Skip to main content

Why European Data Sovereignty Is Reshaping the Data Catalog Decision

Samuel Nagy
Samuel Nagy
VP of Strategic Growth

For European organizations, where a data catalog runs and who can be compelled to open it has become a real decision criterion, not a procurement footnote. Sovereign deployment is now one of the main reasons teams move off US-headquartered platforms, and the legal ground under cross-border data transfers keeps shifting.

From Nice-to-Have to Decision Criterion

For a long time, where a data catalog ran was a question for the infrastructure team, settled after the features were chosen. In Europe, that order has reversed. Increasingly, the first question a buyer asks is not what the catalog does, but where it can run and who can be compelled to open it.

The shift is practical, not ideological. Teams evaluating a move off a US-headquartered platform now cite sovereign deployment as a primary driver, ahead of price or features. When a vendor cannot run inside a customer-controlled European environment, or when its connectors assume a public SaaS model that a private or regulated cloud will not allow, the evaluation ends there. The catalog holds the map of an organization's entire data estate, so where that map lives, and whose law reaches it, is not a detail.

Two forces pushed sovereignty up the list. The legal basis for moving European data to US-controlled systems keeps being challenged in court. And European policy has turned sovereignty from a preference into a measurable procurement standard. Both are worth understanding before choosing a catalog you will run for years.

What "Sovereign" Actually Means for a Data Catalog

Sovereignty is often flattened to "the data sits in an EU region." That is necessary but not sufficient. Data sovereignty means your data is subject only to the laws of the jurisdiction you choose, and that no foreign authority can quietly compel access to it. For a catalog, four separate tests decide whether that holds.

The first is ownership: who owns the company behind the product. The second is operation: who actually runs the platform and holds the keys. The third is data location: where the data and the metadata physically live. The fourth, and the one most often missed, is legal jurisdiction: whose law the operating company must answer to when an order arrives.

A catalog can pass the data-location test and still fail the others. A US-headquartered vendor can store your metadata in Frankfurt and remain subject to US jurisdiction. That gap between "data in the EU" and "outside foreign legal reach" is the whole point, and it is where the legal exposure lives.

Four tests of a sovereign data catalog FOUR TESTS OF A SOVEREIGN DATA CATALOG US-headquartered SaaS catalog European deployable catalog OWNERSHIP Foreign-owned vendor European-owned OPERATION Vendor-operated SaaS only Operated by you, in your tenant DATA LOCATION EU region, foreign control Your EU tenant or on-premise LEGAL JURISDICTION Subject to foreign law (CLOUD Act) Subject only to EU law
Click to enlarge

The Legal Exposure Behind the SaaS Catalog

The concrete risk has a name. The US CLOUD Act, passed in 2018, lets US authorities compel a US-based provider to produce data it has possession, custody, or control of, regardless of where that data is physically stored. Storing metadata in an EU data center does not place it out of reach if the operating company is subject to US jurisdiction. The obligation can extend to a US company and, depending on the control it holds, its subsidiaries.

For a European organization, this creates a direct conflict with GDPR. If a US provider discloses your data to US authorities under a CLOUD Act order, that transfer can itself breach GDPR, leaving you exposed on both sides. The catalog is a sensitive target here, because it describes what data you hold, where it flows, and who owns it. That is a map worth protecting.

The usual reassurance is the EU-US Data Privacy Framework, the adequacy decision that has covered these transfers since July 2023. Its footing is contested. On 29 June 2026, a US Supreme Court ruling in Trump v. Slaughter weakened the independence of the redress mechanism the framework relies on, and the privacy group noyb signaled a fresh challenge widely called Schrems III. The two arrangements that came before it, Safe Harbor and Privacy Shield, were both struck down by the Court of Justice of the EU. The framework remains valid today, but building a multi-year data platform on a mechanism with that history is a bet a growing number of European teams decline to make.

How a foreign legal order reaches your data WHO CAN BE COMPELLED TO OPEN THE CATALOG US-headquartered SaaS US legal order (CLOUD Act) US-headquartered provider has custody or control Data inUS region Data inEU region reachable either way European, deployed by you Foreign legal order no reach Your EU tenant or on-premise European vendor, EU jurisdiction data stays under your control
Click to enlarge

Sovereignty Is Becoming a Procurement Standard

None of this is theoretical policy debate anymore. European institutions are turning sovereignty into something measurable and buying against it. In June 2026 the European Commission set out a Cloud Sovereignty Framework that scores providers across eight objectives, from legal and jurisdictional control to supply chain, security, and environmental sustainability, and grades them on Sovereignty Effectiveness Assurance Levels up to SEAL-4, its full-sovereignty tier.

The spending is following the framework. In April 2026 the Commission awarded a sovereign cloud contract worth 180 million euro over six years to four European providers, with a SEAL-2 sovereignty level as the entry requirement. Industrial initiatives such as EuroStack are pushing to build out a European alternative across cloud, AI, and identity.

A realistic note belongs here. No serious analyst expects European enterprises to abandon US hyperscalers wholesale in 2026, and few will. The point is narrower and it is already true: sovereignty has become a scored, funded criterion, and it is moving down from public institutions into regulated industries and private buyers. A data catalog chosen today will be judged against it for years.

What a Sovereign Data Catalog Looks Like

Put the four tests together and the shape of a sovereign catalog is clear. It is built and owned by a company inside the EU, so no foreign parent can be compelled on its behalf. It can be operated by you, inside infrastructure you control, rather than only as a public SaaS. Its data and metadata live where you decide, in an EU jurisdiction or on your own premises. And the company behind it answers to EU law.

Two engineering choices make that practical rather than aspirational. The first is deployment flexibility: the same catalog should run as managed SaaS, in a private cloud inside your own EU tenant, or fully on-premise, without a different product for each. The second is a metadata-only, single-tenant design. In hybrid setups, only metadata leaves your environment while sensitive data stays put, and each customer gets a separate metadata store rather than a shared multitenant database. That combination supports GDPR, ISO 27001, and SOC 2 obligations, and it keeps classification and governance inside your perimeter.

This is where many established, US-headquartered catalogs run into friction. A SaaS-first architecture is hard to fit into a private or air-gapped European cloud, and connectors built for a public model can fail against a locked-down private one. We compare the trade-offs in detail on our Dawiso versus Collibra page. The gap is rarely about capability. It is about whether the platform can live where a sovereign buyer needs it to live.

Where Dawiso Fits

Dawiso was built by a European company and is operated by Europeans, and it is designed to run wherever your sovereignty requirements point. You can deploy it in a private cloud inside your own Azure, Google, or AWS tenant, or fully on-premise, so the platform and your data stay within an environment and a jurisdiction you control. A managed SaaS option on Azure exists for teams that want it, but the sovereign path does not depend on it.

The architecture matches the deployment story. In hybrid setups only metadata is transferred, your sensitive data never leaves your side, and every customer has a separate metadata store rather than a shared multitenant database, which supports GDPR, ISO 27001, and SOC 2. On top of that runs the full governance stack: a data catalog, a business glossary, and interactive data lineage, plus a context layer that serves governed meaning to AI. You get modern, AI-ready data governance without conceding control over where it lives or whose law reaches it.

For European buyers, sovereignty and capability no longer have to trade off. The catalog can be business-friendly, AI-ready, and fully within your control at the same time. That is the combination the market is starting to demand, and it is the ground worth building on.

FAQ

What does data sovereignty mean for a data catalog?
Data sovereignty means your data is subject only to the laws of the jurisdiction you choose, and that no foreign authority can compel access to it. For a data catalog, four things decide this: who owns the vendor, who operates the platform, where the data and metadata physically live, and whose law the operating company answers to. A catalog is sovereign for a European organization when it can run entirely inside an environment you control, in an EU jurisdiction, operated by a company that is not reachable by a non-EU legal order.
Does the US CLOUD Act apply to data stored in the EU?
Yes, when the provider is US-based. The CLOUD Act, passed in 2018, lets US authorities compel US providers to produce data they have possession, custody, or control of, regardless of where that data is physically stored, including in EU data centers. Storing data in a European region does not remove it from reach if the operating company is subject to US jurisdiction. This is also why a CLOUD Act order can put a European organization in direct conflict with GDPR.
Is the EU-US Data Privacy Framework a reliable basis for transfers?
It is in force, but its stability is contested. The framework has been the legal basis for EU-US transfers since July 2023, yet a US Supreme Court ruling on 29 June 2026 weakened the independence argument at the center of its redress mechanism, and noyb has signaled a fresh challenge often called Schrems III. Two previous transfer arrangements, Safe Harbor and Privacy Shield, were struck down by the Court of Justice of the EU. Planning a data platform around a mechanism with that track record is a risk many European teams no longer want to carry.
Can Dawiso run without any dependence on US-controlled infrastructure?
Yes. Dawiso is European-owned and European-operated, and it can run in private cloud inside your own EU tenant or fully on-premise, so the platform and your data stay within an environment and a jurisdiction you control. In hybrid setups only metadata is transferred, and each customer has a separate metadata store rather than a shared multitenant database. A managed SaaS option on Azure also exists for teams that prefer it, but the sovereign path does not depend on it.

See it in action

Deploy a Catalog You Control

Run Dawiso in private cloud inside your own EU tenant or fully on-premise, operated by a European company. Governed data, on your terms.