Wasabi Hot Cloud Storage has become a popular choice among systems administrators and IT managers looking to reduce the cost of backup storage. The pitch is straightforward: full compatibility with the Amazon S3 API, no egress charges, and a flat price that can be up to five times lower than AWS S3. For many projects, it is a valid and sensible option.
However, if your organisation belongs to the Spanish public sector, manages critical infrastructure, or provides services to an administration that requires compliance with the Esquema Nacional de Seguridad (ENS) at its High category (Alto), Wasabi is not a valid option as a backup storage destination. This is not a matter of technical preference or performance: it is a structural incompatibility with the regulatory requirements that ENS Alto imposes.
In this article we analyse in detail the technical and legal reasons why Wasabi falls outside the ENS Alto compliance perimeter, and what alternatives exist that do meet all the requirements of the Spanish regulatory framework.
What Is ENS Alto and What Does It Require from Cloud Providers?
The Esquema Nacional de Seguridad (ENS), regulated by Royal Decree 311/2022, establishes the minimum security principles and requirements for information systems of Spanish public administrations. The High category (Alto) is the most demanding and applies to systems whose disruption would have a very serious impact on critical State functions, sensitive personal data or essential infrastructure.
When an organisation subject to ENS Alto outsources storage or backup services to a cloud provider, that provider becomes a service provider under the organisation's responsibility and must comply with a series of requirements that the ENS details in its op.ext controls (management of external providers). The most relevant for backup storage are:
- op.ext.1 — Contracting and service level agreements: the contract must explicitly include ENS security requirements and the provider must accept them in a binding way.
- op.ext.2 — Supplier management: the organisation must maintain a supplier register and periodically verify their regulatory compliance.
- mp.info.3 — Information encryption: stored data must be encrypted and encryption keys must be under the exclusive control of the organisation or of an audited provider.
- mp.info.5 — Certified deletion and destruction: it must be guaranteed that data is deleted securely and in a certified manner at the end of the service.
- Data sovereignty and jurisdiction: data must be protected against unauthorised access from third countries, including extraterritorial legislation from non-EU states.
Additionally, the CCN (National Cryptologic Centre) publishes guides such as CCN-STIC-823 and maintains a catalogue of qualified cloud services, which identifies which providers have demonstrated ENS compliance. Using a non-qualified provider in ENS Alto systems poses an audit risk with potential consequences for the system's certification.
What Is Wasabi and Why Does It Appeal to IT Teams?
Wasabi Technologies, Inc. is a US company headquartered in Boston, Massachusetts, founded in 2017. It offers object storage compatible with the Amazon S3 API at a flat price of approximately 7 USD/TB/month, with no data egress charges and no API request fees. It has European regions in Amsterdam (eu-central-1), Frankfurt (eu-central-2) and London (eu-west-1), but has no datacentre in Spain.
Its certifications include ISO 27001, SOC 2 Type II and CSA STAR. It is natively compatible with Veeam Backup & Replication as a Scale-Out Backup Repository (SOBR), which makes it technically attractive for teams already using Veeam. The cost savings versus AWS S3 Standard can exceed 70% for high-retention backup workloads.
Wasabi at a glance
- ~$7 per TB/month
- $0 data egress
- 3 EU regions
- 0 datacentres in Spain
All these attributes are genuinely positive for private projects, startups, SMEs without specific compliance requirements, or any scenario where price and compatibility are the deciding factors. The problem arises when trying to fit Wasabi into a context of ENS Alto compliance, where factors come into play that go far beyond price or technical compatibility.
Why Wasabi Does Not Comply with ENS Alto: The Specific Reasons
1. The CLOUD Act makes Wasabi a structural legal risk
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act), enacted in the United States in 2018, allows US authorities — FBI, DEA, NSA and others — to legally compel any US company to hand over data stored in any country in the world, without needing to notify the data subject or the state where the data is physically held.
Wasabi Technologies, Inc. is a US company. Therefore, it is subject to the CLOUD Act regardless of which region you store your data in. Even if you use the Amsterdam datacentre, US authorities can compel Wasabi to hand over your backups without Wasabi being able to refuse and, in many cases, without being able to inform you.
Direct impact on ENS Alto
ENS Alto requires that data be protected against access from third-country states. The CLOUD Act creates an extraterritorial legal obligation for Wasabi that structurally breaks this guarantee, regardless of any contractual clauses you may sign with the provider.
The Court of Justice of the European Union already declared in the Schrems I (2015) and Schrems II (2020) rulings that data transfers to the US could not be guaranteed as safe precisely because of this type of mass surveillance legislation. Although the Data Privacy Framework (DPF) of 2023 has partially restored transfer mechanisms, the CLOUD Act itself has not changed and remains a recognised source of risk acknowledged by the European Data Protection Board.
2. Wasabi is not certified by the CCN and does not appear in the qualified services catalogue
The National Cryptologic Centre (CCN) maintains a catalogue of qualified cloud services listing providers that have passed the ENS evaluation process. For a cloud storage provider to be acceptable in an ENS Alto system, it must appear in this catalogue or, at minimum, have formally initiated the qualification process.
Wasabi does not appear in the CCN catalogue and has not publicly initiated any ENS certification process. Its certifications (ISO 27001, SOC 2) are internationally recognised but are not equivalent to the ENS and do not substitute for the CCN evaluation. The CCN-STIC-823 guide is explicit on this point: the use of non-qualified cloud services in High category systems requires a documented risk assessment approved by management, with a high likelihood that an auditor will not accept it as sufficient.
3. No datacentres in Spain
For certain data types in ENS Alto systems — particularly sensitive personal data, classified information or critical infrastructure data — there is a recommendation and, in some contexts, an obligation that data reside on Spanish territory.
Wasabi operates no datacentre in Spain. Its closest European regions are Amsterdam and Frankfurt. This not only implies a potential breach of data residency requirements, but also introduces higher latency in disaster recovery processes and exposure to additional local legislation (Dutch or German intelligence law, for example) that may have its own data access mechanisms.
4. No real audit rights
ENS Alto, under control op.ext.2, requires that the organisation be able to verify its external providers' compliance with security measures. In practice, this means audit rights: the ability to inspect on-site or remotely the provider's facilities, processes and controls, or to demand up-to-date independent audit reports.
Wasabi, as a mass-scale commodity storage provider, does not offer individualised audit rights to its customers. Its standard contracts do not include clauses that allow a Spanish organisation to directly and bindingly verify compliance with ENS controls. This is a structural limitation of generic public cloud providers, not a specific deficiency of Wasabi.
5. Key management does not meet ENS Alto standards
ENS Alto control mp.info.3 requires that information encryption uses approved algorithms and that keys are under the exclusive control of the organisation or a provider with adequate guarantees. In practice, for ENS Alto, this typically requires the use of certified HSMs (Hardware Security Modules), such as those complying with FIPS 140-2 Level 3 or higher.
Wasabi supports server-side encryption with Wasabi-managed keys (SSE-W) or customer-provided keys (SSE-C). Client-side encryption (where Veeam encrypts before sending) is technically possible and reduces risk. However, Wasabi does not offer a key management service (KMS) certified under standards recognised by the CCN for ENS Alto, nor does it provide auditable evidence of the key custody chain in formats acceptable for an ENS audit.
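The custody difference between the encryption modes above is visible in the upload request itself: with SSE-C the raw key travels to the provider on every call. The following Python is an added example, not Wasabi's or Veeam's code; it assumes the standard S3 SSE-C header names, and the `x-amz-meta-client-encrypted` marker, the demo key and the sample requests are constructed for illustration.

```python
import base64
import hashlib

SSE_C = "x-amz-server-side-encryption-customer-"  # standard S3 SSE-C header prefix


def sse_c_headers(key: bytes) -> dict:
    """Headers an SSE-C upload carries: the raw AES-256 key travels with the request."""
    if len(key) != 32:
        raise ValueError("SSE-C expects a 256-bit key")
    return {
        SSE_C + "algorithm": "AES256",
        SSE_C + "key": base64.b64encode(key).decode(),
        SSE_C + "key-MD5": base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


def key_seen_by_provider(headers: dict):
    """Return the key bytes the storage provider can read from a request, or None."""
    h = {k.lower(): v for k, v in headers.items()}
    b64 = h.get(SSE_C + "key")
    return base64.b64decode(b64) if b64 else None


def custody(headers: dict) -> str:
    """Classify who handles key material for one upload request."""
    h = {k.lower(): v for k, v in headers.items()}
    if key_seen_by_provider(h) is not None:
        return "SSE-C: customer key disclosed to provider on every request"
    if h.get("x-amz-meta-client-encrypted") == "true":  # hypothetical marker (assumption)
        return "client-side: provider receives ciphertext only"
    # Assumption: no SSE-C headers and no marker means provider-managed keys (SSE-W).
    return "provider-managed: provider generates and holds the key"


def audit(requests: dict) -> dict:
    """Map each uploaded object name to its key-custody verdict."""
    return {name: custody(h) for name, h in requests.items()}


# Constructed sample: a fixed demo key and three upload requests.
DEMO_KEY = bytes(range(32))
REQUESTS = {
    "job-a.vbk": sse_c_headers(DEMO_KEY),
    "job-b.vbk": {"x-amz-meta-client-encrypted": "true"},
    "job-c.vbk": {"Content-Type": "application/octet-stream"},
}

if __name__ == "__main__":
    for name, verdict in audit(REQUESTS).items():
        print(f"{name}: {verdict}")
```

Only the client-side case keeps key material inside the organisation; in the SSE-C case the provider can recover the full key from the request, which is why it does not by itself satisfy an exclusive-control requirement.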
6. Wasabi's DPA is not adapted to ENS
Backups of systems that process personal data require a Data Processing Agreement (DPA) compliant with the GDPR. Wasabi's DPA is a standard document designed for the global market, incorporating the European Commission's Standard Contractual Clauses (SCCs) for international transfers.
However, for ENS Alto systems processing special category data, the DPA must include specific commitments aligned with ENS security measures: breach notification procedures within less than 72 hours, certified deletion mechanisms, and sub-processor restrictions. Wasabi's generic DPA does not capture these commitments in sufficient detail to pass an ENS Alto audit.
Summary Table: Wasabi vs ENS Alto Requirements
| ENS Alto Requirement | Wasabi | Compliant |
|---|---|---|
| No US extraterritorial jurisdiction | US company, subject to CLOUD Act | No |
| CCN certification / qualified catalogue | Not listed in CCN catalogue | No |
| Datacentre in Spain (recommended for critical data) | EU only: Amsterdam, Frankfurt, London | No |
| Audit rights (op.ext.2) | Not offered in standard contract | No |
| Certified HSM key management (mp.info.3) | SSE-C possible, no ENS-certified KMS | Partial |
| DPA adapted to ENS and Spanish GDPR | Generic global DPA, no ENS commitments | No |
| Certified deletion at end of service (mp.info.5) | No auditable secure deletion certificate | No |
| Object Lock / immutability | Technically supported | Yes |
| International certifications | ISO 27001, SOC 2 Type II | Yes (not equivalent to ENS) |
As can be seen, Wasabi meets basic technical requirements (Object Lock, international certifications) but fails on the specific legal and regulatory aspects of ENS Alto that precisely determine whether a provider is acceptable for a High category system.
Alternatives That Do Comply with ENS Alto for Backup
The Spanish market has object storage providers that operate from national territory, are subject exclusively to Spanish and European legislation, and have the certifications and audit capabilities required for ENS Alto environments. The characteristics to look for are:
- Spanish company or EU-domiciled entity, not subject to extraterritorial legislation from the US or from third countries without an EU adequacy agreement.
- Datacentres in Spain with at least Tier III availability to guarantee service continuity in line with ENS SLAs.
- ENS certification or a formally initiated qualification process before the CCN, with evidence available for the auditor.
- Contractual audit rights: ability to inspect or receive independent audit reports aligned with ENS controls.
- DPA specific to ENS and Spanish GDPR, with explicit commitments on breach notification, certified deletion and sub-processor restrictions.
- Object Lock / immutability compatible with Veeam to protect backups against ransomware.
At EasyDataHost we offer Object Storage S3 operated entirely from our Tier III+ datacentre in Madrid, with registered offices in Spain and no ownership or control relationship with third-country companies. Our service includes native Object Lock compatible with Veeam, a DPA adapted to ENS and GDPR, and audit rights available to public bodies and certified organisations. For complete offsite backup management, our Veeam Cloud Connect service complements storage with managed repositories, immutability enabled by default and 24/7 support.
For systems that also require disaster recovery, our DRaaS with Veeam service enables RPO and RTO definitions in line with ENS Alto availability requirements, with all infrastructure on Spanish territory.
Conclusion: Price vs Compliance
Wasabi is an excellent object storage provider for projects without specific regulatory requirements. Its value for money is hard to beat on the global market. But ENS Alto is not a regulatory framework that admits exceptions on economic grounds: the requirements for data sovereignty, jurisdiction, audit and certification are necessary conditions, not optional ones.
Using Wasabi as a backup destination in an ENS Alto system means accepting risks that no CCN auditor will accept without a documented risk assessment, and almost certainly without requiring compensatory measures that will push costs and operational complexity well above the initial savings that Wasabi provided.
- The CLOUD Act makes any US provider a structural legal risk for ENS Alto, regardless of where the data is physically stored.
- The absence of CCN certification prevents Wasabi from being validated as a provider in an ENS Alto audit without additional compensatory measures.
- The lack of datacentres in Spain and the inability to exercise real audit rights complete the picture of non-compliance.
- There are national alternatives that offer full Veeam compatibility, Object Lock and competitive pricing, without Wasabi's compliance issues.