January 17, 2026 · privacy · legal · security

The journey of a file - part 2

By tracing a file’s journey through eleven transit points, this article exposes the (hidden) reach of U.S. jurisdiction

This article is part of the series The journey of a file – The risk of US access.


In this part of our series we have a look at the next two transit points:
company networks/remote workspaces and the identity access layer.

Transit point 2: Networks/remote workspaces

The shift toward hybrid work has fundamentally changed how corporate data moves,
making the network and remote workspace layer a critical transit point for
sensitive information.

Today, organizations primarily rely on two technological frameworks to
facilitate remote access: Virtual Desktop Infrastructure (VDI) and Virtual
Private Networks (VPNs). While these solutions are often used in combination,
they are based on distinct architectures and introduce different jurisdictional
and operational risk profiles.

In a VDI environment (using platforms such as Citrix Workspace, VMware Horizon
or Microsoft Remote Desktop Services) applications and data typically remain
within a centralized data center or cloud environment. The user’s local device
functions primarily as a terminal, receiving a rendered session rather than
processing data locally. By contrast, a VPN establishes an encrypted tunnel that
allows a remote device to connect directly to the corporate network. Under this
model, data is more frequently accessed, stored, or processed on the employee’s
local machine. While VDI is often preferred for its ability to
centralize data, both approaches rely heavily on vendor-controlled
infrastructure and software layers.

This reliance creates a structural exposure to international legal reach. Many
dominant VDI and VPN providers are headquartered in the United States
and are therefore subject to US legal frameworks such as the CLOUD Act and
Section 702 of the Foreign Intelligence Surveillance Act (FISA). Under these
regimes, US authorities can compel service providers to provide access to data
under their control, including data associated with non-US customers and, in
some cases, data processed or managed outside the United States.

The scope of such access may extend beyond content to include metadata and
operational logs, such as connection timestamps, user identifiers, and session
characteristics. In managed VDI environments, providers may retain visibility
into parts of the management or control plane, which can reveal organizational
structures, access patterns, and workflow dependencies. While this does not
imply routine inspection, it introduces a jurisdictional exposure that may be
invisible to the customer organization.

Operational continuity presents a related but distinct risk. Modern remote
workspace platforms increasingly depend on cloud-verified licenses, identity
services, and periodic validation checks with vendor infrastructure. This design
gives providers the technical ability to suspend or terminate services in
response to legal, contractual, or policy changes. Recent geopolitical
developments and sanctions regimes have demonstrated that software access and
licenses can be revoked at short notice. For European organizations, this
creates a non-theoretical risk that remote work capabilities could be disrupted
due to decisions taken outside their legal or political control.

Market consolidation

These concerns are compounded by significant market consolidation. Many VPN and
remote access brands operate under shared ownership structures, despite
presenting themselves as independent services. This consolidation can enable
internal data sharing between subsidiaries and parent companies under broader
corporate privacy policies. In some cases, ownership overlaps between service
providers and review or comparison platforms further complicate independent
risk assessment.

In conclusion, as remote access becomes a permanent component of the corporate
environment, the choice of network and workspace layer is no longer purely
technical. Organizations must balance usability and scale against jurisdictional
exposure and dependency on foreign-controlled infrastructure. Assessing provider
ownership, legal obligations, and architectural control points is essential for
maintaining digital sovereignty in a hybrid work context.

European alternatives

As concerns around jurisdiction, transparency, and long-term control grow, a
diverse European ecosystem has emerged across VPN, VDI, and remote workspace
technologies. Rather than relying on a small number of U.S.-based hyperscalers,
European organizations increasingly turn to providers that operate under EU or
closely aligned legal frameworks, emphasize strict no-logs policies, and
maintain transparent ownership structures.

1. European VPN Alternatives

European VPN providers such as Mullvad (Sweden), Proton VPN
(Switzerland), IVPN (Gibraltar/EU), and AirVPN (Italy) exemplify this approach.
While differing in technical implementation, these providers share common
principles: minimizing data collection, operating under strong European privacy
regimes, and publicly committing to transparency through audits, open
documentation, or activist-driven governance models. Together, they illustrate
that privacy-preserving network transit can be delivered without dependency on
U.S. or Chinese infrastructure.

2. European VDI & Remote Workspace Alternatives

The landscape for Virtual Desktop Infrastructure (VDI) and remote workspaces is
more complex, as these systems require substantial backend infrastructure and
tight integration with enterprise environments. Nonetheless, several
European-based providers offer sovereign or regionally controlled alternatives
to dominant US platforms such as Microsoft and Citrix. Solutions from companies
like UDS Enterprise, OVHcloud, T-Systems, and Scaleway illustrate a growing market for European-owned VDI and remote desktop
offerings. These platforms are typically positioned around “sovereign cloud”
principles, ensuring that software development, hosting infrastructure,
administrative access, and legal accountability remain within European borders.
For regulated industries and public-sector organizations in particular, such
solutions offer a way to maintain remote work capabilities while aligning with
European data-residency and governance requirements.

3. Open-Source and Self-Hosted Options

For organizations seeking the highest degree of control, open-source and
self-hosted solutions provide an additional path toward digital sovereignty.
Technologies such as WireGuard enable enterprises to deploy
high-performance VPN infrastructure entirely on their own hardware, eliminating
reliance on third-party transit providers. Similarly, platforms like Nextcloud
Hub demonstrate how collaboration and productivity environments can be operated
as locally hosted, European-controlled alternatives to US-based SaaS
ecosystems. While these approaches demand greater operational maturity, they
significantly reduce dependency on external vendors and remove the risk of
unilateral service withdrawal or extraterritorial legal interference.

European law proposals (with VPN impact)

However, this risk is no longer confined to the US context. In parallel,
European and UK policymakers are reassessing the role of anonymity, encrypted
transport layers, and location-obscuring technologies within new safety,
law-enforcement, and identity frameworks. While the legal logic differs, recent
developments suggest a growing willingness in Europe to assert regulatory
control over the same network layers that are often assumed to be structurally
sovereign.

VPNs, long positioned as tools for privacy and security, are increasingly viewed
by policymakers as technologies that can undermine new online safety and
enforcement regimes. While neither the UK nor the EU has introduced an outright
ban, both are developing legal frameworks that could significantly affect the
operation of “no-log” VPN services.

United Kingdom: Online Safety and Age Assurance

In the UK, regulatory attention is largely driven by enforcement of the Online
Safety Act (OSA). Since the introduction of mandatory age verification
requirements for certain online services in 2025, authorities have reported a
substantial increase in VPN usage, particularly around enforcement periods.
Regulators interpret this trend as evidence that some users are using VPNs to
bypass location-based age assurance mechanisms.

In response, Ofcom has expanded its monitoring and evidence-gathering
activities, drawing on traffic analysis, platform data, and
third-party market intelligence. A report examining the interaction between VPN
usage and the effectiveness of age assurance measures is expected in May 2026,
followed by a broader review later in the year.

Alongside this, legislative attention has turned to the Children’s Wellbeing and
Schools Bill. Amendments proposed in late 2025 would require VPN providers
operating in the UK to implement “highly effective” age assurance measures. In
practice, this could mean identity or age verification before VPN services can
be accessed. While the government has stated that it is not pursuing a general
ban on VPNs, it has warned that services actively promoting VPN use to
circumvent UK law could face enforcement action.

European Union: Metadata Access and Anonymity

In the EU, the regulatory focus is broader and more structural. As part of the
ProtectEU internal security strategy, the European Commission’s June 2025
roadmap includes data retention as a key area for reform, with an impact
assessment completed and a legislative proposal expected around mid-2026. This
proposal would require certain digital service providers (including VPNs) to
retain traffic and location metadata for law-enforcement purposes. If adopted,
this would be incompatible with strict “no-log” operating models.

At the same time, negotiations on the Child Sexual Abuse Regulation (CSAR) have
continued into 2026. While earlier proposals for mandatory scanning of
encrypted communications were softened, the current approach emphasizes risk
mitigation. VPNs are increasingly discussed as services that may fall into
higher-risk categories, potentially leading to additional obligations to
support lawful investigations.

In parallel, the EU is preparing for the rollout of the European Digital
Identity Wallet, which member states must make available by the end of 2026.
The Commission positions the wallet as a standardized mechanism for identity
and age verification. Its broader adoption could reduce reliance on
location-based workarounds, while also making anonymous access to online
services more difficult to sustain.

Conclusion

For VPN providers, 2026 marks a period of strategic uncertainty rather than
immediate prohibition. Both the UK and the EU are moving toward regulatory
models that emphasize age assurance, traceability, and lawful access to
metadata. These developments do not eliminate VPNs, but they do challenge
privacy-maximizing designs, particularly “no-log” architectures. Providers
operating in these jurisdictions may increasingly face a choice between adapting
to verification and retention requirements or limiting their services
geographically.

Example 1: FBI operation against Volt Typhoon botnet

A clear real-world example of network-layer intervention by U.S. authorities is
the 2023–2024 Volt Typhoon case, in which the FBI, under a December 2023 secret
court-authorized warrant issued by a federal magistrate in Texas, remotely
accessed and cleaned malware from hundreds of Cisco and Netgear home and
small-office routers infected with the KV Botnet. The malware had been used by
Chinese state-linked hackers to disguise and relay intrusions into U.S. critical
infrastructure.

In this operation, the FBI deleted the malicious code and blocked its
communications with the botnet’s control servers without the consent of the
device owners, relying on the court order to make the action legal.

While the stated intention was to protect citizens and U.S. infrastructure from
foreign malware, the case also highlights the broader authority that U.S.
government and intelligence agencies can wield at the network layer,
effectively reaching into private network devices to modify or remove software.

Expanding legal definition

This authority was based on an expansion of Federal Rule of Criminal Procedure
41, which traditionally governs search and seizure warrants; critics argue that
using a criminal warrant to authorize nationwide hacking stretches the original
legal framework, since Rule 41 was designed for probable-cause searches of
individual devices, not mass remote access.

The concern is that if such warrants can be used to justify broad interventions
into networked devices, the same legal theory could, in principle, be applied
far beyond serious national-security threats, raising questions about scope,
oversight, and civil liberties.

Example 2: SolarWinds Supply-Chain Attack (2020–2021)

A prominent example illustrating the interaction between the network layer and
the access layer is the SolarWinds supply-chain attack, publicly disclosed in
late 2020 and investigated throughout 2021. SolarWinds’ Orion platform functions
as network-monitoring software deeply embedded in enterprise IT infrastructures,
providing visibility, authentication support, and automated patching across
internal networks and cloud environments.

By compromising SolarWinds’ software update mechanism, the threat actor inserted
malicious code that was digitally signed and distributed to thousands of
customers, granting trusted network-level access inside government agencies and
private companies worldwide. Once inside, the attackers
exploited systemic weaknesses in Windows authentication and identity federation,
allowing lateral movement across internal networks and into cloud environments
while bypassing multifactor authentication, effectively collapsing the boundary
between network trust and access control.

Transparency hesitation

Despite the unprecedented scale and severity of the breach, post-incident
investigations revealed hesitancy among some organizations to fully disclose
details of the intrusion. Witnesses later cited concerns about legal liability
and the risk of “victimizing victims” by publicly naming affected entities.
This reluctance persisted even though the Cybersecurity Information Sharing Act
(CISA) of 2015 explicitly provides liability protections to encourage companies
to share cyber-threat indicators and defensive measures with government
agencies and other firms, provided that sharing follows statutory protocols.
The SolarWinds case therefore highlights not only technical vulnerabilities at
the network and access layers, but also institutional and legal frictions that
can limit transparency, even when legal frameworks are designed to promote it.

Duality

This SolarWinds incident highlights that private companies operating critical
infrastructure software are not always fully transparent about breaches, even
when legal frameworks such as the Cybersecurity Information Sharing Act
(CISA) exist to encourage disclosure. Because companies may withhold
information, there are risks to broader network security, and political or
regulatory pressures could be used to further incentivize or legally obligate
transparency.

This dynamic creates a duality: expanding governmental access and influence can
help detect intrusions, mitigate systemic cybersecurity risks, and protect both
public and private actors from sophisticated state-sponsored attacks, but it
also introduces potential downsides.

Greater technical and legal reach by the U.S. government can expose European
companies and citizens reliant on U.S.-based technology and cloud
infrastructure to jurisdictional and political risks, highlighting the tension
between security benefits and concerns over sovereignty, oversight, and
unintended exposure.

Transit Point 3: Identity & Access Management (IAM)

Moving deeper into the architecture of modern digital ecosystems, we arrive at
Transit Point 3: the IAM Layer. If the first transit points on the journey of
the file we are following represent physical and network infrastructure, this
IAM transit point serves as the critical gatekeeper: the intelligent filter
that determines not just who a user is, but exactly what they are permitted to
do once they cross the threshold. In an era where identity is the new
perimeter, IAM has become a primary defense against data breaches, as it is far
easier for a malicious actor to steal a credential than to bypass a firewall.

In business contexts, IAM is the “connective tissue” between a digital presence
and operational security. It governs every interaction between humans or
machines and corporate resources: from a remote employee logging into a VPN to a
customer subscribing to a SaaS service. At its core, IAM authentication ensures
the right entities have access to the right resources at the right time for the
right reasons.

Authentication Methods and Risks

To reduce friction for users, organizations increasingly adopt Single Sign-On
(SSO) and social logins (e.g., “Sign in with Google” or “Login with Facebook”).
While these solutions simplify access and improve conversion rates, they
introduce a systemic risk: the “master key” problem. If a user’s primary social
or SSO account is compromised, the breach propagates across all connected
services.

Password-based IAM remains widespread, but many users reuse weak or non-unique
passwords and fail to enable two-factor authentication. To mitigate these
risks, modern IAM frameworks integrate secondary verification methods such as
biometrics, time-based one-time passwords (OTP), and physical hardware tokens
(like YubiKeys). These additional layers help prevent a compromised password
from granting unrestricted access.

Increasingly, organizations are adopting passkeys, which replace shared secrets
with device-bound, asymmetric cryptographic credentials. Passkeys authenticate
users through a private key stored locally on the device, often unlocked with
biometrics or a PIN. This eliminates the need for passwords and significantly
reduces exposure to phishing and credential reuse. However, in practice,
passkey ecosystems are tightly integrated with platform-managed synchronization
and recovery services (Apple, Google, Microsoft), introducing dependencies
outside the organization’s control. While avoiding traditional key escrow,
these services create a de facto escrow-like dependency and concentrate trust
in foreign cloud providers.
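
The phishing and credential-reuse resistance described above can be seen in a small simulation, added here as an illustration and not taken from the original article. It is a simplified passkey login, not the full WebAuthn protocol: the class names and hostnames are constructed, the device signs a JSON blob of challenge and origin, and site scoping is plain hostname equality.

```javascript
// Added illustration: a simplified passkey login, NOT the full WebAuthn protocol.
const { generateKeyPairSync, sign, verify, randomBytes } = require("node:crypto");

// The authenticator (phone, laptop, hardware token) keeps one private key per site.
class Authenticator {
  constructor() {
    this.credentials = new Map(); // site hostname -> private key
  }

  // Registration: create a key pair scoped to the site; only the public key leaves.
  register(origin) {
    const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.credentials.set(new URL(origin).hostname, privateKey);
    return publicKey;
  }

  // Login: `origin` is supplied by the browser, not typed by the user.
  // Simplification (assumption): hostname equality instead of WebAuthn's RP ID rules.
  getAssertion(origin, challenge) {
    const privateKey = this.credentials.get(new URL(origin).hostname);
    if (!privateKey) return null; // no credential exists for this site
    const clientData = JSON.stringify({ challenge, origin });
    return { clientData, signature: sign("sha256", Buffer.from(clientData), privateKey) };
  }
}

// The relying party (the service being logged into) stores public keys only.
class RelyingParty {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> public key
    this.pending = new Map();    // user -> outstanding challenge
  }

  enroll(user, publicKey) {
    this.publicKeys.set(user, publicKey);
  }

  newChallenge(user) {
    const challenge = randomBytes(32).toString("hex");
    this.pending.set(user, challenge);
    return challenge;
  }

  verifyAssertion(user, assertion) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // a challenge is valid for one attempt only
    const publicKey = this.publicKeys.get(user);
    if (!assertion || !expected || !publicKey) return "rejected: nothing to verify";
    const { challenge, origin } = JSON.parse(assertion.clientData);
    if (challenge !== expected) return "rejected: stale or foreign challenge";
    if (origin !== this.origin) return "rejected: wrong origin";
    const data = Buffer.from(assertion.clientData);
    const valid = verify("sha256", data, publicKey, assertion.signature);
    return valid ? "accepted" : "rejected: bad signature";
  }
}

function runPasskeyDemo() {
  const site = "https://portal.example.test";      // constructed hostname
  const lookalike = "https://portal.examp1e.test"; // constructed look-alike hostname
  const rp = new RelyingParty(site);
  const device = new Authenticator();
  rp.enroll("alice", device.register(site));

  // 1. Normal login on the genuine site.
  const first = device.getAssertion(site, rp.newChallenge("alice"));
  const genuine = rp.verifyAssertion("alice", first);

  // 2. A look-alike site passes on a fresh challenge. The device holds no key
  //    for that hostname, so there is no secret the user could be talked into giving up.
  const phished = device.getAssertion(lookalike, rp.newChallenge("alice"));
  const viaLookalike = rp.verifyAssertion("alice", phished);

  // 3. A previously captured assertion is presented against a new challenge.
  rp.newChallenge("alice");
  const replayed = rp.verifyAssertion("alice", first);

  // 4. The server's public-key table is of no use for logging in:
  //    a signature made with any other private key does not verify.
  const other = new Authenticator();
  other.register(site);
  const forged = rp.verifyAssertion("alice", other.getAssertion(site, rp.newChallenge("alice")));

  return { genuine, viaLookalike, replayed, forged };
}

console.log(runPasskeyDemo());
```

The private key in `Authenticator` is the asset that platform synchronization and recovery services hold on the user's behalf, which is where the dependency discussed above arises.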

Intermediaries and Platform Dependencies

Password managers increasingly function as a critical intermediary, storing
high-entropy passwords or managing passkey private keys across devices. While
they improve usability and security, they also concentrate trust in a single
custody point. Many widely used solutions are US-based, relying on cloud
synchronization services subject to US jurisdiction. Even with end-to-end
encryption, metadata and recovery mechanisms may fall outside European control.
Organizations can reduce this dependency using European-based or self-hosted
password managers (e.g., Proton Pass, Bitwarden self-hosted, KeePass-based
enterprise integrations), maintaining control over key custody and
infrastructure.

Similarly, most enterprises now rely on IAM/Identity-as-a-Service (IDaaS)
providers rather than building authentication systems in-house. Leading
platforms like Okta, Auth0, and Microsoft Entra ID offer scalability and robust
security features but are predominantly US-based, placing them under US
jurisdiction. This creates legal tension for European companies:
US authorities may compel data disclosure even when data is stored physically in
Europe, potentially conflicting with GDPR and local sovereignty obligations.
Outsourcing identity management to social login or IDaaS providers also means
ceding control over a core security layer. The provider’s business objectives
may not align with a company’s risk management or privacy policies, further
highlighting the need for careful evaluation.

European Alternatives

To address these challenges, a new generation of European IAM solutions has
emerged, including ForgeRock, Corma, and Zitadel (we use self-hosted Zitadel in
our Databeamer application). Many are built on
open-source foundations and support on-premises deployment or hosting within
European cloud environments. Choosing such providers is a strategic decision to
de-risk the identity layer, retain auditability, ensure compliance with European
privacy law, and protect against foreign jurisdictional reach.

The European Digital Identity Wallet

Looking ahead, identity at our Transit point 2 is expanding beyond corporate
environments into the public domain with the introduction of the European
Digital Identity Wallet. Enabled by the eIDAS 2.0 regulation, this initiative
reflects the European Union’s effort to strengthen digital sovereignty by
providing every EU citizen and resident with a secure mobile-based identity
that is recognized across all 27 member states. The wallet is
designed as a unified digital container that can hold a wide range of verified
attributes, including identity documents, driving licenses, academic
credentials, bank account information, and medical prescriptions.

From a business perspective, the EUDI Wallet significantly reduces cross border
friction. Use of the wallet is free and voluntary for citizens, and physical identity documents remain valid. For the private
sector, however, adoption is mandatory. Very large online platforms and
providers of essential services such as banking, energy, and transport will be
required to accept the wallet for authentication. This establishes a
standardized and high assurance trust layer that reduces reliance on custom
verification solutions or weaker social login mechanisms.

For citizens, the primary benefit lies in selective disclosure. Instead of
revealing full identity details when proving eligibility, users can confirm
specific attributes such as age or license validity without sharing additional
personal data. This privacy by design model shifts control back to the
individual and moves away from data driven identity models toward one where the
user retains ownership of their identity information.

Despite these benefits, the move toward a centralized digital identity also
introduces significant risks. From a citizen perspective, a key
concern is the creation of a single point of failure. If
a smartphone is compromised or the wallet infrastructure is breached, a wide
range of legal, financial, and educational information could be exposed. There
are also persistent concerns about state surveillance and tracking. Although the
regulation states that the wallet cannot be used to monitor daily activities,
critics warn that metadata related to when and where the wallet is used could
still enable detailed profiling over time. In addition, there is a risk of
digital exclusion. As the wallet becomes a standard method for accessing
services such as transportation, rentals, or public benefits, individuals who
lack digital skills or choose not to participate may face reduced access to
essential services.

In a broader context, the EUDI Wallet can be seen as the natural culmination of
Layer 2, shifting digital identity away from private US based intermediaries and
into a regulated European framework. While no system is
without risk, the European model is grounded in democratic oversight, legal
transparency, and a balance of powers across multiple national governments and
institutions. This provides stronger checks and accountability than identity
infrastructures governed by a single foreign jurisdiction. As a result, the EUDI
Wallet aligns with a wider movement toward sovereignty by design, where identity
is treated not as a commercial asset, but as a public good and a fundamental
right deserving of long term protection.

Conclusion

The IAM Layer is a cornerstone of modern cybersecurity, balancing usability,
security, and regulatory compliance. Strong authentication methods, device-bound
credentials, and careful provider selection are essential to protect against
credential compromise, phishing, and lateral movement across networks. At the
same time, reliance on cloud and platform providers introduces dependencies and
jurisdictional considerations that European organizations must manage
strategically. Choosing self-hosted or European-based IAM solutions ensures
greater control over infrastructure, identity governance, and compliance, making
the IAM Layer both a functional and legal safeguard in modern digital
ecosystems.

Examples transit point 3 IAM

In practice, identity and access management (IAM) systems are seldom the direct
trigger for government intervention or service disruption. Rather, they function
as the enforcement layer through which legal mandates, court orders, or national
security directives are executed. IAM platforms provide the mechanisms to grant,
restrict, or revoke access in response to external legal obligations, making
them a critical point of control once a decision has been taken elsewhere.

Within this broader IAM landscape, privileged access management (PAM) plays a
particularly important role. Many incidents involving misuse or unauthorized
access underscore the need to tightly control, monitor, and audit highly
privileged accounts, which have the ability to access sensitive systems and data
across an organization. PAM is therefore essential not only for reducing insider
risk, but also for ensuring accountability when elevated access is required.

Robust auditing and logging capabilities are another foundational aspect of IAM.
Detailed records of who accessed which resources, at what time, and from which
location are central to regulatory compliance, forensic investigation, and the
detection of anomalous behavior. While such logging does not eliminate all forms
of misuse, it provides the visibility necessary to assess risk and respond
effectively when issues arise.
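
A sketch of how such records support review of privileged accounts follows. It is an added example, not part of the original article: the log lines are constructed, and the field layout, the `admin` role name and the 06:00 to 20:00 UTC working window are assumptions.

```javascript
// Constructed audit records for illustration; the field layout is an assumption.
const AUDIT_LOG = [
  "2026-01-12T08:14:03Z user=a.jansen role=user resource=crm/contacts country=NL",
  "2026-01-12T09:02:41Z user=adm.devries role=admin resource=idp/policies country=NL",
  "2026-01-13T10:30:00Z user=adm.devries role=admin resource=idp/signing-keys country=NL",
  "2026-01-14T02:47:19Z user=adm.devries role=admin resource=idp/signing-keys country=US",
  "2026-01-14T02:50 user=adm.devries",
  "2026-01-14T11:05:00Z user=a.jansen role=user resource=files/report.pdf country=DE",
];

const RECORD = /^(\S+) user=(\S+) role=(\S+) resource=(\S+) country=([A-Z]{2})$/;

// Parse one line into who / what / when / where, or null if any part is missing.
function parseRecord(line) {
  const m = RECORD.exec(line.trim());
  if (!m) return null;
  const time = new Date(m[1]);
  if (Number.isNaN(time.getTime())) return null;
  return { time, user: m[2], role: m[3], resource: m[4], country: m[5] };
}

// Walk the log in order and flag privileged access that departs from the
// account's own history, plus any record that cannot be read at all
// (a gap in the audit trail is itself worth a reviewer's attention).
function reviewPrivilegedAccess(lines, options = {}) {
  const privilegedRoles = options.privilegedRoles ?? ["admin"];
  const [startHour, endHour] = options.workHoursUtc ?? [6, 20];
  const seenCountries = new Map(); // user -> Set of countries seen so far
  const findings = [];

  lines.forEach((line, index) => {
    const lineNo = index + 1;
    const rec = parseRecord(line);
    if (!rec) {
      findings.push({ line: lineNo, user: null, reasons: ["unparseable record"] });
      return;
    }
    const known = seenCountries.get(rec.user) ?? new Set();
    const reasons = [];
    if (privilegedRoles.includes(rec.role)) {
      // The first record for an account seeds its baseline and is not flagged.
      if (known.size > 0 && !known.has(rec.country)) {
        reasons.push(`new country ${rec.country}`);
      }
      const hour = rec.time.getUTCHours();
      if (hour < startHour || hour >= endHour) {
        reasons.push("outside working hours");
      }
    }
    known.add(rec.country);
    seenCountries.set(rec.user, known);
    if (reasons.length > 0) {
      findings.push({ line: lineNo, user: rec.user, resource: rec.resource, reasons });
    }
  });
  return findings;
}

console.log(JSON.stringify(reviewPrivilegedAccess(AUDIT_LOG), null, 2));
```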

Finally, IAM systems operate within a broader socio-technical context. Even
well-designed access controls can be challenged by human factors, including
social engineering, exploitation of previously unknown vulnerabilities, or
deliberate circumvention by trusted insiders. As a result, IAM should be
understood not as a standalone safeguard, but as one component of a layered
security and governance strategy.

Example 1: ICC Sanctions

For example, when the United States imposed sanctions on the International
Criminal Court in 2025 after it issued arrest warrants for Israeli leaders,
those legal measures had immediate practical consequences that went beyond
traditional diplomatic pressure. The ICC’s Chief Prosecutor, Karim Khan, saw
his official email account with Microsoft suspended and his bank accounts frozen
as a result of the sanctions, and he lost access to standard
communication and financial services linked to U.S. infrastructure.

Canadian ICC judge Kimberly Prost reportedly lost access to her credit cards
and even saw consumer services like Amazon’s Alexa stop responding because of
her inclusion on the sanctions list, illustrating how legal actions by a
foreign government can disrupt everyday digital access when identity and access
services are controlled within that legal jurisdiction.

These outcomes stem from reliance on U.S.-based platforms and financial systems,
and demonstrate how, in a world where identity and access are deeply integrated
with major cloud and service providers, government-mandated legal access or
blocking of accounts can have sweeping effects on individuals’ ability to
function professionally and personally.

Example 2: Slack’s sanctions‑related account blocks

In another real‑world case highlighting the geopolitical risks of relying on
foreign‑controlled identity and access systems, the workplace communication
platform Slack implemented sweeping account blocks in late 2018 to comply with
U.S. sanctions against Iran. In an effort to align with U.S. trade embargoes and
export control regulations, Slack’s automated compliance changes led to the
deactivation of accounts tied (via geolocation data) to Iran and other
sanctioned regions, even when those users were located elsewhere or had only
briefly visited those countries.

Affected individuals suddenly lost access to their accounts, messages, channels,
and files without prior notice, disrupting collaboration and digital life.
Slack later apologized, acknowledged that it had mistakenly
deactivated many accounts, and restored access in most cases, but the incident
underscores how legal mandates tied to a provider’s jurisdiction can translate
into abrupt, far‑reaching service interruptions for individuals around the
world.