
Where Is Your Data Really Stored? Why Sovereignty Matters More Than Ever


With cloud adoption increasing and global regulatory pressure on the rise, including governmental policies that may themselves have an impact, where data is stored, and which jurisdiction applies to it, becomes crucial.
As businesses and organizations face increasing regulatory complexity – ranging from the EU’s GDPR, the expansive NIS2 directive, and the upcoming AI Act to national frameworks such as the Swiss Federal Act on Data Protection (FADP) or the Information Security Act (ISG) – the concept of data sovereignty has evolved from a mere compliance checkbox to a strategic boardroom priority. This complexity poses a particular challenge for small and medium-sized enterprises (SMEs), which often lack the resources to navigate national and international regulatory landscapes confidently and to assert themselves within them.
At Open Systems, data sovereignty is not just a technical challenge, it’s a strategic commitment. Rooted in Switzerland’s tradition of neutrality and strong privacy protections, our approach combines robust infrastructure with verifiable compliance. Certifications under ISO/IEC 27001, 27017, and 27018, regular SOC 1 Type 2 audits, and alignment with U.S. HIPAA standards form the backbone of how we protect sensitive data—from storage to access to auditability.
To explore how we bring these commitments to life, we spoke with Thasanee Patklom, General Counsel at Open Systems, about what data sovereignty means in a cloud-native, SASE-driven world. In particular, we discussed how we manage data—whether in the cloud, on-premises, or physically—and the choices we offer our customers to meet today’s compliance challenges with confidence.
- How do you define data sovereignty in the context of today’s hybrid, cloud-adopting environments?
Data sovereignty means knowing exactly where your data is stored, who can access it (and from where), and how it can be used. In today’s complex environments, this understanding is critical to ensure compliance, maintain control, and protect data integrity.
At the same time, the move towards Cloud-native architectures – especially in rapidly evolving IT/OT convergence scenarios – requires a greater focus on built-in security mechanisms such as zero trust principles, secure segmentation and continuous access control. These elements not only strengthen sovereignty at a technical level, but also enable resilient, scalable protection.
- Why is Switzerland’s regulatory environment—especially under the revised Federal Act on Data Protection (FADP)—uniquely positioned to support strong data sovereignty?
Switzerland offers a unique combination of legal, political, and infrastructural advantages. Its data protection law blends core elements of the EU GDPR—such as transparency, accountability, and data subject rights—with Swiss balance and pragmatism. This creates a regulatory environment that is both robust and business friendly.
In addition, Switzerland’s political and economic stability supports world-class infrastructure, including highly secure data centers, reliable internet connectivity, and power supplies. The country also benefits from a deep pool of highly trained, experienced IT professionals.
- How would you assess whether a cloud or SASE provider can meet the EU’s data residency and data localization requirements?
A thorough evaluation requires a multidisciplinary approach—combining legal, technical, organizational, and contractual checks:
- Purpose: What exactly are you sharing, and for what use?
- Legal and regulatory compliance: Is the provider headquartered in the EU/EEA or in a country subject to foreign laws with extraterritorial reach (e.g., the U.S. CLOUD Act)?
- Data location and flow control: Where is data physically stored? How are cross-border data flows handled?
- Access control and data sovereignty: What technical and organizational measures are in place to protect access and ensure sovereignty?
- Contracts and certificates: Are appropriate certifications, audit rights, and verification mechanisms in place?
Only by addressing all these dimensions can you ensure your cloud or SASE provider truly meets the EU’s data residency and localization requirements.
- What are the potential legal or financial consequences—such as multi-million-dollar fines—that organizations can face when they fail to comply with data sovereignty requirements?
Non-compliance with data sovereignty requirements can expose organizations to significant legal, financial, and commercial risks.
Under the EU’s GDPR, violations can lead to fines of up to €20 million or 4% of global annual revenue—whichever is higher. Other jurisdictions also impose sanctions for unlawful cross-border data transfers.
Beyond regulatory penalties, companies may face contract breaches, civil liability claims, and the loss of key customer relationships.
Equally critical is the reputational damage, which can erode trust among customers, partners, and investors—sometimes irreversibly.
The takeaway: Data sovereignty is not just a legal checkbox. It represents a strategic risk factor with potentially existential consequences for modern digital businesses.
- Many organizations are navigating GDPR, FADP, and now NIS2, DORA, and the EU AI Act simultaneously. How do Open Systems and its SASE offering support them in managing that regulatory complexity?
With increasing pressure from regulations, organizations must strengthen security, risk governance, and accountability.
Our Managed Services help customers meet these requirements across key areas:
- Identify: Visibility into critical assets, risks, and dependencies
- Protect: Network-based security controls, access management, and Zero Trust principles
- Detect: Continuous monitoring and anomaly detection via our Network Operations Center (NOC)
- Respond: Rapid response coordination, incident reporting, and technical containment
- Risk Management: Support in identifying and addressing cyber and operational risks
- Third-Party Management: Enhanced visibility and governance of vendor access and dependencies
Our services enable customers to operationalize regulatory compliance – with greater resilience, control, and audit readiness.
- Cloud Infrastructure & Data Residency: Where is customer data stored and processed in your SASE offering?
Customer data is currently stored at our physical data centers in Switzerland, or in Microsoft Azure’s Switzerland North region.
- Are your cloud nodes/data centers located exclusively within the EU? If yes, how do you guarantee this?
Yes. Microsoft commits to keeping customer data within their defined service boundaries, ensuring compliance with residency requirements.
Open Systems works with Microsoft as our cloud service provider. By default, the data is hosted in Microsoft data centers located in the EU, and Open Systems configures its services to ensure that data residency is maintained within the EU region.
However, certain non-customer-data processing activities (e.g. support or telemetry) may involve access from outside the EU.
Microsoft has launched the EU Data Boundary initiative to ensure that all customer data and most service operations remain within the EU. We are monitoring and aligning with this development where applicable.
- Where is customer data stored across Open Systems’ SASE infrastructure, and how do we ensure full control over its residency, integrity, and access?
Customer data resides either in our on-premises data centers or in our dedicated Microsoft Azure tenant in Switzerland. We maintain strict control over residency and access, aligning with contractual, technical, and organisational safeguards.
- How do certifications like ISO/IEC 27001, 27017, 27018 and SOC 1 Type 2 reporting reinforce Open Systems’ commitment to verifiable trust?
These certifications validate our adherence to recognized security and privacy best practices through independent, external audits. Upon request, we share details of our ISO and SOC certifications with customers or prospects. Additionally, our Legal and Compliance teams are available to address specific concerns and ensure transparency.
- How would you handle a situation where a cloud or SASE provider is legally compelled by a third country to provide access to EU customer data?
We comply with lawful requests as required, but where permitted, we inform impacted parties and limit disclosure strictly to what is legally necessary.
We would:
- Assess the legal basis and scope of the request
- Consult with legal counsel to evaluate implications under GDPR and other applicable laws
- Engage with the provider to restrict or limit disclosure, and document the steps taken
- How does Open Systems manage the risk of foreign access laws—such as the U.S. CLOUD Act—while maintaining global service delivery?
We mitigate such risks by hosting data in Switzerland or the EU wherever possible and by contracting with Swiss or EU-based legal entities. This ensures that data remains subject to local jurisdiction and benefits from Swiss and/or European data protection standards.
Through contractual and jurisdictional safeguards, we actively minimize cross-border exposure and support GDPR and FADP-compliant data sovereignty – especially in complex, cloud-based service models.
In specific cases—based on customer requirements—services can be exclusively hosted in Switzerland, further reducing the risk of foreign legal access.
In addition, we limit third-country exposure by design and work preferentially with cloud and infrastructure providers that hold ISO/IEC 27001 certification. This ensures that internationally recognized standards for information security management are met and independently audited.
To support lawful operations in sensitive environments such as NGOs or development-focused sectors, we also conduct a careful sanctions and de minimis assessment where relevant, ensuring compliance even in high-risk jurisdictions.
- Transparency is central to trust. What questions do customers ask most often about data handling, and how do we at Open Systems address them?
Customers regularly enquire about data handling, whether through audits, questionnaires, annual assessments, or even ad-hoc queries. The questions often depend on the customer’s industry sector, but the most common themes currently include:
- Where will the data reside and be processed?
- Who else has access to our (and customers’) data?
- Does Open Systems have a formal data handling policy?
- How do we handle and manage the use of AI?
We address these proactively through clear documentation, open dialogue, and our commitment to transparency and compliance.
- Looking ahead, what trends or shifts in global regulation are top of mind—and how is Open Systems positioned to respond?
AI regulation is a major area of focus, with evolving global frameworks. At Open Systems, besides operating our own AI, we use AI responsibly. As the regulatory landscape regarding AI is still evolving, Open Systems ensures it has governance structures in place to align with best practices and to ensure safe and responsible use.
We are also actively preparing for NIS2 and DORA by analysing requirements and implementing internal measures to ensure compliance. For deeper insights, we offer customer-facing white papers detailing our approach.
Looking further ahead, we are currently in the planning phase for the upcoming EU Cyber Resilience Act, ensuring our services remain compliant as regulations continue to evolve.
In an era where digital trust is currency, data sovereignty is no longer just a legal checkbox—it’s a strategic imperative. As regulations tighten and customers grow more privacy-conscious, organizations need partners who don’t just comply but embed privacy, security, and transparency into the core of their services.
At Open Systems, we don’t see compliance as a burden—we see it as an opportunity to build resilient, future-ready solutions that empower our customers to thrive in even the most regulated environments. Whether it’s GDPR, FADP, NIS2, or what’s next, we’re already there—so our customers can move forward with confidence.