AWS European Sovereign Cloud receives first compliance certifications

The AWS European Sovereign Cloud has received SOC-2 and C5 reports, as well as seven ISO certifications. The attestations cover 69 services.

The AWS European Sovereign Cloud, available since January 2026, has reached its first compliance milestone. Amazon Web Services (AWS) has obtained SOC-2 and C5 Type 1 attestations, along with seven ISO certifications for the cloud platform, which is physically and logically separated from regular AWS regions. The attestations cover a total of 69 services.

As AWS explains in a post on the AWS Security Blog, the SOC-2 Type 1 report covers the criteria of security, availability, and confidentiality. The auditors also mapped the controls to the in-house Sovereign Reference Framework (ESC-SRF), which covers governance, operations, data residency, and isolation. The C5 Type 1 report attests conformity with the Cloud Computing Compliance Controls Catalogue of the Federal Office for Information Security (BSI) – both basic and additional criteria were audited.

In addition to the attestation reports, AWS has simultaneously obtained seven ISO certifications for the European Sovereign Cloud: ISO 27001:2022 (Information Security), ISO 27017:2015 (Cloud Security), ISO 27018:2019 (Protection of Personally Identifiable Information in Public Clouds), ISO 27701:2019 (Privacy Management), ISO 22301:2019 (Business Continuity), ISO 20000-1:2018 (IT Service Management), and ISO 9001:2015 (Quality Management). All reports and certificates are available to customers via AWS Artifact.

The certifications are particularly relevant for authorities and regulated industries in Europe that need to use cloud services under strict data residency and security requirements. The BSI's C5 catalogue is considered a key standard in Germany for evaluating cloud providers.

The European Sovereign Cloud is set up as its own partition (aws-eusc) with the region eusc-de-east-1 in Brandenburg. It features separate IAM accounts, its own billing systems in Euros, and a dedicated Security Operations Center staffed exclusively by EU residents. There is no cross-region data traffic to other AWS partitions; even metadata remains within the EU infrastructure.

However, whether the complete decoupling of the Sovereign Cloud meets the BSI's requirements in practice has not yet been independently verified. The certifications presented now are Type 1 reports, which assess the design and implementation of controls at a specific point in time. The more complex Type 2 audits, which demonstrate operational effectiveness over a longer period, are still pending.

AWS described the certifications as proof that the company is striving to earn customer trust. The company has announced that it will continuously expand the compliance portfolio for the European Sovereign Cloud.

(fo)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.