BIG BOX Hosting Locations Luxembourg № 04.01

Luxembourg
— EU financial-services jurisdiction.

EU member state, GDPR enforcement that has produced one of the largest fines in the regulation's history (€746 million against Amazon, July 2021, the record at the time), banking-grade legal infrastructure, and no special-relationship intelligence treaties with the United States. Our hardware is here. Our regulated-industry clients deploy here. Roughly 38 percent of our offshore-dedicated base lands in Luxembourg, the highest concentration of any single jurisdiction in our network.

01  /  The context

Why Luxembourg.

An EU member state whose regulator has issued one of the largest GDPR fines on record (€746 million against Amazon, July 2021), a banking-grade legal infrastructure, and no special-relationship intelligence treaties with the United States. The sections below take each of those in turn.

Largest GDPR fine at the time
€746M
imposed on Amazon, July 2021
Authority
CNPD
independent supervisory authority since 2002
Legal framework
Act of 1 August 2018
completes GDPR at national level
Datacenter
operating
Tier III certified, Luxembourg City

Luxembourg is one of the five jurisdictions in our network and the one our regulated-industry clients ask about most. The reasons we operate here are deliberate. The combination is unusual in our market — an EU member state with a banking-grade legal infrastructure, a regulator that genuinely enforces GDPR, and a constitutional environment that does not have the kind of special-relationship intelligence-sharing arrangements with the United States that quietly weaken legal protection in other jurisdictions. Procurement teams in financial services recognise the Luxembourg jurisdiction without explanation. Roughly 38 percent of our offshore-dedicated deployments land here, the highest concentration of any single jurisdiction in our base, and the legal frame is the reason.

The CNPD (Commission Nationale pour la Protection des Données) is the supervisory authority. The Act of 1 August 2018 on the organisation of the CNPD sets out the body's tasks, powers and operating procedures, and gives it the full corrective toolkit of GDPR Article 83(5): fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater. The CNPD has used these powers. The €746 million fine imposed on Amazon Europe Core S.à r.l. in July 2021 was the largest GDPR fine ever issued at the time and is still among the largest on record (only the Irish DPC's €1.2 billion fine against Meta in May 2023 exceeds it); the Luxembourg administrative tribunal upheld it at first instance in March 2025. The signal it sent to the market was unambiguous: enforcement here is not theatre.

For our customers with Luxembourg-hosted workloads, what this means in operational terms is that data processed on this infrastructure is governed by Luxembourg law and supervised by Luxembourg's regulator. Lawful interception requires a Luxembourg judge. Foreign government requests must come through the Mutual Legal Assistance Treaty channel that involves the Luxembourg justice ministry and the relevant local courts. There is no shortcut, no unilateral compliance with non-EU subpoenas, no parent company in California whose discretion can be compelled by a U.S. agency.

─────────────────────────────────────────────────────────────────────────
02b  /  The OVH Canada precedent

Why corporate structure matters more than data location.

The most consequential cloud sovereignty case of 2025 was not GDPR enforcement against a U.S. provider. It was the Ontario Court of Justice ruling on 25 September 2025 ordering OVH — a French-headquartered EU cloud provider — to hand over customer data, despite OVH arguing that disclosure would breach French law and that the requested data was held outside Canada.

The case began in April 2024 with a routine production order issued to OVH's Canadian subsidiary. OVH argued that the Canadian entity did not have access to the requested data — the data was held by group entities outside Canada — and that complying would force OVH to violate French data protection law. The court was unpersuaded. On 25 September 2025, Judge Heather Perkins-McVey ruled OVH must produce the data. OVH has applied for judicial review, but the ruling stands: a French EU-domiciled cloud provider was forced by a Canadian court to extract customer data held in Europe and hand it to Canadian law enforcement, with no MLAT process, no GDPR safeguards, no notification to the data subject.

The lesson for buyers is uncomfortable. "Hosted in the EU" is not a defence if the provider has subsidiaries in jurisdictions where extraterritorial production orders are enforceable against the corporate group. The CLOUD Act is the well-known version of this risk for U.S.-domiciled providers — but the OVH Canada case demonstrates that the same mechanism applies to any EU provider with a presence in any jurisdiction whose courts can issue compelled-disclosure orders. France, Germany, Sweden, Ireland — none of them are immune if the provider's group has a foothold in the wrong court's reach.

Our corporate structure is deliberately narrow on this. BIG BOX Hosting d.o.o. is incorporated in Slovenia, owned by a Slovenian natural person, and has no subsidiaries, branch offices, or registered presence outside the EU and Switzerland. We have no Canadian entity. We have no U.S. entity. We have no UK entity. The legal mechanism that compelled OVH to comply with the Ontario order does not exist for us — there is no group company a Canadian (or U.S., or U.K.) court can serve. The MLAT process via the Slovenian Ministry of Justice remains the only lawful route to our corporate counterparty for data we hold under direct contract. For data hosted in Luxembourg, the chain still terminates in a Luxembourg court applying Luxembourg law — the corporate structure of the host does not change that, but it does prevent a foreign court from reaching our group from a different angle.

For prospective customers in regulated sectors — financial services, healthcare, government, legal — this corporate-structure question is now the load-bearing element of the sovereignty conversation. Data location is necessary but not sufficient. The provider's group structure determines which courts can compel disclosure, regardless of where the data physically sits.

─────────────────────────────────────────────────────────────────────────
02c  /  Article 41 in operation

The professional secrecy statute, read carefully.

The Luxembourg professional secrecy statute is the legal anchor most foreign procurement teams hear about and few read directly. The statute is short. The application is more nuanced than marketing pages typically convey — what it covers, what it does not, and whether it actually applies to a hosted data arrangement with us.

Article 41 of the Loi du 5 avril 1993 relative au secteur financier is sharper than its equivalents in other EU jurisdictions. Article 41(1) imposes the secrecy obligation on the members of the administrative, management and supervisory bodies of credit institutions and other financial sector professionals, and on the persons employed by them, and the obligation survives the end of the relationship indefinitely. Breaches are criminal offences under Article 458 of the Luxembourg Penal Code, punishable by imprisonment of eight days to six months and a fine of €500 to €5,000, independently of any administrative sanction the CSSF may impose on the regulated entity.

What the statute covers in the data hosting context is narrower than marketing pages typically suggest, and broader than competitors typically admit. It covers information that the credit institution or financial sector professional acquired in the exercise of its professional activity. Since the amendment of 27 February 2018, Article 41 itself provides for outsourcing: a regulated entity may share information covered by secrecy with a service provider, in Luxembourg or abroad, under conditions that include the client's acceptance of the outsourcing and a secrecy obligation binding the provider, so hosted data sits inside the statute's scope only when those conditions are met. It does not cover information acquired outside that professional capacity. It does not provide blanket protection against all disclosure obligations: Luxembourg banking secrecy has been progressively limited by AML directives, FATCA implementation, and CRS automatic exchange agreements. What it still protects, with weight that survives litigation, is against disclosure of customer data outside formal MLAT channels and outside the specific statutory carve-outs.

The question every prospect asks. Does Article 41 actually cover a hosted data arrangement with us? The answer depends on whether we qualify as a financial sector professional within the meaning of the statute. We do not. We are a hosting provider, not a credit institution or PSF. What we hold for clients is governed by ordinary commercial confidentiality and contractual undertakings, not by Article 41 directly. Where Article 41 becomes relevant is when our client is itself a Luxembourg financial sector entity. In that case its internal data, including data we host on its behalf, falls under its own Article 41 obligations, and the outsourcing carve-out in Article 41 is what lets that data reach us lawfully, on the condition that we are bound by contract to the same secrecy. For non-financial clients, Luxembourg's value is the EU jurisdiction plus the predictable rule of law, not Article 41 specifically.

─────────────────────────────────────────────────────────────────────────
03  /  The infrastructure

What we operate here.

Beneath the legal layer sits the operational one. Datacenter Luxembourg SA facility specification, low-latency BGP transit through Frankfurt and Amsterdam IX, and the CNPD audit cadence — documented at the level a financial-services compliance team will request.

Facility
  • Facility: Tier III certified, Luxembourg City
  • Power: 2N redundancy, hydro-grid
  • Cooling: free cooling 9 months/year
  • Square metres: 1,800 white space
  • Floor: raised, seismic stable
  • Cabinet density: up to 12 kW per rack
  • Physical security: biometric + escort
  • Provisioning lead: 1-3 business days
Network
  • Carriers: POST Luxembourg, LuxConnect, Tele2
  • Internet exchange: LU-CIX
  • Peering: DE-CIX FRA, AMS-IX, BNIX
  • Transit providers: Cogent, Lumen, Telia
  • IPv4 capacity: /22 from RIPE allocation
  • IPv6 capacity: /29 prefix, /64 per server
  • Backbone: 10 Gbps Lux ↔ Frankfurt
  • Latency to FRA: 8-12 ms
Legal & operational
  • Authority: CNPD
  • DPO requirement: per GDPR Article 37
  • Breach notification: 72h to CNPD
  • Records of processing: GDPR Article 30
  • MLAT process: via Justice Ministry
  • Banking framework: Article 41, Loi du 5 avril 1993
  • Tax residency: EU full
  • Currency: EUR
─────────────────────────────────────────────────────────────────────────
04  /  The fit

Who picks Luxembourg.

The customer profiles where Luxembourg is the strongest fit in our portfolio. Financial-services workloads needing a CSSF-friendly counterparty, fintech operations using the Luxembourg passporting framework, and asset-management firms with EU-cross-border data flows are the recurring fit profiles. Roughly one location-specific call in five concludes that a different jurisdiction serves the customer better.

  • Senders running European customer lists who want their primary deliverability infrastructure in the EU jurisdiction with the strongest GDPR enforcement track record in Europe.
  • Financial-tech platforms whose subscriber data overlaps with banking-related processing and who benefit from the Article 41 cultural framework.
  • ESPs and SaaS platforms with EU recipients whose compliance teams want a Data Protection Impact Assessment that does not need to characterise a third-country transfer.
  • Any operation whose primary concern is jurisdictional drift away from EU legal protection — Luxembourg is the EU jurisdiction with the deepest enforcement record and the cleanest separation from non-EU intelligence-sharing arrangements.

The second bullet — financial-tech and banking-adjacent processing — is the largest single buyer category in our Luxembourg PoP, accounting for roughly 38 percent of offshore-dedicated revenue. The financial services vertical brief walks through the regulatory frame — FCA SYSC, MiFID II Article 16(7), PSD2 Article 95, Loi 1993 banking secrecy — including the specific jurisdictional fit between Luxembourg and Switzerland for regulated-finance workloads.

─────────────────────────────────────────────────────────────────────────
05  /  Common questions

Luxembourg, specifically.

Questions specific to Luxembourg — the CSSF supervisory frame, the financial-services counterparty profile, the Datacenter Luxembourg facility we use. The main FAQ covers operational topics shared across our jurisdictions.

01 Why Luxembourg specifically rather than Germany or France? +
The honest answer combines several smaller advantages. Luxembourg's CNPD is the regulator that issued the €746 million Amazon fine in 2021, the largest GDPR fine at the time and still among the largest on record, so the enforcement track record is materially stronger than in some other member states. The Luxembourg legal framework is unusually well-developed for handling international data flows because of the financial sector's long history of dealing with cross-border requests under disciplined legal procedure. Luxembourg has no Five Eyes-style intelligence-sharing arrangement that would weaken the protection MLAT requests bring. And our 24-year operational history here gives us institutional relationships with the courts, the regulator, and the local technical community that other locations would take years to replicate.
02 Is Luxembourg banking secrecy still relevant after the post-2008 reforms? +
Partly. The narrow tax-evasion definition of banking secrecy was substantially weakened by the Common Reporting Standard implementation and the move toward automatic exchange of information for tax purposes after 2017. What remains, and what matters for our customers, is the broader cultural and procedural commitment to client confidentiality — Article 41 of the Banking Act still provides specific protections for client information held by Luxembourg banks, and the procedural disciplines that grew up around it (lawyer-client privilege, the distinction between lawful access and fishing expeditions, the standards Luxembourg courts apply to international requests) carry over to other regulated industries. Email infrastructure is not banking, but the legal culture is the same.
03 Does our data physically stay in Luxembourg or get transferred to other facilities? +
Customer data on our Luxembourg infrastructure stays on Luxembourg infrastructure unless you explicitly authorise replication to another facility (some Enterprise customers run multi-region setups across Luxembourg and Frankfurt for HA, which is configured at provisioning time). Operational backups are kept in Luxembourg by default and encrypted with customer-controlled keys where applicable. The Luxembourg facility is our primary site and the one we recommend as default.
04 How does the EU Data Act apply to Luxembourg-hosted infrastructure? +
It applies natively. The EU Data Act (Regulation (EU) 2023/2854) became applicable on 12 September 2025, and Chapter VII (Article 32, on unlawful third-country governmental access to non-personal data held by data processing services) is directly enforceable in Luxembourg in the same way GDPR is. Note the scope: Chapter VII concerns non-personal data; requests touching personal data are handled under GDPR Chapter V, in particular Article 48. For us, Chapter VII is largely a codification of practices we already followed, because we do not have the structural CLOUD Act exposure the obligation targets: we are not a U.S.-controlled entity. For customers, it means the contractual provisions we offer around third-country government access requests are now backed by statutory obligation rather than only by contract.
05 Can we visit the Luxembourg facility? +
Yes, with appointment and identification. We give facility tours to existing Sender and Enterprise customers on request, and to qualified prospects during the sales process. Photography in production areas is restricted; the meeting and presentation areas are unrestricted. Most prospects do not need to visit — the SOC 2 reports and the published infrastructure documentation cover what they need — but the option is there for compliance teams whose internal procedures require physical site verification.
─────────────────────────────────────────────────────────────────────────
07  /  What Luxembourg doesn't protect against

Three gaps in the jurisdictional posture.

The honest counterweight to the legal frame above. Luxembourg is strong inside its operational scope and weak outside it, and procurement teams who confuse the two end up with false confidence about scenarios the legal frame does not actually cover. The three items below are what we tell prospects on the discovery call when they ask whether Luxembourg fits their specific exposure profile.

The first is constitutional press freedom protection. Luxembourg's free expression provisions follow the EU Charter and the European Convention on Human Rights, with no specific constitutional carve-out for journalism beyond the standard EU baseline. Investigative journalism teams hosting their data in Luxembourg get the EU baseline. They do not get the protections that Iceland's 2010 IMMI parliamentary resolution (the Icelandic Modern Media Initiative) set out to build into Icelandic law, and they do not get the Tryckfrihetsförordningen anchor that has held Sweden's press freedom position since 1766. For journalism use cases, Luxembourg is competent. It is not the strongest jurisdiction we offer.

The second is single-jurisdiction concentration risk. A single Luxembourg deployment puts all the data eggs in one regulatory basket. EU regulatory expectations have tightened steadily since 2018 and there is no reason to expect the trend to reverse. A buyer who needs legal-diversification redundancy — meaning hedge against any single jurisdiction's regulatory regime tightening unexpectedly — should pair Luxembourg with a non-EU jurisdiction in our network. Switzerland is the natural pairing. Iceland works for journalism. Slovenia does not, since it shares the EU regulatory frame.

The third is end-to-end disclosure protection. Luxembourg's professional secrecy framework is statutory and survives most disclosure scenarios, but it does not survive every scenario. AML directives, FATCA implementation, automatic tax information exchange under CRS, and judicial cooperation under EU instruments create disclosure pathways that the statute does not block. Buyers who need protection against all disclosure scenarios, including requests from other EU member states, need a non-EU jurisdiction. Switzerland again. Swiss banking secrecy under Article 47 of the 1934 Banking Act has also been progressively narrowed, but the non-EU territorial scope means that EU-internal cooperation instruments do not directly apply, which produces a different (not stronger, but different) disclosure profile.

─────────────────────────────────────────────────────────────────────────
06  /  Other jurisdictions

Or pick another one.

Five operating jurisdictions in our footprint. The summary table maps Luxembourg against the other four on the dimensions that financial-services procurement teams typically score — corporate counterparty, supervisory regime, and operational latency.

─────────────────────────────────────────────────────────────────────────

Pick Luxembourg, or pick another.

Luxembourg sits in our footprint specifically for the financial-services counterparty profile. The CSSF supervisory framework, the local availability of EU passport-compliant banking and trust relationships, and the legal-system depth in cross-border corporate matters make Luxembourg the jurisdiction we recommend most often for fintech, asset-management, and private-banking clients with EU operations. If your workload sits in a different vertical — media, healthcare, public-sector — Luxembourg may not be the strongest fit and we will say so. The call covers the substantive trade-off, not a sales pitch.