Remote Access

7 min read

June 29, 2026

Sovereign PAM solution: 7 criteria for choosing one

Looking for a sovereign PAM solution? Seven criteria to tell whether a privileged access management vendor is truly European and free from the US CLOUD Act.

Jan Zeppernick - Amitego CEO


Introduction

Every company has crown jewels: design data, production control, customer databases, financial systems, intellectual property. Remote Privileged Access Management decides who reaches exactly those systems from the outside, as an administrator or external service provider, and what gets recorded along the way. That makes it one of the most far-reaching systems in your IT. So choosing one is not only about features and price. It raises a question that rarely makes the requirements list: which law governs the vendor, and where does control over the access data actually sit?

This guide gives you seven concrete criteria to tell a sovereign, European PAM solution apart from one that carries hidden dependencies. At the end you will see how to check these criteria in practice.

Key Takeaways

  • Remote Privileged Access Management (RPAM) is the most sensitive layer of your IT: whoever runs it sees and controls privileged access to every critical system.
  • Sovereignty is decided by the legal jurisdiction of the vendor and its owners, not by the server location. The US CLOUD Act reaches data even in European data centres.
  • NIS-2 (Section 30 BSIG), ISO 27001 and Art. 32 GDPR require strict, verifiable control of privileged access. Logs and session recordings must stay auditable in house.
  • Seven criteria separate a sovereign solution from a dependent one: jurisdiction, ownership, operating model, data residency, auditability, implementation and ongoing development.
  • VISULOX by amitego meets all seven: developed, operated and hosted in Germany, on-premise, and subject to German law only.

Why choosing a PAM solution is a question of sovereignty

Privileged Access Management manages the most powerful accounts in the network: administrator logins, service accounts, and remote maintenance by external providers. Through these accounts you can do almost anything, from changing configurations to exfiltrating data. The RPAM solution itself records the most sensitive activity in your organisation. Our primer on PAM, PIM and IAM explains how they differ.

Who runs this system, and which law the vendor answers to, is therefore not a purely technical decision. The seven criteria below help you examine that question properly in a tender or selection process, instead of leaving it to chance. For a deeper start, see our PAM beginner's guide.

Criterion 1: The vendor's jurisdiction

The first question is the most important: which law governs the company? A vendor subject to US law falls under the US CLOUD Act of 2018. It obliges US companies to hand over data on the order of US authorities, regardless of where in the world that data sits. A data centre in Frankfurt does not protect you if the vendor itself is exposed to a foreign jurisdiction.

So check first whether the vendor is subject to European law only. Everything else builds on that.

Criterion 2: Ownership and group structure

Jurisdiction does not depend on the registered office alone, but also on the owners. A European company majority-owned by a US group or US private equity firm can fall under US law indirectly. Ask specifically about the parent company and the ownership structure, not just the address on the letterhead.

Criterion 3: An operating model without forced cloud

Many modern RPAM products require a connection to the vendor's cloud. That concentrates control and risk in one place beyond your reach. A sovereign solution runs fully on-premise and under your own control, without session data inevitably landing with the vendor. Check whether a pure on-premise deployment is possible, or whether the cloud connection stays mandatory.

Criterion 4: Keeping data in house

An RPAM solution processes the access keys and session recordings of your most critical systems. That data should never leave your jurisdiction. Clarify where logs, recordings and credentials are stored, and who can technically access them. The conflict between US access rights and the GDPR has been unresolved since the Court of Justice's Schrems II ruling (C-311/18) of 2020, and the EU Data Act (Regulation 2023/2854), applicable since September 2025, now explicitly requires cloud providers to prevent unlawful access by third countries.

Criterion 5: Auditability for NIS-2, ISO 27001 and GDPR

NIS-2 (Section 30 BSIG), ISO 27001 and Art. 32 GDPR require verifiable control of privileged access. A good solution delivers tamper-proof session recording and complete logs that stay audit-ready in house. Ask whether every privileged access can be traced down to the individual session, and whether the records hold up in external audits. Our GDPR whitepaper, the NIS-2 whitepaper and our NIS-2 checklist for mid-sized companies go through the individual requirements.

Criterion 6: Implementation without external dependency

How does the solution get into the network, and who needs access to put it there? Agentless approaches reduce the attack surface, because no extra software runs on the target systems. Also look at how long deployment takes and whether it works without permanent remote access by the vendor. When it comes to securing third-party access for external providers, this point decides whether they reach your systems under control or not.

Criterion 7: Development and support in Europe

Sovereignty does not end at purchase. Maintenance, support and ongoing development should also happen in Europe, so you do not slip back into dependency through the back door. Check where the development team sits and who actually looks at your systems in a support case.

VISULOX measured against the seven criteria

VISULOX by amitego has been developed, operated and hosted in Germany for more than 20 years and is subject to German data protection law only. There is no US parent company and no CLOUD Act lever. The solution runs on-premise and is deployed agentlessly, often in under two days. Privileged internal and external access runs through a single access point with multi-factor authentication, just-in-time approvals and tamper-proof recording. That covers all seven criteria, without access data ever leaving German jurisdiction.

If you want a deeper primer on the discipline, see our guide to Privileged Access Management for 2026.

What this means for any company with crown jewels

Controlling privileged access is not a question of industry or size. Anyone who can reach your most critical systems remotely effectively holds the master key to your crown jewels, whether you are a mid-sized firm, a family business or a corporation. The seven points above drop straight into your selection or procurement process. The first question belongs at the start, not the end: which law governs the vendor of our RPAM solution, including parent company and owners? You can model what a switch would cost in a few minutes with our pricing and licence calculator.

Frequently asked questions about sovereign PAM solutions

What is a sovereign PAM solution?
A sovereign PAM solution is a privileged access management system whose vendor is subject to European law only and which can run without access by third countries. The deciding factors are jurisdiction, ownership structure and an on-premise operating model that keeps access data in house.

Does a server location in Germany protect against the CLOUD Act?
No. The US CLOUD Act reaches US vendors and their subsidiaries regardless of where the data is stored. A data centre in Germany does not protect you if the vendor or its parent company is subject to US law.

Which rules require control of privileged access?
NIS-2 (Section 30 BSIG), ISO 27001 and Art. 32 GDPR require privileged access to be controlled and logged in a verifiable, complete way. The records must remain tamper-proof and available for audits.


Conclusion

With Remote Privileged Access Management you are not just buying software. You are deciding who controls the most sensitive layer of your IT. The seven criteria, jurisdiction, ownership, operating model, data residency, auditability, implementation and ongoing development, turn a gut feeling into a checkable decision. VISULOX is built for all seven: developed in Germany, operated on-premise, and subject to German law only. Talk to us about a sovereign migration, or download the PAM beginner's guide. (This article does not constitute legal advice.)

Jan Zeppernick - Amitego CEO


Jan has more than 12 years of consulting experience at PwC and Ernst & Young, focused on information security and compliance for critical infrastructure and the automotive industry. As a certified ISO 27001 Lead Auditor and strategy expert, he advises organisations on building and auditing security management systems in line with ISO 27001 and TISAX.