Software escrow and compliance


Escrow is not a niche product. It is a concrete way of meeting obligations that follow from European and international laws and regulations. Below, for each framework, is the relevant obligation and why an escrow at Softcrow contributes to it directly.

| Framework | Applies to | Core obligation | Escrow as a measure |
|---|---|---|---|
| DORA | Financial entities (banks, insurers, payment service providers) | Manage ICT third-party risk, set the exit strategy contractually (art. 28 and 30) | Direct way of meeting the exit strategy and continuity obligation |
| NIS2 | Essential and important entities in critical sectors | Supply chain risk management, continuity measures for critical ICT | Demonstrable measure towards regulators and auditors |
| ISO 22301 | Organisations with a business continuity management system | Identify critical resources and put recovery measures in place | Concrete evidence of a control for software dependencies |
| ISO 27001 | Organisations with an ISMS | Manage supplier relationships, safeguard access to software assets (Annex A) | Addresses the supplier risk control |
| CRA | Manufacturers and buyers of products with digital elements | Access to source code on end-of-life or failure of the manufacturer | Alternative access path, including for software with AI components |
| BIO | Dutch government organisations | Manage supplier risks on the basis of ISO 27001 | Demonstrable control of continuity risks for ICT applications |

DORA: Digital Operational Resilience Act

DORA is an EU regulation that has applied to financial entities since January 2025: banks, insurance companies, investment firms, payment service providers, crypto-asset service providers and other ICT-dependent financial parties.

DORA requires financial entities to manage ICT third-party risk. That means: demonstrably mapping which critical processes depend on external ICT suppliers, and putting measures in place for the situation where that supplier falls away or no longer performs.

Articles 28 and 30 of DORA require contractual provisions on access to data, exit strategies and continuity on termination of the ICT service. An escrow agreement is a direct and demonstrable way of meeting this obligation: the source code or cloud environment is available to the beneficiary as soon as the release conditions are met, regardless of the state of the supplier.

DORA therefore makes escrow non-optional for financial entities that depend on critical software suppliers. The regulator (in the Netherlands: De Nederlandsche Bank) expects demonstrable measures.


NIS2: Network and Information Security Directive

NIS2 is the successor to the NIS Directive and has been transposed in the Netherlands into the revised Network and Information Systems Security Act (Wbni). The directive applies to essential and important entities in critical sectors, including energy, transport, finance, healthcare, digital infrastructure and government.

NIS2 requires organisations to carry out supply chain risk management, including dependencies on software suppliers. Continuity measures for critical ICT applications are an explicit part of the duty of care.

Escrow provides a demonstrable measure: on failure or bankruptcy of the supplier, the source code is available for recovery or further development. That strengthens demonstrability towards regulators and auditors.


ISO 22301: Business Continuity Management

ISO 22301 is the international standard for business continuity. The standard requires organisations to identify critical resources and put recovery measures in place for the situation where those resources fall away.

Proprietary software whose source code rests solely with the supplier is a critical dependency that belongs in a business continuity plan. Escrow is the direct measure: the source code is available for recovery, further development or transfer to another party if the supplier no longer functions.

For ISO 22301 certification, escrow is concrete and verifiable evidence of controls for software dependencies.


ISO 27001: Information Security

ISO 27001 requires, in Annex A, control of supplier relationships and the risks arising from dependencies on external parties. Retaining access to critical software assets on termination of the supplier relationship is a standard point of attention in ISMS audits.

Escrow addresses this control: the source code remains accessible to the beneficiary, regardless of the commercial or operational status of the supplier.


CRA: Cyber Resilience Act

The EU Cyber Resilience Act sets cybersecurity requirements for products with digital elements, both for manufacturers and for buyers that integrate these products into their processes. The CRA emphasises the importance of lifecycle management, vulnerability management and access to software after end-of-life.

For buyers of proprietary software the rule is: if the manufacturer stops maintenance or can no longer be reached, there must be an alternative path to access the source code. Escrow provides for this, including for software with AI components, whose model weights and training logic can be deposited.


BIO: Baseline Information Security Government

The BIO is the mandatory framework for information security at Dutch government organisations, based on ISO 27001. Government bodies that depend on software from external suppliers are required to map and manage supplier risks.

Softcrow provides escrow to government organisations and their software suppliers. An escrow agreement in the BIO context offers demonstrable control of the continuity risks of ICT applications.


Data residency and sovereignty: beyond the US CLOUD Act

For DORA, NIS2 and the GDPR, it is relevant not only that there is a continuity measure, but also where and under which legal system the data is stored. The US CLOUD Act obliges US companies to hand over data to US authorities, even if that data physically resides in the EU, and also when it is held by their foreign subsidiaries. A choice of law in a contract offers no protection against this.

Softcrow’s storage infrastructure, SecureStorage, is hosted entirely within the EU, under EU law and the GDPR, and falls outside US jurisdiction. The CLOUD Act and the USA PATRIOT Act do not apply to it: Softcrow is an independent Dutch company without a US parent company or US incorporation. For a GDPR processor assessment and for the DORA and NIS2 requirements around ICT third-party risk, that means demonstrably sovereign storage that is free of the CLOUD Act and the USA PATRIOT Act.

On top of that comes the zero-knowledge architecture. Softcrow holds no keys, so the deposited data is cryptographically unreadable to Softcrow and to the hosting parties. Sovereign storage and zero-knowledge reinforce each other: the data does not fall under a foreign legal system, and were the stored data to be compelled after all, then without the key there is nothing meaningful to hand over.
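The split of roles behind a zero-knowledge deposit, as an added illustration that is not Softcrow's code and does not describe how SecureStorage is actually implemented: the depositor encrypts and authenticates the archive before it leaves its own systems, the escrow agent stores only ciphertext and can still run the periodic integrity checks mentioned on this page because those need no key, and the beneficiary verifies and decrypts on release. The HMAC-SHA256 counter-mode keystream is a standard-library stand-in chosen so the example runs offline; a real deployment would use an authenticated cipher such as AES-GCM. Deposit identifiers, key handling and the sample payload are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stdlib-only stand-in for a stream cipher: HMAC-SHA256 in counter mode.
    A production deposit would use an authenticated cipher such as AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass(frozen=True)
class Deposit:
    """What the escrow agent actually stores: ciphertext plus a keyed tag."""
    nonce: bytes
    ciphertext: bytes
    tag: bytes  # HMAC over nonce||ciphertext under the depositor's MAC key


def depositor_seal(plaintext: bytes, enc_key: bytes, mac_key: bytes) -> Deposit:
    """Depositor side: encrypt and authenticate before anything leaves the depositor."""
    nonce = secrets.token_bytes(16)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return Deposit(nonce, ciphertext, tag)


def blob_digest(deposit: Deposit) -> str:
    """Unkeyed SHA-256 over the stored bytes; anyone can recompute it."""
    return hashlib.sha256(deposit.nonce + deposit.ciphertext + deposit.tag).hexdigest()


class EscrowAgent:
    """Agent side: holds blobs and intake digests, never enc_key or mac_key."""

    def __init__(self) -> None:
        self._blobs: dict[str, Deposit] = {}
        self._ledger: dict[str, str] = {}  # digest recorded at intake

    def store(self, deposit_id: str, deposit: Deposit) -> str:
        self._blobs[deposit_id] = deposit
        self._ledger[deposit_id] = blob_digest(deposit)
        return self._ledger[deposit_id]  # receipt handed to depositor and beneficiary

    def periodic_integrity_check(self, deposit_id: str) -> bool:
        """Detects bit rot or storage corruption without any key."""
        return blob_digest(self._blobs[deposit_id]) == self._ledger[deposit_id]

    def release(self, deposit_id: str) -> Deposit:
        return self._blobs[deposit_id]

    def simulate_storage_corruption(self, deposit_id: str) -> None:
        """Constructed fault for the demo: flip one bit of the stored ciphertext."""
        d = self._blobs[deposit_id]
        damaged = bytes([d.ciphertext[0] ^ 0x01]) + d.ciphertext[1:]
        self._blobs[deposit_id] = Deposit(d.nonce, damaged, d.tag)


def beneficiary_open(deposit: Deposit, enc_key: bytes, mac_key: bytes) -> bytes:
    """Beneficiary side on release: verify the keyed tag first, then decrypt."""
    expected = hmac.new(mac_key, deposit.nonce + deposit.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, deposit.tag):
        raise ValueError("deposit does not authenticate: altered in storage or wrong key")
    return _xor(deposit.ciphertext, _keystream(enc_key, deposit.nonce, len(deposit.ciphertext)))


def run_demo() -> dict:
    # Constructed sample payload; in practice a source archive plus build instructions.
    plaintext = b"constructed sample deposit: source tree + build instructions"
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    agent = EscrowAgent()
    agent.store("dep-001", depositor_seal(plaintext, enc_key, mac_key))
    result = {
        "intact_at_intake": agent.periodic_integrity_check("dep-001"),
        "round_trip": beneficiary_open(agent.release("dep-001"), enc_key, mac_key) == plaintext,
    }
    agent.simulate_storage_corruption("dep-001")
    result["corruption_detected"] = not agent.periodic_integrity_check("dep-001")
    try:
        beneficiary_open(agent.release("dep-001"), enc_key, mac_key)
        result["release_refused"] = False
    except ValueError:
        result["release_refused"] = True
    return result


if __name__ == "__main__":
    print(run_demo())
```

The two checks are deliberately different in kind: the agent's unkeyed digest catches accidental damage and can be run on a schedule by a party that holds no key, while the keyed tag checked by the beneficiary is what establishes that the released material is exactly what was deposited, including against alteration by the storage side itself.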


Escrow as a demonstrable measure

What all these frameworks have in common: they require organisations to have demonstrable control over their dependencies on external software suppliers. Escrow is not a paper measure. At Softcrow it is a zero-knowledge deposit with periodic integrity checks, an optional verification audit by an independent NOREA IT auditor and a legally watertight transfer structure under Dutch law. The underlying storage, SecureStorage, is hosted entirely in the EU and is free of the CLOUD Act and the USA PATRIOT Act.
