7 min read
June 29, 2026
Looking for a sovereign PAM solution? Seven criteria to tell whether a privileged access management vendor is truly European and free from the US CLOUD Act.
Every company has crown jewels: design data, production control, customer databases, financial systems, intellectual property. Remote Privileged Access Management decides who reaches exactly those systems from the outside, as an administrator or external service provider, and what gets recorded along the way. That makes it one of the most far-reaching systems in your IT. So choosing one is not only about features and price. It raises a question that rarely makes the requirements list: which law governs the vendor, and where does control over the access data actually sit?
This guide gives you seven concrete criteria to tell a sovereign, European PAM solution apart from one that carries hidden dependencies. At the end you will see how to check these criteria in practice.
Key Takeaways
Privileged Access Management manages the most powerful accounts in the network: administrator logins, service accounts, and remote maintenance by external providers. Through these accounts you can do almost anything, from changing configurations to exfiltrating data. The RPAM solution itself records the most sensitive activity in your organisation. Our primer on PAM, PIM and IAM explains how they differ.
Who runs this system, and which law the vendor answers to, is therefore not a purely technical decision. The seven criteria below help you examine that question properly in a tender or selection process, instead of leaving it to chance. For a deeper start, see our PAM beginner's guide.
Criterion 1: Jurisdiction
The first question is the most important: which law governs the company? A vendor subject to US law falls under the US CLOUD Act of 2018. It obliges US companies to hand over data on the order of US authorities, regardless of where in the world that data sits. A data centre in Frankfurt does not protect you if the vendor itself is exposed to a foreign jurisdiction.
So check first whether the vendor is subject to European law only. Everything else builds on that.
Criterion 2: Ownership
Jurisdiction does not depend on the registered office alone, but also on the owners. A European company majority-owned by a US group or US private equity firm can fall under US law indirectly. Ask specifically about the parent company and the ownership structure, not just the address on the letterhead.
Criterion 3: Operating model
Many modern RPAM products require a connection to the vendor's cloud. That concentrates control and risk in one place beyond your reach. A sovereign solution runs fully on-premise and under your own control, without session data inevitably landing with the vendor. Check whether a pure on-premise deployment is possible, or whether the cloud connection stays mandatory.
Criterion 4: Data residency
An RPAM solution processes the access keys and session recordings of your most critical systems. That data should never leave your jurisdiction. Clarify where logs, recordings and credentials are stored, and who can technically access them. The conflict between US access rights and the GDPR has been unresolved since the Court of Justice's Schrems II ruling (C-311/18) of 2020, and the EU Data Act (Regulation 2023/2854), applicable since September 2025, now explicitly requires cloud providers to prevent unlawful access by third countries.
Criterion 5: Auditability
NIS-2 (Section 30 BSIG), ISO 27001 and Art. 32 GDPR require verifiable control of privileged access. A good solution delivers tamper-proof session recording and complete logs that stay audit-ready in house. Ask whether every privileged access can be traced down to the individual session, and whether the records hold up in external audits. Our GDPR whitepaper, the NIS-2 whitepaper and our NIS-2 checklist for mid-sized companies go through the individual requirements.
Criterion 6: Implementation
How does the solution get into the network, and who needs access to put it there? Agentless approaches reduce the attack surface, because no extra software runs on the target systems. Also look at how long deployment takes and whether it works without permanent remote access by the vendor. For securing third-party access by external providers, this point decides whether they reach your systems under your control or not.
Criterion 7: Ongoing development
Sovereignty does not end at purchase. Maintenance, support and ongoing development should also happen in Europe, so you do not slip back into dependency through the back door. Check where the development team sits and who actually looks at your systems in a support case.
VISULOX by amitego has been developed, operated and hosted in Germany for more than 20 years and is subject to German data protection law only. There is no US parent company and no CLOUD Act lever. The solution runs on-premise and is deployed agentlessly, often in under two days. Privileged internal and external access runs through a single access point with multi-factor authentication, just-in-time approvals and tamper-proof recording. That covers all seven criteria, without access data ever leaving German jurisdiction.
If you want a deeper primer on the discipline, see our guide to Privileged Access Management for 2026.
Controlling privileged access is not a question of industry or size. Anyone who can reach your most critical systems remotely effectively holds the master key to your crown jewels, whether you are a mid-sized firm, a family business or a corporation. The seven points above drop straight into your selection or procurement process. The first question belongs at the start, not the end: which law governs the vendor of our RPAM solution, including parent company and owners? You can model what a switch would cost in a few minutes with our pricing and licence calculator.
What is a sovereign PAM solution?
A sovereign PAM solution is a privileged access management system whose vendor is subject to European law only and which can run without access by third countries. The deciding factors are jurisdiction, ownership structure and an on-premise operating model that keeps access data in house.
Does a server location in Germany protect against the CLOUD Act?
No. The US CLOUD Act reaches US vendors and their subsidiaries regardless of where the data is stored. A data centre in Germany does not protect you if the vendor or its parent company is subject to US law.
Which rules require control of privileged access?
NIS-2 (Section 30 BSIG), ISO 27001 and Art. 32 GDPR require privileged access to be controlled and logged in a verifiable, complete way. The records must stay audit-proof and available for audits.
With Remote Privileged Access Management you are not just buying software. You are deciding who controls the most sensitive layer of your IT. The seven criteria (jurisdiction, ownership, operating model, data residency, auditability, implementation and ongoing development) turn a gut feeling into a checkable decision. VISULOX is built for all seven: developed in Germany, operated on-premise, and subject to German law only. Talk to us about a sovereign migration, or download the PAM beginner's guide. (This article does not constitute legal advice.)