A password manager is the single point of failure for almost every credential a team holds. The vendor controlling that vault implicitly controls the operational keys to every connected system, even if it never sees the plaintext data itself.
That makes the choice of provider not just a security decision but a procurement and jurisdiction decision. Where the vault is hosted, what national legal regime applies to the operator, and whether the encryption model permits any vendor-side access are all questions worth resolving before deployment, not after.
End-to-end encrypted vaults reduce the exposure dramatically by ensuring that the vendor cannot read user secrets at all, even under legal compulsion. Open-source projects such as Bitwarden, Passbolt, and Vaultwarden allow this guarantee to be independently verified, and self-hostable deployments let security teams keep the entire vault inside their own EU-hosted infrastructure.
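To make the "vendor cannot read user secrets" property concrete, here is an added, self-contained Python sketch of the client-side encryption model such vaults rely on. It is illustrative code written for this page, not code from Bitwarden, Passbolt or Vaultwarden, and it simplifies their actual schemes. Everything the server stores is derived on the client: the master password is stretched with PBKDF2 into a master key, separate encryption, integrity and login sub-keys are derived from it by HMAC labels, and the server only ever receives the login token (which it hashes again before storing) and opaque ciphertext. Assumptions are labelled in the code: the e-mail-as-salt convention, the 600,000 PBKDF2 iteration count, and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag standing in for AES-GCM because the standard library has no AES. Sample account data is constructed.

```python
import hashlib
import hmac
import json
import os

# Assumption for this demo: PBKDF2-HMAC-SHA256 with 600,000 iterations.
PBKDF2_ITERATIONS = 600_000
NONCE_LEN = 16   # bytes of random nonce prefixed to each ciphertext
TAG_LEN = 32     # bytes of HMAC-SHA256 integrity tag appended to each ciphertext


def derive_master_key(password, email, iterations=PBKDF2_ITERATIONS):
    """Client side only: stretch the master password into a 32-byte master key.
    Using the lower-cased account e-mail as salt is a constructed convention for this demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(), iterations)


def derive_subkeys(master_key):
    """Derive three independent keys from the master key via distinct HMAC labels:
    encryption key, MAC key, and the token presented to the server at login.
    Knowing the login token does not reveal the other two."""
    enc_key = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"vault-integrity", hashlib.sha256).digest()
    auth_token = hmac.new(master_key, b"server-auth", hashlib.sha256).digest()
    return enc_key, mac_key, auth_token


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher (stand-in for AES-GCM)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: blob = nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(enc_key, mac_key, blob):
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault integrity check failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class VaultServer:
    """The vendor side. It holds only a hashed login token and opaque ciphertext,
    so a full database dump (or a legal order) yields no plaintext secrets."""

    def __init__(self):
        self.accounts = {}

    def register(self, email, auth_token):
        self.accounts[email] = {"auth": hashlib.sha256(auth_token).digest(), "blob": None}

    def login(self, email, auth_token):
        acct = self.accounts.get(email)
        return acct is not None and hmac.compare_digest(acct["auth"], hashlib.sha256(auth_token).digest())

    def store(self, email, auth_token, blob):
        if not self.login(email, auth_token):
            raise PermissionError("authentication failed")
        self.accounts[email]["blob"] = blob

    def fetch(self, email, auth_token):
        if not self.login(email, auth_token):
            raise PermissionError("authentication failed")
        return self.accounts[email]["blob"]


def demo():
    """Run a full round trip and report what the client can and the server cannot do."""
    email = "alice@example.com"                      # constructed sample account
    password = "correct horse battery staple"        # constructed sample master password
    secrets = json.dumps({"git": "secret-token-1", "cloud": "secret-token-2"}).encode()

    enc_key, mac_key, auth_token = derive_subkeys(derive_master_key(password, email))
    server = VaultServer()
    server.register(email, auth_token)
    server.store(email, auth_token, encrypt_vault(enc_key, mac_key, secrets))

    blob = server.fetch(email, auth_token)
    recovered = decrypt_vault(enc_key, mac_key, blob)

    # What an operator with full database access sees: no plaintext anywhere in the record.
    stored = server.accounts[email]
    vendor_sees_plaintext = secrets in stored["blob"] or b"secret-token-1" in stored["blob"]

    # A single flipped ciphertext byte must be rejected, not silently decrypted.
    tampered = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0x01]) + blob[NONCE_LEN + 1:]
    try:
        decrypt_vault(enc_key, mac_key, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    wrong = derive_subkeys(derive_master_key("wrong-password", email))[2]
    return {
        "round_trip_ok": recovered == secrets,
        "vendor_sees_plaintext": vendor_sees_plaintext,
        "tamper_detected": tamper_detected,
        "wrong_password_login": server.login(email, wrong),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split in `derive_subkeys` is that the server's login verifier and the vault encryption key come from the same master password but cannot be turned into one another, so compromising the operator's database gives neither the ability to log in as the user nor the ability to decrypt the vault. What the model does not protect against is a malicious or compromised client, which is why the open-source and self-hosting points above matter.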
For organizations subject to NIS2, the upcoming Cyber Resilience Act, or sector-specific mandates such as DORA, choosing a password manager with publicly verifiable encryption properties and a clear EU operating story is increasingly part of the baseline rather than an upgrade.