WithSecure (F-Secure) 2026: EU-Native Endpoint Security With 4/25 CLOUD Act Risk
Post #1201 in the sota.io EU Cyber Compliance Series
After analyzing VMware Carbon Black (19/25), Trellix (19/25), and Sophos (16/25) in this series, a pattern is clear: every major endpoint security vendor with a US parent company carries substantial CLOUD Act exposure that no EU data residency clause can fully eliminate. Endpoint Detection and Response agents run at kernel level, collecting complete process telemetry, file activity, and network metadata from every device they protect. Under NIS2 Art.21(2)(g), this is exactly the visibility you need — but the question is whether that telemetry is reachable by US law enforcement under 18 U.S.C. § 2713.
WithSecure Corporation changes the calculation. Incorporated in Finland under Finnish company law, listed on Nasdaq Helsinki (ticker: WITH), and without a US parent or controlling shareholder, WithSecure scores 4/25 on the CLOUD Act Risk Matrix. The four points are honest: AWS Frankfurt serves as a cloud infrastructure sub-processor, and global threat intelligence sharing creates partial US-infrastructure dependencies. But the legal entity receiving your endpoint telemetry is Finnish — subject to Finnish law, Finnish courts, and the Finnish Data Protection Authority (Tietosuojavaltuutettu), not the US District Court for the Eastern District of Virginia.
Corporate Profile: WithSecure Corporation (Oyj)
WithSecure began as Data Fellows in Helsinki in 1988, founded by Petri Allas and Risto Siilasmaa. The company renamed to F-Secure Corporation in 1999 and grew into one of Europe's most recognized cybersecurity brands, eventually listing on Nasdaq Helsinki. In 2022, F-Secure split into two distinct entities: F-Secure retained the consumer security business (antivirus, VPN, identity protection), while the enterprise security division demerged as WithSecure Corporation.
The demerger was a strategic decision, not a distress signal. Enterprise cybersecurity and consumer security require fundamentally different go-to-market motions, sales cycles, and R&D priorities. The split allowed each entity to focus without internal resource competition.
Key corporate facts:
| Attribute | Detail |
|---|---|
| Legal name | WithSecure Corporation (Oyj) |
| Incorporation | Finland |
| Headquarters | Tammasaarenkatu 7, Helsinki, Finland |
| Stock exchange | Nasdaq Helsinki (ticker: WITH) |
| Founded (as Data Fellows) | 1988 |
| Revenue (2023) | ~€134.9M |
| Employees | ~1,700 |
| Customers | 90,000+ organizations |
| Controlling shareholder | None — free float |
| US parent | None |
| Finnish DPA supervision | Tietosuojavaltuutettu (TSV) |
The largest shareholders are Finnish institutional investors (pension funds, OP Financial Group, Evli) and individual Finnish shareholders. There is no US private equity owner comparable to Thoma Bravo (Sophos), Symphony Technology Group (Trellix), or Francisco Partners (Carbon Black via Broadcom acquisition chain). WithSecure's strategic decisions are made in Helsinki under Finnish corporate governance, with a Finnish board.
CLOUD Act Risk Score: 4/25
The CLOUD Act Risk Matrix evaluates five dimensions, each scored on potential US compellability:
Dimension 1: US Corporate Jurisdiction (0/4)
WithSecure Corporation is incorporated in Finland under the Finnish Limited Liability Companies Act (Osakeyhtiölaki). The US CLOUD Act (18 U.S.C. § 2713) applies to "providers of electronic communication service or remote computing service" that are subject to US court jurisdiction. A Finnish company with no US incorporation, no US subsidiary holding data, and no presence triggering US long-arm jurisdiction is not a CLOUD Act target. Score: 0.
Dimension 2: US Ownership or Controlling Shareholder (0/4)
Unlike Sophos (Thoma Bravo US PE), Trellix (Symphony Technology Group US PE), or VMware Carbon Black (Broadcom Inc. Delaware), WithSecure has no US entity controlling corporate direction. Nasdaq Helsinki listing means Finnish securities law governs shareholder obligations. Score: 0.
Dimension 3: US Government Contracts and FedRAMP (0/4)
WithSecure holds no FedRAMP authorization, no US Department of Defense contracts, and no documented relationships with US intelligence community programs. The company has no IC-adjacent products or federal civilian agency deployments that would create entanglement with US government data access frameworks. Score: 0.
Dimension 4: FISA Section 702 and Secret Court Orders (0/5)
FISA Section 702 authorizes compelled collection from US electronic communication service providers. A Finnish company with Finnish corporate officers and Finnish data processing agreements falls outside FISA jurisdiction. Score: 0.
Dimension 5: Sub-Processor Infrastructure and Threat Intelligence (4/12)
This is where honest scoring diverges from the simple "Finnish company = 0 risk" narrative:
- AWS Frankfurt (eu-central-1): WithSecure Elements cloud platform runs on AWS Frankfurt. AWS Inc. is a US company subject to CLOUD Act. AWS has published legal commitments to challenge overly broad government demands and notify customers where legally permitted, but AWS as a US company could theoretically be compelled to produce data it holds. The practical risk is low — EU data staying in EU regions under an EU data controller's instructions — but it is not zero. (+2 points)
- Global Threat Intelligence Infrastructure: WithSecure Security Cloud (threat reputation backend) aggregates telemetry from sensors globally. Some routing and processing touches non-EU infrastructure for real-time lookups. The raw endpoint telemetry from EU customers stays EU-bound, but threat intelligence enrichment creates partial global infrastructure dependencies. (+2 points)
Total CLOUD Act Risk Score: 4/25
For comparison in this series: Carbon Black 19/25, Trellix 19/25, Sophos 16/25. WithSecure's 4/25 represents a fundamentally different risk class — one where GDPR-compliant data processing is the baseline, not an exception configured through EU data residency add-ons.
GDPR and NIS2 Compliance Advantages
Art.28 Data Processing Agreement: When a German hospital, Dutch utility, or Polish bank signs a DPA with WithSecure, they are signing with a Finnish EU-incorporated entity. The DPA is EU-to-EU. Standard Contractual Clauses (SCCs) under GDPR Chapter V are not required for the controller-to-processor relationship — both parties are subject to GDPR directly. This simplifies Data Protection Impact Assessments (DPIAs) significantly.
Transfer Impact Assessment: Under the Schrems II ruling, organizations must conduct Transfer Impact Assessments (TIAs) when transferring personal data to third countries. WithSecure's corporate structure means no mandatory TIA for the WithSecure relationship itself. A TIA is still advisable for the AWS Frankfurt sub-processor leg — but this is a narrow scope compared to assessing CrowdStrike (US company, US servers, PRISM program participant) or Carbon Black (Broadcom Delaware subsidiary chain).
Art.13/14 Transparency: WithSecure's privacy notices reference Finnish law and the Finnish DPA as supervisory authority. Employees covered by the organization's endpoint protection can access their rights under Finnish/EU law without navigating US privacy frameworks or Privacy Shield successor mechanisms.
NIS2 Art.21(2)(d) — Supply Chain Security: NIS2 requires essential and important entities to assess and manage security risks in their supply chains. Choosing an EU-incorporated endpoint security vendor with no US parent simplifies this assessment. There is no third-country data transfer in the supply chain that requires special justification. DPAs with Finnish counterparties do not require adequacy decisions.
NIS2 Art.21(2)(g) — Incident Detection and Handling: WithSecure Elements EDR provides the kernel-level visibility NIS2 requires. Unlike US vendors where incident data may flow to US-based SOC analysts, WithSecure Countercept MDR operates from European locations (Helsinki, London), and incident response engagements are conducted under European legal frameworks.
DORA (Financial Sector): For financial entities subject to DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554), the ICT third-party risk register requires documenting concentration risk. An EU-incorporated EDR vendor without CLOUD Act exposure simplifies the DORA due diligence cycle compared to US vendors requiring extensive sub-processor reviews.
Product Capabilities
WithSecure's enterprise portfolio covers the full endpoint security lifecycle:
WithSecure Elements Platform
The cloud-native management console for SMEs and mid-market organizations. It includes:
Elements EPP (Endpoint Protection Platform)
Traditional signature-based malware prevention combined with behavioral analysis, exploit prevention, and device control. Covers Windows, macOS, and Linux. The prevention layer blocks known threats without requiring EDR telemetry; this matters for environments with strict data minimization requirements.
Elements EDR (Endpoint Detection and Response)
Behavioral threat detection using the WithSecure Broad Context Detection engine. Key capabilities:
- Process lineage analysis (parent-child relationships, memory injection detection)
- MITRE ATT&CK technique mapping with automatic tactic classification
- Guided response actions (isolate host, collect forensics, kill process)
- 90-day telemetry retention for investigation pivoting
- Integration with WithSecure Security Cloud for real-time reputation lookups
Elements Vulnerability Management
Authenticated network scanning and agent-based asset discovery. Identifies missing patches, misconfigurations, and exposed services. Prioritizes findings by CVSS score and exploit availability. Relevant for NIS2 Art.21(2)(e) (vulnerability handling and disclosure policy).
Elements Collaboration Protection
Microsoft 365 security — scans SharePoint, OneDrive, Teams, and Exchange Online for malware, business email compromise, and phishing. Without this layer, M365 metadata flows to Microsoft US regardless of licensing. WithSecure intercepts at the content level before classification.
Elements Identity Security
Identity threat detection for Active Directory and Azure AD environments. Detects Pass-the-Hash, Kerberoasting, DCSync, and other identity-based TTPs. Complements EDR telemetry with identity plane visibility.
WithSecure Countercept
Countercept is WithSecure's 24/7 co-managed MDR (Managed Detection and Response) service. Originally acquired when F-Secure bought UK-based MWR InfoSecurity in 2018, Countercept has maintained its threat hunting reputation through the demerger. Key characteristics:
- Human-led threat hunting by WithSecure analysts (not outsourced to offshore SOC)
- European analyst locations (Helsinki, London, Kuala Lumpur)
- Average time-to-detect for sophisticated intrusions: under 30 minutes
- MDR with containment authority (analysts can isolate endpoints on customer authorization)
- Red team + MDR combined service available
The Countercept model differs from US-vendor MDR in one important respect: when WithSecure analysts access your endpoint telemetry during a threat hunt, they operate under EU employment contracts and EU data protection obligations. There is no incident response scenario that creates a pipeline for US law enforcement to access your data through the MDR provider.
WithSecure Sphere
For large enterprises (2,000+ endpoints), Sphere provides dedicated cloud infrastructure with additional compliance controls. It includes a dedicated WithSecure Security Cloud instance and enhanced audit logging. Organizations with strict data sovereignty requirements can negotiate dedicated EU-hosted deployments under Sphere.
MITRE ATT&CK Evaluation Performance
WithSecure has participated in MITRE ATT&CK Enterprise evaluations. The evaluations test detection coverage against real-world adversary simulations (APT29, APT3, Carbanak, Wizard Spider, etc.). WithSecure's detection performance in MITRE evaluations has consistently demonstrated coverage of the majority of ATT&CK techniques. For NIS2 entities assessing vendor capabilities, MITRE ATT&CK evaluation results provide vendor-neutral performance data that is harder to manipulate than marketing materials.
Vendor Comparison: EU Endpoint Security Series Summary
| Vendor | Legal Entity | CLOUD Act Score | US Parent | Key Risk |
|---|---|---|---|---|
| VMware Carbon Black | Broadcom Inc. (Delaware) | 19/25 | Yes (Broadcom) | Carbon Black Cloud US infrastructure, PRISM-adjacent |
| Trellix | Musarubra US LLC (Delaware) | 19/25 | STG PE (US) | FireEye IC relationships, FedRAMP MDR telemetry |
| Sophos | Sophos Limited (UK) + Thoma Bravo (US PE) | 16/25 | Thoma Bravo (US PE) | IPA 2016, Five Eyes, post-Brexit adequacy cliff |
| WithSecure | WithSecure Corp. (Finland) | 4/25 | None | AWS Frankfurt sub-processor, global TI infrastructure |
| G DATA | G DATA CyberDefense AG (Germany) | 0/25 | None | — |
| ESET | ESET spol. s r.o. (Slovakia) | 6/25 | None | US CDN for TI distribution |
The table reveals the fundamental choice EU security architects face: US/UK-headquartered vendors with competitive feature sets but CLOUD Act exposure between 16 and 19 out of 25, versus EU-incorporated vendors (WithSecure, G DATA, ESET, Bitdefender) with scores between 0 and 8 out of 25.
Feature parity: For most enterprises, WithSecure Elements EDR + Countercept MDR covers the same use cases as CrowdStrike Falcon Complete or Carbon Black Cloud Enterprise EDR. The gap is primarily in market share and ecosystem integrations — not in detection capability.
Migration Guide: From Carbon Black, Trellix, or Sophos to WithSecure
Phase 1: Architecture Assessment (Weeks 1–3)
Map current endpoint agent deployment:
- Count Windows/macOS/Linux endpoints by site and business unit
- Identify high-sensitivity systems (domain controllers, file servers, jump hosts, OT/ICS connections)
- Document current SIEM integrations (QRadar, Sentinel, Splunk) receiving EDR telemetry
- Confirm Microsoft 365 usage scope for Collaboration Protection sizing
WithSecure Elements supports REST API export of detections and telemetry in CEF format. If your SIEM ingests Carbon Black or Trellix alerts today, the integration change is a parser configuration — not an architecture replacement.
Phase 2: WithSecure Elements Onboarding (Weeks 2–5)
WithSecure provides:
- Elements Security Center (web console) — cloud-hosted, EU region
- WithSecure Elements Agent installer for all supported platforms
- Policy templates for EPP, EDR, Vulnerability Management
- API documentation for SIEM/SOAR integration
Start with a non-production environment or a single site. Deploy the Elements Agent alongside the existing agent for 2–3 weeks to validate detection coverage before full migration.
Phase 3: Parallel Run and Tuning (Weeks 4–10)
Run WithSecure Elements EDR in detection-only mode (no response actions) alongside the incumbent agent. Compare detections:
- Does WithSecure detect the same threats the incumbent flags?
- Are there false positive rates that require tuning?
- Does the detection latency meet your NIS2 incident reporting timeline requirements?
For organizations using Countercept MDR, this is when the 24/7 analyst team onboards to your environment — reviewing alert baselines, learning crown jewel systems, and calibrating detection thresholds.
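The Phase 3 comparison, run over CEF exports like those mentioned in Phase 1, as an added example (not WithSecure's or sota.io's code). The vendor strings, the sample lines, and the use of `dhost`, `rt` (epoch milliseconds) and `cs1` for host, timestamp and ATT&CK technique are constructed assumptions; map them to the fields your exports actually carry.

```python
import re

# Extension pairs: key=value, where a value runs until the next " key=" or end.
_EXT = re.compile(r"(\w+)=((?:\\.|[^=\\])*?)(?=\s+\w+=|\s*$)")
_HEADER = ("version", "vendor", "product", "device_version",
           "class_id", "name", "severity")

def parse_cef(line):
    """Parse one CEF record, honouring escaped pipes and escaped '=' signs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, cur, i, body = [], [], 0, line[4:]
    while i < len(body) and len(fields) < 7:
        if body[i] == "\\" and body[i + 1:i + 2] in ("\\", "|"):
            cur.append(body[i + 1]); i += 2; continue   # escaped char in header
        if body[i] == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(body[i])
        i += 1
    if len(fields) != 7:
        raise ValueError("truncated CEF header")
    event = dict(zip(_HEADER, fields))
    event["ext"] = {m.group(1): re.sub(r"\\(.)", r"\1", m.group(2))
                    for m in _EXT.finditer(body[i:])}
    return event

def first_seen(lines):
    """Map (host, technique) -> earliest detection time in epoch ms."""
    seen = {}
    for line in lines:
        ext = parse_cef(line)["ext"]
        key, ts = (ext["dhost"], ext["cs1"]), int(ext["rt"])
        seen[key] = min(ts, seen.get(key, ts))
    return seen

def compare(incumbent_lines, candidate_lines):
    """Coverage, latency delta and unmatched detections for a parallel run."""
    inc, cand = first_seen(incumbent_lines), first_seen(candidate_lines)
    matched = {k: (cand[k] - inc[k]) / 1000 for k in inc if k in cand}
    return {"coverage": len(matched) / len(inc) if inc else 1.0,
            "latency_delta_s": matched,          # positive: candidate was slower
            "missed": sorted(set(inc) - set(cand)),
            "candidate_only": sorted(set(cand) - set(inc))}  # review for FP tuning

# Constructed sample exports (hypothetical vendors, hosts and timestamps).
INCUMBENT = [
    "CEF:0|ExampleIncumbent|EDR|1.0|100|Suspicious PowerShell|8|rt=1768208400000 dhost=ws-014 cs1Label=technique cs1=T1059.001",
    "CEF:0|ExampleIncumbent|EDR|1.0|101|Credential dumping|9|rt=1768208700000 dhost=dc-01 cs1Label=technique cs1=T1003.001",
]
CANDIDATE = [
    "CEF:0|ExampleCandidate|EDR|1.0|A1|Encoded PowerShell|7|rt=1768208445000 dhost=ws-014 cs1Label=technique cs1=T1059.001 msg=cmd with a\\=b",
    "CEF:0|ExampleCandidate|EDR|1.0|A2|Admin tool \\| remote exec|4|rt=1768209000000 dhost=ws-022 cs1Label=technique cs1=T1021.002",
]

if __name__ == "__main__":
    for metric, value in compare(INCUMBENT, CANDIDATE).items():
        print(metric, value)
```

Entries under `missed` are the ones to investigate before removing the incumbent agent, and `latency_delta_s` is the figure to hold against your incident reporting timeline.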
Phase 4: Full Migration (Weeks 8–18)
Remove incumbent agents by priority:
- Standard workstations (bulk deployment via SCCM, Intune, or Ansible)
- Servers and infrastructure nodes (one datacenter/site at a time)
- Domain controllers (always last — validate directory service stability)
- OT/ICS adjacent systems (pilot group with OT team review)
Decommission the old management console only after confirming 30 days of clean operation with no rollback incidents.
Regulatory Documentation Updates
After migration:
- Update Art.30 GDPR Record of Processing Activities: replace previous vendor's DPA reference with WithSecure DPA (EU entity, Finnish law)
- Update NIS2 ICT third-party supplier register: change CLOUD Act risk from 19/25 (Carbon Black) or 16/25 (Sophos) to 4/25 (WithSecure)
- Issue updated DPIA if the previous DPIA flagged Schrems II transfer concerns — the new DPA may not require Chapter V transfer mechanisms
- Notify DPA if you had previously disclosed the US-parent transfer risk under Art.13/14 — updated disclosure may be simpler
When WithSecure Is the Right Choice
Choose WithSecure when:
- Your legal/compliance team has raised concerns about US jurisdiction on endpoint telemetry
- You are an essential or important entity under NIS2 with elevated supply chain security scrutiny
- Your DPIA flagged the CLOUD Act as a risk requiring mitigation
- You are subject to DORA and building your ICT third-party risk register
- You need MDR with European analyst access to sensitive incident data
- You are migrating away from a Thoma Bravo portfolio vendor (Sophos, Proofpoint, Barracuda) due to portfolio concentration risk
- Your sector (healthcare, finance, critical infrastructure) has strict data localization or national security requirements
Consider alternatives when:
- Your primary concern is market ecosystem integrations (CrowdStrike's 800+ Falcon platform integrations are unmatched)
- You already have a well-functioning Carbon Black or Trellix deployment and cannot justify migration costs
- Your organization primarily uses US cloud infrastructure and has already accepted CLOUD Act exposure in the cloud layer
- You need FedRAMP-authorized endpoint security for US government work
Conclusion
WithSecure Corporation is the largest EU-incorporated endpoint security company with a complete EDR/MDR stack. Its 4/25 CLOUD Act Risk Score reflects honest scoring of AWS sub-processor usage — but the fundamental legal structure is different from every US-parent vendor evaluated in this series. The controller relationship is Finnish, the corporate governance is Finnish, and the regulatory supervision is Finnish.
For EU organizations building NIS2-compliant security programs, WithSecure closes the gap between GDPR-aligned procurement and enterprise-grade detection capability. The migration path from Carbon Black, Trellix, or Sophos is well-defined, and the product coverage — EPP, EDR, Vulnerability Management, M365 protection, and MDR — matches what most organizations need.
Post 1202 in this series will complete the EU-Endpoint-Security analysis with a full comparison finale: Carbon Black 19/25 vs Trellix 19/25 vs Sophos 16/25 vs WithSecure 4/25 vs G DATA 0/25, including procurement decision framework, TCO comparison, and the final GDPR-compliant stack recommendation for EU enterprises.