Alok Sahay Country Manager India Saarc

Alok Sahay
Sales Director India & SAARC
+91 8800-67 77 99

Welcome to India!

Hi! My name is Alok and I'm your local representative in India. Looking for a cyber security solution and vulnerability management? Let's talk! 

View products

Book demo

Faurani Ahmad Sales director Southeast Asia

Ahmad Faurani
Sales Director Southeast Asia
+60 19 434 2727

Welcome to Malaysia!

Hi! My name is Ahmad Faurani and I'm your local representative in Malaysia. Looking for a cyber security solution and vulnerability management? Let's talk! 

View products

Book demo


Cristian Miranda
Key Account Manager, Finland
+46 8-550 05 582

Tervetuloa Suomeen!

Hei! Nimeni on Cristian ja olen paikallinen edustajasi Suomessa. Etsitkö tietoturvaratkaisua ja haavoittuvuuksien hallintaa? Puhutaan!

Lue lisää



Victor Bunge Meyer
Key Account Manager, Sverige
+46 08-550 05 582

Holm Security i Sverige

Välkommen till Holm Security i Sverige! Jag heter Victor och är din lokala kontakt. Kontakta mig om du vill veta mera om vår platform för sårbarhetsanalyser. 

Läs mer här

Boka demo


Beth Murrell holm security

Beth Murrell
Account Manager, Benelux
+31-20-238 63 94

Welkom in de Benelux!

Mijn naam is Beth Murrell en ik ben uw lokale vertegenwoordiger in Nederland, België en Luxemburg. Op zoek naar een cyberveiligheidsoplossing en kwetsbaarheidsbeheer? Laten we praten!

Lees verder

Boek een demo

jens dahlkvist holm security

Jens Dahlkvist
Key Account Manager, Norge
+46 8-550 05 582

Holm Security i Norge

Velkommen til Holm Security i Norge! Jeg heter Jens og er din lokale kontaktperson.Kontakt meg hvis du vil vite mer om vår plattform for sårbarhetsanalyser.

Les mer

Personlig demo

Ronnie Jensen

Ronnie Jensen
Country Manager Denmark
+45 31 12 10 05

Holm Security i Danmark

Velkommen til Holm Security i Danmark! Mit navn er Ronnie og jeg er din lokale kontaktperson. Kontakt mig, hvis du vil vide mere om vores sårbarhedsanalyseplatform.

Læs mere

Personlig demo

The impact of Schrems II - is data transfer still safe?

Image of Stefan Thelberg
Stefan Thelberg

November 4, 2020

The Schrems II ruling disqualifies the transfer and processing of personal data from EU countries to the US. But how does this affect cyber security products? Products that store and process far more sensitive data than personal data. It can be data that shows vulnerabilities in internal and business-critical systems of government agencies within the EU. In the wrong hands, this data could pose a risk to national security.

Privacy Shield disqualified

Privacy Shield is a self-certification framework for US companies that allows companies in the US to register with the US Department of Commerce, declaring they've met the requirements of the Privacy Shield. According to a decision by the European Commission, EU data controllers have been allowed to transfer personal data to recipients who have joined the Privacy Shield.

On 16 July 2020, the Court of Justice of the European Union issued its decision on the Schrems II case. The Court ruled that the EU-US Privacy Shield Agreement doesn't provide adequate protection for personal data when transferred to the US. The disqualification of Privacy Shield means that personal data controllers in the EU are no longer allowed to transfer personal data to US recipients.

A clear signal from the EU

”The ruling is a clear signal from the European Court of Justice that the United States doesn't meet the requirements for the processing of personal data. Thus, we can reasonably state that any sensitive data shouldn't be transferred to the United States, to ensure that it doesn't risk falling into the wrong hands," says Stefan Thelberg, CEO Holm Security.

Data stored outside the US also affected

The Cloud Act is a US legislation passed in March 2018 and is an extension of the Stored Communications Act (SCA) which was passed in 1986.

The law gives US authorities the right to request data from US cloud service providers - regardless of where the data is stored. It is therefore irrelevant where the servers on which the data is stored are located physically. If a US company owns the servers and the service, they're bound by the Cloud Act, even if the customers and the customers' data are in another jurisdiction.

Cybersecurity products

Most cybersecurity products handle and store sensitive data. It can be data of critical vulnerabilities in a local network of a European government agency, data that could be used by foreign powers for espionage or sabotage.

Regardless if the supplier is American or not, if the product is provided through infrastructure in e.g. AWS or Google, then the data is still under the control of US authorities.

The Schrems II judgment focuses on personal data, but the ruling clearly shows the risks of the general problems of transferring and storing sensitive data with an American actor. Companies now need to assess their trans-Atlantic and global data transfers based on the court's ruling.



Stefan Thelberg answers questions about the Schrems II ruling.

If data is stored outside the US - is it still in breach of EU regulations?

Yes, it doesn't matter if personal information is stored physically in the United States or if it is under the control of a US company in another part of the world.

Can AWS and Azure be used?

Many US providers have infrastructure and store data in AWS, Azure, Google Cloud, and similar cloud platforms. As soon as personal data is stored in these services, they are no longer secure and in breach of EU regulations.

Can on-premise products from a US supplier be considered safe?

Most products, even if installed in a local data center within the EU, often have connections to the internet for software updates, support, and diagnostics. As these connections go outside the customer premises, the customer loses control over which data is communicated from the product. As a customer, it's often impossible to ensure that personal data, or other sensitive data, isn't transmitted outside the company.

How are organizations outside the EU, for example, in Norway affected?

Since Norway adopts the same regulations as the EU regarding personal data, US companies may not be an option for Norwegian organizations.

What can we expect in the future in the matter? 

The EU has put its foot down properly this time and US companies can expect higher security demands in the future. The United States may have to change some legislation, especially the Foreign Intelligence Surveillance Act, 702A, Executive Order 12333, and probably the Cloud Act before the EU cancels its disqualification. This will most likely be a tedious process.

Why has this not received more attention?

One reason is that the US wants to limit the market's reaction in the short term. It is also difficult for many organizations to action based on Schrems II, simply because they have their entire infrastructure in e.g. Azure or AWS.

Cyber Security Starts Here!

Holm Security delivers unparalleled 360-degree coverage and comprehensive insight to enable you to detect vulnerabilities, assess risk, and prioritize remediation for every asset in your entire infrastructure. We provide an all-in-one platform, covering three layers, with all the tools you need - regardless if you’re consolidating or implementing Vulnerability Management for the first time.

Book demo now