July 15, 2026


.jpg)
By:
Joeri Malmberg
Updated on:
July 15, 2026
A boardroom asking "should we move off AWS?" rarely starts random. It starts with a specific trigger: a customer questionnaire that asks where the data physically sits and under whose jurisdiction. A budget review where the cloud line has doubled in two years. A security officer reading the new Cyberbeveiligingswet supplier guidance and flagging the CLOUD Act exposure.
In 2026 the question is on most Dutch CTO desks. DNB announced its move to StackIT in April. The European Commission awarded a €180m sovereign cloud framework to OVHcloud, StackIT, Scaleway and Proximus the same month. AWS launched its European Sovereign Cloud in Brandenburg on 15 January 2026. The Open Cloud Alliantie (KPN, Centric, Info Support, Intermax, Nebul, Previder, Uniserver) published a manifesto from seven Dutch providers.
This article is a decision guide. It walks through what "European cloud" actually means, how it differs from "sovereign cloud", six questions that determine whether moving is right for your business, which regulations apply, what the options are, and what to plan for technically.
The phrase gets used to mean four different things. The differences matter before any decision.
EU-based data centres. AWS, Azure and GCP all qualify. Frankfurt, Dublin, Amsterdam, Stockholm. Physical EU presence. This is the weakest definition and the one hyperscaler marketing leans on. The data sits in Europe; the company operating it does not.
EU-owned company. OVHcloud (France, listed Paris), Scaleway (France, Iliad group), Hetzner (Germany, privately held), Ionos (Germany, listed Frankfurt) and StackIT (Germany, Schwarz Gruppe) all clear this bar. A European company, registered in the EU, owned in the EU.
EU-jurisdiction with no CLOUD Act exposure. The US CLOUD Act allows US authorities to compel data disclosure from US-incorporated companies regardless of where the data sits. An EU subsidiary of a US company is in scope. A US-incorporated company operating an EU data centre is in scope. Only a fully EU-incorporated provider with no US parent or US subsidiary structure is outside the CLOUD Act.
EU-controlled metadata. Even when the data sits in an EU region, the control plane, billing systems, telemetry pipelines and support tickets often route through US infrastructure. A provider can claim EU residency for customer data while the metadata about that data travels across the Atlantic. Techzine has covered this as the recurring weak spot in sovereignty claims.
For the rest of this guide, "European cloud" means definitions 2 and 3 combined: the provider is EU-incorporated and not legally reachable under the CLOUD Act.
No. Sovereign cloud is a stricter category that sits inside European cloud.
A European cloud is a cloud provided by a European company on European infrastructure. A sovereign cloud adds three more requirements:
Every sovereign cloud is European. Not every European cloud is sovereign. Hetzner is European but does not hold sovereign-grade certification. OVHcloud has a SecNumCloud-qualified offering separate from its general public cloud. StackIT positions itself as sovereignty-ready for German and Dutch regulated work.
The practical implication: if your customer or regulator says "European cloud", any of the five major providers qualifies. If they say "sovereign cloud", the shortlist narrows to the certified offerings and the price climbs.
Whether moving is the right call for your business comes down to six questions. Work through them in order. By the end you have your answer.
The same cloud strategy does not fit a 12-person consumer SaaS and a 45-person fintech selling to insurers. Three company patterns matter most:
Your category sets the urgency. It does not yet set the answer.
Different data types attract different obligations. Map your stack against this list:
The most sensitive data type in your stack drives the strictest requirement. A SaaS that handles mostly mundane operational data plus a small set of customer health records is in the health bucket for sovereignty purposes.
The regulations that pull you toward EU-incorporated providers, in 2026 order of effective date:
The underlying issue running through most of this: the US CLOUD Act allows US authorities to access data held by US-incorporated companies even if the data sits in Europe. That creates direct conflict with AVG and EU sovereignty rules. It is the strongest single regulatory argument for choosing a genuinely EU-owned cloud provider.
Three signals to watch in your customer-facing documents:
The question to ask your sales lead this week: how many of our top 25 customers have raised data residency or cloud sovereignty in the last 12 months. If the answer is more than two, the question moves from optional to scheduled.
Some workloads move cheaply. Some workloads do not move at all without a rewrite. The pattern is consistent:
If your stack falls into the first category, the move is hard. If it falls into the others, the move is a project, not a research question.
The EU Data Act prohibits switching charges from 12 January 2027. A three-year AWS commit signed in November 2026 locks you in past the moment the leverage shifts. Read the switching clause in your current contract. Note the renewal date. If your renewal is in 2027 or 2028, the timing is on your side. If your renewal is far away, the question becomes whether the cost or compliance case justifies breaking the contract early.
The contract calendar does not change whether the answer is yes or no. It changes when you act on the answer.
Six pieces of EU legislation shape the cloud conversation in 2026. The full text and case law go deeper; the working summary is below.
AVG / GDPR. In force since 2018. Personal data of EU residents must be processed lawfully, with documented DPAs, DPIAs for high-risk processing, and breach reporting within 72 hours. The CLOUD Act tension is the structural issue: storing personal data on US-incorporated infrastructure creates AVG compliance work that EU-incorporated infrastructure removes.
DORA. In force for financial entities since 17 January 2025. Mandates operational resilience, third-party risk management, and a register of information naming every critical ICT third-party. ICT providers serving financial entities can be designated "critical" and subject to direct supervision.
NIS2 / Cyberbeveiligingswet. In force in NL from 1 July 2026. Covers most critical and important sectors. Article 21(2)(d) supply-chain obligation is the mechanism that pulls non-in-scope suppliers into questionnaires. Maximum fines: €10M / 2% turnover for essentiële entities, €7M / 1.4% for belangrijke.
BIO 2 v1.3. In force in NL since 5 March 2026. Baseline information security for Dutch public-sector and anyone handling public-sector data. Specific controls layered on top of ISO 27001.
EU Data Act. Regulation (EU) 2023/2854. Applies since 12 September 2025. From 12 January 2027, providers may only charge "directly incurred" costs for cloud switching. France banned excessive egress in a 9 January 2026 decree, ahead of the EU deadline.
EU AI Act. Rolling enforcement through 2027 depending on risk classification. Workloads involving AI bring new audit obligations that interact with cloud provider jurisdiction.
The CLOUD Act tension. Running through all of the above: the US CLOUD Act allows US authorities to compel disclosure from US-incorporated companies regardless of where data sits. This is the strongest regulatory argument for moving to a genuinely EU-incorporated provider. AWS, Azure and GCP have all argued that legal protections and customer-managed encryption mitigate this; EU regulators and courts have repeatedly disagreed.
Five European cloud providers cover most of the conversation, plus a sovereign tier above them, plus the Dutch coalition, plus AWS's response.
The five major European providers (covered in detail in our separate provider comparison):
The sovereign tier (when the regulation says "sovereign" rather than "European"):
The Dutch coalition: Open Cloud Alliantie. Seven Dutch providers (KPN, Centric, Info Support, Intermax, Nebul, Previder, Uniserver) plus DINL and TNO. Targeting first MKB and public-sector migrations in 2026. Smaller individual catalogues than the five majors; stronger Dutch jurisdictional story; high-touch operational model.
AWS European Sovereign Cloud. Launched 15 January 2026 in Brandenburg. EU-incorporated operating entity owned by US-incorporated Amazon Web Services Inc. Marketed as a sovereign offering; the CLOUD Act exposure question through the parent-subsidiary structure remains contested.
The European cloud landscape divides into roughly three tiers, and the trade-offs are sharp.
Bigger European providers (Hetzner, OVH, Scaleway, StackIT, Ionos). Broad service catalogues. Mature documentation. Multiple regions. The migration path is well-worn; case studies exist; the engineering team can find answers online when something breaks. Trade-off: less hands-on relationship, support quality varies, the operational style is closer to AWS than to a Dutch ICT partner.
Sovereign-tier offerings (OVH SecNumCloud, T-Systems C5, StackIT regulated). Higher prices, longer procurement, narrower catalogues. The compliance story is bulletproof for regulated work. Trade-off: you pay for the certification overhead even on workloads that do not need it; not every architectural pattern from AWS has a sovereign-tier equivalent.
Smaller Dutch and regional providers (KPN, Centric, Intermax, Nebul, Leaseweb, Previder, regional MSPs). Hands-on relationship, Dutch jurisdiction, Dutch support staff, often genuine partner conversations rather than ticket queues. Trade-off: smaller catalogue (no FaaS, limited managed databases, no native object storage in some cases), the engineering team has to do more of the heavy lifting, the migration depends more on the provider's professional services capability.
Hyperscaler sovereign tiers (AWS ESC, Azure Confidential, GCP Sovereign Controls). Familiar tooling, large catalogues, expensive. The CLOUD Act exposure question for AWS ESC is contested, as covered in the next section.
The right choice depends less on the provider category and more on the questions above. A 25-person MKB SaaS with a small ops team and a few regulated customers usually fits best with a mid-sized European provider that has managed Postgres and reasonable support. A 40-person fintech selling to insurers usually fits best with StackIT or a sovereign-tier OVH offering. A 15-person bandwidth-heavy consumer product usually fits best with Hetzner.
Where AWS, Azure or GCP fills a gap with a managed service, the European providers often do not. Five capability gaps come up in every migration conversation:
Managed Postgres. Hetzner does not have it. Scaleway, OVH, StackIT and Ionos do, with varying maturity. Third-party EU-resident options exist: Aiven (EU regions), Crunchy Bridge (Postgres specialists). Self-host with Patroni if the team has the SRE talent. Plan for two to three weeks of database-layer work in any migration.
FaaS / Lambda-equivalent. Scaleway is the only EU-native provider with a mature serverless story. OVH, Hetzner, StackIT, Ionos do not have it. Alternative: deploy to a small managed Kubernetes cluster (Knative on K8s gets you most of the way). If your architecture is heavy on Lambda, plan a redesign rather than a translation.
IAM granularity. AWS IAM's resource-level permissions with condition keys do not map to any European provider directly. Most offer simpler RBAC. Layer Keycloak or Cloud-IAM if your access model requires the granularity. IAM remodelling typically takes 30-40% of total migration effort and is regularly underestimated.
KMS / Secrets Manager. No drop-in equivalents. Options: OpenBao (Vault fork, MPL 2.0), Infisical, Bitwarden Secrets Manager. Provider-native offerings exist on Scaleway, StackIT, Ionos but with shallower feature sets than AWS KMS.
Threat detection / GuardDuty-equivalent. No EU-native managed alternative. Self-host Wazuh + Falco, or buy commercial CrowdStrike / SentinelOne (which re-introduces a US vendor in the security path). For sovereignty-strict requirements this is the hardest single gap to fill.
Plus three quieter considerations. Egress economics (Hetzner's 20 TB free changes the maths; others tier). Object storage S3-compatibility edge cases (most providers break on some SDK calls, lifecycle rules, or pre-signed URLs). Support model (email-only and German-paced at Hetzner, ticket-based and English at Scaleway, account-managed for enterprise tiers at OVH and StackIT, varied at smaller Dutch providers).
The migration estimate that does not account for these is the migration estimate that ships late.
Most MKB scale-ups should not move in 2026. Specifically:
The decision is not "move or stay" in the abstract. It is "given our workload, our customer profile, our team capacity, and our contract calendar, does the maths and the regulation push us this year".
AWS European Sovereign Cloud went live in Brandenburg on 15 January 2026. AWS describes it as a "legally separate" entity: EU-incorporated operating company, EU-resident staff, EU-only board governance, EU-controlled metadata. The marketing position is that it removes the CLOUD Act question.
The contested part is the parent-company link. AWS European Sovereign Cloud is wholly owned by Amazon Web Services Inc., a US-incorporated company. Legal analysts have argued through 2026 that the CLOUD Act may still apply through the parent-subsidiary relationship, regardless of the local incorporation. The test case has not happened yet. Techzine, FTM and the Dutch IT Leaders investigation have all critiqued AWS ESC as "sovereign-washing"; AWS and a number of legal opinions disagree.
Practical position for a Dutch MKB CTO:
Match the offering to the question being asked.
The pressure is not easing.
1 July 2026. The Cyberbeveiligingswet enters into force. NIS2 supply-chain governance becomes a customer-questionnaire fact rather than a theoretical concern.
12 January 2027. Cloud switching charges prohibited under the EU Data Act. France went first with the 9 January 2026 decree. The Dutch implementation under uitvoeringswet dataverordening is expected during 2026. ACM is the supervising authority since 21 November 2025.
Through 2026 and 2027. More banks, more pension funds, more public sector entities making sovereignty-driven choices. DNB to StackIT was first; it will not be the last. Open Cloud Alliantie members targeting first MKB and public-sector migrations in 2026. AWS ESC expanding planned Local Zones to Belgium, Netherlands and Portugal.
Customer audit pressure. NIS2-covered customers vetting suppliers ask harder questions every quarter. Standard 30-question questionnaires have become 80-question ones.
The decision gets clearer in three steps, not one big project.
Read your current cloud contract. Find the switching clause. Find your renewal date. Note where it sits relative to 12 January 2027. The contract tells you whether 2027 is your year or 2030 is.
Ask your top five customers what their data residency expectations are. Not by email, in a conversation. The answers tell you whether sovereignty is a near-term commercial question for your business or a far-term one. A single "we are updating our DPA for NIS2 next year, expect new questions" answer is worth more than ten white papers.
Cost-model two European providers using your actual data volumes. Compute, storage, egress, and the missing-managed-service gaps. The model does not need to be perfect; it needs to exist before the budget review. Done from scratch this can take a week: workload inventory, IaC translation, pilot deployment, gap analysis. Blackbird builds the cost models and decision frameworks for MKB scale-ups working through this exact question. Whichever route you choose, the model matters more than the tool that built it.
Is European cloud the same as sovereign cloud? No. European cloud means an EU-incorporated provider on EU infrastructure. Sovereign cloud adds certified independence from non-EU jurisdictions, sovereign operations (EU-only staff with the keys), and national security certifications (SecNumCloud in FR, C5 in DE, BIO 2 in NL). Every sovereign cloud is European; not every European cloud is sovereign.
Does AWS European Sovereign Cloud count as a European cloud? For data residency questions, yes. For full CLOUD Act independence, the answer is contested. AWS ESC is wholly owned by US-incorporated Amazon Web Services Inc. For sovereignty-strict requirements, a fully EU-incorporated provider remains a clearer answer.
Will my customers actually ask about this? If you sell B2B to NIS2-covered entities (banks, hospitals, logistics, manufacturing of medical devices, digital infrastructure, public administration), yes, increasingly through 2026 and 2027. If you sell consumer-facing SaaS without regulated end-customers, less so.
How do I know which regulation applies to me? Start from your data and your customers. AVG applies if you process personal data of EU residents. DORA applies if you are a financial entity or a critical ICT third party to one. NIS2 / Cyberbeveiligingswet applies if you are in scope by sector and size, or if you sell to a NIS2-covered customer. BIO 2 applies if you handle Dutch public-sector data. The EU AI Act layers on top for AI workloads.
How long does a move to a European cloud actually take? Typical timelines for an MKB SaaS: 3-6 months for lift-and-shift on compute, 6-9 months when managed services have to be replaced, 9-18 months when the architecture has structural AWS lock-in. The work is rarely smaller than the original estimate.
Should I go with a big European cloud provider or a smaller Dutch one? Big providers (Hetzner, OVH, Scaleway, StackIT, Ionos) give broader catalogues and mature documentation. Smaller Dutch providers (KPN, Centric, Intermax, Nebul, Leaseweb, Previder) give hands-on relationships and clearer Dutch jurisdiction. If your engineering team can self-serve, bigger usually wins on price and feature depth. If your team needs a partner and the workload is moderate, smaller often wins on relationship and clarity.
Can I do a hybrid setup? Yes, and for most MKB scale-ups it is the more sensible path than a full move. Keep AWS for what AWS does well; move bandwidth-heavy or sovereignty-sensitive workloads to a European provider. The architectural pattern requires deliberate decoupling: shared identity, observability that spans both, data flows that are explicit.
What if my company is under 50 FTE and NIS2 does not apply directly? You still get the supplier questionnaires. NIS2 Article 21(2)(d) obliges in-scope customers to vet their suppliers regardless of supplier size. A 12-person SaaS selling to a NIS2-covered hospital gets the same questionnaire a 200-person SaaS gets.
Moving to a European cloud is a real option for the right shape of business in 2026. For more MKB scale-ups than the news headlines suggest, the right answer is still "not yet" or "not for everything". The question is whether your workload, your customers and your contract calendar push you toward the door or hold you back from it.
Blackbird helps MKB scale-ups work through this decision with the cost models, customer-conversation prompts, and architectural assessment that turn an open question into a written plan. If you want to walk through your specific situation, we are running a webinar in late September on the broader EU cloud and migration question for MKB scale-ups [WEBINAR_LINK].
This session is tailored for:
We are the allrounder for complex cloud application with a specific focus on cloud development. We make reliable cloud solutions and integrations so that your cloud is always in order. We love AWS, but also work with Google and Azure.
.jpg)
Senior Cloud Engineer

Lead developer

Senior Software Engineer
.jpg)
Senior Software Engineer