Public Sector · Transportation

Autonomous transport moves at machine speed.
Your communications must be sovereign.

From air traffic management to self-flying helicopters, autonomous rail to connected vehicles — every safety-critical decision depends on communications that are secure, low-latency, and under your jurisdiction. US cloud infrastructure puts all of that at risk.

Book a sovereign briefing → See the risks
No US jurisdiction NIS2 essential entity compliant GDPR · NIS2 · EASA · UNECE WP.29 aligned
Aviation & UAM
Air traffic management, eVTOL, autonomous air taxis, SESAR digital ATM
Rail & Metro
ERTMS/ETCS signalling, high-speed rail, urban metro, CBTC communications
Automotive & V2X
Connected vehicles, autonomous driving, V2X safety comms, OEM telematics
Autonomous Helicopters
Self-flying rotorcraft, UTM corridors, eVTOL fleet operations, AAM networks
10ms
Maximum safe latency for V2X safety-critical communications — cloud-routed paths through US hyperscalers routinely exceed this threshold, making autonomous collision avoidance structurally unreliable
72h
NIS2 incident reporting window for transport essential entities — aviation, rail, and road operators must notify ENISA and national authorities within 72 hours of significant ICT incidents
25GB
Data generated per hour by a single connected vehicle — processed on US-hosted OEM telematics platforms subject to CLOUD Act compelled disclosure without the driver or operator ever being notified
2030+
EU SESAR 3 digital ATM full deployment — requiring sovereign, encrypted communications for all European airspace management systems; US-hosted ATM infrastructure is categorically excluded
The six risks

Why sovereign communication is
a safety imperative, not just a legal one

Critical · Safety

Air traffic management on US-controlled infrastructure

Air Traffic Management (ATM) data — flight plans, surveillance outputs, sector coordination, conflict detection alerts — is increasingly processed via US-hosted cloud platforms. Under the CLOUD Act (18 U.S.C. § 2713), US authorities can compel disclosure of this operational intelligence without notifying the operator. Beyond the legal exposure, any cloud dependency introduces latency and availability risk into systems where a 200ms delay can be the difference between a resolved conflict and a collision. SESAR 3 explicitly requires sovereign, encrypted communication infrastructure for European airspace — US cloud providers cannot satisfy this mandate.

CLOUD Act § 2713 + SESAR 3 · ATM sovereignty and latency requirements
High Risk · Latency

V2X communications routed through US cloud

Vehicle-to-Everything (V2X) communication is the nervous system of autonomous transport — broadcasting position, speed, hazard detection, and infrastructure status between vehicles, roadside units, and traffic management systems in real time. Safety standards require sub-10ms latency for collision avoidance. US cloud-based V2X platforms introduce both a latency risk and a CLOUD Act exposure: operational data about road conditions, vehicle positions, and traffic management decisions can be compelled by US authorities, creating both a privacy breach and a strategic infrastructure intelligence leak.

ETSI ITS + NIS2 Art. 21 · V2X latency and supply-chain sovereignty
Emerging · UAM

eVTOL and autonomous helicopter operations

The next generation of urban air mobility — autonomous eVTOL aircraft and self-flying helicopters — depends entirely on cloud-connected Unmanned Traffic Management (UTM) for separation, routing, weather integration, and emergency response. Operators including Joby Aviation, Lilium, and Volocopter are building on platforms that, as US entities or US-cloud-dependent systems, are subject to CLOUD Act compelled disclosure. UTM flight corridor data and real-time position feeds for autonomous rotorcraft are safety-critical infrastructure that must operate under exclusively sovereign jurisdiction. EASA's U-space regulation requires that UTM service providers demonstrate data sovereignty and security compliance.

EASA U-space Regulation + CLOUD Act · UTM data sovereignty for AAM
High Risk · Rail

ERTMS signalling and train control sovereignty

The European Rail Traffic Management System (ERTMS) coordinates high-speed, intercity, and freight rail across 30+ countries. Operations centres, signalling management platforms, and inter-operator coordination increasingly use US-hosted cloud infrastructure for scheduling, incident management, and cross-border route coordination. A CLOUD Act order targeting the platform provider can expose real-time train positions, infrastructure vulnerability assessments, and operational response plans — data that represents critical national infrastructure intelligence. The EU 4th Railway Package and NIS2 together require that rail operators treat their ICT supply chains as security-critical.

EU 4th Railway Package + NIS2 Annex I · Rail as essential entity
Structural · Automotive

Connected vehicle telematics and OEM data platforms

Modern connected vehicles generate 25GB of data per hour — sensor feeds, driver behaviour, location history, diagnostics, and over-the-air update logs. The dominant OEM telematics platforms (Tesla, GM, Stellantis, BMW) are US companies operating under US law, or use US-hosted cloud backends. GDPR and the EU Data Act establish strict requirements for passenger data sovereignty. UNECE WP.29 Regulation 155 mandates automotive cybersecurity management systems, and any OEM platform subject to CLOUD Act represents a GDPR-irresolvable conflict: the OEM is simultaneously obligated to protect the data and compellable to disclose it.

UNECE WP.29 R155 + GDPR Art. 48 · OEM telematics sovereignty
Operational · Compliance

NIS2 essential entity obligations across all modes

NIS2 Directive Annex I classifies air transport, rail transport, road transport, and public transport operators as essential entities — subjecting them to Article 21 ICT supply-chain risk management requirements. This means that every communications platform used by a transport operator — for operations, incident response, inter-operator coordination, or management — must be documented as a supply-chain risk and demonstrated to be adequately managed. An operator using Microsoft Teams or Zoom for operations centre communications must assess and document the CLOUD Act exposure this creates. In practice, this risk cannot be adequately mitigated — it can only be eliminated by using platforms outside US jurisdiction.

NIS2 Art. 3 + Annex I · All transport modes are essential entities
The sovereignty gap

What autonomous transport requires vs. what US cloud delivers

The safety, efficiency, and legal compliance of autonomous transportation depends entirely on communications that are trusted, low-latency, and under national control. US cloud infrastructure provides none of these guarantees.

What US cloud infrastructure exposes

Your operational intelligence — accessible, delayed, and legally compromised

  • ATM flight plans, surveillance data, and sector coordination accessible under CLOUD Act without operator notification
  • V2X safety communications routed through US cloud exceed safe latency thresholds for autonomous collision avoidance
  • UTM corridor data for eVTOL and autonomous helicopters stored on US-controlled systems subject to foreign compelled disclosure
  • Passenger and telematics data simultaneously GDPR-protected and CLOUD Act-compellable — an irresolvable legal conflict
  • Rail ERTMS operational data and incident response plans exposed during active security events
VS
What AMVLET provides

Sovereign communications infrastructure for the full transport stack

  • No US jurisdiction — zero CLOUD Act applicability to any AMVLET infrastructure or data
  • Sub-10ms capable architecture for operations that cannot tolerate cloud-introduced latency
  • Air-gapped deployment options for the highest-sensitivity ATM, UTM, and rail signalling environments
  • Cross-operator federation for inter-modal coordination — airline, rail, fleet — with no US routing dependency
  • NIS2 essential entity supply-chain documentation provided — full audit trail and risk assessment support
Five regulatory layers

Every transport mode has a CLOUD Act
exposure problem — and a regulatory obligation

AMVLET is purpose-built to address all transport modes simultaneously under a single sovereign communications platform.

Mode
Regulator
Who it covers
Framework
01
Aviation & UAM
EASA · ICAO · EUROCONTROL
EASA oversees aviation safety and cybersecurity across EU member states, including the U-space regulation for autonomous aircraft. EUROCONTROL manages SESAR 3 digital ATM deployment requiring sovereign communications across all European airspace
Airlines, air navigation service providers (ANSPs), eVTOL operators, UTM providers, and ground handling — all subject to EASA cybersecurity requirements
EASA + NIS2
02
Rail & Metro
ERA · ENISA · national IMs
The EU Agency for Railways (ERA) oversees ERTMS deployment across 30+ countries. NIS2 Annex I classifies all rail operators as essential entities. The 4th Railway Package requires cybersecurity risk management for all safety-critical systems including signalling and CBTC
Infrastructure managers, railway undertakings, metro operators, and ERTMS system providers operating cross-border or in a single member state
ERTMS + NIS2
03
Automotive & V2X
UNECE WP.29 · ENISA · BSI
UNECE WP.29 Regulation 155 mandates Cybersecurity Management Systems (CSMS) for all vehicle OEMs. Regulation 156 governs software update security. ETSI defines V2X communication standards. NIS2 covers road transport operators and connected vehicle infrastructure providers
Vehicle OEMs, telematics providers, V2X infrastructure operators, and autonomous vehicle software developers — globally, for vehicles sold in UNECE markets
WP.29 R155 + NIS2
04
Urban Air Mobility
EASA · national CAAs · ANSP
EASA's U-space regulation (EU 2021/664–666) establishes the framework for autonomous aircraft operations in urban environments. UTM Service Providers must demonstrate data sovereignty, security, and availability. Self-flying helicopters and air taxis require dedicated sovereign communication corridors for real-time separation and safety management
eVTOL manufacturers, air taxi operators, UTM service providers, and AAM network operators building commercial or public autonomous air services
U-space + EASA
05
Passenger & Vehicle Data
EU Data Act · ePrivacy · national CAAs
The EU Data Act (2024) establishes mandatory data access and portability rights for connected vehicle data — including telematics, sensor feeds, and usage records. OEMs must provide data access on fair terms while complying with GDPR for passenger PII and the ePrivacy Directive for in-vehicle communications. US-hosted OEM backends make lawful compliance structurally impossible under CLOUD Act compelled disclosure
All vehicle OEMs, fleet operators, ride-hailing platforms, booking systems, and mobility-as-a-service providers processing EU passenger or vehicle data — regardless of corporate HQ location
EU Data Act + ePrivacy
What is actually at risk

Six categories of transport data
exposed by US cloud infrastructure

Air traffic and flight plan data
Real-time aircraft positions, filed flight plans, conflict detection alerts, and airspace coordination data — if ATM or UTM platforms run on US cloud, this safety-critical data is compellable under CLOUD Act, creating both a security and operational risk.
V2X safety communications and infrastructure status
Hazard broadcasts, emergency vehicle corridors, infrastructure failure alerts, and intersection control signals — the real-time data layer that makes autonomous transport safe. Cloud dependency creates unacceptable latency and a foreign jurisdiction access point in safety-critical communication.
eVTOL and autonomous rotorcraft operational data
UTM corridor assignments, real-time fleet positions, battery status, emergency landing zone availability, and vertiport capacity data for autonomous helicopter and air taxi operations — all requiring sovereign, low-latency communication channels outside US jurisdictional reach.
Passenger PII and travel behavioural data
Names, payment methods, frequent travel routes, biometric data (facial recognition at terminals), seat preferences, and mobility patterns across intermodal journeys — comprehensive personal profiles subject to GDPR Article 5 and ePrivacy, exposed if processed via US booking or CRM platforms.
HD mapping and autonomous vehicle sensor data
High-definition map updates, LiDAR point cloud datasets, camera feed aggregations, and AI training data from autonomous vehicle fleets — strategic intelligence that reveals road infrastructure status, military facility proximity, and national geographic detail, stored on US hyperscalers under CLOUD Act jurisdiction.
Rail signalling and ERTMS control communications
Train movement authorities, track circuit occupancy, ETCS level transitions, and cross-border rail coordination data — the backbone of European rail safety. Operations centre communications, infrastructure vulnerability assessments, and incident response plans exposed if managed via US-controlled platforms.
Common questions

Transport sovereignty: what operators are asking

Does the CLOUD Act apply to European transport operators using US fleet management or ATM platforms?+
Yes. The CLOUD Act applies based on the nationality of the cloud provider, not the location of the data or the operator. If a European airline uses a US-origin operations management system, or a rail operator uses Microsoft Azure for its ERTMS control data, or an eVTOL operator uses AWS for UTM services, the data is accessible to US law enforcement under a CLOUD Act order — regardless of whether it is stored in Frankfurt, Dublin, or Amsterdam. The provider has no legal basis under US law to refuse. This directly conflicts with GDPR Article 48, which prohibits handing EU personal and operational data to foreign authorities without an international agreement. As of 2026, no such agreement resolves this conflict. European transport operators using US platforms are permanently in a state of irresolvable legal uncertainty.
Are transport operators essential entities under NIS2, and what does that mean for their communications?+
Yes — all major transport modes are explicitly listed in NIS2 Annex I as essential entities: air transport, rail transport, road transport, and water transport. This is the strictest classification under NIS2. As essential entities, transport operators must implement comprehensive ICT supply-chain risk management under Article 21, including for all communications platforms used in operations — not just operational technology (OT) systems. This means that the messaging platform used by an operations centre, the coordination tools used between rail operators, or the communications system used by a UTM provider are all within scope of Article 21 risk management. An operator using a US-controlled platform must document the CLOUD Act exposure this creates and demonstrate that it is adequately managed. Given that the CLOUD Act exposure cannot be resolved legally under GDPR Article 48, the only adequate mitigation is to use communications infrastructure outside US jurisdiction entirely.
Why is V2X communication sovereignty a safety issue, not just a legal compliance matter?+
V2X safety communications have hard real-time requirements that cloud infrastructure — by its architectural nature — cannot reliably satisfy. Collision avoidance broadcasts, hazard detection alerts, and emergency vehicle priority signals must be communicated in under 10 milliseconds to be actionable by an autonomous vehicle's safety systems. Cloud-routed communications, even via regional data centres, routinely experience latency spikes of 30–200ms due to routing variability, congestion, and processing delays. This is not a configuration problem — it is a structural limitation of wide-area cloud routing. When V2X management platforms run on US hyperscalers, the problem is compounded: the CLOUD Act exposure means that the data layer powering autonomous collision avoidance is simultaneously a foreign intelligence asset. Sovereign communications infrastructure — locally deployed, edge-first, and outside foreign jurisdiction — is the only architecture that satisfies both the latency and the sovereignty requirements simultaneously.
What does EASA's U-space regulation require for autonomous helicopter and eVTOL communications?+
EASA's U-space regulation (EU 2021/664, 665, and 666) establishes a mandatory framework for autonomous aircraft operations in urban airspace. UTM Service Providers (U-SSPs) must obtain certification from national competent authorities and demonstrate data sovereignty, security, availability, and performance. The regulation requires that UTM communications — flight corridor assignments, real-time position broadcasts, emergency procedures — are conducted over certified, secure, and available infrastructure. As autonomous helicopter operators (including emerging air taxi services) expand into European cities, the UTM data layer they depend on must be hosted on infrastructure that cannot be compelled by a foreign government without judicial review under European law. US-hosted UTM services cannot satisfy this requirement. The practical implication is that commercially viable autonomous air mobility in Europe requires European-sovereign or self-hosted UTM communication infrastructure from the outset.
What does AMVLET provide specifically for transport operators across aviation, rail, automotive, and UAM?+
AMVLET provides sovereign communications infrastructure for the full transport stack — from air traffic coordination and UTM operations through to rail control centre communications, V2X management, and autonomous fleet operations. The platform operates entirely outside US jurisdiction, with cryptographic keys held exclusively by your organisation. Deployments are available on EU-sovereign cloud infrastructure, on-premises within your own operational environment, or fully air-gapped for the highest-security ATM, rail signalling, and defence-adjacent transport applications. For eVTOL and autonomous helicopter operators, AMVLET provides the secure, low-latency communication backbone needed for UTM data exchange and fleet coordination — compliant with EASA U-space requirements. For rail and road transport authorities, AMVLET provides the NIS2 Article 21 supply-chain documentation and risk assessment support required for essential entity compliance. We work directly with legal, compliance, and technical teams across all transport modes to design and certify sovereign communication architectures tailored to your specific operational and regulatory requirements.

The future of transport is autonomous.
Its communications must be sovereign.

Talk to our transport team about a sovereign communications deployment tailored to your mode, your regulatory environment, and your safety requirements.

Book a sovereign briefing → Explore Air-Gapped