Can I store customer data in a US cloud?
Since the EU-US Data Privacy Framework (July 2023), yes, provided the US vendor has self-certified. Without DPF, you fall back on SCCs plus supplementary measures.
Try this first
- 1Check whether the vendor is on the DPF list (dataprivacyframework.gov). Microsoft, Google, AWS, Salesforce are; many smaller ones are not.
- 2On the list: log "transfer under DPF" in the processing register. That is sufficient basis.
- 3Not on the list: use the European Commission Standard Contractual Clauses (2021 version or later). Usually already in the DPA.
- 4Run a Transfer Impact Assessment. Short form: what data, what country, which laws may compel access (FISA 702, CLOUD Act), what supplementary measures (encryption, EU-only key management).
- 5File the TIA with the DPA. The AP can ask for it.
When to bring us in
Special-category data or large scale make a TIA hard to land. Get legal advice.
See also
- Does NIS2 apply to my company?Two questions decide it: are you in a listed sector, and do you meet the threshold from Recommendation 2003/361/EC (more than 50 FTE and more than EUR 10M turnover or balance sheet). Below that you are only indirectly in scope, via your customers. The threshold determines whether you are an important or essential entity depending on sector.
- What changes with the Dutch Cyber Security Act?The Cyberbeveiligingswet is the Dutch implementation of NIS2. Track NCSC for the exact effective date and the lower regulations.
- Am I personally liable as a director under NIS2?Yes. The board is accountable for approving and overseeing the cyber measures. Severe negligence can become personal.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.