Webex EU Alternative 2026: Why Cisco's EU Data Residency Doesn't Solve the CLOUD Act Problem
Post #921 in the sota.io EU Cyber Compliance Series
Cisco Webex is one of the world's largest enterprise video conferencing platforms. With roots in the original WebEx Communications acquisition in 2007, Cisco has invested heavily in Webex as its unified collaboration platform — merging video meetings, messaging, calling, and event hosting under a single brand. Webex is deployed across financial services, healthcare, government agencies, and multinational corporations, many of them in the European Union.
Cisco Systems, Inc. is incorporated in Delaware and headquartered in San Jose, California. Cisco is a US entity listed on Nasdaq. Webex, as a service operated by Cisco, is subject to the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) — the 2018 US federal statute that requires US companies to produce data in response to lawful US government demands, regardless of where that data is stored or which servers it transits.
Webex has invested significantly in EU-relevant security features: Webex offers an EU data residency option for certain customers, provides end-to-end encryption (E2EE) for meetings through its Zero-Trust Security architecture, and maintains a detailed subprocessor list and GDPR Data Processing Agreement. These are genuine operational improvements. None of them changes the legal status of Cisco Systems as a US corporation subject to US legal process. For EU organisations operating under GDPR, DORA, NIS2, or sector-specific data protection frameworks, the distinction between technical data controls and legal jurisdiction is the gap that Cisco's EU data residency cannot close.
Cisco's Legal Architecture: Delaware Incorporation and CLOUD Act Exposure
Cisco Systems, Inc. was incorporated in California in 1984 and reincorporated in Delaware in 1987. Its principal offices are in San Jose, California. The operating entities that run Webex — Cisco Webex LLC and the various Cisco international subsidiaries — are ultimately owned by a Delaware-incorporated US parent.
The CLOUD Act amended the Stored Communications Act to establish that US companies must comply with lawful US government demands for communications data regardless of where that data is stored. A US federal court can issue a warrant or court order requiring Cisco to produce data held anywhere in the world, as long as Cisco has possession, custody, or control of that data — including data stored on EU-based servers operated by Cisco's European subsidiaries on Cisco's behalf.
Cisco's EU data residency offering for Webex allows certain customer data — meeting content, recordings, chat messages — to be stored primarily in EU-based data centres (as of 2026, Cisco operates EU Webex infrastructure in Germany and the Netherlands). This is a meaningful operational control for organisations concerned about data sovereignty in routine operations. It does not affect Cisco's legal obligations when served with lawful US process. If the FBI or another US agency obtains a court order requiring Cisco to produce communications data about a specific Webex account or meeting, Cisco's obligation to comply is not altered by where that data is physically stored.
Additionally, Cisco holds substantial US government contracts. Cisco is a major supplier to the US Department of Defense, federal civilian agencies, and US intelligence community contractors. This relationship does not create additional legal obligations beyond those that apply to any US company, but it illustrates the depth of Cisco's integration into US government infrastructure — a consideration for EU organisations assessing supply chain risk under NIS2 and DORA.
Webex Zero-Trust Security and End-to-End Encryption: What It Protects
Cisco has promoted Webex as offering "Zero-Trust Security" and, for meetings, optional end-to-end encryption. These features are technically substantive and differ meaningfully from standard cloud conferencing security. Understanding precisely what they protect — and what they do not — is essential for compliance assessment.
Standard Webex encryption uses TLS for data in transit and AES-256 for data at rest. Keys are managed by Cisco. In standard mode, Cisco can decrypt meeting content if legally compelled to do so — content protection is limited to confidentiality against third-party interception, not against Cisco itself or US legal process directed at Cisco.
Webex end-to-end encryption (E2EE) is available for meetings when enabled by the host. In E2EE mode, encryption keys are generated on participants' devices and not accessible to Cisco's servers. The Webex E2EE implementation uses the Messaging Layer Security (MLS) protocol, and Cisco has published technical documentation on the key management architecture. When E2EE is properly implemented and enabled, Cisco genuinely cannot decrypt meeting content — which means it cannot comply with government demands for meeting content in E2EE meetings, because it does not hold the decryption keys.
This is a significant protection — comparable in concept to Signal's E2EE model — and for meetings that are configured to require E2EE, the technical barrier against government content access is real.
However, E2EE has important limitations in the Webex context:
E2EE must be explicitly enabled per meeting. Standard Webex meetings do not use E2EE by default. Organisations must configure Webex to require E2EE, and users can still create non-E2EE meetings unless administrators lock down the configuration. In practice, many Webex deployments do not have E2EE enforced uniformly.
E2EE does not protect metadata. Who participated, when, from which IP address, for how long, which features were used — this operational metadata is generated on Cisco's infrastructure and retained regardless of E2EE configuration. Metadata about meeting participants and patterns can be highly sensitive, especially for legal, financial, and government organisations.
E2EE does not apply to Webex features that require cloud processing. Webex AI — including AI-generated meeting summaries, action items, real-time transcription, and the AI Assistant — requires server-side processing. When AI features are enabled, meeting content is processed on Cisco's infrastructure. E2EE and AI features are mutually exclusive for the content that AI processes.
E2EE does not cover Webex Messaging (Teams spaces). End-to-end encryption applies to Webex Meetings — the video conferencing product. Webex Messaging (team spaces, persistent chat) uses standard Cisco-managed encryption, not E2EE. An organisation using Webex for both meetings and team collaboration has asymmetric encryption coverage across its communications.
Cisco retains account metadata and administrative data regardless of E2EE. User account information, subscription data, administrative logs, and service telemetry are retained by Cisco under standard cloud service terms. This data exists outside the E2EE protection boundary.
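To make the protection boundary described above concrete, here is an added toy model written for this article. It is not Cisco's code and not the Webex E2EE implementation: a constructed SHA-256 counter keystream stands in for AES and MLS, and the `Provider`, `MeetingRecord`, `client_decrypt` and `run_demo` names are hypothetical. The model shows that the operator can hand over meeting content only when it holds the key (standard mode), while participant lists, source IP addresses and timing are generated and disclosable in both modes.

```python
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


def toy_keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256 counter keystream.
    Constructed for illustration only; it stands in for the AES/MLS-based
    encryption a real product uses. Symmetric, so the same call decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class MeetingRecord:
    # Metadata: produced and retained on the operator's infrastructure in both modes
    participants: List[str]
    source_ips: List[str]
    started_at: int
    duration_s: int
    mode: str
    # Content: always stored as ciphertext; readability depends on who holds the key
    nonce: bytes
    ciphertext: bytes
    provider_key: Optional[bytes]  # populated only in standard mode


class Provider:
    """Hypothetical service operator. It stores every meeting's ciphertext and
    metadata; whether it can read the content depends on the encryption mode."""

    def __init__(self) -> None:
        self.records: Dict[str, MeetingRecord] = {}

    def host_meeting(self, meeting_id: str, participants: List[str], source_ips: List[str],
                     started_at: int, duration_s: int, content: bytes, mode: str) -> bytes:
        nonce = os.urandom(12)
        key = os.urandom(32)
        if mode == "standard":
            provider_key = key      # provider-managed key, escrowed server-side
        elif mode == "e2ee":
            provider_key = None     # key exists only on participants' devices
        else:
            raise ValueError(f"unknown mode {mode!r}")
        self.records[meeting_id] = MeetingRecord(
            participants=list(participants), source_ips=list(source_ips),
            started_at=started_at, duration_s=duration_s, mode=mode,
            nonce=nonce, ciphertext=toy_keystream_xor(key, nonce, content),
            provider_key=provider_key)
        return key  # handed to the clients; in e2ee mode only they retain it

    def produce(self, meeting_id: str) -> dict:
        """Everything the operator is able to hand over for one meeting."""
        r = self.records[meeting_id]
        disclosed: dict = {
            "metadata": {
                "participants": r.participants,
                "source_ips": r.source_ips,
                "started_at": r.started_at,
                "duration_s": r.duration_s,
                "mode": r.mode,
            },
            "content": None,  # stays None unless the operator holds the key
        }
        if r.provider_key is not None:
            disclosed["content"] = toy_keystream_xor(r.provider_key, r.nonce, r.ciphertext)
        return disclosed


def client_decrypt(provider: Provider, meeting_id: str, client_key: bytes) -> bytes:
    """A participant who kept the E2EE key can still read the stored ciphertext."""
    r = provider.records[meeting_id]
    return toy_keystream_xor(client_key, r.nonce, r.ciphertext)


def run_demo() -> dict:
    """Constructed sample: one standard and one E2EE meeting with identical content."""
    content = b"Q3 audit: discuss regulator findings before filing"
    people = ["cfo@example.eu", "counsel@example.eu"]
    ips = ["203.0.113.10", "203.0.113.11"]  # documentation-range addresses
    p = Provider()
    p.host_meeting("m-std", people, ips, 1_700_000_000, 1800, content, "standard")
    key = p.host_meeting("m-e2ee", people, ips, 1_700_003_600, 1800, content, "e2ee")
    return {
        "standard": p.produce("m-std"),          # content readable by the operator
        "e2ee": p.produce("m-e2ee"),             # metadata only, content is None
        "e2ee_client_view": client_decrypt(p, "m-e2ee", key),
    }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, "->", result)
```

The point of the model is the `produce` method: in both modes it returns the same participant, IP and timing fields, so switching to E2EE changes what can be disclosed about content, not what can be disclosed about who met whom and when.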
What Webex Processes About EU Organisations
A comprehensive Webex deployment involves significantly more data than the video and audio of meetings:
Meeting content: Audio, video, and screen-share. In E2EE meetings, this is protected; in standard meetings, Cisco can access this content.
Meeting recordings: Stored in Cisco's Webex cloud infrastructure (or Cisco cloud storage). Recordings are covered by the EU data residency option for eligible customers but are encrypted with Cisco-managed keys unless additional customer key management is configured.
AI-generated content: Meeting transcripts, summaries, action items, and AI Assistant interactions are processed on Cisco's servers. This content reflects the substance of meetings — including confidential business discussions, legal advice, financial decisions, and personnel matters.
Webex Messaging content: Team space messages, files shared in Webex Teams, reactions, and history are retained on Cisco's infrastructure under standard (non-E2EE) encryption.
Participant and organisational metadata: Who attends meetings, organisational hierarchy reflected in meeting invitations, frequency and duration of communication between individuals, network information, and device data. This metadata is available to Cisco regardless of meeting encryption mode.
Integration data: Webex integrates with Microsoft 365, Google Workspace, Salesforce, ServiceNow, and hundreds of other platforms via the Webex App Hub. Each integration involves additional data flows, often to US-entity subprocessors.
Webex Contact Center data: Organisations using Webex Contact Center for customer service operations generate customer interaction data, call recordings, and agent performance data — all processed on Cisco infrastructure.
Webex Events and Webinars: Large-scale meeting formats (Webex Webinars, Webex Events) process attendee registration data, participation metrics, engagement analytics, and Q&A content.
GDPR Obligations for Webex Users in the EU
For EU organisations using Webex, GDPR imposes obligations on both the organisation (as data controller) and Cisco (as data processor):
Article 28 — Data Processing Agreement: Cisco provides a standard Data Processing Agreement (DPA) covering Webex services. The DPA specifies Cisco's processing activities, subprocessors, and security measures. EU organisations must ensure the DPA is executed and that the scope of processing described matches their actual Webex configuration.
Article 46 — International Data Transfers: Webex data may be processed in the United States and other jurisdictions outside the EU. Cisco relies on Standard Contractual Clauses (SCCs, 2021 version) for international data transfers. Following the Schrems II ruling (C-311/18), organisations are required to conduct a Transfer Impact Assessment (TIA) evaluating whether SCCs provide adequate protection in light of US law — including the CLOUD Act. Cisco publishes guidance on its GDPR compliance posture, but the TIA must be conducted by the data controller based on its specific use case and risk tolerance.
Article 35 — Data Protection Impact Assessment: For high-risk processing — including systematic monitoring of employees, processing of special categories of data, or processing at large scale — a DPIA is required before deploying Webex in a new high-risk context. The CLOUD Act exposure identified in a TIA is typically a factor in the DPIA risk assessment.
Article 5(1)(f) — Integrity and Confidentiality: Controllers must implement appropriate technical and organisational measures to protect personal data. The question of whether Webex's encryption and data residency options constitute "appropriate" measures for a given organisation's risk profile is a compliance judgment that must be made in context. Supervisory authority guidance in Germany (DSK), France (CNIL), and the Netherlands (AP) has consistently held that standard cloud encryption from US providers does not constitute sufficient protection where CLOUD Act exposure exists.
DORA Implications for Financial Services Using Webex
The EU Digital Operational Resilience Act (DORA), effective from 17 January 2025, creates specific requirements for financial entities using ICT service providers — including video conferencing platforms where these are classified as critical ICT dependencies.
DORA Article 28 — Management of ICT Third-Party Risk: Financial entities must manage and monitor the risks from ICT third-party service providers. For critical ICT third-party providers, DORA imposes enhanced due diligence, contractual requirements, and exit planning obligations. Webex is typically not a "critical ICT third-party provider" in the formal DORA designation sense — the EU Commission designates CTPP status based on systemic importance assessments. However, if a financial entity is substantially dependent on Webex for critical internal communications (e.g., trading desk coordination, regulatory reporting communications, audit meetings), the systemic dependency assessment under Article 28 may classify it as a critical ICT dependency at the entity level.
DORA Article 30 — Key Contractual Provisions: DORA requires financial entities to include specific provisions in contracts with ICT third-party providers: service level agreements, security standards, data location, audit rights, incident notification, and exit provisions. Cisco's standard Webex terms may not include all DORA-required contractual provisions without negotiation.
DORA Article 45 — Information Sharing: DORA encourages financial entities to share cyber threat intelligence, including threat indicators related to ICT supply chain attacks. Cisco's infrastructure — as a major US ICT provider — is a potential vector for supply chain risk that DORA frameworks are designed to address.
Jurisdictional Risk: DORA's approach to ICT risk explicitly considers jurisdictional risk — the risk that a third-country provider may be compelled by its home country authorities to take actions that could harm EU financial entities. The CLOUD Act creates exactly this category of risk for Cisco Webex.
NIS2 Requirements for Critical Infrastructure Operators Using Webex
The revised Network and Information Security Directive (NIS2), transposed into member state law by October 2024, expands the scope of "essential" and "important" entities subject to cybersecurity requirements. Operators of essential services — energy, transport, water, digital infrastructure, healthcare, banking, financial market infrastructure, and others — face enhanced supply chain security obligations under NIS2 Article 21.
NIS2 Article 21(2)(d) — Supply Chain Security: Essential and important entities must implement security measures addressing supply chain risks, including security in relationships with direct suppliers and service providers. This includes assessing the security posture of video conferencing providers used for operational communications. The CLOUD Act exposure creates a supply chain risk that may be relevant to the NIS2 risk assessment.
NIS2 Article 21(2)(h) — Human Resources Security: NIS2 requires policies covering the security of human resources with access to network and information systems. Webex — used for staff communications, including sensitive internal discussions — is part of the human resources security perimeter.
Supervisory Authority Expectations: NIS2 national implementing legislation in Germany (NIS2UmsuCG), France (LPM), and the Netherlands (Cyberbeveiligingswet) gives national authorities powers to inspect ICT supply chain risk assessments. Auditors reviewing an essential entity's Webex deployment may ask to see a TIA and DPIA documenting the CLOUD Act risk assessment.
The Webex Managed Security Service Provider (MSSP) and Data Residency Programme
Cisco offers a specific EU data residency configuration for Webex. Under this option — available to eligible enterprise customers with contracts specifying EU data residency — Cisco commits to storing certain primary data categories in EU-based data centres (Germany and Netherlands as of 2026) rather than routing them through US infrastructure as a default.
This commitment covers stored data — meeting recordings, Webex Messaging history, and certain other content stored at rest. It does not change the processing architecture for:
- Real-time meeting streams during active calls (these traverse Cisco's global media network for routing optimisation)
- AI features (processed on Cisco's AI infrastructure, not subject to EU data residency commitments)
- Service metadata, telemetry, and administrative data
- Support interactions with Cisco support teams
Organisations that configure EU data residency should verify which specific data types are covered by the residency commitment, what exceptions apply for reliability and security processing, and whether the contractual commitment includes audit rights to verify the data residency configuration.
Cisco's Subprocessor Chain
Webex relies on a network of subprocessors — third-party companies that process customer data on Cisco's behalf. Cisco maintains a Webex subprocessor list available through its Trust Portal. Key categories include:
- Cloud infrastructure providers: Cisco operates its own data centres but also uses public cloud providers for certain Webex services. The EU data residency option is designed to minimise non-EU processing for covered data.
- AI and ML processing: Webex AI features may involve specialised AI infrastructure providers.
- Customer support: Cisco's global support operations involve teams in multiple jurisdictions, including the United States.
- Analytics: Webex analytics and usage data may be processed by analytics subprocessors.
- Authentication and identity: Identity management integrations (SSO, directory services) may involve additional data flows.
Under GDPR Article 28(2), controllers must approve subprocessors in advance (through DPA provisions allowing general authorisation with notification of new subprocessors). Organisations should review Cisco's subprocessor list and assess whether any subprocessors create additional jurisdictional risk beyond the Cisco parent company's CLOUD Act exposure.
EU-Native Video Conferencing Alternatives
For EU organisations that require a video conferencing solution not subject to the CLOUD Act, the following EU-incorporated or EU-operated options address the jurisdictional gap:
Nextcloud Talk: Nextcloud GmbH is incorporated in Stuttgart, Germany. Nextcloud Talk provides end-to-end encrypted video conferencing integrated with the Nextcloud collaboration platform. Self-hosted deployments give organisations complete control over data — including where it is stored, who can access it, and how long it is retained. Nextcloud Talk can be deployed on EU-based infrastructure (Hetzner, IONOS, OVHcloud) with no US-entity involvement in data processing. For large calls, Nextcloud integrates with EU-based High Performance Backend (HPB) providers.
OpenTalk: OpenTalk is developed by Heinlein Gruppe GmbH in Berlin, Germany. Built specifically for high-security and public sector requirements, OpenTalk supports E2EE natively, operates on EU-based infrastructure, and is designed for GDPR compliance. OpenTalk is used by German federal agencies and public health organisations. The German Federal Office for Information Security (BSI) has engaged with OpenTalk on security certification.
kMeet (Infomaniak): kMeet is operated by Infomaniak Network SA, incorporated in Geneva, Switzerland. Infomaniak is 100% Swiss-owned with no US parent company. Switzerland is not subject to the CLOUD Act, and Infomaniak does not fall within any EU/US data transfer framework — data stays in Swiss data centres. kMeet provides WebRTC-based video conferencing with no accounts required for guests. Switzerland's data protection law (nDSG) aligns with GDPR standards.
Wire for Business: Wire Swiss GmbH is incorporated in Zug, Switzerland. Wire provides E2EE messaging and video conferencing with a strong security architecture. Wire has explicit E2EE for both one-to-one and group calls, and is actively used by European government agencies and military organisations requiring high-assurance communications. Wire's source code is publicly audited.
Jitsi Meet (self-hosted): Jitsi is an open-source video conferencing platform originally developed by 8x8 Inc. (a US company). However, a self-hosted Jitsi Meet deployment — running on EU-based infrastructure with no 8x8 cloud involvement — removes the US-entity dependency. EU organisations can deploy Jitsi on Hetzner, Scaleway, or OVHcloud, retaining complete control over data. This requires operational capability to host and maintain the infrastructure.
Whereby: Whereby AS is incorporated in Oslo, Norway. Norway is an EEA member and applies GDPR. Whereby operates its infrastructure in EU/EEA data centres and does not have a US parent company. Whereby is designed for simplicity — no app required, browser-based — and is used by thousands of European SMBs and individuals. It is not positioned for large enterprise deployments with advanced admin controls.
STACKFIELD: STACKFIELD GmbH is incorporated in Munich, Germany. STACKFIELD provides an integrated team communication platform including video meetings, E2EE messaging, and task management. Data is stored exclusively in Germany, and STACKFIELD is independently certified to BSI C5 (Cloud Computing Compliance Criteria Catalogue). STACKFIELD is designed for compliance-sensitive organisations and has German BSI approval for public sector use.
Tixeo: Tixeo SAS is incorporated in Montpellier, France. Tixeo is a French video conferencing platform with ANSSI (French National Cybersecurity Agency) qualification — one of the few video conferencing platforms to achieve formal security qualification from an EU member state cybersecurity authority. Tixeo's E2EE implementation covers all participants, including those using web access. Tixeo is used by French and European critical infrastructure operators and defence organisations.
Evaluating the Alternatives: Decision Framework
The right alternative depends on the organisation's specific compliance requirements, technical capacity, and operational constraints:
| Criterion | Webex (Cisco) | Nextcloud Talk | OpenTalk | kMeet | Tixeo |
|---|---|---|---|---|---|
| EU parent company | No (Delaware) | Yes (Germany) | Yes (Germany) | No (Swiss) | Yes (France) |
| CLOUD Act exposure | Yes | No | No | No (Swiss) | No |
| E2EE available | Yes (opt-in) | Yes | Yes | Partial | Yes (default) |
| Self-hosted option | No | Yes | Yes | No | Yes |
| Government certification | No | BSI C5 | BSI | — | ANSSI Qualified |
| AI features | Yes (E2EE excluded) | Limited | No | No | No |
| Large-scale events | Yes | Limited | Yes | Limited | Yes |
| GDPR DPA available | Yes | Yes | Yes | Yes | Yes |
For organisations where AI-assisted meeting features are critical, the trade-off between functionality and CLOUD Act exposure is explicit: Webex E2EE excludes AI features; EU-native alternatives without AI features eliminate CLOUD Act exposure entirely. The compliance question is whether AI meeting summaries are worth the jurisdictional risk — a judgment that depends on the data processed in those meetings.
Practical Steps for Webex Users Conducting GDPR Risk Assessment
Step 1: Scope the processing. Identify all data types processed through Webex — meeting content, recordings, AI output, messaging history, integration data. Map against GDPR personal data categories and assess which categories are sensitive (special category data, data about employees, data about minors, financial data).
Step 2: Execute the GDPR Transfer Impact Assessment. SCCs alone are not sufficient post-Schrems II. Conduct a TIA that evaluates US surveillance law (CLOUD Act, FISA 702) against the specific data you process in Webex. Document the assessment and the mitigations in place. The TIA must reflect your organisation's actual risk — not Cisco's published guidance.
Step 3: Assess Webex E2EE applicability. If E2EE is technically feasible for your meeting use cases (no AI features, all participants using E2EE-capable clients), assess whether mandatory E2EE configuration reduces the TIA risk to acceptable levels. Document this in your DPIA.
Step 4: Evaluate EU data residency coverage. If Cisco's EU data residency programme is available for your contract tier, assess exactly which data types it covers and verify through contractual audit rights.
Step 5: Consider the migration path. If the TIA or DPIA concludes that Webex's CLOUD Act exposure is unacceptable for your use case, develop a migration roadmap to an EU-native alternative. The migration timeline and cost should be factored into the risk assessment.
Conclusion: EU Data Residency Is Not Legal Sovereignty
Cisco Webex is a mature, feature-rich enterprise video conferencing platform. For organisations where AI features, global scale, and enterprise integrations are priorities, Webex provides capabilities that EU-native alternatives cannot yet fully match.
The compliance gap is structural, not technical. Cisco Systems is a Delaware corporation. No amount of EU data residency configuration, end-to-end encryption, or GDPR contractual commitments changes the fact that US federal authorities can serve lawful process on Cisco in California and require Cisco to produce data it can access — wherever that data physically sits.
For EU organisations in regulated sectors — financial services subject to DORA, critical infrastructure operators under NIS2, healthcare organisations under sector-specific EU frameworks, or public sector bodies operating under national data sovereignty requirements — this legal exposure may be dispositive. The question is not whether Cisco has made compliance efforts, but whether the remaining exposure is acceptable given the sensitivity of communications handled through Webex.
EU-native alternatives — Nextcloud Talk, OpenTalk, Tixeo, Wire — exist and are production-ready for many enterprise use cases. The migration cost is real. The compliance cost of remaining on a CLOUD Act-exposed platform is also real, and increasingly visible to supervisory authorities auditing ICT supply chain risk under NIS2 and DORA.
Want to deploy your application on EU-native infrastructure without CLOUD Act exposure? sota.io is a managed PaaS running on Hetzner Germany — no US parent company, no CLOUD Act, GDPR-native from day one.