Session

Resilience When U.S. Laws Turn Cloud Providers Into a Threat

U.S. authorities can require U.S.-controlled cloud providers to disclose or enable access to data about non‑U.S. persons, even when hosted in EU regions, via FISA Section 702 and the CLOUD Act, creating sovereignty, GDPR, and contractual risk for Swiss workloads on Microsoft and AWS. Physical location is not a shield because extraterritorial orders follow provider control and remote access capabilities rather than where the server sits.

Provider security features are necessary but not sufficient. Even with AWS Nitro’s no‑operator‑access design, legal obligations can still require a provider to assist or produce data within its control or to facilitate access under lawful process.

This session offers a pragmatic resilience playbook: sovereignty-by-design data placement and routing; client-side key custody with separation of duties; confidential computing with hardware attestation to protect data in use; and sharpened contractual safeguards.

About the speaker

Tomas Kokolevsky

Tomas is an Information Security Officer with over 13 years of experience specializing in cybersecurity risk management within complex, regulated environments across aerospace, healthcare, and fintech sectors. He currently supports Beyond Gravity, a Swiss space manufacturing company, where he manages enterprise-wide security risk and navigates international data sovereignty and compliance requirements related to cloud and datacenter services. Tomas drives critical cybersecurity risk management strategies that safeguard sensitive enterprise assets, ensure compliance across international jurisdictions, and fortify operational resilience against evolving cyber threats. He advances cybersecurity through knowledge sharing and community involvement.
Copyright © 2025 Swiss Cyber Storm