European Cloud Hosting and the US Hyperscaler Question
European cloud hosting has become a compliance question as much as an infrastructure decision. Many teams suspect that relying on US hyperscalers could expose them to GDPR, but verifying the legal reality is difficult.
Today, Amazon, Microsoft and Google control roughly 70% of Europe’s €61-billion cloud market, while European providers collectively hold about 15% despite rapid growth since 2017.
Additionally, the EU–US Data Privacy Framework survived its first legal challenge in September 2025, yet the unresolved tension between GDPR and the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) continues to fuel uncertainty for compliance teams.
The core confusion comes from treating data residency and data sovereignty as the same thing, but they are not.
In this article, we’ll explain the difference and provide a framework for evaluating European cloud hosting providers against your organization’s actual regulatory requirements.
Why "hosted in Europe" doesn't mean what most buyers think
Many organizations searching for European cloud hosting assume that choosing servers located in the EU automatically solves their general data protection regulation (GDPR) concerns. In reality, server location alone does not determine whether a cloud provider meets your compliance requirements.
What matters is which legal jurisdiction governs the company operating the infrastructure. A platform can store data in Frankfurt, Paris or Amsterdam and still be subject to foreign government access requests if the company running those servers is incorporated elsewhere.
This misunderstanding appears frequently when teams evaluate alternatives to hyperscale providers such as Amazon Web Services, Google Cloud and Microsoft Azure. Many services marketed as “EU hosting” simply mean the infrastructure is physically located within Europe. That may improve latency and help with certain regulatory assurances, but it does not automatically change the legal obligations of the provider itself.
Understanding this difference requires examining the legal framework governing cross-border data access.
How the CLOUD Act reaches data stored in Europe
The mechanism most often discussed is the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), enacted in the United States in 2018. The law allows US authorities to compel any US-incorporated company to provide data under its control, even if that data is stored outside the United States.
This creates tension with the General Data Protection Regulation. GDPR Article 48 prohibits transferring EU personal data based solely on a foreign court order unless an international agreement authorizes it.
In practice, this can create a dilemma for European organizations using US-headquartered cloud providers: complying with a CLOUD Act order could conflict with GDPR obligations.
Even the EU headquarters does not always eliminate jurisdictional exposure. In a 2024–2025 investigation, Canadian authorities used a court order against the Canadian subsidiary of OVHcloud to access data stored in Europe. The case illustrated that corporate structure, not just server location, can determine which legal authorities can reach your data.
Data residency vs data sovereignty
These legal dynamics explain why cloud compliance discussions increasingly distinguish between data residency and data sovereignty:
- Data residency means data physically resides within a geographic boundary, such as servers located in Germany. Providers headquartered outside the EU can still offer this.
- Data sovereignty means the provider is governed entirely by the jurisdiction where the data resides and is structurally insulated from foreign government access.
Importantly, the GDPR does not require that data be stored in the EU. It requires appropriate protection for personal data wherever it is processed.
For some organizations, EU data residency is sufficient. Others, particularly government bodies and regulated industries, require full sovereignty. Understanding which category your organization falls into is the starting point for evaluating any European cloud provider.
What the AWS European Sovereign Cloud actually changes
In January 2026, Amazon Web Services introduced the AWS European Sovereign Cloud, a new deployment model designed specifically for organizations with strict European compliance requirements.
The first region launched in Brandenburg, Germany and is designed to operate separately from standard AWS regions. The environment is physically and logically isolated, run by dedicated legal entities under German law and operated exclusively by EU residents – with a planned transition to EU citizens only. AWS also committed roughly €7.8 billion to the initiative.
Technically, the environment introduces several controls intended to limit external access. The sovereign cloud uses separate identity and access management systems, independent billing infrastructure and dedicated DNS through European-only Route 53 nameservers. Access from outside the EU is restricted. Importantly, AWS says the environment will provide a broad set of core AWS services, including tools such as SageMaker, Bedrock, EKS, Lambda, Aurora and DynamoDB, with additional services added over time.
This development complicates the traditional “European provider vs US hyperscaler” framing. Instead of simply asking where a company is headquartered, organizations now need to evaluate operational sovereignty controls – EU-based staff, EU-only access paths and EU-governed operating entities.
Whether these protections provide equivalent assurance to full legal sovereignty depends on the organization’s compliance profile and regulatory obligations.
How European cloud providers compare on compliance and capability
For organizations that require data sovereignty, the provider shortlist changes quickly. Instead of evaluating global hyperscalers, the focus shifts to infrastructure providers headquartered and governed within Europe. The five platforms most frequently evaluated in this category are OVHcloud, Scaleway, Hetzner, IONOS and Exoscale.
Each of these companies operates under European jurisdiction and positions itself as an alternative to hyperscale platforms such as Amazon Web Services or Google Cloud. However, they differ significantly in geographic footprint, certifications, managed services and pricing models.
Here’s a comparison of the criteria that typically matter most for compliance-driven infrastructure decisions:
| Provider | Headquarters / Jurisdiction | CLOUD Act exposure | Certifications | Regions / AZs | Managed Kubernetes | Managed Databases | Egress pricing |
| OVHcloud | France | 2024–2025 Canadian case showed courts may assert jurisdiction over OVHcloud’s French parent. | ISO 27001, SecNumCloud (selected services) | 44 data centers globally | Yes – OVH Managed Kubernetes | Yes – PostgreSQL, MySQL, MongoDB | Tiered |
| Scaleway | France (Iliad Group) | No | ISO 27001, HDS | 3 regions, 9 AZs | Yes – Scaleway Kubernetes Kapsule | Yes – PostgreSQL, MySQL, Redis | No egress fees on many services |
| Hetzner | Germany | No | Limited certifications | Germany, Finland regions | Yes – Hetzner Kubernetes | Basic managed DB options | Very low-cost egress |
| IONOS | Germany | No | ISO 27001, BSI C5 | Multiple EU regions | Yes – Managed Kubernetes | Yes – MySQL, PostgreSQL | Tiered |
| Exoscale | Switzerland / Austria (A1 Telekom Austria Group) | No | ISO 27001, ISO 27018, CSA STAR | EU + CH regions | Yes – Exoscale SKS | Yes – PostgreSQL, MySQL | Standard |
A few patterns stand out immediately:
- Hetzner consistently leads on price-to-performance, with independent February 2026 benchmarks showing significantly better value per euro compared with hyperscalers.
- Scaleway stands out for its no-egress-fee model on many products, which simplifies cost planning for data-heavy workloads.
- Exoscale differentiates with several managed services rarely found in European IaaS offerings, including managed Kafka and OpenSearch.
Where the managed services gap is real and where it's closing
On core infrastructure, the gap between European providers and hyperscalers is smaller than many teams expect. Compute, block and object storage, networking, managed Kubernetes and managed databases are widely available across these platforms.
The real difference appears in the long tail of platform services. Hyperscalers offer dozens of tightly integrated capabilities – serverless runtimes, proprietary AI/ML tooling, advanced observability stacks and hundreds of managed services.
European providers typically focus on the fundamentals of infrastructure rather than reproducing that entire ecosystem. Teams that rely heavily on 15–20 specialized cloud services from hyperscale platforms will likely encounter gaps.
For many workloads, however, this tradeoff is acceptable because the core infrastructure layer is already strong and cost-competitive. The operational consequences become clearer when the workload involves large CMS environments such as WordPress or Drupal – where infrastructure alone does not solve the full operational problem.
Where enterprise CMS teams hit a wall with European IaaS
For many organizations evaluating European cloud hosting, providers like Hetzner or Scaleway solve the sovereignty question. But for enterprise CMS teams running large portfolios of WordPress or Drupal sites, infrastructure compliance is only one part of the problem.
European IaaS providers generally cover the core infrastructure layer well: compute, storage, networking, managed Kubernetes and basic database services. What they typically do not provide is CMS-specific operational tooling.
Teams still need to build deployment pipelines, create staging environments, manage automated updates, coordinate releases across multiple sites and implement testing workflows. For organizations running dozens or hundreds of CMS properties, that means designing and maintaining DevOps processes internally.
This is where you should explore a managed WebOps platform like Pantheon.
For organizations whose compliance profile allows EU residency, not full data sovereignty, the operational benefits can be significant. Pantheon’s EU region runs on Google Cloud infrastructure, with data residency across all major platform components, including application containers, databases, Redis cache, Solr indexes, backups and job workers. Additionally, Pantheon maintains certifications including SOC 2 Type II, GDPR compliance practices and FERPA support. Hosting workloads in the EU region also delivers measurable performance improvements for European users, including roughly 100ms lower latency per request and up to four times faster time to first byte compared with US-hosted origins.
Matching your compliance profile to the right provider
Choosing a European cloud hosting provider ultimately comes down to which compliance model your organization requires.
If your requirement is data residency – for example, demonstrating GDPR compliance and ensuring data stays within the EU – your options remain broad. US hyperscalers with EU regions, the AWS European Sovereign Cloud and managed platforms like Pantheon can all meet this requirement, depending on the workload.
For enterprise WordPress and Drupal teams whose compliance profile aligns with EU data residency, Pantheon’s managed WebOps platform provides a way to run high-performance CMS workloads in Europe without building the operational layer yourself.
Start with Pantheon’s EU region on Google Cloud today!
Frequently asked questions about European cloud hosting
Is OVHcloud European?
Yes, OVHcloud is a French cloud provider founded in 1999 and publicly listed on Euronext. With €1.084 billion in revenue in FY2025, it is currently Europe’s largest cloud provider by revenue.
However, organizational structure matters when evaluating sovereignty. In a 2024–2025 investigation, Canadian authorities used a court order against OVHcloud’s Canadian subsidiary to access customer data stored in Europe. The case illustrated that subsidiaries outside the EU can create jurisdictional exposure even when the parent company is European. Organizations requiring full sovereignty should review a provider’s global corporate structure before assuming complete legal insulation.
What do developer communities recommend for European cloud hosting?
Across developer forums such as r/selfhosted, r/devops and r/cscareerquestionsEU, Hetzner consistently emerges as the most recommended European cloud provider. Developers frequently highlight its price-to-performance ratio, a reputation supported by independent infrastructure benchmarks.
OVHcloud and Scaleway are common runner-ups, often praised for broader infrastructure offerings and European data centre footprints.
Community recommendations tend to prioritize developer experience, pricing and infrastructure performance. Organizations with strict regulatory or sovereignty requirements should evaluate those suggestions against the compliance criteria outlined in the comparison table earlier in this article.