Part III: Sovereignty by Design: How Self-Hosting Puts European Businesses Back in Control

Sovereignty is not a vendor sticker. It is a property of the architecture you choose. And in 2026, one of the most effective things a business can do to align its architecture with the new European reality is to bring its secure access infrastructure back inside its own perimeter.

In the first two posts in this series (which you can read here and here), we laid out the case Europe has been quietly making to itself: that “where the bytes sit on disk” is no longer a sufficient definition of sovereignty, and that for businesses operating in or selling into the EU, dependence on a small number of US-headquartered providers has become a strategic, regulatory, and operational risk all at once.

This post is about what to do about it — specifically at the secure access layer, where the cost of getting it wrong is high, and the cost of getting it right is surprisingly low.

What self-hosted actually buys you

When most people hear “self-hosted,” they think of a server humming under a desk. That hasn’t been an accurate picture for a long time.

A modern self-hosted VPN, like Access Server, is software you deploy and operate on infrastructure you control. That infrastructure can be a server in your own data center, a Linux VM in a European sovereign cloud provider, a hyperscaler region you’ve already committed to, an on-premises appliance, a private cloud, or a hybrid mix of all of the above. The shape of the deployment is your call. What matters is what stays inside your perimeter.

With Access Server, that includes:

  • The management layer. The Admin Web UI, your access control policies, your authentication integrations — all running on infrastructure you own and operate.
  • The certificates and authentication. Certificate authority, authentication, and configuration data stay under your operational control. Access Server manages VPN certificates locally by default, can integrate with your own PKI, and supports the identity systems you choose.
  • The logs. You decide what is collected, where it is stored, and how long it is retained. That is a GDPR position, an NIS2 position, and a Data Act position all at the same time.
  • The traffic. VPN tunnel sessions travel directly between your users and your Access Server. There is no SaaS control plane sitting in a foreign jurisdiction that has to terminate, broker, or even see your traffic.

That is what “sovereign by design” looks like at the access layer. It isn’t a fluffy marketing claim that someone came up with. Rather, it’s a list of things that physically and legally cannot be touched by anyone you have not granted access to.

How it maps to the European regulatory environment

Each of the major regulations we covered in the previous posts touches the secure access layer in concrete ways. A self-hosted Access Server deployment gives you defensible answers in each case.

  • GDPR and the EU Data Act. Because the system runs inside your jurisdiction and your control, you do not depend on a third-country provider’s commitments to keep personal data from being unlawfully accessed by a foreign government. The CLOUD Act problem we covered in post two simply does not apply to infrastructure that no US-controlled vendor has authority over. Read about OpenVPN’s GDPR posture.
  • NIS2. The directive’s supply chain security expectations get easier to meet when your secure access vendor relationship is software, not service. Access Server is built on open-source code, which means independent audit is possible (and done often) — which is useful for both procurement questionnaires and internal risk reviews. Incident reporting timelines (24-hour early warning, 72-hour notification) are easier to hit when your security team has full visibility into the systems sitting between users and applications, instead of waiting on a SaaS vendor’s status page. See our full compliance summary.
  • The Cloud Sovereignty Framework. The Commission’s framework scores providers across criteria, including legal jurisdiction, operational control, and supply chain transparency. A self-hosted deployment running on EU infrastructure under your operational control scores well on the dimensions that matter most.
  • Vendor switching and lock-in. Because Access Server is built on the open-source OpenVPN protocol — the same protocol supported by virtually every modern firewall, router, and operating system — your secure access infrastructure does not become a one-way trip. Plus, OpenVPN is a point solution, not part of a greater platform that locks you in. You have flexibility in every aspect available. The EU Data Act’s switching provisions push the rest of your stack in this direction. Your VPN should already be there.

What you actually get, in practical terms

The product specifics matter because “sovereign” can’t come at the cost of “usable.” Access Server is designed for businesses that need to run a real network, at real scale, without an outsized operations team or major slowdowns (hello, DCO!).

A few of the capabilities that tend to matter most in sovereignty-driven deployments:

  • Zero Trust capabilities. Per-user, per-group access policies that limit each session to exactly the resources it needs — supporting network segmentation patterns that map cleanly to NIS2 expectations. See our overview of Zero Trust Network Access and 7 ZTNA best practices for SMBs for more information.
  • Domain routing. Introduced in Access Server 3.1.0, domain routing lets you define access policies by domain name, which simplifies secure access to SaaS, cloud-hosted, and internal applications without having to maintain brittle IP allowlists.
  • Clustering and high availability. Multi-node clustering keeps the service running through hardware failures and maintenance windows, which is important when your VPN is the front door to everything. Plus, DCO (Data Channel Offload) runs VPN encryption in kernel space, so there are fewer context switches, which results in lower CPU overhead, higher throughput, and lower latency.

  • Flexible authentication. Integration with your existing identity provider (including major EU-headquartered identity vendors), MFA, and certificate-based authentication.
  • Deploy where you want. On-prem, in your own data center, in a European sovereign cloud, on AWS or Azure if those are where your workloads happen to live, or any combination. The deployment target is your decision, not the vendor’s.
  • A clear commercial model. Standard subscription licensing, plus pay-as-you-go options on AWS Marketplace and Microsoft Marketplace for teams who want to start small, scale up, and draw down existing committed spend through a single cloud invoice. No control plane to lose access to if a renewal stalls.

The point is not that Access Server is the only piece of a sovereign architecture. It is that it is one of the few places in a typical enterprise stack where you can move from “dependent” to “in control” without rebuilding your business. You can even see for yourself here how one regulated business did it.

A pragmatic place to start

Most European businesses we talk to are not planning to rip out their hyperscaler footprint overnight, and they shouldn’t. The transition to a more sovereign architecture is a multi-year program, and the pieces that get tackled first should be the ones where the risk-to-effort ratio is best.

The secure access layer is consistently near the top of that list, for three reasons.

First, the blast radius is large. Every employee, every contractor, every site-to-site tunnel, every cloud workload’s management plane — all of it flows through this layer. Getting it inside your perimeter removes a category of risk that touches everything else.

Second, the migration is bounded. Unlike replatforming a customer database or switching identity providers, replacing a SaaS VPN with a self-hosted one is a project a competent IT team can plan, execute, and close out in weeks, not quarters.

Third, the regulatory wind is at your back. Procurement teams across the EU are increasingly being asked to score vendors on jurisdictional exposure. A self-hosted access architecture is one of the clearest, easiest-to-explain answers you can give them.

The bottom line

The European market is no longer asking businesses whether they are compliant. It is asking whether they are in control.

Sovereignty by design is not about turning your back on the global cloud — it is about being deliberate about which layers of your stack you are willing to outsource and which ones you are not. For a growing number of European IT and business leaders, secure access has moved firmly into the second category.

If you are working through that decision right now, we’d like to help. Access Server is built for exactly this conversation: a self-hosted, business-grade secure access solution that runs on your infrastructure, under your control, on your terms.

The European sovereignty story in 2026 is, in the end, about who gets to make the decisions that shape your business. We think that should be you.
