Industry 2026-03-31

EU-Based CAD: GDPR and Data Sovereignty

Why European companies need EU-based CAD platforms. GDPR implications for engineering data, client-side computation, and EU procurement requirements.

#gdpr#data-sovereignty#eu-cad#compliance#european-engineering


Every major CAD platform used by European engineers today is either American or depends on American cloud infrastructure. SolidWorks and 3DEXPERIENCE belong to Dassault Systemes, which is French, but the 3DEXPERIENCE cloud runs on AWS. Onshape is PTC, headquartered in Boston. Fusion 360 is Autodesk, headquartered in San Francisco. NX is Siemens, nominally German, but its cloud offerings increasingly run on US hyperscaler platforms.

For many European companies, this has been a non-issue. CAD geometry is not personal data, and GDPR is concerned with personal data. So what is the problem?

The problem is broader than GDPR. It encompasses data sovereignty, export control, strategic autonomy, and procurement requirements that are increasingly defining how European industry selects technology providers.

Data Sovereignty Is Not Just About GDPR

GDPR protects the personal data of people in the EU. Engineering CAD files themselves typically contain no personal data (names, addresses, biometrics), although the user accounts, collaboration history and audit logs that surround them in any cloud platform do, and those are in scope. Data sovereignty, however, extends beyond GDPR to several overlapping regulatory frameworks:

The EU Data Act

The EU Data Act (Regulation (EU) 2023/2854) entered into force in January 2024 and has applied since 12 September 2025. Its best-known provisions concern data generated by connected products, which rarely reaches CAD models as such. What matters for cloud CAD is its chapter on switching between data processing services: a cloud provider must enable effective data portability, must not impose contractual, technical or commercial obstacles to switching providers, and must hand over the customer's data (models, collaboration history, metadata) in a structured, commonly used, machine-readable format.

Export Control and ITAR

European defense and aerospace companies are subject to the EU dual-use regime (Regulation (EU) 2021/821) and, whenever US-origin defense articles or technical data are involved, to ITAR (the US International Traffic in Arms Regulations). ITAR restricts access to controlled technical data by non-US persons and follows the data wherever it goes, so placing such data in a US-headquartered cloud service raises the question of who at the provider can reach it, and from where.

A European defense contractor using Onshape must verify that ITAR-controlled model data stored on PTC's US-managed cloud infrastructure is not accessible to anyone outside the scope of its export authorization. ITAR's 2020 end-to-end encryption carve-out gives a usable test: data that is encrypted end to end, with the keys held only by the authorized parties and never by the cloud provider, is not treated as an export. A server-side CAD platform that has to decrypt geometry in order to process it cannot meet that condition. The legal analysis is non-trivial and the compliance burden is real.

Schrems II and Data Transfers

The Schrems II ruling (CJEU, July 2020) invalidated the EU-US Privacy Shield and required that transfers relying on standard contractual clauses be backed by a transfer impact assessment and, where needed, supplementary measures. The EU-US Data Privacy Framework (adequacy decision of July 2023) addressed this for companies certified under it, but the decision has been challenged in court and a future invalidation would reopen the question. Strictly, this concerns the personal data in a platform (accounts, activity logs) rather than geometry, but the assessment work is the same whichever category triggers it, and European companies with conservative legal departments treat US data transfers as a compliance risk that must be actively managed.

National Security Regulations

Several EU member states have national frameworks governing where, and by whom, sensitive data may be hosted. France's SecNumCloud qualification (issued by ANSSI), whose version 3.2 requires the provider to be shielded from non-EU extraterritorial law, and Germany's BSI C5 attestation, which public-sector buyers routinely demand, create requirements that US-headquartered cloud providers must specifically address.

The US CLOUD Act Problem

The Clarifying Lawful Overseas Use of Data (CLOUD) Act, enacted in 2018, allows US authorities, with a warrant or other US legal process, to compel any provider subject to US jurisdiction to produce data in its possession, custody or control, wherever that data is stored. Jurisdiction follows the company, not the server: engineering data on Autodesk's or PTC's cloud, or on infrastructure run by a US subsidiary of Dassault, is potentially reachable by US agencies even when the physical servers are in Frankfurt or Paris.

For European companies working on sensitive projects (defense, critical infrastructure, competitive IP), this is a tangible risk. The CLOUD Act creates a legal pathway to their engineering data that bypasses EU legal process entirely. The provider may contest an order that conflicts with the law of a country holding an executive agreement with the US, but the customer is not a party to that proceeding and the provider may be barred from telling them it happened.

The practical risk may be low for most companies. But risk tolerance varies, and for defense contractors, automotive OEMs with competitive IP concerns, and companies subject to tender requirements, even a theoretical risk may be disqualifying.

Client-Side Computation: An Architectural Answer

The data sovereignty concern is fundamentally about where data is processed and stored. Server-side CAD architectures inherently create data residency issues because geometry must be transmitted to, decrypted on and stored by the vendor's servers.

Client-side computation removes this concern at the architectural level. If the CAD kernel runs in the user's browser via WebAssembly, and geometry data never leaves the user's machine unless explicitly shared, there is no data transfer to govern: the server never sees the engineering data. The claim is also verifiable rather than merely contractual. A customer can read the application's Content-Security-Policy and watch its network traffic; a client-side CAD tool should make outbound requests only to the origin that serves it and to sync endpoints the customer has configured. The caveat is that a web-delivered application is fetched again on every load, so the guarantee is only as strong as the code actually served; an auditable, version-pinned or self-hosted build closes that gap.

NeuroCAD’s architecture implements this principle. The implicit geometry kernel compiles to WebAssembly and executes entirely in the browser. Model data is stored locally by default. Cloud synchronization, when opted into, can be directed to user-specified infrastructure, including on-premises servers or EU-based cloud providers.

This is not just a privacy feature. It is an architectural decision that removes an entire category of compliance burden. The legal question “where is our engineering data stored and who can access it?” has a simple answer: on your machines, accessible only to you.
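The egress policy such an architecture implies can be written down and checked. The following is an added example, not NeuroCAD's code or any part of its product: a small JavaScript module in which the app origin, the endpoint hostnames and every function name are hypothetical. It builds the allowlist from the customer's sync settings, emits the Content-Security-Policy the server should send so that the browser itself enforces that allowlist (including the 'wasm-unsafe-eval' keyword a WebAssembly kernel needs under a strict script-src), wraps fetch so that application code cannot send data elsewhere even by accident, and audits a constructed sample of observed requests, in the shape of a DevTools HAR export, against the policy.

```javascript
// Egress policy for a client-side CAD app: an added illustration of the
// architecture described above, not NeuroCAD's code. Every name below
// (APP_ORIGIN, the endpoint hostnames, the function names) is hypothetical.
//
// Model: the app is served from one origin and geometry stays in the browser.
// The only permitted outbound connections are to that origin (app code, wasm)
// and, when the customer has opted in, to the sync endpoints the customer
// configured. Anything else is a violation that should show up in a CSP
// report or in a network audit.

const APP_ORIGIN = "https://cad.example.eu"; // hypothetical app origin

// Build the policy from the customer's settings. Sync endpoints are ignored
// unless sync is explicitly opted into, and must be HTTPS.
function buildEgressPolicy({ syncOptIn = false, syncEndpoints = [] } = {}) {
  const allowedOrigins = new Set([APP_ORIGIN]);
  if (syncOptIn) {
    for (const endpoint of syncEndpoints) {
      const u = new URL(endpoint);
      if (u.protocol !== "https:") {
        throw new Error(`sync endpoint must use https: ${endpoint}`);
      }
      allowedOrigins.add(u.origin);
    }
  }
  return { syncOptIn, allowedOrigins };
}

// Content-Security-Policy the server should send with the app. connect-src is
// the browser-enforced egress allowlist; 'wasm-unsafe-eval' is the CSP3
// keyword that permits WebAssembly compilation under a strict script-src.
function cspHeader(policy) {
  const extra = [...policy.allowedOrigins].filter((o) => o !== APP_ORIGIN);
  return [
    "default-src 'self'",
    `connect-src 'self'${extra.map((o) => ` ${o}`).join("")}`,
    "script-src 'self' 'wasm-unsafe-eval'",
    "object-src 'none'",
    "base-uri 'none'",
  ].join("; ");
}

// Decide whether one outbound request is allowed. Relative URLs resolve
// against the app origin, as they would in the browser.
function checkEgress(policy, url) {
  const origin = new URL(url, APP_ORIGIN).origin;
  if (policy.allowedOrigins.has(origin)) return { ok: true, origin };
  return {
    ok: false,
    origin,
    reason: policy.syncOptIn
      ? "origin is not a configured sync endpoint"
      : "sync is not enabled; no egress is permitted",
  };
}

// In-app guard: wrap fetch so that a bug or a stray dependency cannot send
// geometry anywhere the policy does not allow, before CSP even gets a say.
function makeGuardedFetch(policy, realFetch) {
  return async (url, init) => {
    const verdict = checkEgress(policy, url);
    if (!verdict.ok) {
      throw new Error(`egress blocked to ${verdict.origin}: ${verdict.reason}`);
    }
    return realFetch(url, init);
  };
}

// Customer-side audit: feed in the requests observed in the browser (the
// "entries[].request" objects of a HAR export from DevTools) and get back
// the ones the policy does not allow.
function auditRequests(policy, harEntries) {
  return harEntries
    .map((e) => ({ ...e, verdict: checkEgress(policy, e.request.url) }))
    .filter((e) => !e.verdict.ok)
    .map((e) => ({ method: e.request.method, url: e.request.url, reason: e.verdict.reason }));
}

// Constructed sample traffic standing in for a real HAR export.
const SAMPLE_TRAFFIC = [
  { request: { method: "GET", url: "https://cad.example.eu/kernel.wasm" } },
  { request: { method: "GET", url: "/assets/app.js" } },
  { request: { method: "PUT", url: "https://sync.customer.example/models/bracket-v3" } },
  { request: { method: "POST", url: "https://telemetry.vendor.example/v1/events" } },
];

// Customer has opted into sync against its own EU-hosted endpoint.
const optedIn = buildEgressPolicy({
  syncOptIn: true,
  syncEndpoints: ["https://sync.customer.example/"],
});
// Default configuration: nothing leaves the machine.
const localOnly = buildEgressPolicy();

console.log(cspHeader(optedIn));
console.log(auditRequests(optedIn, SAMPLE_TRAFFIC)); // flags the telemetry POST only
console.log(auditRequests(localOnly, SAMPLE_TRAFFIC)); // flags the sync PUT and the telemetry POST
```

The two layers are deliberately redundant. The CSP is what a customer can verify from outside (it arrives as a response header and violations can be reported), while the fetch wrapper catches the case the CSP cannot see, a request to an allowed origin carrying data the user never chose to share; the audit function is the check a customer runs on a captured session to confirm the vendor's claim holds for the build actually served.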

EU Public Procurement

European public procurement directives increasingly consider data sovereignty and digital autonomy. The trend is accelerating:

Digital Sovereignty Requirements

Multiple EU member states now include digital sovereignty criteria in public procurement for sensitive sectors. France's "cloud au centre" doctrine requires state agencies to host sensitive data on SecNumCloud-qualified services. Germany's public-sector IT procurement guidelines favor EU-based solutions for data processing and routinely require C5 attestation.

Gaia-X and European Cloud Standards

The Gaia-X initiative establishes a framework for a federated, transparent European data infrastructure. While not yet a hard procurement requirement, Gaia-X compliance is increasingly a differentiator in public sector tenders. CAD tools that can demonstrate data processing within Gaia-X-compatible infrastructure have an advantage.

Defense Procurement

The European Defence Fund Regulation (Regulation (EU) 2021/697) restricts eligibility to entities established in the EU or an associated country and not controlled by a third country, and requires that the infrastructure, facilities, assets and resources used in a funded action be located in the EU or an associated country. Permanent Structured Cooperation (PESCO) projects apply similar expectations. Using a US-headquartered cloud CAD platform in an EDF-funded defense project creates exactly the kind of dependency that procurement evaluators will question.

SME Competitiveness

European SMEs competing for public contracts need to demonstrate compliance with these evolving requirements. An EU-based CAD platform simplifies compliance documentation and removes a potential disqualification risk.

The Practical Cost of Non-Compliance

The cost of data sovereignty non-compliance is not just fines. It includes:

Procurement disqualification. Losing a public tender because the CAD platform cannot demonstrate compliant data handling.

Legal review overhead. Every contract renewal and every new project requires legal review of data processing agreements, standard contractual clauses, and transfer impact assessments.

Supply chain friction. Partners and customers increasingly include data sovereignty clauses in contracts. Using non-compliant tools creates negotiation friction.

Strategic risk. Dependence on a single-country technology ecosystem for critical engineering infrastructure is a strategic risk that boards and investors increasingly scrutinize.

What EU-Based Means in Practice

Claiming “EU-based” requires specifics:

Company incorporation. The legal entity providing the service is incorporated in an EU member state and subject to EU jurisdiction.

Data processing. All data processing occurs within EU borders on infrastructure operated by EU-jurisdiction entities.

No CLOUD Act exposure. No entity in the corporate structure, and no hosting provider or subcontractor with possession, custody or control of customer data, is subject to US jurisdiction (a US parent, a US subsidiary, or a US-headquartered cloud provider).

Code transparency. An open-source or otherwise auditable code base, with builds customers can reproduce or pin, so that the data handling described in the contract can be checked against the software actually shipped.

Certifications. Relevant certifications for the target market: ISO 27001, SOC 2, SecNumCloud (France), C5 (Germany), as applicable.

NeuroCAD meets these criteria as a product of an EU-incorporated company with a client-side computation architecture. Engineering data never transits non-EU infrastructure unless the customer itself points synchronization there. The Rust/WebAssembly kernel is auditable. No US corporate entity has jurisdiction over the data.

The Strategic Picture

Europe’s digital sovereignty agenda is not slowing down. The AI Act, the Data Act, the Cyber Resilience Act, and evolving procurement directives are creating an environment where data sovereignty is moving from a nice-to-have to a hard requirement for many sectors.

For European engineering companies, the choice of CAD platform is increasingly a compliance and strategic decision, not just a feature comparison. An EU-based, client-side-computing CAD platform eliminates an entire category of regulatory risk.

This does not mean European companies must abandon US-headquartered tools overnight. It means that when evaluating CAD platforms, data sovereignty belongs on the requirements list alongside features, performance, and cost. For a growing number of European companies, it is becoming the deciding factor.

Ready to design differently?

Request early access to NeuroCAD.
