Qualys EU Alternative 2026: CLOUD Act 19/25 and NIS2 Vulnerability Management Compliance
Post #1184 in the sota.io EU Cyber Compliance Series — EU Vulnerability Management Series #2/5
NIS2 Article 21(2)(g) mandates structured vulnerability management for all essential and important entities across the EU. DORA Article 9(4)(c) mirrors this requirement for the financial sector. Organisations that do not continuously assess, prioritise, and remediate vulnerabilities are now in active breach of EU law — not merely behind on best practices.
The challenge for European IT and security teams is that the vulnerability management market is dominated by US SaaS platforms. Qualys is one of the most widely deployed: the Qualys Cloud Platform runs on hundreds of millions of assets globally, and its VMDR (Vulnerability Management, Detection and Response) product is embedded in enterprise security programmes across every regulated sector in the EU.
The problem is structural. Qualys Inc. is incorporated in Delaware, headquartered in Foster City, California, and publicly listed on NASDAQ (QLYS). Its Cloud Platform operates on infrastructure under US corporate control. It holds FedRAMP Authorization — which signals not reduced government access, but rather the opposite: Qualys has already satisfied US federal government security vetting requirements, establishing exactly the kind of relationship that CLOUD Act subpoenas are designed to exploit.
When EU organisations run Qualys Cloud Platform, their vulnerability scan data — asset inventories, CVE exposure lists, patch gaps, software bill of materials, configuration compliance failures — flows to a system that US authorities can compel Qualys to disclose. That data is a complete picture of your organisation's security posture. The CLOUD Act does not require prior notice to the data subject or to the EU supervisory authority.
What Qualys Actually Is
Qualys was founded in 1999 by Philippe Courtot and Gerhard Eschelbeck. It was the first company to deliver vulnerability scanning as a cloud-based SaaS service — a significant architectural bet at a time when most security tooling was installed on-premises. The company IPO'd on NASDAQ in 2012 and remains independent, unlike many peers that have been acquired by private equity.
Today Qualys offers a unified Cloud Platform with the following principal modules:
- VMDR (Vulnerability Management, Detection and Response) — continuous discovery, assessment, prioritisation, and remediation tracking across on-premises, cloud, and container environments
- CSAM (CyberSecurity Asset Management) — complete asset inventory including unmanaged/unknown assets discovered via passive traffic analysis
- WAS (Web Application Scanning) — dynamic application security testing for web applications and APIs
- Container Security — image scanning and runtime protection for container workloads
- FIM (File Integrity Monitoring) — real-time detection of unauthorised file and configuration changes
- PM (Patch Management) — automated patch deployment integrated with vulnerability data
- TotalCloud — cloud workload protection for AWS, Azure, and GCP environments
The core delivery mechanism is the Qualys Cloud Agent: a lightweight sensor deployed on every managed endpoint that continuously collects configuration data, installed software inventory, and system metadata. Cloud Agents communicate directly with the Qualys Cloud Platform — including its EU-hosted nodes — but the parent corporate entity that controls and operates that infrastructure is incorporated in the United States.
CLOUD Act Score: 19 / 25
| Risk Factor | Score | Reasoning |
|---|---|---|
| US corporate entity (Delaware) | 5/5 | Qualys Inc., Foster City CA, NASDAQ:QLYS |
| Publicly traded US company | 3/5 | Listed on NASDAQ, SEC reporting obligations |
| FedRAMP Authorization | 4/5 | FedRAMP High authorized, used by DHS, DoD, DISA |
| US government partnerships | 3/5 | CISA JCDC member, DISA APL listed, NSA/CSS partner |
| Cloud architecture (US control plane) | 2/5 | EU data centres exist but corporate control is US |
| No EU sovereignty certification | 2/5 | No BSI C5, no ANSSI SecNumCloud, no EUCS Level 3 |
| Total | 19/25 | High CLOUD Act exposure |
For comparison: Greenbone (EU-native) scores 0/25. A Qualys alternative running on EU infrastructure under an EU entity would score 0-2/25.
5 GDPR Risks Specific to Qualys
1. Cloud Agent Telemetry as Personal Data
The Qualys Cloud Agent collects from each endpoint: installed software inventory, running processes, open network connections, file system structure, user account information, and patch compliance status. Under GDPR Article 4(1), data that can be linked — even indirectly — to an identified or identifiable natural person constitutes personal data. A device that belongs to a named employee is traceable to that person.
This telemetry flows to Qualys infrastructure. EU customers can configure EU-hosted nodes (Frankfurt, Amsterdam), but the legal entity operating those nodes is Qualys Inc. — a US corporation subject to CLOUD Act jurisdiction. The fact that data is stored in Frankfurt does not change the corporate structure of the entity that controls access to it.
The CLOUD Act covers cloud data held by US providers regardless of where it is physically stored. A compelled disclosure order issued to Qualys Inc. in California covers data in all Qualys data centres globally.
2. CSAM Asset Inventory as Structured PII Dataset
The CyberSecurity Asset Management module builds a complete inventory of every asset in your environment, including associations between devices and user accounts. This creates a structured, searchable database of employee-to-device relationships — precisely the category of data that GDPR Article 5(1)(b) limits to specific, explicit purposes and Article 25 restricts through data minimisation.
When this inventory resides in a US-controlled cloud, the entire employee-device correlation table is subject to CLOUD Act production orders. For organisations in healthcare, finance, or critical infrastructure, this represents a significant regulatory risk that is rarely modelled in standard vulnerability management procurement assessments.
3. FedRAMP Authorization and Government Oversight Channels
Qualys holds FedRAMP High Authorization — the highest tier of US federal government cloud security certification. This means Qualys has been assessed, approved, and is actively used by US defence and intelligence-adjacent agencies (DISA, DHS, DoD contractors).
FedRAMP is often cited as a security credential in procurement conversations. From a CLOUD Act analysis, it should be treated with caution: FedRAMP authorisation means that US government agencies are contractually integrated into Qualys's operational processes. The oversight and access relationships established for federal customers create institutional channels that are structurally distinct from a pure commercial cloud provider.
4. TruRisk AI Scoring — Cross-Customer Model Training
Qualys uses machine learning to power its TruRisk vulnerability prioritisation system. TruRisk scores are calculated using vulnerability data from across the Qualys customer base, combined with real-time threat intelligence. This implies that your organisation's vulnerability exposure data contributes — in anonymised form — to models trained on aggregate customer data.
GDPR Article 22 and Recital 71 regulate automated decision-making. When a vulnerability management platform uses cross-customer ML to assign risk scores that drive remediation priority decisions, the lawfulness of that processing depends on whether a valid legal basis exists. For many EU organisations, legitimate interest assessments have not been completed for this type of secondary analytics processing.
5. Third-Party Integration Chain
Qualys integrates natively with ServiceNow (US, CLOUD Act 20/25), Splunk (US, acquired by Cisco), Palo Alto XSOAR (US), Jira (now Atlassian, AUS but US infrastructure), and the major US hyperscaler security hubs (AWS Security Hub, Microsoft Defender, Google Security Command Centre). Each integration adds a node in the data flow where vulnerability data — your CVE exposure inventory, patch status, asset records — is accessible to an additional US-controlled system.
GDPR data transfer risk compounds across integration chains. An EU organisation that routes Qualys scan results into ServiceNow for ticketing and Splunk for SIEM correlation has created three separate CLOUD Act-exposed systems holding copies of the same vulnerability data.
EU-Native Alternatives
Greenbone AG — 0/25 CLOUD Act Exposure
Greenbone AG is headquartered in Osnabrück, Germany. It is the primary commercial sponsor of OpenVAS (Open Vulnerability Assessment System) and the Greenbone Vulnerability Manager (GVM), which it develops under a combination of GPL and commercial licences.
Why 0/25: Greenbone AG is a German GmbH, not subject to US jurisdiction. There is no US parent company, no US private equity ownership, no US federal contracts. Vulnerability scan data processed on Greenbone Community Edition or Greenbone Enterprise self-hosted deployments does not leave EU jurisdiction.
Products:
- Greenbone Community Edition — fully open source (OpenVAS/GVM), deployable on any EU VPS or on-premises, 0/25 CLOUD Act
- Greenbone Enterprise Appliance — hardware-based or VM appliance running Greenbone OS, available in multiple sizes from GSOC to GCE-400
- Greenbone Cloud Services — managed service hosted in Germany, still German corporate entity
BSI Recognition: Greenbone is certified under the BSI IT-Grundschutz scheme. The German Federal Office for Information Security (BSI) recommends OpenVAS/GVM as a component in NIS2-aligned vulnerability management frameworks.
NVT Feed: Greenbone maintains its own NVT (Network Vulnerability Tests) feed — over 175,000 tests covering CVEs across all major platforms. The Enterprise feed is updated daily. Community Edition users access the Greenbone Community Feed, which has a slightly smaller and less frequently updated NVT set than the Enterprise feed.
Migration from Qualys: The primary configuration shift is from agent-based to credential-based scanning (though Greenbone also supports agents in newer versions). VMDR workflows translate to GVM scan configurations and task schedules. Report formats are compatible with most SIEM and ticketing integrations. The Qualys API has significantly richer functionality — expect a period of tooling adaptation.
Pricing: Greenbone Enterprise appliances start at approximately €5,000/year for small deployments. The Community Edition is free. Greenbone Cloud Services pricing is available on request.
Wazuh — 0/25 (Self-Hosted EU)
Wazuh is an open-source security platform combining SIEM, HIDS (host-based intrusion detection), and vulnerability detection. When deployed on EU infrastructure under an EU-incorporated entity's control, it scores 0/25 on the CLOUD Act framework.
Wazuh agents installed on endpoints collect vulnerability data using the OS package manager and compare against NVD/CVE databases. This is less comprehensive than Qualys VMDR's network scanning but covers the majority of patch-gap exposure for Linux and Windows environments.
Limitation vs. Qualys: Wazuh does not perform network-layer vulnerability scanning (open port discovery, service banner fingerprinting, unauthenticated CVE checks). It is agent-based only. For organisations that need network topology scanning, Wazuh alone is insufficient and should be combined with OpenVAS/Greenbone.
Wazuh Inc. is a US company (San Jose, CA). Self-hosted deployments on EU infrastructure do not have data flows to Wazuh Inc. servers. However, procuring a Wazuh SaaS offering from Wazuh Inc. would reintroduce CLOUD Act exposure. Use Community Edition self-hosted only.
OpenVAS / GVM — 0/25 (Self-Hosted EU)
OpenVAS is the open-source fork of Nessus that was created when Tenable commercialised the scanner in 2005. It is developed and maintained by Greenbone as the open-source component of their commercial stack.
Self-hosted OpenVAS on EU infrastructure (Hetzner CX22 at €6/month, OVH, Scaleway) provides vulnerability scanning with no CLOUD Act exposure. The GVM (Greenbone Vulnerability Manager) framework includes:
- OpenVAS scanner
- GVM daemon (gvmd) for centralised management
- Greenbone Security Assistant (GSA) web interface
- PostgreSQL database for findings storage
For organisations with in-house security capacity, a self-hosted OpenVAS stack provides feature parity with Qualys for network-based scanning at infrastructure cost only.
NIS2 Compliance Comparison
| Requirement | Qualys Cloud Platform | Greenbone Enterprise (EU) | Self-hosted OpenVAS |
|---|---|---|---|
| Continuous vulnerability scanning | ✅ Yes | ✅ Yes | ✅ Yes |
| Asset discovery | ✅ CSAM full | ✅ GVM asset DB | ✅ Basic |
| Patch management integration | ✅ Native PM module | ⚠️ Via integration | ❌ Manual |
| GDPR Art. 44 compliant | ❌ US jurisdiction | ✅ German entity | ✅ Self-hosted |
| CLOUD Act risk | 19/25 | 0/25 | 0/25 |
| NIS2 Art. 21(2)(g) | ✅ Technical capability | ✅ Technical capability | ✅ Technical capability |
| NVT/plugin coverage | 97,000+ QIDs | 175,000+ NVTs | 85,000+ NVTs (community) |
| EU data sovereignty | ❌ No | ✅ Yes | ✅ Yes |
| BSI C5 / EUCS | ❌ None | ✅ BSI IT-Grundschutz | N/A |
| FedRAMP | ✅ High | ❌ N/A | N/A |
GDPR Article 44 Transfer Analysis
Running Qualys Cloud Platform for an EU organisation constitutes a transfer of personal data to a third country under GDPR Chapter V. Qualys Inc. is incorporated in the United States, which is not an EU adequate country under GDPR Article 45 in the post-Schrems II environment.
Available transfer mechanisms:
- SCCs (Standard Contractual Clauses): Qualys offers SCCs in their Data Processing Agreement. However, the EDPB Opinion 14/2019 and subsequent Schrems II guidance require a transfer impact assessment (TIA) to be completed. Given Qualys's FedRAMP status and federal government contracts, a TIA will identify a high residual risk that SCCs cannot fully address.
- Adequacy Decision: There is a US adequacy framework (Data Privacy Framework, adopted July 2023), but this covers only voluntary self-certified US companies. Qualys participates in the DPF. However, the DPF is under challenge before the Court of Justice of the EU and may be invalidated as Schrems I and II were.
- Legitimate Interest: Does not apply to international data transfers under GDPR Chapter V.
Practical implication: EU organisations running Qualys Cloud Platform should complete a documented TIA before or shortly after NIS2 implementation. If the TIA concludes that the residual risk to data subjects is not acceptable, the organisation must either switch to an EU-native solution or implement supplementary technical measures (encryption with EU-held keys — difficult to operationalise with an agent-based platform like Qualys).
Migration Path: Qualys → Greenbone Enterprise
For NIS2-scoped EU organisations currently running Qualys Cloud Platform, a structured migration to Greenbone Enterprise is achievable in four phases:
Phase 1 (Weeks 1–4): Parallel deployment
Deploy Greenbone Enterprise alongside Qualys. Run both scanners against the same asset scope. Compare vulnerability findings to assess coverage gaps. Greenbone's NVT feed is generally broader for Linux/open-source assets; Qualys has deeper coverage for Windows Server and some enterprise network appliances.
Phase 2 (Weeks 5–8): Integration migration
Rebuild SIEM integrations (Splunk, Elastic, Wazuh) to consume Greenbone XML/JSON report output. Rebuild ticketing integrations (Jira, ServiceNow) using Greenbone's API. Qualys's RESTful API is more mature than Greenbone's at present — budget extra time for integration migration.
Phase 3 (Weeks 9–12): Agent migration
If using Qualys Cloud Agents on endpoints, evaluate Greenbone's agent deployment or transition to credential-based scanning. For Windows endpoints in Active Directory environments, credential-based scanning with a dedicated service account is standard. For Linux endpoints, SSH-key-based scanning is equivalent in coverage.
Phase 4 (Weeks 13–16): Decommission and documentation
Remove Qualys Cloud Agents, document the new data flow architecture for GDPR Art. 30 Records of Processing Activities, update the DPA with your new processor (Greenbone AG or self-hosted with no third-party processor). Notify supervisory authority if required under your incident notification framework.
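As an added example (not from the original post, and not Greenbone's or Qualys's own tooling), a Python script for the Phase 1 coverage-gap review: it normalises findings from both scanners to (host, CVE) pairs and reports what only one scanner saw. The GVM input follows a simplified subset of the gvmd report XML, the Qualys side is a constructed CSV export that already carries CVE IDs per detection (an assumption; a real export needs the KnowledgeBase for the QID-to-CVE mapping), and every CVE ID and QID is a placeholder.

```python
import csv
import io
import json
import xml.etree.ElementTree as ET

# Constructed sample, modelled on a simplified subset of the gvmd report XML;
# all CVE IDs in this example are placeholders (CVE-2099-*), not real vulnerabilities.
GVM_REPORT = """<report><results>
<result><host>10.0.0.5</host><nvt oid="1.3.6.1.4.1.25623.1.0.1">
  <refs><ref type="cve" id="CVE-2099-0001"/></refs></nvt></result>
<result><host>10.0.0.5</host><nvt oid="1.3.6.1.4.1.25623.1.0.2">
  <refs><ref type="cve" id="CVE-2099-0002"/><ref type="url" id="https://advisory.example"/></refs></nvt></result>
<result><host>10.0.0.7</host><nvt oid="1.3.6.1.4.1.25623.1.0.3">
  <refs><ref type="cve" id="CVE-2099-0005"/></refs></nvt></result>
</results></report>"""

# Constructed CSV export with placeholder QIDs; each row already carries its CVE IDs
# (assumption: a real Qualys export needs the KnowledgeBase for the QID-to-CVE mapping).
QUALYS_CSV = """IP,QID,CVE ID,Status
10.0.0.5,100001,CVE-2099-0001,Active
10.0.0.5,100002,"CVE-2099-0003,CVE-2099-0004",Active
10.0.0.7,100003,CVE-2099-0005,Fixed
"""

def gvm_findings(xml_text):
    """Return {(host, cve)} for every GVM result that references a CVE."""
    findings = set()
    for result in ET.fromstring(xml_text).iter("result"):
        host = result.findtext("host").strip()
        for ref in result.iter("ref"):
            if ref.get("type") == "cve":
                findings.add((host, ref.get("id")))
    return findings

def qualys_findings(csv_text, active_only=True):
    """Return {(host, cve)}; 'Fixed' detections are not current exposure, so drop them."""
    findings = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if active_only and row["Status"] != "Active":
            continue
        for cve in row["CVE ID"].split(","):
            if cve.strip():
                findings.add((row["IP"], cve.strip()))
    return findings

def coverage_gap(gvm, qualys):
    """Group the findings only one scanner reported, per host, for the gap review."""
    gap = {"only_greenbone": {}, "only_qualys": {}}
    for host, cve in sorted(gvm - qualys):
        gap["only_greenbone"].setdefault(host, []).append(cve)
    for host, cve in sorted(qualys - gvm):
        gap["only_qualys"].setdefault(host, []).append(cve)
    return gap

if __name__ == "__main__":
    print(json.dumps(coverage_gap(gvm_findings(GVM_REPORT), qualys_findings(QUALYS_CSV)), indent=2))
```

Hosts that appear under only_qualys are the ones to check for missing credentials or NVT coverage before the Qualys scope is retired.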
Qualys CLOUD Act Exposure: Key Takeaways
Qualys Inc. is a Delaware corporation with FedRAMP High Authorization and active deployment across US federal agencies. Vulnerability scan data processed on Qualys Cloud Platform — including asset inventories, CVE exposure records, software bill of materials, and patch-gap histories — is subject to CLOUD Act production orders issued to Qualys in California.
For EU organisations under NIS2, DORA, or other sector regulations that require documented third-party data transfer assessments, Qualys Cloud Platform requires a Transfer Impact Assessment with a documented conclusion. Given Qualys's federal government relationships, most TIAs for Qualys will identify high residual transfer risk.
EU-native alternatives exist and are technically capable of meeting NIS2 Article 21(2)(g) requirements:
- Greenbone AG (Germany, 0/25) — commercial support, enterprise appliances, BSI IT-Grundschutz certified
- Self-hosted OpenVAS/GVM (EU VPS, 0/25) — no vendor relationship, full infrastructure control
- Wazuh self-hosted (EU VPS, 0/25) — agent-based, combines SIEM and vulnerability detection
The NIS2 compliance argument for migrating vulnerability management to an EU-native stack is straightforward: the data produced by vulnerability scanning is precisely the data that adversaries and foreign governments most want — a complete map of your organisation's security weaknesses. CLOUD Act jurisdiction over that data is a structural risk that SCCs and adequacy frameworks do not fully resolve.