2026-05-24·5 min read·sota.io Team

RSA Archer GRC EU Alternative 2026: The DORA Art. 28 Self-Reference Paradox

Post #2 in the sota.io EU GRC Tools Series


The Platform Behind the Compliance Frameworks

Walk into the risk management function of any major European bank and you will likely find RSA Archer. It is the de facto standard for enterprise Governance, Risk, and Compliance (GRC) in financial services — the platform where DORA ICT risk registers live, where NIS2 vendor assessments are documented, where GDPR Article 32 Technical and Organisational Measures are tracked, where audit findings accumulate, and where the complete operational resilience evidence trail is maintained.

When a national competent authority (or, for significant institutions, the ECB's Single Supervisory Mechanism) reviews a bank's DORA compliance, it is effectively auditing content that lives in Archer. The compliance infrastructure of European finance runs on a platform operated by a US company under private-equity ownership.

This is the Archer paradox.

Corporate Structure: Symphony Technology Group

RSA Archer's ownership trail runs through three changes of control, each of which altered its risk profile for European customers, and the most recent of which is easy to miss because the product is still widely referred to as RSA Archer.

2001–2010: Archer Technologies (Overland Park, Kansas) develops the GRC platform independently.

2010: EMC Corporation (Hopkinton, Massachusetts) acquires Archer Technologies and integrates it into RSA Security, EMC's cybersecurity division.

2016: Dell Technologies acquires EMC for approximately $67 billion. RSA Security, including Archer, becomes part of Dell.

September 2020: Symphony Technology Group (STG) acquires RSA Security from Dell Technologies for approximately $2.075 billion. RSA becomes a standalone company under private-equity ownership.

2021: STG separates Archer from RSA and runs it as a standalone company; the product drops the RSA prefix and is marketed simply as Archer.

2023: Cinven, a London-headquartered private equity firm, agrees to acquire Archer from STG.

What none of these transactions changed is the operating entity. Archer is run from Overland Park, Kansas, by a US company, and neither STG (Menlo Park, California) nor Cinven (London, outside the EU) places an EU entity in the ownership chain. RSA Security LLC, the SecurID business, remains a Delaware limited liability company under STG's control.

Symphony Technology Group is a technology-focused private equity firm whose portfolio includes NetWitness (SIEM and threat intelligence, also separated from RSA) and Trellix, formed from McAfee Enterprise and FireEye in 2022. Between September 2020 and the 2023 sale, Archer and NetWitness sat in the same STG portfolio, so compliance records and security telemetry from a single European organization could be held by affiliated US entities simultaneously; Paradox 3 below discusses what remains of that concentration now that the two have different owners.

CLOUD Act Exposure Score: 18/25

We apply our five-dimension CLOUD Act framework — the same methodology used across this series — to evaluate the realistic risk of US government access to Archer-hosted data.

D1 — Corporate Jurisdiction: 5/5

Archer's operating entity is a US company headquartered in Overland Park, Kansas. Its private-equity owners (STG from 2020, Cinven after the 2023 sale) never placed an EU entity in the ownership chain, and Cinven is headquartered in London, outside the EU. A non-US ultimate owner would not help in any case: the CLOUD Act provision, 18 U.S.C. § 2713, applies to any provider subject to US jurisdiction and reaches records in that provider's possession, custody or control regardless of where they are stored. A DOJ order under the Stored Communications Act therefore targets the US operating company directly, with no jurisdictional firebreak.

Score: 5/5 — US operating company; no EU entity in the ownership chain.

D2 — Government Exposure: 3/5

Most of the government exposure in this picture belongs to RSA's other products rather than to Archer, which has been a separate company since 2021; what matters for scoring is how much of it transfers.

RSA SecurID (multi-factor authentication) has been a standard across US federal agencies for decades. RSA NetWitness holds active contracts with the DoD, intelligence community, and CISA. Archer GRC itself is deployed at multiple US federal agencies, including in financial regulatory oversight contexts, though it does not carry a standalone FedRAMP High authorization at the Archer platform level.

The relevant dynamic is institutional familiarity. Archer's own federal footprint, and a decade inside RSA, make the vendor a known counterparty for US agencies. The practical friction of a DOJ request is lower than it would be for a vendor with no government business, even though nothing in the CLOUD Act turns on that relationship: a provider with no federal contracts is compelled just as readily.

Score: 3/5 — Material legacy government exposure primarily through adjacent RSA products; Archer deployed in federal GRC contexts.

D3 — Data Sensitivity: 5/5

This dimension is where Archer reaches the ceiling — and where the consequences of CLOUD Act exposure are most severe.

Archer stores the complete GRC evidence trail of an enterprise: the ICT risk register with its risk tolerances and dependency mapping, the NIS2 and DORA third-party assessments, the implementation status of technical and organisational controls, audit findings and their remediation state, incident records and post-incident analyses, and the business continuity and disaster recovery plans.

The aggregation of this data represents something more dangerous than any individual category: it is the institutional knowledge of an organization's weaknesses. A DOJ subpoena for Archer data is not just a request for compliance documents — it is a request for a comprehensive vulnerability assessment, a catalogue of known control failures, and a roadmap of operational risk concentrations.

Score: 5/5 — Maximum data sensitivity. GRC platform data represents the highest-value intelligence target in the enterprise risk landscape.

D4 — Cloud Infrastructure: 3/5

Archer is delivered as a SaaS platform on AWS-hosted infrastructure. EU regional deployment options exist, allowing customer data to be stored in European AWS regions.

However, the control plane, authentication services, telemetry infrastructure, and platform management functions remain US-hosted. This is the architectural reality of most US SaaS platforms: data residency in the EU does not equal sovereignty over the platform. Before treating a tenant as EU-resident, check the vendor's published sub-processor list and the region assignment of the support, identity and telemetry services, not only of the tenant database; those are the paths through which a US-based operations team reaches the data.

On-premises deployment of Archer remains available as an enterprise option. For organizations that self-host, the D4 exposure is mitigated significantly: the records no longer sit in the vendor's possession, custody or control, which is the trigger for a CLOUD Act disclosure order, and what remains is the vendor's US jurisdiction over software updates and whatever remote support access the institution grants. On-premises deployment requires substantial internal infrastructure capacity, though, and is increasingly rare in new deployments.

Score: 3/5 — EU data residency available but US control plane and platform management.

D5 — Encryption Controls: 2/5

Customer-managed encryption keys (CMK) are available in Archer as an enterprise-tier option that requires explicit configuration. Default deployments use vendor-managed encryption.

For the majority of Archer customers, even large financial institutions, the vendor therefore holds the keys and can produce plaintext in response to a compliant US government order.

Two caveats before counting CMK as a mitigation. First, in the usual SaaS bring-your-own-key model the application still calls the customer's key service at runtime to decrypt records, so the vendor processes plaintext for as long as the key is enabled; CMK is a revocation switch that can end the vendor's access going forward, not a barrier to a disclosure order served while the key is live. Second, only client-side encryption of records before upload keeps plaintext out of the provider's possession entirely, and a GRC platform cannot search, report or run workflows over data it cannot read, so that option is realistically limited to attachments and free-text fields rather than the risk register itself.

Score: 2/5 — CMK available but not default; most deployments use vendor-managed encryption.

Total CLOUD Act Score: 18/25

Dimension              | Score | Rationale
D1 Corporate Structure | 5/5   | US operating company; private-equity owned (STG, then Cinven); no EU entity in the chain
D2 Government Exposure | 3/5   | RSA legacy government business; Archer in federal GRC contexts
D3 Data Sensitivity    | 5/5   | Complete GRC evidence trail = maximum sensitivity
D4 Infrastructure      | 3/5   | EU data residency available; US control plane
D5 Encryption          | 2/5   | CMK enterprise feature, not default
Total                  | 18/25 | High CLOUD Act exposure

The Three Paradoxes of Archer in European Financial Services

Paradox 1: The DORA Art. 28 Self-Reference Paradox

This is the most legally significant paradox in the EU GRC Tools Series.

DORA Article 28 requires European financial entities to maintain a comprehensive ICT third-party risk management framework. This includes due diligence on all ICT third-party providers, ongoing monitoring, concentration risk assessment, and documented exit strategies.

For many European banks, that third-party risk register lives in Archer.

Which means: Archer's own third-party risk assessment is stored in Archer.

The DORA Art. 28 requirements for assessing Archer (the impact assessment of Archer on the institution's operational resilience, the dependency analysis, the concentration risk flag, the exit strategy) are all documented inside the platform being assessed. A DOJ CLOUD Act order served on the vendor would retrieve not only the institution's compliance evidence, but also the institution's internal assessment of the vendor itself: the known risks, the identified gaps, the exit planning (or lack thereof).

This is not a hypothetical concern. Under DORA's supervisory framework, national competent authorities (NCAs) can inspect an institution's third-party risk management documentation, and the European Supervisory Authorities oversee providers designated as critical. The framework creates a situation where:

  1. The NCA reviews the bank's third-party risk management → sees that Archer is a critical dependency
  2. DORA Art. 31 lets the ESAs designate critical ICT third-party providers → Archer could qualify
  3. The Lead Overseer, supported by a joint examination team (JET), gains oversight powers over the designated provider → but the CLOUD Act operates independently of EU supervisory frameworks
  4. A parallel DOJ proceeding under the CLOUD Act would face no EU supervisory override mechanism. The statute's own safety valve, a provider motion to quash on comity grounds, applies only where the customer's country is a "qualifying foreign government" with a CLOUD Act executive agreement, a status the UK and Australia hold and that no EU member state held when DORA became applicable

Paradox 2: The Regulatory Evidence Paradox

European financial regulators (EBA, ECB SSM, national competent authorities) are building their DORA supervisory infrastructure. They will review compliance by examining the documented evidence of risk management — the ICT risk register, the resilience testing results, the third-party assessments.

That evidence lives in Archer.

A DOJ CLOUD Act order served on Archer's US operating entity could retrieve the complete compliance evidence base of European systemically important financial institutions (SIFIs), the same evidence that EU regulators are reviewing for supervisory purposes.

This creates a situation where US government access to European financial regulatory compliance evidence is technically feasible through a commercial SaaS contract, without any notification requirement to EU supervisory authorities. Orders under the Stored Communications Act can also carry non-disclosure requirements, so the institution itself may not learn of the disclosure.

The EU-US Data Privacy Framework (DPF) governs commercial data transfers and adds redress for signals-intelligence collection; it does not constrain compelled disclosure to US law enforcement. The CLOUD Act operates on a separate legal track and is not subject to adequacy decisions.

Paradox 3: The Portfolio Concentration Risk

From September 2020 until the 2023 sale to Cinven, Archer shared an owner with NetWitness, RSA's SIEM and threat intelligence platform, and from 2021 with McAfee Enterprise, which STG later combined with FireEye's products to form Trellix. During that period one private equity firm held both an institution's compliance documentation and its real-time security telemetry.

Archer and NetWitness are no longer under common ownership, so a single corporate parent can no longer be reached for both. The concentration point survives the change of owner, though, for organizations that run both Archer GRC and NetWitness SIEM:

Both remain US operating companies. Both are therefore subject to CLOUD Act orders, served on each entity separately rather than on a shared parent.

The correlation of compliance documentation and real-time security telemetry represents a comprehensive intelligence picture of an organization's security posture: risks documented, controls implemented (or not), and the actual threat landscape as observed by the SIEM. Whether that picture is assembled through one order or two is a procedural detail on the requesting agency's side.

DORA Regulatory Context: Why This Matters Now

DORA became applicable on January 17, 2025. European financial entities subject to DORA (banks, investment firms, insurance companies, payment institutions, crypto-asset service providers under MiCA, and others) are now operating under legal obligations that directly implicate their ICT risk management platforms.

Key DORA provisions generating GRC data:

Art. 6 — ICT Risk Management Framework (with the identification duties of Art. 8): Required documentation of the ICT risk framework, the inventory of ICT assets and ICT-supported business functions, exposure and dependency mapping, risk tolerance settings. This is foundational Archer content.

Art. 9 — Protection: Network and information systems protection measures, access control policies, encryption requirements. Archer Policy & Compliance module tracks implementation status.

Art. 11 — Response and Recovery: Business continuity plans, disaster recovery plans, communication plans for ICT incidents. Archer Business Continuity module stores these.

Art. 13 — Learning and Evolving: Post-incident analysis, lessons learned, corrective measures. Archer tracks the complete incident lifecycle.

Art. 28 — General ICT Third-Party Risk Management Principles: The register of all ICT third-party providers, due diligence documentation, concentration risk assessment, exit strategies. This is the Self-Reference Paradox dimension.

Art. 30 — Key Contractual Provisions: Contract review results, SLA documentation, audit rights provisions, termination conditions. Archer Contract Management stores these.

For many institutions, Archer is the single platform consolidating compliance evidence across all six articles above. That consolidation — efficient as it is operationally — creates a single jurisdictional point of failure.

EU-Native Alternative: SAP GRC

For European financial entities seeking to move GRC infrastructure to EU jurisdiction, SAP GRC is the credible enterprise-grade alternative.

Corporate structure: SAP SE is a Societas Europaea, the company form created by EU law, registered in Germany and headquartered in Walldorf, Baden-Württemberg; it converted from an Aktiengesellschaft in 2014. SAP is listed on the Frankfurt Stock Exchange (DAX) and is subject to German corporate law and EU regulatory frameworks. There is no US entity above SAP SE in the ownership chain.

CLOUD Act score: 0/25 — SAP SE has no US corporate jurisdiction exposure at the parent level and offers European cloud infrastructure through RISE with SAP, including EU sovereign cloud options. One caveat keeps the score honest: SAP does have US subsidiaries, notably SAP America, Inc. and SAP National Security Services (SAP NS2), which serves US federal and defence customers. The CLOUD Act reaches records in a provider's possession, custody or control, so 0/25 holds only where the contracting party is SAP SE or an EU subsidiary and no US affiliate has operational access to the tenant. Check the contract counterparty and the support-access model rather than assuming them.

Deployment options relevant to DORA/NIS2: RISE with SAP on EU cloud infrastructure (AWS EU regions, Azure EU regions, or SAP's own data centers in the EU) with EU data processing. The hyperscaler options reintroduce a US infrastructure provider as a sub-processor, with the same control-plane questions raised under D4 above; the 0/25 reading applies to SAP-operated EU data centers and to on-premise deployment, which remains available for maximum sovereignty.

Open-source alternative: ERAMBA (eramba.org) — a GRC platform operated by a Swiss-based non-profit entity. Self-hosted deployment maintains complete data sovereignty. ERAMBA supports ISO 27001, GDPR, NIS2, and can be configured for DORA workflows. Community and enterprise editions available. Not a like-for-like enterprise replacement for large financial institutions, but viable for mid-market and public sector organizations.

CLOUD Act score: 0/25 — Self-hosted ERAMBA with no SaaS data transfer creates zero CLOUD Act exposure.

Migration Considerations for DORA-Regulated Entities

Migrating a GRC platform is operationally complex — risk registers, audit histories, and policy frameworks accumulated over years are not trivial to transfer. For European financial institutions evaluating this decision, the key considerations are:

Regulatory timeline pressure: DORA is already in force. Supervisory assessments will intensify through 2025-2026. The question is not whether to address third-party concentration risk in GRC infrastructure, but when.

Art. 28 compliance: Designation of a provider as critical under DORA Art. 31 places the provider, not the institution, under ESA oversight, but institutions are expected to act on the Lead Overseer's recommendations about that provider, and a third-party register that shows a designated provider holding the register itself is exactly the kind of concentration supervisors ask about. Either way, the institution needs a documented and tested exit strategy for Archer under Art. 28, which is a regulatory incentive to reduce or restructure the dependency.

Data portability: Enterprise GRC platforms typically offer data export capabilities. Structured migration programs exist — the complexity is organizational (retraining, process redesign) more than technical.

Transition risk: Running parallel systems during migration is operationally intensive but reduces the risk of compliance evidence gaps during transition. A phased approach by module (risk first, then audit, then policy) reduces migration complexity.

What the EBA and ECB Are Watching

The European Banking Authority's DORA technical standards and the ECB's supervisory expectations create a clear audit trail of what regulators will examine. For institutions using Archer:

The 2025-2026 DORA supervisory cycle will include reviews of ICT third-party risk management frameworks. Supervisors will ask where the third-party risk register lives. If the answer is Archer, a platform operated by a US company under private-equity ownership, the follow-up questions will address CLOUD Act risk, data residency, and the Art. 28 exit strategy for Archer itself.

Regulators are not blind to the irony of Archer as an unmanaged ICT third-party dependency inside the third-party risk management system.

Conclusion: Compliance Infrastructure Requires Jurisdictional Integrity

RSA Archer's 18/25 CLOUD Act score reflects a genuine institutional risk for European financial entities: the platform holding their DORA compliance evidence trail is operated by a US company under private-equity control, with legacy government relationships and default vendor-managed encryption.

The self-reference paradox — DORA Art. 28 risk assessments of ICT vendors stored in an ICT vendor — is not a theoretical concern. It is a structural consequence of consolidating GRC evidence in a non-EU-sovereign platform in an era of extraterritorial data access law.

SAP GRC offers the enterprise-grade alternative, scored 0/25 on the CLOUD Act framework for an SAP SE-contracted, EU-hosted deployment, with a European corporate structure and DORA/NIS2-aligned capabilities. For financial institutions where operational sovereignty of compliance infrastructure matters, and DORA makes clear that it should, the evaluation of EU-native GRC infrastructure deserves board-level attention, not just IT procurement consideration.


CLOUD Act Scores in the EU GRC Tools Series

Vendor         | Corporate Structure                               | CLOUD Act Score | EU Alternative
ServiceNow IRM | NASDAQ:NOW, Delaware C-Corp                       | 19/25           | SAP GRC (0/25)
RSA Archer     | US operating company; STG 2020, Cinven from 2023  | 18/25           | SAP GRC (0/25)
LogicGate      | Upcoming                                          | TBD             |
OneTrust GRC   | Upcoming                                          | TBD             |
Series Finale  | Upcoming                                          | TBD             |

The EU GRC Tools Series evaluates integrated risk management platforms through the lens of EU data sovereignty under the US CLOUD Act. All scores use the same five-dimension methodology: D1 Corporate Structure + D2 Government Exposure + D3 Data Sensitivity + D4 Infrastructure + D5 Encryption.


sota.io helps European businesses evaluate technology sovereignty risk. The CLOUD Act scoring methodology is consistent across all posts in this series. Corporate structures and government relationships verified from public sources including SEC filings, GSA eBuy, the FedRAMP marketplace, and company press releases.

EU-Native Hosting

Ready to move to EU-sovereign infrastructure?

sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.