Choosing a credential manager for a European enterprise in 2026 is a compliance decision as much as it is a product decision. 

Credential abuse remains one of the most common paths into corporate environments. Verizon's 2026 Data Breach Investigations Report confirms that 50% of ransomware victims had a credential or infostealer event within 95 days before the attack. 

At the same time, GDPR enforcement has real teeth. In April 2026, Italy's Garante fined a consulting firm Ambrosetti €85,000 for storing passwords in cleartext and using MD5 hashing, explicitly citing GDPR Article 32 as the basis. NIS2 is no longer a draft: 23 out of 27 EU member states have transposed it into national law, according to the ECSO transposition tracker. 

When evaluating solutions like Passwork and 1Password, factors beyond features start to matter. This article compares both products from that perspective: jurisdiction, data sovereignty, deployment flexibility, audit readiness, long-term compliance with GDPR and NIS2, and total cost of ownership.


The compliance battlefield: Data residency vs. data sovereignty

European organizations evaluating password managers need to distinguish between data residency and data sovereignty. Data residency defines where data is stored. Data sovereignty defines which legal system governs it. A cloud-based solution can offer EU data residency while still being subject to non-EU jurisdiction. Self-hosted solutions eliminate that gap by keeping credential data entirely within the organization's own infrastructure, under a single, predictable legal framework.

1Password offers EU data residency: customers can select a European hosting region, and vault data sits on servers inside the EU. It does not, however, by itself resolve all jurisdictional concerns for organizations with strict sovereignty requirements.

What cross-border data access means for cloud vendors

When a cloud-based credential manager is operated by a company outside the EU, the key compliance question is not where the servers are located, but which legal system can compel that company to disclose data.

Any non-EU provider can receive lawful requests from authorities in its home jurisdiction. The applicable law depends on where the provider is incorporated, not where the data is stored.

The U.S. CLOUD Act (2018) is the best-known example. It allows U.S. law enforcement to require U.S.-incorporated providers to produce data stored anywhere in the world.

1Password is not a U.S. company. AgileBits Inc. is incorporated in Canada, so the CLOUD Act does not apply in the same way it does to U.S. providers. Canada, however, participates in international law enforcement cooperation frameworks such as Five Eyes, meaning cross-border legal requests remain a consideration.

GDPR Article 48 states that a foreign court order alone is not a valid legal basis for transferring personal data from the EU. That restriction primarily applies to your organization as the data controller.

Like any cloud-based credential manager operated by a non-EU entity, 1Password introduces a layer of jurisdictional complexity that a self-hosted deployment does not.

How on-premise deployment closes the gap

Passwork's self-hosted model means no third party holds your credential data. Deployed on your own infrastructure within EU jurisdiction, vault contents never leave your environment. No external company can receive a foreign government order for data it doesn't have access to. The laws that govern your data are the laws of the jurisdiction where your servers sit.

Passwork is available as a self-hosted solution and in a sovereign EU cloud, giving you full control over your data and infrastructure. Explore deployment options — passwork.pro


Feature comparison: Passwork vs 1Password

Passwork and 1Password at the Business tier share a common baseline: AES-256 encryption, RBAC, SSO, and developer tooling. The differences emerge at the architectural level. Passwork’s self-hosted deployment gives the organization direct control over encryption keys, audit logs, and the admin perimeter with no dependency on vendor infrastructure or outbound connectivity to external services.

Security architecture

1Password's Secret Key architecture requires a 128-bit key encoded as a 34-character string generated on device setup, combined with the master password, to derive the encryption key. Even if 1Password's servers were compromised, encrypted vaults would be computationally infeasible to crack without the Secret Key. It is a well-designed cloud security model.

Passwork uses client-side, zero-knowledge encryption on a self-hosted instance. Encryption and decryption happen on the client (user device). The server stores only ciphertext. Because you host the platform, you maintain complete control over the application server, encryption keys, and audit logs. This deployment guarantees an isolated environment, free from shared infrastructure, multi-tenant risks, or reliance on vendor key management.

Enterprise administration: RBAC, AD/LDAP, and SSO

Both platforms cover the enterprise administration features IT teams expect.

1Password Business includes SCIM provisioning, SSO integration via Okta and Azure AD, and a mature admin console. Its Extended Access Management product (available as a separately licensed add-on) extends device trust and application access controls beyond the password vault itself.

Passwork provides granular role-based access control (RBAC), native Active Directory and LDAP integration for user provisioning and group sync, and SAML SSO. To simplify management at scale, Passwork separates data access from administrative privileges through two distinct mechanisms:

  • User groups control data access — Administrators assign permissions to vaults and folders at the group level. When users are added to a group, they automatically inherit access to the corresponding passwords and credentials. 
  • Roles define system privileges — Predefined and custom roles manage access to system settings, user directories, and audit logs. This ensures standard users only interact with their assigned vaults, while administrators manage the infrastructure without having access to actual passwords under the Zero-Knowledge model.

For organizations running AD-based identity infrastructure (the majority of European enterprises) the LDAP integration means onboarding and offboarding run through existing directory workflows. Security groups sync automatically, ensuring that vault permissions and administrative roles remain aligned with your central directory.

One practical difference worth noting: because Passwork is self-hosted, the admin console, audit logs, and user directory all sit within your own network perimeter. Administrative operations have no dependency on a vendor's availability SLA.

Feature

Passwork

1Password Business

SSO

SAML 2.0 SSO

SAML 2.0 / OIDC (Unlock with SSO)

User provisioning

Native AD/LDAP integration

SCIM provisioning (requires deploying a self-hosted SCIM Bridge)

Group sync

Direct AD / LDAP group sync

Synchronization via SCIM Bridge

Access control

Granular RBAC (vault, folder, and item-level permissions)

Role-based permissions (vault and group-level access)

Device trust / app access controls

Extended Access Management (add-on, separate license)

Admin console location

Within your own network perimeter

Vendor cloud

Audit logs location

Local database (within your perimeter)

Vendor cloud

Vendor availability dependency

None (fully operational offline)

Yes (requires connection to 1Password cloud)

DevOps and secrets management

1Password has invested heavily in developer tooling. Its CLI (op), Secrets Automation, and native integrations with GitHub Actions, Kubernetes, and CI/CD pipelines make it a capable secrets manager for cloud-native teams. The developer experience is polished.

Passwork offers a full REST API and CLI tools for DevOps workflows: injecting secrets into pipelines, rotating credentials programmatically, managing API keys and database credentials alongside human passwords in a unified vault.

For teams operating in air-gapped or strictly perimeter-controlled environments, the architectural difference matters. 1Password does offer a self-hosted Connect Server that caches secrets locally and reduces dependency on the 1Password API, but initial setup and periodic synchronisation still require outbound connectivity to 1Password's cloud infrastructure. 

Passwork requires no such dependency at any stage: the entire stack runs inside company’s own perimeter from day one, with no calls to external services. For organisations where outbound traffic to a vendor's cloud is not permitted by policy or architecture, that distinction is a hard requirement.

Feature

Passwork

1Password Business

CLI

Yes

Yes (op)

REST API

Yes

Yes

Secrets automation

Yes

Yes

CI/CD integrations

Yes

Yes

Unified vault (passwords + secrets)

Yes

Yes

Self-hosted secrets cache

Yes (full self-hosted deployment)

Connect Server (add-on)

Outbound connectivity to vendor cloud

Never required

Required for initial setup and periodic sync

Air-gapped environment support

Full

Partial


Future-proofing: NIS2 and the 2027 post-quantum mandate

NIS2 added a clause vendors would prefer you not notice

NIS2 Article 21 puts the security of your ICT service providers on your risk register. Not theirs — yours. A cloud-based password manager is an ICT service provider. Under NIS2, your organization is responsible for evaluating whether that vendor's security posture — including its legal jurisdiction and incident response obligations — meets your risk threshold.

If a breach at your password manager vendor exposes your credentials, NIS2 incident reporting obligations may be triggered on your side: initial notification within 24 hours, detailed report within 72 hours.

Deploying a self-hosted solution shifts that risk profile. The attack surface is your infrastructure, governed by your security controls, audited by your team. NIS2 supply chain risk assessments become substantially simpler when the "supply chain" for credential storage is internal.

The ANSSI 2027 quantum-safe mandate

France's national cybersecurity agency, ANSSI, announced it will stop certifying security products (including password managers) that lack quantum-resistant encryption starting in 2027. By 2030, ANSSI expects all business procurement to require quantum-safe cryptography. For organizations in France and across the EU, this creates a hard certification deadline within the next 12–18 months.

The relevant question for procurement teams is not only whether a vendor supports PQC, but whether the organization controls when and how that transition happens.

With a cloud-based password manager, the migration of the vault encryption layer occurs on the vendor's schedule, across shared infrastructure. With a self-hosted deployment, your organization applies cryptographic updates (including NIST-standardized PQC algorithms) on your own timeline, without dependency on a vendor's release cycle.

See how Passwork handles enterprise access control, audit logging, and self-hosted deployment — passwork.pro

Pricing and total cost of ownership

Headline pricing

1Password Business is priced at $7.99 per user per month (billed annually). The Teams plan sits at $4.99/user/month. Enterprise pricing requires a custom quote.

Passwork's pricing is structured for European buyers:

Plan

Price

Key inclusions

Standard

€3/user/month

Core vault, RBAC, AD/LDAP

Advanced

€4.5/user/month

API access, advanced audit, SSO

Enterprise

Custom

On-premise, dedicated support, SLA

At 100 users, Passwork Standard runs €3,600/year versus 1Password Business at approximately $9,588/year. The gap widens at scale.

TCO beyond the license fee

On-premise deployment requires server infrastructure, maintenance, and internal operational overhead. For organizations that already run on-premises infrastructure (most European enterprises in regulated sectors) the marginal cost of adding a self-hosted Passwork instance is low. For organizations with no on-premises footprint, the infrastructure overhead is a real consideration and should be scoped honestly before signing.

The TCO calculation also needs a line for compliance risk. A breach involving a cloud-based credential store can trigger GDPR Article 83 fines of up to €10 million or 2% of global annual turnover for violations of Article 32 security requirements. GDPR fines have cumulatively exceeded €6,31 billion by 2026. The Ambrosetti case (€85,000 for MD5-hashed passwords) illustrates that DPAs are now auditing cryptographic implementation directly, not just breach notification timelines.


Verdict: Which password manager fits EU-based organization

Choosing a password manager for enterprise use comes down to the question: where does your compliance perimeter end? Cloud-native teams with modern identity stacks will find a natural fit in deep ecosystem integrations and cross-platform UX. Organizations operating under GDPR, NIS2, or DORA face a different constraint — not usability, but jurisdiction. 

Choose 1Password Business if:

  • Your team is globally distributed and cloud-native
  • You prioritize developer experience and cross-platform UX above compliance architecture
  • Your regulatory environment does not require strict data sovereignty
  • You need Extended Access Management or deep integration with a modern cloud identity stack

Choose Passwork if:

  • Your organization is subject to GDPR, NIS2, or DORA and needs to demonstrate data sovereignty
  • You operate in critical infrastructure, financial services, healthcare, or the public sector
  • You need AD/LDAP-native integration within an existing on-premises identity environment
  • You are preparing for ANSSI certification or EU public sector procurement
  • Your security team needs full control over the encryption layer, audit logs, and key management

For European enterprises in regulated sectors, the architecture that answers "yes" to all five of those criteria is self-hosted, on-premise, and jurisdictionally clean. 

Passwork gives European IT teams a self-hosted, GDPR-ready credential vault with full audit logging, AD/LDAP integration, and zero-knowledge encryption — all within your own infrastructure. Request a demo or explore the self-hosted deployment guide — passwork.pro


Frequently asked questions

What is the difference between Passwork and 1Password?

The core difference is deployment model and jurisdiction. 1Password is a cloud-based SaaS product with optional EU data residency, headquartered in Canada. Passwork is a self-hosted enterprise password manager that runs on your own infrastructure, giving your organization full legal and technical control over credential data. Passwork also offers a cloud option, but its primary value for European enterprises is on-premise deployment.

Is 1Password GDPR compliant?

1Password offers EU data residency: vault data can be stored on servers within the EU. However, as a Canadian-headquartered company, it remains subject to Canadian law and potential cooperation with US authorities. GDPR Article 48 does not recognize a foreign court order as a lawful transfer basis, but that constraint applies to your organization as data controller — not to the vendor receiving the order.

What is the best European password manager for NIS2 compliance?

NIS2 Article 21 requires covered organizations to manage supply chain ICT risk. A self-hosted password manager eliminates third-party vendor risk for credential storage entirely. For NIS2-covered entities, on-premise deployment with full audit logging and AD/LDAP integration is the architecturally defensible choice. Passwork is built specifically for that requirement.

What is data sovereignty and why does it matter for password managers?

Data sovereignty means your data is subject exclusively to the laws of your jurisdiction — not just physically located there. For a password manager, it means no foreign government can compel the vendor to produce your vault contents. Self-hosted deployment achieves this because no external vendor holds your data. Cloud deployment with EU data residency achieves physical location compliance but not full legal sovereignty.

How does the ANSSI 2027 mandate affect password manager procurement?

From 2027, ANSSI will not certify security products lacking quantum-resistant encryption. Organizations procuring for French government contracts or regulated sectors will need vendors with a credible post-quantum cryptography roadmap. By 2030, ANSSI expects all business purchases to require quantum-safe cryptography — affecting any European organization that uses ANSSI certification as a procurement benchmark.

Is Passwork ISO 27001 certified?

Yes, Passwork holds ISO 27001 certification. The architecture is zero-knowledge: AES-256, client-side encryption, ciphertext-only on the server. Keys don't touch the server. For deployment specs and certification details, see passwork.pro.