---
canonical: https://enum.co/kubernetes-nis2-dora
locale: en
---
**Sovereign Kubernetes**

# Sovereign Kubernetes for NIS2 and DORA.

What the regulations require of your cloud infrastructure, and how a sovereign European Kubernetes platform satisfies them by construction.

NIS2 and DORA require operators of essential and financial entities to manage ICT third-party risk, keep data inside a legally defensible jurisdiction, and avoid dependencies that a foreign government can compel. A sovereign European Kubernetes platform operated by a German GmbH under German and EU law, with no US parent and no US subprocessors, satisfies these requirements structurally rather than contractually. enum Kubernetes Engine is such a platform: upstream Kubernetes with an HA control plane, run in Frankfurt, with no US CLOUD Act exposure.


### Frequently asked questions


**Does NIS2 require cloud providers to be EU-based?**
NIS2 does not explicitly mandate EU-based providers, but it makes operators of essential services responsible for the security of their supply chain, including cloud. A provider subject to the US CLOUD Act introduces a jurisdictional risk the operator cannot fully control. A sovereign EU provider like enum removes that risk structurally, which is the defensible posture under NIS2.

**Is enum Kubernetes Engine DORA-compliant?**
DORA does not certify products; it imposes obligations on financial entities and their ICT providers. enum is a German GmbH operating in Frankfurt under German and EU law, with no US subprocessors and no transatlantic data flows, which aligns structurally with DORA's ICT third-party risk, audit, and exit-planning requirements. enum is a platform you can build a DORA-compliant posture on, not a DORA certification holder.

**What is the difference between an EU region and an EU provider?**
An EU region is a data-center location. An EU provider is a company whose corporate jurisdiction sits inside the EU. The US CLOUD Act and FISA Section 702 apply to the corporate entity, not the region, so a US company's EU region is still subject to US lawful-access mechanisms. enum is a German GmbH with no US entity, so its Frankfurt region is covered by German and EU law only.

**How does enum help with DORA exit planning?**
DORA requires financial entities to plan for exiting an ICT provider without disruption. enum runs upstream, unmodified Kubernetes, so manifests, Helm charts, and GitOps pipelines are portable and not locked into a proprietary API. enum object storage is S3-API compatible, so data is movable with standard tools. Portability is the foundation of a credible exit plan.

**Does enum hold ISO 27001 or BSI C5 certification?**
enum's Frankfurt data center is a Tier III+ facility with ISO 27001 and EN50600 certification at the facility level. enum's own ISO 27001 certification is in progress with a target of Q4 2026, and BSI C5 is on the roadmap. We do not state either as achieved until the audit is complete.

**Can regulated workloads run on enum today?**
Yes. enum is a German GmbH operating in Frankfurt under German and EU law, with an HA Kubernetes control plane, its own network (AS215998), and no US dependencies. Teams in FinTech, HealthTech, and public-sector-adjacent sectors run regulated workloads on enum today. NIS2 and DORA readiness is a structural property of where the company and data sit.

### Sovereignty is structural, not contractual

The difference between a promise and a guarantee is where the company and the data sit.

- **German GmbH, German contracts**: enum is operated by enum GmbH under German and EU law. Contracts, governance, and lawful-access regime all sit inside the EU.
- **Frankfurt data center**: Data resides in a Tier III+ facility in Frankfurt, Germany. The physical location, the corporate jurisdiction, and the network are all EU-only.
- **CNCF Silver Member**: enum is a CNCF Silver Member and a Linux Foundation member, anchored in the open-source standards that make Kubernetes portable and auditable.

Selecting an EU region at a US-headquartered provider does not change the jurisdiction of the company holding the data. The US CLOUD Act and FISA Section 702 apply to the corporate entity, not the region. For a workload governed by NIS2 or DORA, the defensible posture is a provider whose entire corporate structure sits inside the EU. enum is such a provider: a German GmbH, in Frankfurt, with no US entity and no US subprocessors.


### What NIS2 and DORA require of cloud infrastructure

Both regulations put the infrastructure layer at the centre of compliance, not at the edge.

- **ICT third-party risk (DORA)**: DORA makes financial entities responsible for the ICT services they depend on. A Kubernetes platform must be operable under a contract that lets the entity meet DORA's audit, incident-reporting, and exit-planning obligations, and the provider must not introduce jurisdictional risk the entity cannot control.
- **Supply-chain security (NIS2)**: NIS2 holds operators of essential services accountable for the security of their supply chain, including cloud providers. The provider's corporate jurisdiction and data location become part of the operator's risk surface, not a detail outsourced to procurement.
- **Data location and lawful access**: Both frameworks expect data to sit in a jurisdiction whose lawful-access regime is compatible with EU law. A provider subject to the US CLOUD Act or FISA Section 702 can be compelled to hand over data stored in the EU, which is hard to reconcile with a defensible NIS2 or DORA posture.
- **Resilience and incident response**: NIS2 and DORA both require resilience and fast incident response. The underlying platform must offer high availability, clear escalation paths, and an infrastructure operator you can reach under EU law.

### How a sovereign EU Kubernetes platform satisfies them

enum maps each requirement to a structural property of the platform.

- **Jurisdiction by construction**: enum is a German GmbH (HRB 121362, Cologne) operating in Frankfurt under German and EU law only, with no US parent and no US subprocessors. The jurisdiction is the company, not a region selection.
- **No CLOUD Act, no FISA 702**: Because enum has no US entity, it is not subject to the US CLOUD Act or FISA Section 702. Foreign authorities cannot compel access to data held by enum through US legal mechanisms.
- **EU-only data flows**: All infrastructure runs in a Tier III+ data center in Frankfurt. No transatlantic data flows, no Schrems II exposure, no reliance on adequacy decisions or Standard Contractual Clauses that can be invalidated.
- **HA control plane included**: Every cluster gets an isolated, highly available control plane across independent failure domains, with automatic failover and zero-downtime upgrades, at no per-cluster-hour charge. Resilience is built in, not a paid tier.
- **Own network, EU peering**: enum operates its own Autonomous System (AS215998, RIPE NCC) with its own IP ranges and direct peering at European Internet Exchanges. Network control sits inside the EU and is publicly verifiable on PeeringDB.
- **Upstream Kubernetes, no fork**: Standard upstream Kubernetes with no fork means portable workloads, no lock-in, and an exit path that DORA's resolution-and-exit-planning requirements expect. Manifests, Helm charts, and GitOps pipelines move with you.

