Self-Hosted vs. Cloud: Data Sovereignty in Compliance Software

TL;DR
  • Data sovereignty means that you have full control at all times over where your data resides, who accesses it, and under which legal jurisdiction it is stored.
  • Cloud solutions offer a quick start and low operational overhead but require trust in the provider and their infrastructure.
  • Self-hosted solutions give you maximum control over data and infrastructure but demand your own IT resources for operations and maintenance.
  • Regulatory requirements such as DSGVO (GDPR), Schrems II, and NIS2 impose concrete requirements on data storage that must be considered in the hosting decision.
  • The right choice depends on your regulatory requirements, available IT resources, and the sensitivity of the data being managed.

What Data Sovereignty Actually Means

The term data sovereignty is frequently used but seldom precisely defined. At its core, it concerns three dimensions of control over your data:

Physical control: You know where your data is physically stored and can determine that location. That sounds self-evident, but with many cloud services it isn't. Data may be distributed across multiple data centers, and the exact storage location may change dynamically.

Legal control: The data is subject to a legal jurisdiction that you know and accept. When your data resides in an EU data center of a US company, it may still be subject to the US CLOUD Act — meaning US authorities can demand access under certain circumstances.

Technical control: You determine who can access the data. This includes not just your own employees but also the software vendor, the hosting provider, and their staff.

For ordinary office software, the question of data sovereignty may be secondary. For compliance software, the situation is different. An ISMS tool contains a detailed inventory of your security risks, your vulnerabilities, your protective measures, and their effectiveness. It documents where your organization is vulnerable. This information is at least as valuable to attackers as it is to you.

Additionally, there are audit results that reveal deficiencies, incident reports that describe past security breaches, and action plans that disclose which gaps have not yet been closed. This is not ordinary business data — it's essentially a security map of your organization.

Cloud Solutions: Advantages and Limitations

Cloud-based compliance software — SaaS solutions where the provider operates the infrastructure — dominates the market. There are good reasons for this, but it also comes with specific limitations.

Advantages of Cloud Solutions

Quick start. You sign up, set up your account, and can start working immediately. No server installation, no infrastructure planning, no coordination with the IT department. For organizations that need to move quickly — for example because a certification deadline is approaching or regulatory timelines are pressing — this is a real advantage.

Low operational overhead. Updates, backups, monitoring, scaling, and security patches are handled by the provider. You don't need an internal team dedicated to running the software. Especially for small IT departments that are already stretched thin, this is significant relief.

Automatic updates. New features, bug fixes, and security patches are deployed by the provider without any action on your part. You always work with the current version, which can also be an advantage from a security perspective.

Scalability. Cloud solutions generally scale seamlessly. As your organization grows or you add more users, the infrastructure adapts automatically.

Location-independent access. Cloud software is accessible from anywhere, which is practical for distributed teams or organizations with multiple locations.

Limitations of Cloud Solutions

Data with a third party. The most obvious limitation: your ISMS data resides on the provider's infrastructure. You trust that the provider has their own security under control, that their employees don't take unauthorized access, and that their subcontractors are equally trustworthy.

Vendor dependency. If the provider discontinues their service, drastically raises prices, or gets acquired, you have a problem. While you should be able to export your data, migrating to another platform always involves effort. This dependency — often referred to as vendor lock-in — is particularly sensitive with compliance software because an outage or forced migration in the middle of an audit cycle can have significant consequences.

Limited control over infrastructure. You typically can't determine which specific hardware runs your data, what disk-level encryption is used, or how the provider's network segmentation is configured. You must rely on the provider's statements and, where applicable, their certifications.

Multi-tenancy. Most SaaS solutions use a multi-tenant architecture: multiple customers share the same infrastructure, with separation at the software level. This is technically standard and secure when properly implemented, but it means that a vulnerability in tenant isolation could potentially affect multiple customers' data.

Legal jurisdiction and data access. If the provider is headquartered outside the EU, foreign authorities may be able to demand access to your data under certain circumstances — even if the servers are physically located in the EU. The US CLOUD Act is the most prominent example, but similar regulations exist in other countries.

Self-Hosted Solutions: Advantages and Limitations

Self-hosted means you operate the software on your own infrastructure. That can be a physical server in your own data center, a virtual machine with a hosting provider of your choice, or a container installation in your own cloud environment.

Advantages of Self-Hosting

Full data control. You know exactly where your data resides because you chose the storage location yourself. No third party has access unless you explicitly permit it. For organizations in regulated industries or with strict internal data storage policies, this is often a fundamental requirement.

No dependency on a third party's availability. If the software vendor discontinues their cloud service, with a self-hosted solution you still have your running installation with all data. You're not reliant on the provider keeping their servers running.

Own security architecture. You integrate the software into your existing security infrastructure: your own firewall rules, your own monitoring, your own backup strategy, your own access controls. This yields a consistent security concept that you control yourself.

Compliance with strict data residency requirements. Some regulatory requirements or contractual agreements stipulate that certain data must not leave the company network or a defined geographic area. Self-hosting fulfills this requirement by definition.

Cost structure. Self-hosted solutions often have a different cost structure than SaaS: one-time license fees or open-source models instead of ongoing per-user fees. With a growing user count, self-hosting can be more cost-effective in the long run because the marginal cost per user approaches zero. A detailed TCO comparison between SaaS and self-hosted over five years shows how total costs actually develop.

Limitations of Self-Hosting

Own operational overhead. Updates, backups, monitoring, and security patches are your responsibility. You need staff who can handle this and have time for it. When a critical security vulnerability is discovered in the software or a dependency, you have to apply the patch yourself.

Initial setup. Installation and configuration require technical know-how. Depending on the software's complexity, setup can take hours or days, whereas a SaaS solution is immediately usable.

Infrastructure costs. Even if the software license is cheaper, costs for servers, hosting, power, network, and IT personnel still apply. These costs must be included in the total calculation.

Scaling. If your organization grows rapidly, you have to scale the infrastructure yourself. With a SaaS solution this happens automatically; with self-hosting you have to plan and invest.

Ensuring your own security. Self-hosting gives you control but also responsibility. If you don't properly secure your server, your data is less protected than with a professionally operated cloud service. The quality of security depends directly on your own capabilities and resources.

Regulatory Requirements in Detail

The decision between cloud and self-hosted is not just a technical preference — it's increasingly influenced by regulatory requirements. Three regulatory frameworks are particularly relevant for European organizations.

DSGVO (GDPR) and Data Processing

The General Data Protection Regulation governs the handling of personal data. Personal data also arises in an ISMS: names of risk owners, employee contact details, and potentially information about security incidents that affect individual persons. The technical and organizational measures must be documented accordingly.

With a cloud solution, the software provider is typically a data processor under GDPR. This requires a data processing agreement (DPA) that governs the scope of processing, the technical and organizational measures, and the rights and obligations of both parties.

When evaluating cloud providers, check the following points:

  • Is there a DPA, and is it complete?
  • Where is the data processed and stored?
  • Which sub-processors are involved, and where are they located?
  • How is data deletion handled after contract termination?

With self-hosting, data processing by the software vendor is eliminated if the vendor has no access to the running installation. Responsibility for GDPR-compliant processing then lies entirely with you — which means more control on one hand, but also that you must ensure adequate technical and organizational measures yourself.

Schrems II and International Data Transfers

The Schrems II ruling by the ECJ in 2020 significantly complicated the transfer of personal data to the United States. While the EU-US Data Privacy Framework has existed as a new adequacy decision since 2023, its long-term stability is disputed. Some legal experts consider a renewed invalidation likely, which could put organizations relying on US cloud services in a difficult position again.

For compliance software, this means: if you use a cloud provider with a US parent company, you should be aware that the legal basis for data transfer may change. Whether you accept this risk is a business decision, but you should make it consciously rather than discovering a problem after the fact.

Self-hosted solutions on EU infrastructure completely sidestep this issue because no data transfer to third countries takes place. Cloud solutions from European providers with exclusively European infrastructure also offer a high degree of legal certainty, as long as no US sub-processors are involved.

NIS2 and Cybersecurity Requirements

The NIS2 Directive imposes requirements on the cybersecurity of affected organizations, including the security of the IT systems in use and the supply chain. An ISMS tool is part of your IT supply chain, and its security must be assessed as part of your supply chain risk management.

NIS2 requires, among other things:

  • Risk management for IT in use, including cloud services
  • Consideration of supply chain security
  • Incident reporting obligations that may also include incidents at service providers

If your ISMS tool operates as a cloud service, you must include the provider in your supplier management, assess their security measures, and review them regularly. With self-hosting, security responsibility lies with you, which simplifies supplier assessment but increases your own operational responsibility.

When Each Model Fits

The choice between cloud and self-hosted is not a matter of ideology but a pragmatic decision that depends on your organization's specific circumstances. Here are typical scenarios and the matching models.

Cloud Is Probably the Better Choice If...

  • Your organization doesn't operate its own IT infrastructure or the IT department is already at capacity.
  • You need to start quickly and don't have time for server setup and configuration.
  • Your team works remotely and location-independent access is important.
  • The managed data is confidential but not highly sensitive (for example, an ISMS in the setup phase without incident reports).
  • The provider is demonstrably trustworthy, is headquartered in the EU, and can demonstrate ISO 27001 certification.

Self-Hosted Is Probably the Better Choice If...

  • Regulatory or contractual requirements stipulate that certain data must not leave your own network.
  • You work in an industry where data sovereignty is particularly critical (defense, healthcare, critical infrastructure, public administration).
  • You already have a well-maintained IT infrastructure and adding another service won't cause disproportionate additional effort.
  • You want to minimize dependency on an external service provider for your central security management system.
  • The long-term costs of a SaaS solution exceed the budget, especially with many users.

It's Not Black and White

In practice, the decision is often less clear-cut than these scenarios suggest. Many organizations find themselves somewhere in between and must weigh which factors matter most in their situation.

Hybrid Approaches

Beyond the pure cloud and pure self-hosted models, there are intermediate forms that attempt to combine the advantages of both worlds.

Managed Hosting

With this model, the software runs on dedicated infrastructure managed by a hosting provider of your choice. You have more control over location and configuration than with a SaaS solution, but you don't have to worry about daily operations yourself. However, you need a trustworthy hosting partner, and responsibilities must be clearly defined.

Your Own Cloud Environment

Some organizations run self-hosted software in their own cloud environment (AWS, Azure, private cloud). This combines the advantages of self-hosting (your own control, your own security policies) with the flexibility and scalability of the cloud. The prerequisite, however, is that the organization already operates a cloud environment and has the expertise to manage it.

Data Residency with Cloud Providers

Some SaaS providers offer the option to choose the region for data storage: EU-only, Germany-only, or even a specific data center. This addresses part of the data sovereignty concerns but doesn't solve the fundamental issue of access by the provider or their legal jurisdiction.

Decision Matrix

To structure the decision, a weighted assessment of the relevant criteria helps. The following matrix is a starting point that you should adapt to your situation.

Regulatory requirements (weight: high) Are there legal or contractual requirements that mandate a specific data storage approach? If so, this may already determine the decision.

Data sensitivity (weight: high) How critical is the data managed in the tool? An ISMS in the setup phase contains less sensitive information than one that has been in production for years and contains detailed incident reports.

Available IT resources (weight: high) Do you have the personnel and technical resources to operate a self-hosted solution permanently? Honesty is important here. A poorly maintained self-hosted server is less secure than a professionally operated cloud solution.

Budget (weight: medium) Calculate total costs over three to five years, including all hidden costs (infrastructure, personnel, migration).

Speed of deployment (weight: medium) How urgently do you need the solution? If ISO 27001 certification is three months away, the faster availability of a cloud solution may tip the scales.

Vendor lock-in (weight: medium) How easy is it to switch vendors? With self-hosted, you have your data locally and can migrate at any time. With cloud solutions, it depends on the export options.

Scalability (weight: low to medium) How much will your ISMS grow in the coming years? With strong growth, the automatic scaling of a cloud solution can be advantageous.
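The matrix above can be worked through as a weighted scoring with a knockout step: the article notes that a data-residency requirement may decide the question on its own, so it is applied as a hard constraint before any scores are summed. This is an added example, not code from the article or from ISMS Lite; the weight-to-number mapping, the 1 to 5 fit scores and the two sample options are assumptions constructed for illustration.

```python
# Weighted decision matrix for the cloud vs. self-hosted question.
from dataclasses import dataclass

# The article's weight labels mapped to numbers (the mapping is an assumption).
WEIGHT = {"high": 3, "medium": 2, "low": 1}

# The article's seven criteria; "low to medium" for scalability is taken as
# "medium" here (assumption).
CRITERIA = {
    "regulatory_requirements": "high",
    "data_sensitivity": "high",
    "it_resources": "high",
    "budget": "medium",
    "deployment_speed": "medium",
    "vendor_lock_in": "medium",
    "scalability": "medium",
}


@dataclass
class Option:
    name: str
    data_leaves_network: bool   # does ISMS data leave your own network?
    scores: dict                # criterion -> fit score, 1 (poor) to 5 (good)


def weighted_score(option: Option, criteria: dict = CRITERIA) -> int:
    """Sum of fit score x criterion weight; refuses to score an incomplete row."""
    missing = set(criteria) - set(option.scores)
    if missing:
        raise ValueError(f"{option.name}: no score for {sorted(missing)}")
    return sum(option.scores[c] * WEIGHT[w] for c, w in criteria.items())


def rank_options(options, data_must_stay_in_network: bool = False) -> list:
    """Knockout first (a residency requirement removes options outright),
    then rank whatever is left by weighted score, best fit first."""
    eligible = [o for o in options
                if not (data_must_stay_in_network and o.data_leaves_network)]
    return sorted(eligible, key=weighted_score, reverse=True)


# Constructed sample scores for one hypothetical organisation (not the article's).
CLOUD = Option("cloud", True, {
    "regulatory_requirements": 2, "data_sensitivity": 2, "it_resources": 5,
    "budget": 3, "deployment_speed": 5, "vendor_lock_in": 2, "scalability": 5,
})
SELF_HOSTED = Option("self_hosted", False, {
    "regulatory_requirements": 5, "data_sensitivity": 5, "it_resources": 2,
    "budget": 4, "deployment_speed": 2, "vendor_lock_in": 5, "scalability": 3,
})


def ranked_names(data_must_stay_in_network: bool = False) -> list:
    """Names of the eligible options, best fit first."""
    return [o.name for o in rank_options([CLOUD, SELF_HOSTED], data_must_stay_in_network)]


if __name__ == "__main__":
    for o in (CLOUD, SELF_HOSTED):
        print(f"{o.name}: {weighted_score(o)}")
    print("ranking:", ranked_names())
    print("ranking with residency requirement:", ranked_names(True))
```

Changing the sample scores for `it_resources` or `deployment_speed` is the quickest way to see how the ranking shifts for an organisation with a stretched IT department or a close certification deadline.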

What to Look for with Both Models

Regardless of whether you choose cloud or self-hosted, there are quality characteristics that should be met in any case.

Encryption. Data should be encrypted both in transit (TLS) and at rest (encryption at rest). For cloud solutions, ask who manages the keys. For self-hosted, you're responsible for this yourself.

Access control. Role-based permissions that ensure each user can only access the data relevant to them. Multi-factor authentication should be available at minimum as an option.

Backup and recovery. How are backups created, where are they stored, and how quickly can restoration occur in an emergency? With cloud solutions, this is often included; with self-hosted, you must set it up yourself.

Audit trail. Who changed what and when? A complete change history is important not only for audits but also for internal traceability.

Full data export. Regardless of the hosting model, you must be able to export all data completely and in an open format. This criterion is non-negotiable.

ISMS Lite takes a consistent self-hosted approach: the software runs on your infrastructure, your data doesn't leave your network, and you retain full control over operations and data storage. At 500€/year for a subscription or 2,500€ as a one-time purchase, it's priced well below most SaaS alternatives, with no seat licenses or hidden costs. Whether this model fits your situation depends on the factors described above.

Conclusion: Making a Conscious Decision

The question of the hosting model for compliance software is not a side issue and not a purely IT topic. It's about where the most sensitive information about your organization's security posture is stored, who can access it, and under what legal framework this happens.

Both models have their merits. A cloud solution with a trustworthy European provider with proven security competence can be an excellent choice. A self-hosted solution on well-maintained, in-house infrastructure equally so. It only becomes problematic when the decision is made unreflectively — when cloud is chosen because it's "easier" without considering the implications for data sovereignty, or when self-hosting is chosen even though the resources for secure operations are lacking.

Take the time to evaluate the relevant factors for your organization. Involve not only IT but also the data protection officer, the legal department, and management. The decision about the data sovereignty of your compliance infrastructure is a strategic decision that deserves attention at the right level.
