembourg structures; the economic dependency is transatlantic by design.
Alignment with EU cybersecurity standards (NIS2)
NIS2-aligned operational controls, incident reporting workflows that satisfy the 24-hour early warning and 72-hour notification cadence, ISO 27001 ISMS documented, alignment with C5 control areas for procurement evaluation.
US-owned alternative: NIS2 compliance possible but with the underlying jurisdictional question still unresolved.
No third-country law-enforcement compulsion
This is the bright-line objective. Authorize Hosting is not subject to compelled disclosure under CLOUD Act, FISA 702, Executive Order 12333, National Security Letters, or equivalent provisions in any jurisdiction outside the EU. Disclosure requests follow EU legal process — Swedish criminal procedure, EU mutual legal assistance treaties — which are subject to EU constitutional protections.
US-owned alternative: CLOUD Act directly applies. The Microsoft Ireland case (Microsoft Corp. v. United States, 2018) was rendered moot by the CLOUD Act's passage, which extended US warrant authority to overseas data held by US providers.
How public-sector procurement framings vary by jurisdiction — and where we fit
| Jurisdiction | Standard | Authority | Email-touchpoint requirement | Our alignment |
|---|---|---|---|---|
| EU institutions | EU Cloud Sovereignty Framework (Oct 2025) | European Commission DG CNECT | 8 sovereignty objectives, all 8 required for sensitive workloads | 8 of 8 satisfied (CPU sovereignty caveat noted) |
| France | SecNumCloud 3.2 | ANSSI | Qualification required for sensitive government data; immunity to non-EU law | Aligned in profile; SecNumCloud qualification is a French national process we participate in for relevant deployments |
| Germany | C5 (Cloud Computing Compliance Criteria Catalogue) | BSI | 17 control areas; BSI-certified providers preferred for federal procurement | Aligned in controls; C5 audit available for federal/Land-level engagements |
| Spain | ENS (Esquema Nacional de Seguridad) | CCN-CERT | Three levels (Basic/Medium/High); High required for sensitive citizen data | Aligned with ENS Medium baseline; High-level engagements supported with additional contractual controls |
| EU-wide federation | Gaia-X | Gaia-X AISBL | Interoperability standards + sovereignty labels (Label Levels 1, 2, 3) | Aligned with Gaia-X principles; sovereignty labels available as data-space participation requires |
| EU NIS2 | NIS2 Directive transposition | National competent authorities | Cybersecurity baseline for essential and important entities; cloud providers in scope | NIS2-aligned; incident reporting workflow per Art. 23 + national thresholds |
| LATAM (Mexico) | MAAGTICSI | Secretaría de la Función Pública | ICT security framework for federal agencies | Aligned; LATAM public-sector engagements typically pair our EU routing with local DPA equivalents |
Standards verified against current published documentation: EU Cloud Sovereignty Framework (European Commission Oct 2025), SecNumCloud 3.2 (ANSSI 2024 update), C5 Cloud Computing Compliance Criteria Catalogue 2020 (BSI), ENS (Real Decreto 311/2022, Spain), Gaia-X AISBL Trust Framework, NIS2 Directive (EU 2022/2555), MAAGTICSI (Mexico SFP 2018). Edition references and audit-cycle dates available on request.
The infrastructure pieces and contractual framework that satisfy the sovereignty objectives
What we provide for public-sector buyers is the regulated sending layer plus the procurement-ready documentation package. We don't replace your collaboration suite (Microsoft 365 or Google Workspace for staff productivity remains the choice of most public sector bodies even where sovereignty matters), but we do replace the SMTP infrastructure for citizen-facing email, transactional notifications, and any high-sensitivity correspondence where the sovereignty framework applies.
- EU-only routing in Stockholm and Frankfurt, with documented data flows Primary infrastructure in Stockholm, secondary in Frankfurt. The data-flow diagram for any message — from API/SMTP submission, through queue management, through outbound delivery, through bounce-handling and FBL processing — is documented for procurement review. Every step stays inside the EU jurisdiction; no transit through US POPs; no third-country processing for spam filtering or abuse handling.
- DPA Art. 28 GDPR + procurement-ready supplementary measures (Schrems II compliant) Pre-drafted DPA aligned with Art. 28, with the supplementary measures from EDPB Recommendations 01/2020 documented for the (rare) case of any cross-border processing. Sub-processor list with each sub-processor's DPA and jurisdictional analysis. Transfer Impact Assessment template pre-completed for the EU-only baseline scenario; no transfer to third countries in normal operation.
- Per-domain SLA with named contacts and operational escalation tree Named operational contact in EU business hours; on-call rotation with documented response times for severity 1, 2, and 3 incidents; quarterly service review with the procuring authority's named point of contact. The SLA is structured to satisfy NIS2 incident-reporting expectations and the supervisory cadence that EU public-sector bodies are accustomed to.
- Audit and exit-assistance framework Right-to-audit clause supporting both procurement-side audits and supervisory-authority audits (BfDI, AEPD, CNIL, ANSSI, BSI). Exit assistance documented in the master agreement: at termination, all stored data is exported in standard formats, sub-processor relationships are unwound on a defined timeline, and operational handover to a successor provider is supported for up to 90 days.
- Per-ministry / per-agency reputation isolation A typical national government has 20-40 ministries and agencies, each with its own sending domain, citizen base, and operational profile. We isolate each on its own sending domain with its own DKIM keys and (where volume warrants) its own dedicated IPs. A spam incident in one ministry's outreach campaign doesn't degrade the deliverability of another ministry's tax notifications.
- Citizen-data-handling alignment with GDPR Art. 6(1)(e) Public-sector processing of citizen data under Art. 6(1)(e) (performance of a task carried out in the public interest or in the exercise of official authority) requires specific safeguards. Our system maintains audit logs of every citizen communication, supports the right of access (Art. 15) and rectification (Art. 16) for any data we process on the public body's behalf, and provides the documented data-handling diagram that supervisory authorities expect to see in inspections.
- NIS2 incident reporting workflow for cloud providers in scope As an EU-resident cloud provider, we are in scope for NIS2 as an "important entity" in most member states' transposition. Our incident-reporting workflow follows the 24-hour early warning + 72-hour notification + 1-month final report cadence that NIS2 Art. 23 requires, with the technical evidence package structured for direct submission to your national CSIRT and supervisory authority.
- Procurement documentation package (procurement-ready Day 1) For RFPs and competitive procurements, we provide the pre-filled documentation set: corporate structure (no US ownership), data-flow diagrams, sub-processor list, DPA + TIA package, sovereignty objective mapping (8 of 8 with the documented CPU caveat), security control matrix mapped to C5 / ENS / SecNumCloud / Gaia-X, financial-stability documentation, references from comparable public-sector engagements. The package is what most procurement teams spend 4-6 weeks compiling from a non-aligned provider.
How public-sector engagements typically size
SMTP Relay Pro + DPA · €749/mo
20 dedicated IPs, full DPA + TIA package, EU-only routing documented, NIS2 incident workflow. The configuration for municipal services, regional agencies, and smaller national bodies handling routine citizen communications.
See SMTP RelayPowerMTA Pro + Managed Deliverability · €2,699/mo
PowerMTA Pro (€1,499) + Managed Deliverability (€1,200). 20 dedicated IPs, 150K msg/hr, named procurement and operational contacts, quarterly service review, full sovereignty objective documentation refresh. Settling tier for most ministries and regional governments.
See Managed DeliverabilityCustom · from €7,500/mo
Multi-server architecture across Stockholm + Frankfurt, dedicated /24 IP space, per-ministry isolation, SecNumCloud or C5 audit support, ENS High alignment, custom DPA negotiated with the procuring authority's legal team, defense-grade segregation where the deployment includes restricted-handling workloads.
Open the procurement conversationWhat procurement teams ask before issuing the contract notice
Do you have SecNumCloud / C5 / ENS High certification today?
+
The honest answer: we are aligned with the controls but not blanket-certified on all three. SecNumCloud 3.2 is a French national qualification process tied to specific service offerings; we pursue it on a per-engagement basis when the procuring authority requires it, with typical preparation timeline of 4-6 months. C5 is closer to a control-area audit framework; we maintain documentation aligned with the C5 control areas and can offer a C5 audit at the procuring authority's request, typically completing within 3 months. ENS Medium is our baseline alignment for Spanish public-sector engagements; ENS High is achievable with additional contractual controls.
The pattern we recommend for procurement teams: include the certification as a contract-condition rather than a tender-precondition. This lets you select the best-fit provider on technical and sovereignty grounds, then condition the contract award on certification completion within a defined timeline. The alternative — requiring certification as a tender precondition — typically narrows the field to providers who already have the certification for a specific service variant, and those service variants may not match your operational requirements.
What's your position on the CPU sovereignty exception?
+
Honest: every cloud provider operating in Europe today depends on US-origin or East-Asian-origin CPUs at the silicon layer. Intel Xeon and AMD EPYC for server compute; the network and storage controllers similarly originate outside the EU. The European Chips Act adopted in 2023 is on a 5-10 year horizon to establish indigenous European silicon manufacturing capacity at scale; until that horizon arrives, all of us share this dependency.
What this means for sovereignty framework alignment: Objective 5 (supply-chain sovereignty) is the one objective where no current EU cloud provider can claim full compliance. The Framework acknowledges this implicitly by treating supply-chain sovereignty as a graduated objective rather than a bright-line test. Our position with procurement teams is to disclose the dependency clearly, document the mitigations (hardware lifecycle management, supply-chain diversification, secure boot and firmware verification), and treat the CPU question as a sector-wide architectural concern rather than a provider-specific risk.
How does your DPA handle the Schrems II Transfer Impact Assessment requirement?
+
Schrems II and the EDPB Recommendations 01/2020 require any data exporter using SCCs to a third-country provider to run a TIA and add supplementary measures if needed. For our customer base this question typically inverts: our customers are EU controllers, we are EU processors, no third-country transfer occurs in normal operation, so the TIA question doesn't fire at all.
We include a pre-completed TIA template in our DPA package documenting the EU-only baseline, the operational data flows, the sub-processor jurisdictional analysis, and the technical and contractual measures in place. For the rare case of any cross-border processing (typically only when a customer explicitly opts in to a non-EU sub-processor for a specific use case), the TIA is updated with the additional supplementary measures from EDPB Recommendations 01/2020 — pseudonymization, encryption with customer-controlled keys, data splitting — to satisfy the proportionality test the EDPB requires.
What's the realistic migration timeline from an incumbent US-owned ESP?
+
90-120 days end-to-end for a typical national-ministry-scale migration. The breakdown: 30 days for procurement readiness and contract execution; 30 days for technical onboarding including DNS preparation, DKIM key generation, DMARC progression to p=quarantine, IP warmup; 30 days for parallel-run validation where a portion of traffic flows through both providers; 30 days for full cutover, decommissioning of the legacy provider, and final DMARC progression to p=reject.
For larger cross-ministry deployments (multi-agency, multi-domain) the timeline extends to 6-9 months. The procurement side typically takes longer than the technical side: EU public-sector contracts above the threshold require formal tender procedures with mandatory standstill periods, which set the minimum elapsed time regardless of how fast both sides can move technically.
How does NIS2 incident reporting interact with our internal escalation procedures?
+
NIS2 (Directive EU 2022/2555) requires "essential" and "important" entities to report significant incidents to their national competent authority within 24 hours (early warning), 72 hours (incident notification), and one month (final report). As a cloud provider serving public-sector customers, we are in scope as an important entity in most national transpositions; our customers, depending on their sector, may be in scope as essential entities.
The interaction model: when an incident occurs on our infrastructure that may affect your operations, we notify your named operational contact within an hour during EU business hours (2-3 hours off-hours), with the technical evidence package structured for your internal classification team to determine whether the incident meets your NIS2 threshold. If it does, you proceed with your own notification under your sector's competent authority; we provide additional evidence on request through the standard NIS2 information-sharing channels.
What about classified or restricted-handling workloads?
+
For most public-sector workloads — citizen-facing email, tax notifications, healthcare communications, judicial notifications, educational communications — our standard infrastructure with the procurement-ready documentation package is sufficient. For classified or formally restricted-handling workloads (EU RESTRICTED, EU CONFIDENTIAL, member-state national classification equivalents like Bundesregierung NfD, Restreint UE), the requirements escalate substantially and the appropriate model is dedicated deployment with member-state-specific certifications.
Practically: for EU RESTRICTED and below, our infrastructure can be configured with additional controls (dedicated IP allocation, segregated DNS, enhanced operational segregation, classified-handling-trained personnel) to support the use case. For EU CONFIDENTIAL and above, the standard answer is to direct the procuring authority to the relevant member-state national cloud (Bundescloud in Germany, Cloud Souverain in France) rather than attempt to fit a sovereignty-aligned commercial cloud into a classification level it wasn't designed for. We're honest about where our infrastructure fits and where it doesn't.
How does this look for LATAM public-sector procurement?
+
LATAM public-sector procurement increasingly mirrors the EU sovereignty framing but with different jurisdictional anchors. Mexico's MAAGTICSI sets ICT security requirements for federal agencies; the SAT (tax authority) and IMSS (social security) have explicit data-residency and provider-sovereignty expectations. Brazil's LGPD plus the Marco Civil da Internet establishes citizen-data sovereignty principles; the ANPD has issued specific guidance on cross-border processing of public-sector data. Colombia under Ley 1581 plus the Plan TIC 2026 emphasizes Colombian operational sovereignty. Chile under Ley 19.628 (reformed 2024) and Argentina under Ley 25.326 have similar profiles.
The procurement model that works for LATAM public-sector buyers engaging us: data routing remains in our EU infrastructure (which satisfies most LATAM cross-border-processing requirements with appropriate contractual safeguards), the contractual chain includes a local LATAM legal entity for VAT and procurement compliance, and the sovereignty framing is documented in the equivalent of the EU's 8 objectives translated to the LATAM jurisdictional context. We have engagements with public-sector buyers in Mexico, Colombia, and Brazil structured this way.
Procurement-ready conversation
Tell us about your procuring authority: jurisdiction, the standards you need to satisfy (EU Cloud Sovereignty Framework, SecNumCloud, C5, ENS, Gaia-X, MAAGTICSI), the workload sensitivity tier, the procurement clock. We'll come back with a sized proposal, the documentation package, and the DPA pre-aligned to your jurisdiction.