EU PAM Comparison 2026: CyberArk vs BeyondTrust vs Delinea vs HashiCorp Vault — CLOUD Act Scores Ranked
Post #5/5 (Finale) in the sota.io EU PAM Series
Privileged Access Management is the single most sensitive security layer in your EU infrastructure. PAM systems hold the keys to everything: production databases, cloud consoles, cryptographic secrets, audit trails of every administrator action. Under GDPR Article 4(1), every session recording of an EU employee is personal data. Under NIS2 Article 21(2)(i) and DORA Article 9(4)(d), PAM controls are mandatory for essential entities and financial institutions — not optional best practice, but enforceable compliance.
Yet every dominant PAM vendor — CyberArk, BeyondTrust, Delinea, and now HashiCorp Vault under IBM ownership — is a US company subject to the CLOUD Act. That means US law enforcement can compel access to your vault credentials, session recordings, and privileged account inventories without notifying your organisation, without a European court order, and without GDPR compatibility.
This comparison series covered each vendor in depth. This finale ranks them head-to-head on CLOUD Act exposure, GDPR risk vectors, and total cost of EU sovereignty.
The PAM CLOUD Act Scoreboard
Each score reflects cumulative US-law exposure: parent company jurisdiction, PE/investor chains, federal contractor relationships, cloud control-plane architecture, and intelligence-community partnerships.
| Vendor | CLOUD Act Score | Parent / Owner | Headquarters | Key Risk |
|---|---|---|---|---|
| HashiCorp Vault | 20/25 | IBM Corp. (acquired 2024) | Armonk NY + HCP control plane | IBM federal contractor; HCP Vault SaaS = US-jurisdiction keystore |
| CyberArk | 19/25 | CyberArk Software Inc. (NASDAQ: CYBR) | Newton MA / Delaware | Dual-listed US corp; Privilege Cloud SaaS control plane in US |
| BeyondTrust | 17/25 | Francisco Partners PE (San Francisco) | Atlanta GA | PE-owned = opaque governance; Cloud-based access paths |
| Delinea | 16/25 | Delinea Inc. (Thycotic + Centrify merger) | Redwood City CA | Merger complexity; Secret Server Cloud SaaS US-hosted |
Key finding: All four vendors score 16–20 out of 25. There is no "safe" US PAM vendor for EU data — only degrees of exposure.
Dimension-by-Dimension Breakdown
1. Company Jurisdiction & Intelligence Relationships
HashiCorp Vault (IBM): 20/25 — IBM Corp. holds contracts with the NSA, CIA, DoD, and FBI. After the 2024 acquisition of HashiCorp, the entire Vault product line — including HCP Vault (cloud), Vault Enterprise, and the open-source fork governance — falls under IBM's US federal contractor obligations. A National Security Letter (NSL) to IBM does not require notification to HashiCorp, EU customers, or European data protection authorities.
CyberArk: 19/25 — A Delaware corporation publicly traded on Nasdaq (CYBR), CyberArk has no EU parent entity. Its Privilege Cloud SaaS and Identity Security Platform are US-jurisdiction services. CyberArk cooperates with US law enforcement under ECPA, PRISM, and CLOUD Act frameworks. Its federal government division serves DHS, DoD, and civilian agencies.
BeyondTrust: 17/25 — Owned by Francisco Partners, a San Francisco-based private equity firm with opaque portfolio governance. PE ownership adds a layer of structural opacity: jurisdiction of LP investors, data-sharing provisions in fund documents, and governance of subsidiary entities are not publicly disclosed. BeyondTrust's Privileged Remote Access and Password Safe cloud products are operated under US service agreements.
Delinea: 16/25 — The merger of Thycotic (Washington DC) and Centrify (Sunnyvale CA) in 2021 created layered jurisdictional complexity. Delinea Inc. is incorporated in California/Delaware. Secret Server Cloud is US-hosted. The merger also created multiple legacy data-processing agreements whose EU-compliance status has not been independently audited since the combination.
2. SaaS vs Self-Hosted Architecture Risk
The most critical architectural distinction for EU sovereignty is whether the PAM control plane runs inside your EU perimeter or in a US-operated cloud.
| Vendor | SaaS Offering | Self-Hosted Option | Control Plane Location |
|---|---|---|---|
| HashiCorp Vault | HCP Vault (AWS us-east-1 primary) | Vault CE / Enterprise | US (HCP) / EU if self-hosted |
| CyberArk | Privilege Cloud (AWS/Azure) | CyberArk PAS on-prem | US primary (EU region available but IBM/AWS jurisdiction) |
| BeyondTrust | Privileged Remote Access Cloud | BeyondTrust PRA on-prem | US primary |
| Delinea | Secret Server Cloud | Secret Server on-prem | US |
GDPR implication: Even when a vendor offers EU cloud regions, the control plane — authentication services, licensing servers, update infrastructure — may remain in US jurisdiction. A CLOUD Act order can target the control plane independently of where data is stored.
Self-hosted verdict: All four vendors support self-hosted deployment on EU infrastructure. For EU organisations requiring GDPR Article 44 compliance, self-hosted deployment behind EU infrastructure is the minimum viable configuration — but it does not eliminate software supply chain risk (updates, license calls, telemetry).
3. Session Recording & GDPR Article 4(1)
PAM session recordings are the highest-risk personal data category in enterprise IT:
- Every keystroke, command, screen capture of an EU administrator session = personal data under GDPR Article 4(1)
- Session recordings must be retained for audit purposes (NIS2, DORA, ISO 27001)
- Storage location, access controls, and third-party compellability must be documented in the ROPA
What this means by vendor:
HashiCorp Vault: Vault itself does not natively record sessions — it manages secrets and credentials, not sessions. However, Vault's audit device logs every API call including which identity accessed which secret. Under IBM ownership, these audit logs at HCP Vault level are US-jurisdiction personal data.
CyberArk Privilege Cloud: Includes session recording (Privileged Session Manager). Session videos and logs stored in Privilege Cloud SaaS are under US jurisdiction even if your CyberArk environment is in an EU AWS region. The "Vault" component of PSM still reports to the US-operated control plane.
BeyondTrust: Privileged Remote Access includes session recording. Under the PE governance of Francisco Partners, data-sharing obligations to fund LPs are not publicly documented. GDPR Art. 28 DPA review should cover parent-company data access rights.
Delinea: Connection Manager (session recording) logs stored in Secret Server Cloud are US-hosted. On-premises Secret Server can be configured to store recordings in EU storage, but licensing telemetry still contacts Delinea US infrastructure.
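The Vault audit trail mentioned above shows why a secrets manager's logs are themselves personal data under Article 4(1): every entry ties an identity to a secret path, a timestamp and a source address. The following added example (not from this post, HashiCorp, IBM or OpenBao) builds a per-identity access inventory from file-audit-device entries; the field names follow Vault's audit log format, and the log lines themselves are constructed.

```python
"""Per-identity access inventory from Vault/OpenBao file-audit-device entries.
Added example for this post; the audit lines below are constructed."""
import json
from collections import defaultdict

# The audit device writes one JSON object per line and emits a "request" and a
# "response" entry per API call. Tokens and secret values are HMAC-SHA256'd
# before logging, but display_name, entity_id and remote_address are not.
SAMPLE_AUDIT_LOG = """\
{"time":"2026-01-15T09:12:33Z","type":"request","auth":{"display_name":"ldap-jdoe","entity_id":"ent-0001","policies":["default","db-admin"]},"request":{"operation":"read","path":"secret/data/prod/db/postgres","remote_address":"10.0.4.21"}}
{"time":"2026-01-15T09:12:33Z","type":"response","auth":{"display_name":"ldap-jdoe","entity_id":"ent-0001","policies":["default","db-admin"]},"request":{"operation":"read","path":"secret/data/prod/db/postgres","remote_address":"10.0.4.21"},"response":{"data":{"data":{"password":"hmac-sha256:9f2c0000"}}}}
{"time":"2026-01-15T09:14:02Z","type":"response","auth":{"display_name":"ldap-asmith","entity_id":"ent-0002","policies":["default"]},"request":{"operation":"read","path":"secret/data/prod/db/postgres","remote_address":"10.0.4.77"},"error":"permission denied"}
{"time":"2026-01-15T09:20:45Z","type":"response","auth":{"display_name":"ldap-jdoe","entity_id":"ent-0001","policies":["default","db-admin"]},"request":{"operation":"update","path":"secret/data/prod/cloud/aws-root","remote_address":"10.0.4.21"},"response":{}}
{"time":"2026-01-15T09:21:00Z","type":"response","auth":{"display_name":"monitoring","entity_id":"","policies":["default"]},"request":{"operation":"read","path":"sys/health","remote_address":"10.0.9.9"},"response":{}}
"""


def parse_audit_entries(text):
    """Yield only "response" entries: one per API call, so request twins are not double-counted."""
    for line in text.splitlines():
        if line.strip():
            entry = json.loads(line)
            if entry.get("type") == "response":
                yield entry


def build_access_inventory(text, ignore_prefixes=("sys/",)):
    """Map each entity_id (the stable identifier of a person across tokens) to the
    secret paths it touched. Denied calls are kept and flagged: a failed attempt is
    still a record about the person and still evidence in an investigation."""
    inventory = defaultdict(lambda: {"display_name": None, "sources": set(), "accesses": []})
    for e in parse_audit_entries(text):
        req, auth = e.get("request", {}), e.get("auth", {})
        path = req.get("path", "")
        if path.startswith(ignore_prefixes) or not auth.get("entity_id"):
            continue  # system endpoints and entity-less tokens have no data subject
        rec = inventory[auth["entity_id"]]
        rec["display_name"] = auth.get("display_name")
        rec["sources"].add(req.get("remote_address"))
        rec["accesses"].append({"time": e["time"], "operation": req.get("operation"),
                                "path": path, "denied": "error" in e})
    return dict(inventory)


def accessors_of(inventory, path):
    """Identities that successfully touched a secret path (incident-response view)."""
    return sorted(ent for ent, rec in inventory.items()
                  if any(a["path"] == path and not a["denied"] for a in rec["accesses"]))


def subject_report(inventory, entity_id):
    """What the log holds about one person, as a data subject access request would need."""
    rec = inventory[entity_id]
    return {"display_name": rec["display_name"], "records": len(rec["accesses"]),
            "paths": sorted({a["path"] for a in rec["accesses"]})}


if __name__ == "__main__":
    inv = build_access_inventory(SAMPLE_AUDIT_LOG)
    print(accessors_of(inv, "secret/data/prod/db/postgres"))
    print(subject_report(inv, "ent-0001"))
```

Wherever these entries are stored, including a SaaS control plane, is where this inventory of EU administrators can be compelled from; the same script works unchanged against an OpenBao audit log.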
4. NIS2 and DORA Compliance Gap Analysis
NIS2 Article 21(2)(i): Essential entities must implement "access control policies, including privileged access management." This mandates PAM tooling — but does not specify that the PAM vendor must be EU-based. However, NIS2 Article 21(2)(f) requires securing "supply chain" integrity, which includes the software and services used in your security stack.
DORA Article 9(4)(d): Financial entities must implement "privileged access management" with specific requirements for "access right management" and segregation of duties. DORA Article 28 on third-party risk requires that ICT service providers (including PAM vendors) meet contractual standards that regulators can enforce — which is harder when the vendor is a US company subject to CLOUD Act.
EBA/ESMA supervisory risk: European banking regulators have flagged concentration risk in US-controlled security tooling. PAM systems sit at the apex of the security control hierarchy — compelled access to your PAM SaaS is functionally equivalent to compelled access to your entire infrastructure.
5. CLOUD Act Score: Detailed Justification
HashiCorp Vault (IBM): 20/25
| Risk Category | Score | Justification |
|---|---|---|
| Parent company jurisdiction | 4/4 | IBM Corp. Delaware/NY, NYSE-listed US corporation |
| Federal contractor status | 4/4 | IBM: NSA, CIA, DoD, FBI contracts (active) |
| Cloud control plane | 3/4 | HCP Vault on AWS us-east-1; EU region = shared global control plane |
| Investor/governance chain | 2/4 | Public company; clear governance but US-only board |
| FISA/intelligence exposure | 4/4 | IBM = PRISM-confirmed partner; Section 702 FISA |
| Supply chain telemetry | 3/5 | Vault CE has audit log, HCP Vault sends full telemetry to IBM |
Total: 20/25
CyberArk: 19/25
| Risk Category | Score | Justification |
|---|---|---|
| Parent company jurisdiction | 4/4 | CyberArk Software Inc., Delaware/Nasdaq |
| Federal contractor status | 3/4 | DHS, DoD, civilian agencies (not NSA/CIA direct) |
| Cloud control plane | 4/4 | Privilege Cloud SaaS — US-hosted control plane mandatory for cloud tier |
| Investor/governance chain | 2/4 | Public company; institutional US investors dominant |
| FISA/intelligence exposure | 3/4 | No confirmed PRISM partnership, but subject to FISA 702 as US corp |
| Supply chain telemetry | 3/5 | Privilege Cloud mandatory telemetry; on-prem more limited |
Total: 19/25
BeyondTrust: 17/25
| Risk Category | Score | Justification |
|---|---|---|
| Parent company jurisdiction | 3/4 | BeyondTrust Corp., Atlanta GA / Delaware |
| Federal contractor status | 2/4 | Federal clients but not Tier-1 intel contractor |
| Cloud control plane | 3/4 | PRA Cloud US-hosted; EU region partial |
| Investor/governance chain | 4/4 | Francisco Partners PE — LP data-sharing obligations opaque |
| FISA/intelligence exposure | 2/4 | Standard US-corp exposure without confirmed intel contracts |
| Supply chain telemetry | 3/5 | Cloud products: significant telemetry; on-prem: license calls |
Total: 17/25
Delinea: 16/25
| Risk Category | Score | Justification |
|---|---|---|
| Parent company jurisdiction | 3/4 | Delinea Inc., California/Delaware corp |
| Federal contractor status | 2/4 | Some federal clients via legacy Centrify |
| Cloud control plane | 3/4 | Secret Server Cloud US-hosted; EU region limited |
| Investor/governance chain | 3/4 | TA Associates PE + merger complexity |
| FISA/intelligence exposure | 2/4 | Standard US-corp exposure |
| Supply chain telemetry | 3/5 | Cloud: mandatory; on-prem: license phone-home |
Total: 16/25
EU-Native PAM Alternatives: 0/25 Options
The following vendors have EU headquarters, EU-only data processing, and no US parent company — resulting in CLOUD Act scores of 0–3/25.
Wallix Bastion — 0/25 ⭐ Top Pick
Company: Wallix Group SA, Paris, France (Euronext Growth: ALWAL)
Headquarters: Paris, France
CLOUD Act exposure: 0/25 — pure French company, no US investors in governance chain, no US cloud infrastructure
Why it matters:
- ANSSI CSPN certified (French National Cybersecurity Agency)
- BSI C5 certified (German Federal Office for Information Security)
- Listed as NIS2 and DORA compliant by ANSSI
- Session Manager, Password Manager, Access Manager — full PAM feature parity
- Available as SaaS (EU-hosted, OVHcloud infrastructure) or self-hosted
- Listed in French and German government procurement frameworks
Feature comparison vs CyberArk:
- Session recording: yes (RDP, SSH, web)
- Privileged password vault: yes
- Dynamic secrets: limited (vs HashiCorp Vault)
- MFA enforcement: yes (FIDO2, TOTP, smart card)
- LDAP/AD integration: yes
- API access management: yes
Pricing: Starts at ~€15–25/user/month for SaaS (vs CyberArk Privilege Cloud €40–80/user/month). On-premises licensing available.
OpenBao — 0/25 (HashiCorp Vault Fork)
Company: Linux Foundation project (no single corporate owner)
Fork origin: HashiCorp Vault, post-IBM acquisition (BSL license conflict → Mozilla Public License 2.0)
CLOUD Act exposure: 0/25 — community governance, no US corporate parent
Why it matters:
- 100% API-compatible with HashiCorp Vault — migration is drop-in for most configurations
- Mozilla Public License 2.0 — permanently open source, no IBM BSL restrictions
- Linux Foundation governance — no single company can compel access or change licensing
- Ideal for organisations running self-hosted Vault who want to eliminate IBM supply chain risk
Limitations vs HashiCorp Vault Enterprise:
- No Vault Enterprise features (HSM auto-unseal, namespaces at scale)
- Smaller community, slower patch cadence for edge cases
- HCP Vault replacement: not yet — pure self-hosted
Best for: Organisations running Vault CE/Enterprise self-hosted on EU infrastructure who want to eliminate IBM/HashiCorp vendor lock-in and supply chain risk post-acquisition.
Teleport Community Edition — 0/25 (Self-Hosted)
Company: Gravitational Inc., San Francisco CA
CLOUD Act exposure (cloud): ~12/25 (US company)
CLOUD Act exposure (self-hosted CE): 0/25 — open source Apache 2.0, EU-self-hosted
Important distinction: Teleport Cloud (gravitational.io hosted) is a US SaaS product with standard CLOUD Act exposure. Teleport CE self-hosted on EU infrastructure is a different product with 0/25 exposure.
Why Teleport CE self-hosted matters:
- SSH, Kubernetes, database, application access management — infrastructure PAM
- Phishing-resistant MFA with hardware key support (FIDO2, WebAuthn)
- Session recording built-in with S3-compatible storage (use EU object storage)
- Apache 2.0 license — no commercial restrictions, no phone-home
- SOC2 Type II audit infrastructure (your own deployment)
Limitation: No privileged password vault (unlike CyberArk or Delinea). Best for infrastructure access management, not secret storage.
PrivX Community Edition — ~1/25
Company: SSH Communications Security Oyj, Helsinki, Finland (Nasdaq Helsinki: SSH1V)
CLOUD Act exposure: ~1/25 — Finnish company, EU-listed, minor US investor exposure
Why it matters:
- SSH Communications Security invented the SSH protocol in 1995
- PrivX is a zero-standing-privilege PAM solution — no permanent credentials, just-in-time access
- ANSSI and BSI relationships through Finnish/EU security certification ecosystem
- Community Edition is free for up to 20 targets
Feature strength: Just-in-time access (JIT) is stronger than CyberArk's approach — credentials exist only for the duration of the session. This eliminates the "sleeping credentials" attack vector that caused multiple major PAM breaches.
Migration Decision Framework
When to choose Wallix Bastion
- You need EU-certified PAM (ANSSI CSPN, BSI C5) for NIS2 essential entity compliance
- You're in a regulated sector (finance, energy, healthcare) with DPA audit risk
- You need SaaS deployment without building EU self-hosted infrastructure
- You require French or German government procurement compliance
When to choose OpenBao
- You're already running HashiCorp Vault CE/Enterprise self-hosted
- Post-IBM acquisition, you want to eliminate supply chain risk
- Dynamic secrets and PKI are core to your infrastructure
- You have engineering capacity to manage a self-hosted secrets engine
When to choose Teleport CE (self-hosted)
- Your primary use case is infrastructure access (SSH, K8s, databases)
- You have an EU self-hosted environment you control
- You want zero-trust access without standing credentials
- You need a Vault-independent solution focused on access paths, not secret storage
When to stay with a US vendor (with mitigations)
- Contract obligations prevent switching for 12+ months
- Mitigation: Enforce on-premises or EU-hosted deployment, disable cloud sync/telemetry, encrypt all session recordings with EU-held keys, document in the ROPA, and ensure SCCs are in place
Total Cost of Sovereignty: Switching from US PAM to EU-Native
Real migration costs (estimates, 2026 market rates)
| Item | US Vendor (CyberArk Cloud) | Wallix Bastion SaaS | OpenBao Self-Hosted |
|---|---|---|---|
| License/SaaS | €40–80/user/month | €15–25/user/month | Free (OSS) |
| Implementation | €50–200K (systems integrator) | €20–80K | €30–60K (internal + consulting) |
| Training | €10–30K | €5–15K | €5–10K (community resources) |
| EU hosting (self-hosted) | N/A (cloud) | Included | €500–2K/month (Hetzner/OVHcloud) |
| Ongoing support | Included in license | Included / Wallix support tiers | Community + optional commercial |
| 5-year TCO (100 users) | €300–600K | €100–200K | €80–150K |
Bottom line: EU-native PAM is significantly cheaper than US enterprise PAM, while eliminating CLOUD Act exposure entirely.
GDPR Articles You Need to Address Before PAM Renewal
Article 44 (Transfers to third countries): Any PAM SaaS with a US control plane constitutes a transfer of personal data (session recording = admin personal data) to the US. Standard Contractual Clauses (SCCs) are required — but SCCs do not protect against CLOUD Act orders.
Article 28 (Processor agreements): Your PAM vendor is a data processor. The DPA must cover session recording retention, deletion rights, sub-processor disclosure, and audit rights. US PAM vendors' standard DPAs frequently exempt intelligence-community access.
Article 32 (Security of processing): Privileged access logs and session recordings are Article 32(1)(a) "appropriate technical measures." Storing these in a US-controlled SaaS undermines the Article 32 obligation to protect personal data against "unauthorised access."
Article 35 (DPIA): A PAM system handling privileged access to the entire infrastructure qualifies for mandatory DPIA under Article 35(3)(b) (large-scale processing of sensitive data) if it handles EU employee personal data. The DPIA must document the US jurisdiction risk.
The PAM Series: Complete CLOUD Act Picture
This five-part series analysed the four dominant US PAM vendors:
| Post | Vendor | CLOUD Act | Key Finding |
|---|---|---|---|
| #1/5: CyberArk | CyberArk Software Inc. | 19/25 | Privilege Cloud SaaS = mandatory US control plane; DHS/DoD federal contractor |
| #2/5: BeyondTrust | BeyondTrust (Francisco Partners) | 17/25 | PE-owned opacity; PRA Cloud US-hosted; LP governance undisclosed |
| #3/5: Delinea | Delinea Inc. (Thycotic+Centrify) | 16/25 | Merger complexity; Secret Server Cloud US; legacy DPA gaps |
| #4/5: HashiCorp Vault | HashiCorp/IBM Corp. | 20/25 | IBM NSA/CIA contracts; HCP Vault = US-jurisdiction keystore; OpenBao fork available |
| #5/5: This Comparison | All four | 16–20/25 | No safe US PAM vendor — EU-native or self-hosted required for GDPR Art.44 |
Verdict
There is no safe US PAM vendor for EU-regulated organisations. CyberArk, BeyondTrust, Delinea, and HashiCorp Vault all score 16–20 out of 25 on CLOUD Act exposure — meaning all four present material risk that a US government order could compel access to your most sensitive infrastructure layer.
The path to GDPR Article 44 compliance for PAM is binary:
Option A: EU-native vendor (Wallix Bastion, PrivX) — full sovereign control, EU certification, simpler DPA
Option B: Self-hosted OSS on EU infrastructure (OpenBao, Teleport CE) — zero CLOUD Act exposure, engineering investment required
For NIS2 essential entities and DORA-regulated financial institutions, Option A is the path of least regulatory resistance. For engineering-led organisations already running self-hosted infrastructure, Option B offers maximum flexibility at lowest software cost.
The question is no longer "should we switch?" — it's "when, and at what pace?"
sota.io helps EU teams build sovereign cloud infrastructure without US jurisdiction risk.