At the beginning of February, the Federal Chamber of Notaries created a comprehensive framework for cloud use in the notary's office for the first time with Circular No. 1/2026. Cloud is generally permitted - but only under strict conditions. And when it comes to choosing a provider, the BNotK is remarkably direct in its advice for European solutions.
This is what we call the "new normal": in May 2025, the Microsoft account of the chief prosecutor at the International Criminal Court in The Hague was blocked - as a result of US sanctions under President Trump. The ICC then initiated a complete switch from Microsoft to the European open source solution openDesk. WirtschaftsWoche ran the apt headline: "Microsoft caught in the Trump trap".
A single incident - but one with a signal effect. What happens to an international judicial authority can, in principle, happen to anyone who operates their infrastructure with a US provider.
Against this backdrop, Circular No. 1/2026 from the Federal Chamber of Notaries reads like a targeted response to a changed risk situation. It is addressed to all 21 chambers of notaries and thus indirectly to almost 7,000 notaries throughout Germany.
The Federal Chamber of Notaries (BNotK) clarifies that professional law does not fundamentally prevent the use of the cloud. However, there are strict limits.
Files and directories belong in the office
According to Section 35 (4) BNotO, electronic files and directories may only be kept in the BNotK's office or electronic notarial file repository. Outsourcing to a cloud is not permitted here.
Cloud data is considered an "aid"
Everything else - draft files, working copies, backup copies - falls under the term "aids" within the meaning of section 35 (2) sentence 2 BNotO. Cloud storage is permitted for these, provided that data protection and notarial confidentiality are maintained.
Back up locally at least weekly
The BNotK formulates a clear obligation: Tools stored in the cloud must be backed up at least once a week on a server or storage medium in the office. The reason for this is that operations must be able to continue even if the cloud services fail completely.
Confidentiality and data protection as a prerequisite
Access to information subject to confidentiality may only be granted insofar as this is necessary for the respective service (Section 26a BNotO). In addition: a confidentiality agreement in text form, an order processing contract in accordance with Art. 28 GDPR, technical and organizational measures in accordance with Art. 32 GDPR - and, if necessary, a data protection impact assessment.
The most important passage of the circular concerns the choice of provider. The BNotK is unusually clear here: when selecting cloud solutions, a "systematic and regularly recurring review of European providers should be carried out".
And: If European providers meet the requirements, they should be given preference over non-European providers - "especially in sensitive application areas".
There are reasons for the BNotK's clear wording: The circular breaks down the risks of US cloud providers in detail - from the Cloud Act and the fragile legal basis of the EU-US Data Privacy Framework to specific cases in which US services have been blocked for European users.
The US Cloud Act of 2018 obliges US service providers to hand over data to US authorities in the event of a valid court order - even if the servers are located outside the USA. This also explicitly applies to data hosted by AWS, Microsoft or Google in German data centers.
The decisive factor here is not the physical storage location, but the legal domicile of the provider. A German data center alone therefore does not protect against a US claim for disclosure. This connection has also been confirmed by an expert opinion by the University of Cologne on behalf of the Federal Ministry of the Interior.
This is particularly tricky for notary's offices. This is not about marketing data or product catalogs. It's about wills, inheritance contracts, property purchase agreements, company formations, powers of attorney - information that falls under the strictest form of professional confidentiality.
Isn't that an exaggeration? What exactly does this mean in practice? Three scenarios illustrate the implications:
1. data access by US authorities. A notary's office uses Microsoft 365 to process drafts. A US court issues an order for disclosure under the CLOUD Act. Microsoft would be obliged to comply - without the notary's office or the clients concerned having to find out about it. The notarial duty of confidentiality pursuant to Section 18 (1) BNotO would be effectively undermined.
2. suspension from office through sanctions. What happened at the ICC can, in principle, happen to anyone who relies on US infrastructure. In its circular, the BNotK refers to cases in which "services from third country providers in Europe have been temporarily blocked - even for a short time". For a notary's office, such an outage means: no draft processing, no access to working copies, possibly complete operational standstill(more on this so-called "kill switch risk"here).
3. loss of the legal basis. The current EU-US Data Privacy Framework (DPF) allows data to be transferred to the USA. However, the two predecessors - Safe Harbor and Privacy Shield - were both declared invalid by the ECJ. Although the European Court of Justice confirmed the DPF in September 2025, it also emphasized that the equivalence of the level of data protection must be reviewed on an ongoing basis.
If the DPF also falls, any ongoing data transfer to the USA would have no legal basis from one day to the next. The portal datenschutz-notizen.de also recently analyzed this uncertainty in detail.
The BNotK devotes a separate section to the topic of Microsoft 365 - a sign of how widespread the solution is in notary's offices.
The core statement: The use of Microsoft 365 in compliance with professional law is generally possible according to the current status. However, this is only possible if the "Additional agreement for professional secrecy holders" is concluded with Microsoft, the contractual conditions are checked individually and the configuration is adapted. According to the BNotK, the default settings of Microsoft 365 are "optimized for maximum functionality, but not geared towards confidential work".
In addition, there is a permanent effort: every patch from Microsoft can require configuration changes or change the handling of data - without the user having any influence on this. Various data protection officers at federal, state and EU level continue to see structural problems with Microsoft 365, particularly in terms of transparency and data transfer to the USA, as the Hessian data protection officer explained in November 2025.
The BNotK leaves it up to notaries to weigh up the options: Is it worth the effort - or is a classic Office installation that is operated locally and does not require a US cloud connection sufficient?
One aspect that the circular does not explicitly address, but which is closely related to it, is the growing use of AI tools in the day-to-day work of law firms. More and more providers are advertising that their AI solutions are "EU-hosted" and therefore GDPR-compliant - even for persons subject to professional secrecy.
If you take a closer look, most of these applications run on Azure or AWS - i.e. on Microsoft and Amazon infrastructure. A European server location therefore does not change the fact that the operator is subject to the US Cloud Act. The BNotK circular takes a critical view of precisely this.
Does this mean that notary's offices should do without AI? On the contrary. The tools are too powerful to ignore. But solutions are needed to ensure that no client data ends up with a US provider. Approaches such as data anonymization before AI processing start right here: Sensitive information is removed before it reaches an AI interface. Any model can then be used - without breaching confidentiality obligations.
A common counterargument is that switching from established US services to European alternatives is too costly. This is not true across the board.
For pure cloud storage - filing, sharing and collaborative editing of files - switching is comparatively easy. European providers with BSI C5 certification offer encrypted storage with data centers and company headquarters in Germany, without technical or legal access options from third countries.
Microsoft also recently announced that it would stop selling standalone SharePoint and OneDrive licenses - which makes the switch even more attractive for many organizations anyway.
It is more complex with fully integrated systems such as Microsoft 365, where email, calendar, collaboration and document processing are interlinked. A step-by-step approach is recommended here: first move the sensitive data - drafts, client information, confidential communication - to a European cloud. At the same time, check which components of the US stack can be replaced by European alternatives.
The circular itself recommends that notaries "consult with their IT service provider and notary software provider" when making their selection.
Circular no. 1/2026 is more than just legal guidance. It is a clear signal to around 7,000 notary's offices in Germany: Check your cloud strategy. Check your providers. And give preference to European solutions wherever possible.
The BNotK also provides the reasons: the US Cloud Act, the uncertain future of the EU-US Data Privacy Framework, the risk of temporary service blocks - and the simple fact that notarial documents are some of the most sensitive data there is. European alternatives are often even more economically attractive.
Anyone who relies on US cloud services today without having taken the precautions described in the circular is treading on thin ice in terms of professional and data protection law. And anyone who thinks the issue only affects large law firms: The requirements apply to every single notary's office - regardless of size and location.