Is Northflank Really EU? UK Jurisdiction, CLOUD Act Exposure, and GDPR Compliance Explained
Northflank markets itself as a European PaaS provider. Their website lists EU infrastructure regions. Their blog post "Best European PaaS Providers 2026" positions them alongside French and German providers.
What that post does not mention: Northflank is incorporated in England and Wales. The United Kingdom left the European Union on 31 January 2020. Since Brexit, UK incorporation is not EU legal jurisdiction — and for GDPR Art.44, NIS2 Art.21(2)(d), and DORA outsourcing compliance, that distinction is not a formality. It determines which legal framework governs your data, which authorities can compel disclosure, and which courts have jurisdiction over your provider.
This guide breaks down exactly what UK jurisdiction means for developers and CTOs using or evaluating Northflank — and what to look for in a genuinely EU-native alternative.
The Legal Status of Northflank
Northflank Limited is a private company incorporated in England and Wales (Companies House). Its registered office and operational headquarters are in London.
Key legal consequences:
- Governing law: Northflank's contracts and data processing agreements are subject to UK law, not EU law. Disputes are resolved in UK courts.
- Data protection regulator: Northflank is regulated by the UK Information Commissioner's Office (ICO) under UK GDPR — a post-Brexit domestic adaptation of the EU GDPR. ICO enforcement decisions do not bind EU supervisory authorities and vice versa.
- GDPR Art.44 international transfer: Sending personal data from an EU controller or processor to a UK provider constitutes a third-country transfer under GDPR Art.44. It requires a legal transfer mechanism.
The Transfer Mechanism Problem
When you use Northflank as an EU-based business or developer processing EU personal data, your data flows to a UK entity. That transfer requires one of:
- UK adequacy decision (Commission Decision 2021/1772)
- Standard Contractual Clauses (SCCs, Module 2 or 3)
- Binding Corporate Rules (not applicable for a provider of this size)
The Adequacy Decision Risk
The UK adequacy decision — adopted in June 2021 — is currently valid but contains a built-in expiry mechanism. It must be reviewed every four years and can be revoked if UK data protection law diverges materially from EU standards.
The UK adequacy decision is set to expire in June 2027.
The renewal is not guaranteed. The EDPB has previously flagged two specific risks:
- UK Investigatory Powers Act 2016 (IPA): Grants UK intelligence services broad bulk data collection powers without judicial pre-authorisation, which EDPB considers potentially incompatible with GDPR Art.52(1) necessity and proportionality requirements.
- UK reforms to UK GDPR: The UK government's Data (Use and Access) Act 2025 introduced some divergences from EU GDPR — including broader research exceptions and modified consent requirements — that the EDPB is monitoring.
If the adequacy decision is not renewed in June 2027, UK transfers revert to SCCs. If the IPA issue is not resolved, the EDPB could take a restrictive position on UK SCCs (similar to the original Schrems II position on US SCCs). This creates a forward compliance risk that does not exist with EU-incorporated providers.
The Investigatory Powers Act: UK's Equivalent of FISA 702
The US CLOUD Act (18 U.S.C. § 2703) gets significant attention for enabling US government access to data held by US companies globally. UK law contains a comparable mechanism.
The UK Investigatory Powers Act 2016 (IPA) allows:
- UK intelligence services (GCHQ, MI5, MI6) to issue bulk interception warrants covering communications transiting or stored in UK-incorporated entities
- Equipment interference warrants targeting specific devices or networks
- Bulk personal dataset warrants allowing collection of large datasets from third parties
- Access requests served on UK entities for data held anywhere in the world
For a UK-incorporated PaaS provider like Northflank:
- UK government can serve a data access demand on Northflank Ltd for any data Northflank processes, regardless of where the data is stored physically
- UK-incorporated subsidiaries of Northflank in EU countries would similarly be subject to IPA demands via their UK parent
- There is no equivalent of US First Amendment prior restraint on UK demands — UK National Security Letters carry a non-disclosure obligation similar to US NSLs
The practical risk profile is different from CLOUD Act (UK intelligence focus vs US law enforcement + intelligence), but the structural mechanism is the same: physical data location does not determine legal exposure when the corporate entity is subject to UK law.
ICO vs EU DPA: Enforcement Divergence
Since Brexit, ICO and EU DPAs operate independently:
| Dimension | ICO (UK) | EU DPAs (Germany, France, etc.) |
|---|---|---|
| Legal basis | UK GDPR + DPA 2018 | EU GDPR (2016/679) |
| Fines | Up to £17.5M or 4% global turnover | Up to €20M or 4% global turnover |
| Cross-border coordination | Not GDPR Art.60-76 one-stop-shop | Full EDPB cooperation mechanism |
| AI Act jurisdiction | Not applicable (UK not in AI Act scope) | Full AI Act scope (Art.2) |
| NIS2 reporting | NCSC / NCA under UK NIS Regs 2018 | National CAs under NIS2 (Directive 2022/2555) |
This has practical implications:
- If Northflank suffers a data breach affecting EU residents, they notify ICO under UK GDPR Art.33 — not your EU DPA. You, as the controller, still have your own 72-hour notification obligation to your EU supervisory authority.
- GDPR enforcement actions by EU DPAs cannot be directly enforced against UK-based Northflank. You would need to pursue remedies under SCCs or adequacy-based transfer mechanisms.
- For AI Act Art.3(7) ("established in the Union"), UK providers are not EU-established. They are covered by Art.2(1)(c) if they place products on the EU market or target EU users, but the compliance and enforcement pathways differ.
NIS2 Art.21(2)(d): Supply Chain Security
NIS2 Directive Art.21(2)(d) requires essential and important entities to implement measures covering "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers."
For cloud infrastructure specifically, this means assessing:
- Jurisdiction of the provider: Is the provider subject to legal systems that could compel data disclosure?
- Physical data location: Are data centres in EU territory?
- Legal transfer mechanisms: What SCCs or adequacy instruments apply?
- Enforcement accountability: Which DPA has jurisdiction over the provider?
UK-incorporated providers like Northflank require a Transfer Impact Assessment (TIA) as part of your NIS2 supply chain assessment. EU-incorporated providers (Germany, France, Netherlands, etc.) do not require a TIA — they are subject to the same legal framework as your organisation.
NIS2 first compliance audits are expected from 30 June 2026 (63 days away at the time of writing). NCAs in Germany (BSI), France (ANSSI), and the Netherlands (NCSC-NL) are developing audit frameworks that specifically assess cloud supply chain risk under Art.21(2)(d).
DORA Art.28: ICT Third-Party Risk
For financial services firms subject to DORA (Regulation 2022/2554), outsourcing to UK providers adds documentation requirements under Art.28 (ICT third-party risk management):
- Art.28(2): ICT third-party service providers must be assessed for legal and operational risks in all relevant jurisdictions.
- Art.28(4): Contracts must include jurisdiction and governing law clauses — which for a UK entity means UK law, creating a cross-border enforcement asymmetry.
- Art.28(7): Financial entities must assess exit strategies from ICT providers — a UK provider post-June-2027 (if adequacy lapses) triggers enhanced exit planning obligations.
ESA technical standards under DORA Art.28 are pending. Early guidance from EBA and ECB suggests that jurisdictional risk should be explicitly addressed in ICT third-party assessments. UK providers are likely to require a higher documentation burden than EU-incorporated equivalents.
What "EU-Native" Actually Means
An EU-native PaaS provider is:
- Incorporated in an EU member state (Germany, France, Netherlands, etc.)
- Regulated by an EU DPA (BfDI, CNIL, AP, etc.)
- Subject to EU law — including EU AI Act, NIS2, GDPR directly
- No jurisdictional bridge to non-EU legal systems for compelled disclosure
This is different from:
- EU region on a US provider (AWS Frankfurt, Azure Amsterdam) — US CLOUD Act still applies
- EU infrastructure from a UK provider (Northflank EU data centres) — IPA still applies to the UK parent
- EU subsidiary of a US/UK provider — parent company can be compelled to direct the subsidiary
The comparison above, as a runnable Python model:

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class JurisdictionRisk(Enum):
    CLEAN = "CLEAN"    # EU-incorporated, no third-country bridge
    WATCH = "WATCH"    # Adequacy-dependent, monitor renewal
    REVIEW = "REVIEW"  # SCC required, TIA recommended
    HIGH = "HIGH"      # Active legal conflict risk


@dataclass
class PaaSJurisdictionProfile:
    name: str
    incorporation_country: str
    eu_member_state: bool
    dpa: str
    adequacy_or_scc: Optional[str]
    compelled_disclosure_law: Optional[str]
    ai_act_established_in_eu: bool
    nis2_tia_required: bool
    risk: JurisdictionRisk
    note: str


def evaluate_jurisdiction(profile: PaaSJurisdictionProfile) -> dict:
    issues = []
    if not profile.eu_member_state:
        issues.append(f"Not EU-incorporated: {profile.incorporation_country}")
    if profile.nis2_tia_required:
        issues.append("NIS2 Art.21(2)(d) Transfer Impact Assessment required")
    # The profile strings carry extra detail ("adequacy (expires June 2027)",
    # "England and Wales (UK)"), so match on prefix/substring rather than equality,
    # otherwise the UK adequacy warning never fires.
    if (profile.adequacy_or_scc or "").startswith("adequacy") and "UK" in profile.incorporation_country:
        issues.append("UK adequacy decision expires June 2027 — renewal uncertain")
    if profile.compelled_disclosure_law:
        issues.append(f"Compelled disclosure exposure: {profile.compelled_disclosure_law}")
    if not profile.ai_act_established_in_eu:
        issues.append("Not 'established in the Union' under AI Act Art.3(7)")
    return {
        "provider": profile.name,
        "risk": profile.risk.value,
        "issues": issues,
        "transfer_mechanism": profile.adequacy_or_scc or "None required (EU)",
        "dpa": profile.dpa,
    }


providers = [
    PaaSJurisdictionProfile(
        name="Northflank",
        incorporation_country="England and Wales (UK)",
        eu_member_state=False,
        dpa="ICO (UK) — not EU DPA",
        adequacy_or_scc="adequacy (expires June 2027)",
        compelled_disclosure_law="Investigatory Powers Act 2016",
        ai_act_established_in_eu=False,
        nis2_tia_required=True,
        risk=JurisdictionRisk.WATCH,
        note="UK adequacy expiry 2027 creates forward compliance risk",
    ),
    PaaSJurisdictionProfile(
        name="Clever Cloud",
        incorporation_country="France",
        eu_member_state=True,
        dpa="CNIL (France)",
        adequacy_or_scc=None,
        compelled_disclosure_law=None,
        ai_act_established_in_eu=True,
        nis2_tia_required=False,
        risk=JurisdictionRisk.CLEAN,
        note="EU-incorporated; no transfer mechanism required",
    ),
    PaaSJurisdictionProfile(
        name="sota.io",
        incorporation_country="Germany",
        eu_member_state=True,
        dpa="BfDI / LfDI Baden-Württemberg",
        adequacy_or_scc=None,
        compelled_disclosure_law=None,
        ai_act_established_in_eu=True,
        nis2_tia_required=False,
        risk=JurisdictionRisk.CLEAN,
        note="German GmbH; EU-native infrastructure; no CLOUD Act / IPA exposure",
    ),
    PaaSJurisdictionProfile(
        name="AWS (Frankfurt region)",
        incorporation_country="USA (Delaware)",
        eu_member_state=False,
        dpa="N/A — regulated by FTC / DOJ",
        adequacy_or_scc="SCCs + AWS DPA",
        compelled_disclosure_law="US CLOUD Act (18 U.S.C. §2703) + FISA 702",
        ai_act_established_in_eu=False,
        nis2_tia_required=True,
        risk=JurisdictionRisk.REVIEW,
        note="Physical EU region does not remove US legal jurisdiction",
    ),
]

for provider in providers:
    result = evaluate_jurisdiction(provider)
    print(f"\n{result['provider']} [{result['risk']}]")
    print(f"  DPA: {result['dpa']}")
    print(f"  Transfer mechanism: {result['transfer_mechanism']}")
    for issue in result['issues']:
        print(f"  ⚠ {issue}")
```
15-Item EU Jurisdiction Checklist
Before selecting a PaaS provider for workloads processing EU personal data:
Incorporation and Legal Framework
- 1. Provider incorporated in an EU member state (check company registry, not just HQ address)
- 2. Governing law clause in DPA references EU law, not UK or US law
- 3. Disputes subject to EU courts or member state courts
- 4. Regulated DPA is an EU supervisory authority (EDPB member), not ICO or FTC
GDPR Transfer Compliance
- 5. No GDPR Art.44 international transfer required (EU incorporation) — or SCCs/adequacy explicitly documented
- 6. If adequacy-based: adequacy decision reviewed and renewal status assessed for planning horizon
- 7. Transfer Impact Assessment completed if SCCs required (NIS2 Art.21(2)(d))
- 8. Sub-processors listed in DPA are also EU-incorporated (or separately assessed)
Compelled Disclosure Risk
- 9. Provider not subject to CLOUD Act (18 U.S.C. §2703) via US parent or incorporation
- 10. Provider not subject to UK Investigatory Powers Act 2016 via UK incorporation
- 11. Provider not subject to equivalent third-country intelligence access laws (CN PIPL, RU SORM, etc.)
NIS2 and AI Act Compliance
- 12. NIS2 Art.21(2)(d) supply chain assessment completed for provider jurisdiction
- 13. AI Act Art.3(7) "established in the Union" status verified if relevant to AI system compliance pathway
- 14. Incident reporting obligations aligned: provider notifies EU authority, not foreign regulator only
Documentation and Exit Planning
- 15. Exit plan documents adequacy-lapse contingency (June 2027 for UK providers)
The June 2027 Adequacy Cliff
If you deploy on Northflank today and the UK adequacy decision lapses in June 2027 without renewal:
- You immediately need SCCs in place for continued data transfers
- Your Transfer Impact Assessment must assess whether SCCs are adequate given the IPA
- If the EDPB determines IPA-based UK SCCs are inadequate (a risk the EDPB has foreshadowed), UK-incorporated providers become high-risk for EU personal data
Planning a 3-year infrastructure strategy? UK adequacy expiry in June 2027 is a known risk event that EU-native infrastructure eliminates entirely.
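The adequacy-cliff timeline above, as an added Python example that is not code from this post, from sota.io, or from Northflank: it splits an infrastructure planning horizon into windows and assigns each window the transfer mechanism it needs, so an adequacy lapse inside the horizon shows up as a separate SCC/TIA phase with a deadline before the expiry date. The `TransferProfile` fields, the `plan_transfers` and `risk_after_lapse` functions and the sample profiles are this example's own assumptions; the exact expiry day (27 June 2027) is also an assumption, since the post gives only the month.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Assumption: the post says "June 2027"; the exact day is this example's own
# constant (four years after the June 2021 decision), not a value from the post.
UK_ADEQUACY_EXPIRY = date(2027, 6, 27)
SAMPLE_START = date(2026, 5, 1)  # constructed planning start date for the run below


@dataclass
class TransferProfile:
    """Hypothetical minimal provider profile (field names are this example's own)."""
    provider: str
    eu_member_state: bool
    adequacy_expiry: Optional[date]        # None: no adequacy decision applies
    compelled_disclosure_law: Optional[str]


@dataclass
class TransferPhase:
    start: date
    end: date
    mechanism: str                          # legal basis for transfers in this window
    actions: List[str] = field(default_factory=list)


def add_years(d: date, years: int) -> date:
    """Move a date forward by whole years; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def plan_transfers(profile: TransferProfile, planning_start: date,
                   horizon_years: int) -> List[TransferPhase]:
    """Split the horizon into windows, each with the transfer mechanism it needs.
    Renewal is deliberately NOT assumed: a lapse inside the horizon yields an SCC phase."""
    horizon_end = add_years(planning_start, horizon_years)

    # EU-incorporated provider: GDPR Art.44 is not engaged at all.
    if profile.eu_member_state:
        return [TransferPhase(planning_start, horizon_end, "none required (EU)")]

    scc_actions = ["Execute SCCs (Module 2 or 3) with the provider"]
    if profile.compelled_disclosure_law:
        scc_actions.append(
            f"TIA must assess whether SCCs hold against {profile.compelled_disclosure_law}")
    scc_actions.append("Document an exit plan (DORA Art.28(7) / NIS2 Art.21(2)(d))")

    # Third country with no (or an already lapsed) adequacy decision: SCCs from day one.
    if profile.adequacy_expiry is None or profile.adequacy_expiry <= planning_start:
        return [TransferPhase(planning_start, horizon_end, "SCCs + TIA", scc_actions)]

    # Adequacy outlives the horizon: a single phase, but the renewal still needs watching.
    if profile.adequacy_expiry >= horizon_end:
        return [TransferPhase(planning_start, horizon_end, "adequacy",
                              ["Monitor adequacy renewal status"])]

    # Adequacy lapses inside the horizon: adequacy now, SCCs afterwards.
    # The SCC/TIA work must be finished before the expiry date, not started after it.
    return [
        TransferPhase(planning_start, profile.adequacy_expiry, "adequacy",
                      [f"Complete SCC/TIA work before {profile.adequacy_expiry.isoformat()}"]),
        TransferPhase(profile.adequacy_expiry, horizon_end, "SCCs + TIA", scc_actions),
    ]


def risk_after_lapse(profile: TransferProfile, edpb_restricts_sccs: bool) -> str:
    """Post-lapse risk label in the post's vocabulary: CLEAN / REVIEW / HIGH."""
    if profile.eu_member_state:
        return "CLEAN"
    if edpb_restricts_sccs and profile.compelled_disclosure_law:
        return "HIGH"    # SCCs judged inadequate against the disclosure law
    return "REVIEW"      # SCCs + TIA remain a workable mechanism


# Constructed sample profiles (illustrative, not any provider's legal data).
UK_PROVIDER = TransferProfile("uk-paas", False, UK_ADEQUACY_EXPIRY, "Investigatory Powers Act 2016")
DE_PROVIDER = TransferProfile("de-paas", True, None, None)
US_PROVIDER = TransferProfile("us-paas", False, None, "US CLOUD Act (18 U.S.C. §2703)")

if __name__ == "__main__":
    for p in (UK_PROVIDER, DE_PROVIDER, US_PROVIDER):
        print(f"\n{p.provider}: 3-year plan from {SAMPLE_START}")
        for ph in plan_transfers(p, SAMPLE_START, 3):
            print(f"  {ph.start} -> {ph.end}: {ph.mechanism}")
            for a in ph.actions:
                print(f"    - {a}")
        print(f"  risk if EDPB restricts SCCs: {risk_after_lapse(p, True)}")
```

Run with a one-year horizon and the UK profile collapses to a single adequacy phase; with three years it splits at the expiry date, which is the point of the post's planning warning: the horizon, not today's status, decides whether the contingency is needed.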
Northflank for Non-Personal-Data Workloads
If your workload does not process EU personal data — open-source builds, public static assets, development environments with synthetic data — UK jurisdiction creates no GDPR compliance risk. Northflank's developer experience and pricing may be appropriate for those workloads.
The jurisdictional analysis above applies specifically to workloads where GDPR, NIS2, DORA, or the EU AI Act creates regulatory obligations around the legal framework governing your infrastructure provider.
EU-Native PaaS: What the Alternative Looks Like
An EU-native PaaS provider incorporated in Germany, France, or the Netherlands gives you:
- Zero GDPR Art.44 transfer overhead — same legal framework as your organisation
- EU DPA as the competent supervisory authority
- No IPA or CLOUD Act compelled disclosure exposure
- AI Act Art.3(7) "established in the Union" status
- NIS2 Art.21(2)(d) supply chain assessment with no jurisdictional risk flag
- No adequacy-expiry contingency planning required
sota.io is a managed PaaS provider incorporated in Germany. EU-native infrastructure, no US or UK parent company, regulated under EU GDPR with BfDI as the competent authority. Managed Docker and PostgreSQL deployments from €9/month — with the jurisdictional clean-slate that EU compliance requires.
Related reading: Best European PaaS Providers 2026: GDPR, DORA, and Real EU Jurisdiction Compared · EU Region vs EU Jurisdiction: Why Railway Frankfurt Still Has CLOUD Act Exposure · NIS2 Compliance with EU-Native PaaS: June 2026 Audit Deadline Checklist