A boardroom asking "should we move off AWS?" rarely starts random. It starts with a specific trigger: a budget review where the cloud line has doubled in two years, a sovereignty concern raised by a security officer reading the latest NIS2 guidance, or a customer questionnaire asking, in writing, whether the data sits with a provider subject to the US CLOUD Act. The question that follows is the same: is one of the European clouds viable for what we run?

‍

In April 2026, De Nederlandsche Bank moved public-facing workloads to StackIT, the cloud arm of Schwarz Gruppe (Lidl, Kaufland). The same month, the European Commission awarded a €180m sovereign cloud framework to OVHcloud, StackIT, Scaleway and Proximus. The Open Cloud Alliantie (KPN, Centric, Intermax, Nebul, Info Support) published a manifesto arguing that Dutch public-sector workloads belong on Dutch infrastructure. On 15 January 2026, AWS went GA with its European Sovereign Cloud in Brandenburg, a legally separated entity meant to address the CLOUD Act question.

‍

This article covers what "European cloud" actually means, which workloads have a real case to switch, what the five providers most teams shortlist (Hetzner, Scaleway, OVHcloud, StackIT, Ionos) offer, where the capability gaps sit, and what the costs and compliance picture look like in 2026.

‍

What does "European cloud" actually mean?

Four definitions get conflated.

‍

EU-based data centres. AWS, Azure and GCP all qualify. Frankfurt (eu-central-1), Dublin (eu-west-1), Amsterdam, Stockholm. The weakest definition, and the one hyperscaler marketing leans on.

‍

EU-owned company. OVHcloud (France, listed Paris), Scaleway (France, Iliad group), Hetzner (Germany, privately held), Ionos (Germany, listed Frankfurt) and StackIT (Germany, Schwarz Gruppe) all clear this bar.

‍

EU-jurisdiction with no CLOUD Act exposure. A US-incorporated company, or any EU subsidiary of one, sits in scope of the US CLOUD Act regardless of where the servers physically sit.

‍

EU-controlled metadata. Even with data in an EU region, the control plane, billing, telemetry and support tickets often route through US infrastructure.

‍

For the rest of this article, "European" means the provider is EU-incorporated and not legally reachable under the CLOUD Act.

‍

Who should consider switching?

Three kinds of team have a real case. If you're not one of them, the maths usually says stay, and that's a legitimate answer, not a failure of nerve.

‍

The cost-driven team runs workloads heavy on egress or compute, and watches the bill punish them for it. The receipts are real. 37signals reported a $10m five-year saving moving from cloud back to on-prem. Everysize cut infrastructure cost from roughly €50k to €10k a year, an 80% drop, by moving to Hetzner. OneUptime's two-year retrospective on running production on Hetzner records around 90% lower infrastructure cost than the AWS equivalent. The catch is that these numbers hold for a specific shape of workload: predictable CPU, steady traffic, an in-house ops team that can run things itself. 

‍

The sovereignty-driven team has watched CLOUD Act exposure graduate from an interesting dinner-party argument into a documented audit finding, under NIS2 (now Dutch law via the Cyberbeveiligingswet 2025), DORA (binding on financial entities since 17 January 2025), and the BIO 2 framework for the Dutch public sector. It's not only regulators asking anymore. Customer auditors now put the question in writing.

‍

The customer-driven team has already felt it commercially. End-customer contracts in Dutch and German public sector, financial services, healthcare and parts of legal increasingly require EU-resident data on an EU-jurisdiction provider. If you've lost a deal on this in the last twelve months, the case stopped being theoretical the moment that contract walked.

‍

When neither the maths nor the regulation is pushing you? Stay where you are. There's no prize for migrating on principle.

‍

The five European cloud providers worth considering

Hetzner

Germany, privately held, headquartered in Gunzenhausen. Compute and bandwidth specialist. The CX, CPX and CCX VM lines run on x86 and ARM (Ampere) in Falkenstein, Nuremberg, Helsinki and Hillsboro. Object storage is S3-compatible. Egress is the most generous in the market: 20 TB included per VM, then €1/TB.

‍

What is missing: managed Postgres, managed Redis, native managed Kubernetes, FaaS and GuardDuty-equivalent threat detection.

‍

Hetzner suits workloads that are compute-heavy, bandwidth-heavy and operationally boring. VMs, containers on self-managed Kubernetes (k3s, Talos, kubeadm), an object store, a database the team is willing to run themselves or pay a third party to run on top.

Scaleway

France, part of the Iliad group. Headquartered in Paris, data centres in Paris (par1, par2, par3), Amsterdam (ams1) and Warsaw (waw1). The strongest EU-native serverless story of the five: Serverless Functions (Python, Node, Go, Rust, custom containers), Serverless Containers, Serverless Jobs and Serverless SQL Databases as first-party products.

‍

Compute spans Stardust, Pop2 and Pro2 (x86) and ARM (Ampere) lines. GPU options include H100, L40S and L4. Managed databases cover PostgreSQL, MySQL and Redis. Kapsule provides managed Kubernetes. Object storage is S3-compatible, with known edge cases on certain SDK calls (pre-signed URLs and the x-amz-content-sha256 header bite some SDK versions; lifecycle rules do not support every AWS predicate).

‍

If the architecture is event-driven and Lambda-shaped, Scaleway is the only credible single-provider EU answer.

OVHcloud

France, listed Paris. Headquartered in Roubaix, data centres across France (Gravelines, Roubaix, Strasbourg), Germany, the UK, Poland and others. The breadth provider and the bare-metal specialist. The Scale, High Grade and Advance bare-metal lines have the deepest catalogue when bare metal is what the workload actually needs.

‍

Public Cloud covers Discovery through HG instances, Public Cloud Databases (PostgreSQL, MySQL, MongoDB, Redis), Managed Kubernetes Service and a Swift- and S3-compatible object store. SecNumCloud-qualified offerings exist for regulated French public-sector work. SecNumCloud is the French ANSSI qualification; it does not directly transfer to Dutch BIO 2 or German C5, although it signals depth of audit.

‍

OVH suits database-server-shaped workloads, GPU clusters where virtualisation overhead matters, and any workload that benefits from a wide catalogue. Public Cloud egress: 9.99 TB per month included on Discovery, then tiered.

StackIT

Germany, part of Schwarz Gruppe (Lidl, Kaufland). Headquartered in Heilbronn. Data centres in Berlin and Frankfurt. The newest of the five and the most regulated-customer-friendly. The April 2026 DNB selection made the BaFin and DNB procurement conversation materially easier for everyone behind them.

‍

Compute runs on OpenStack with x86 instances. SKE (StackIT Kubernetes Engine) provides managed Kubernetes. SKE Postgres is in beta in some regions. Object storage is S3-compatible. The Secrets Manager exists. IAM is Keycloak-based. No bare-metal SKU, no FaaS.

‍

Prices are higher than Hetzner or OVH. The procurement story (German group, German jurisdiction, no CLOUD Act exposure) is easier. If the customer roster includes Dutch financials, German public sector or anyone reading the BaFin opinion on third-country cloud, StackIT often wins even at the higher per-vCPU price.

Ionos

Germany, listed Frankfurt. Headquartered in Montabaur. Data centres across Germany, the UK, France, Spain and the US. Ionos Cloud (formerly ProfitBricks) targets the enterprise segment with tiered support (Bronze, Silver, Gold, Platinum) and an operational model closer to Azure than to AWS.

‍

Compute Engine, managed Kubernetes, managed PostgreSQL, MySQL, MongoDB and Redis, S3 Object Storage and a native Vault all exist. The catalogue is narrower than AWS or Azure but covers what an SAP or Microsoft estate needs. No FaaS, no GuardDuty equivalent.

‍

Ionos suits teams whose stack already looks like a Microsoft estate, who value 24/7 phone support in German and English, and whose procurement department wants the paperwork an enterprise vendor produces by default.

‍

Five capability gaps to plan for

1. Managed Databases. Not native on Hetzner. Scaleway, OVH, StackIT and Ionos ship a managed Databases, with caveats: StackIT SKE Postgres is beta in some regions, OVH Public Cloud Databases has a narrower extension catalogue than AWS RDS, none match RDS on point-in-time recovery granularity. EU-resident third-party options: Aiven (Finland, EU control plane, runs on Hetzner, OVH and others) and Crunchy Bridge (EU regions, US control plane, so this gets good Postgres but not sovereignty). Self-host with Patroni and pgBackRest if the team has the SRE talent.

‍

2. Lambda / FaaS. Scaleway is the only mature EU-native option. Outside Scaleway: Knative on a managed Kubernetes cluster (Kapsule, MKS, SKE) with the cold-start tax, or rethink the architectural pattern (event mesh on NATS, queue workers on small VMs, CronJobs on Kubernetes). For cron and webhook handlers, a VM with systemd timers is usually fine.

‍

3. IAM granularity. AWS IAM combines resource-level permissions, condition keys (aws:SourceIp, aws:RequestTag) and identity- and resource-based policies. No EU provider has this. Scaleway IAM is closest and still meaningfully coarser. The others are RBAC at project or service level. For ABAC at AWS-grade granularity, layer Keycloak or Cloud-IAM on top of the provider's RBAC. Often the right answer is to put isolation at the project boundary instead: one Scaleway project per tenant rather than one project with clever IAM.

‍

4. KMS and secrets management. No drop-in equivalent for AWS KMS plus Secrets Manager. HashiCorp Vault moved to the Business Source Licence (BUSL) in 2023, no longer OSI-approved, which some procurement teams will not accept. Options: OpenBao (Linux Foundation fork of Vault from before the licence change, MPL 2.0, broadly API-compatible), Infisical (open source, EU regions, strong DX for secrets-in-CI), Bitwarden Secrets Manager and the provider-native options (Scaleway Key Manager, StackIT Secrets Manager, Ionos Vault). For FIPS 140-2 or eIDAS-certified HSM, none of these are drop-in.

‍

5. Threat detection (GuardDuty / Security Hub). No EU-native managed equivalent. The patterns that work: Wazuh plus Falco self-hosted (Wazuh for host SIEM, Falco for container runtime, open source, requires tuning), or commercial EDR from CrowdStrike or SentinelOne (both US-incorporated, which re-introduces CLOUD Act exposure). The MKB version that ships: turn on every audit log the provider exposes, ship to a self-hosted Wazuh or to Grafana Loki, alert on the obvious signals (root logins, IAM changes, mass deletes).

‍

How the costs actually compare

Numbers make this concrete faster than any argument. Take a single 4-vCPU, 16 GB VM, equivalent class across the five providers and AWS, on-demand list price, per month:

‍

• AWS m6i.xlarge (eu-central-1): roughly $140 to $150 per month, plus EBS, plus egress.
• Hetzner CPX41 (4 vCPU, 16 GB, AMD): around €25 per month, including 20 TB egress.
• Scaleway Pro2-S (4 vCPU, 16 GB): around €70 per month.
• OVHcloud B3-32 (4 vCPU, 32 GB): around €70 per month for the larger memory class; the smaller class sits closer to €50.
• StackIT comparable OpenStack flavour: roughly €80 to €100 per month.
• Ionos comparable Compute Engine instance: roughly €70 to €90 per month.

‍

The headline almost writes itself: the same box that runs $140-plus on AWS is €25 on Hetzner.

‍

A fairness check on those numbers: the AWS figure is on-demand list price, and few teams running steady workloads actually pay it. A Compute Savings Plan trades a one- or three-year usage commitment for up to 66% off, and an EC2 Instance Savings Plan or Reserved Instance goes up to 72% off for a specific family and region. Committing the m6i.xlarge for a year typically pulls it toward $100 or below, and a three-year all-upfront commitment can roughly halve it again. That narrows the per-VM gap to Scaleway, OVH, Ionos and StackIT considerably, though it stays wide against Hetzner. The catch is what the commitment doesn't cover: Savings Plans apply to compute, not to egress, S3 or the proprietary managed services, so the two lines where AWS hurts most are exactly the ones you can't discount away.

‍

Object storage tells the same story per TB per month. AWS S3 Standard sits around $23 in eu-central-1, against Hetzner Object Storage at €5.99, Scaleway Standard at €11.40, OVH Standard around €7, and StackIT and Ionos around €15.

‍

But egress is where the gap widens hardest, and it's the line most teams underestimate. AWS charges up to $0.09 per GB outbound (tiered down at volume). Hetzner includes 20 TB per VM and €1 per TB above. Scaleway includes 75 GB per project per month, then around €0.01 per GB. OVH Public Cloud includes 9.99 TB per month on Discovery. For anything that ships a lot of bytes to end users (video, media, large file downloads, busy public APIs), egress alone can make the whole case on its own.

‍

The pattern underneath all of it: savings track the boringness of the workload. VMs, object storage, a database and a load balancer all move cleanly, and the bill drops hard. Event meshes, ML pipelines and multi-region active-active either don't move at all, or move at a cost that eats the saving.

What enforcement and audit look like in 2026

NIS2 came into force across the EU in October 2024 and into Dutch law via the Cyberbeveiligingswet in 2025. Article 21(2)(d) names supply-chain security explicitly. In practice the customer's auditor now asks whether the cloud provider is subject to a third-country legal order. The answer "the data sits in Frankfurt" is no longer sufficient.

‍

DORA (Regulation (EU) 2022/2554) has been in force for financial entities since 17 January 2025. Article 28 requires a register of information on all ICT third-party service providers, with concentration risk assessed for critical providers. The register is filed annually with the competent authority (DNB for Dutch entities). For most Dutch fintechs running on AWS or Azure, the register has a single dominant provider and a concentration risk discussion the board now has to document.

‍

CLOUD Act exposure follows jurisdiction, not geography. A US-incorporated company is reachable under the CLOUD Act for data held anywhere, including in EU regions and in subsidiaries. AWS European Sovereign Cloud is the most serious attempt to wall this off legally through a separate German entity. The test case has not happened.

‍

The EU Data Act (Regulation (EU) 2023/2854) is the other side. From 12 January 2027, cloud providers may no longer charge switching costs, which includes the egress fees that have historically locked workloads in. The change makes switching cheaper at exactly the moment auditors are starting to ask whether the provider is the right one.

‍

What's intensifying for 2026 and 2027

15 January 2026: AWS European Sovereign Cloud goes GA in Brandenburg. A legally separated entity, EU-only personnel, EU-only operational control. Whether it answers the CLOUD Act question is still contested; whether it answers most customer auditor questionnaires is getting clearer.

‍

April 2026: the Open Cloud Alliantie manifesto, in which KPN, Centric, Intermax, Nebul, Info Support and others argue that Dutch public-sector workloads belong on Dutch infrastructure.

‍

April 2026: the EU Commission awards a €180m sovereign cloud framework to OVHcloud, StackIT, Scaleway and Proximus.

‍

April 2026: DNB moves public-facing workloads to StackIT, and with that the procurement conversation for every Dutch regulated entity behind it gets easier.

‍

12 January 2027: the EU Data Act prohibits switching costs. Providers must support data and application portability "without undue delay" and on commercially reasonable terms.

Metadata residency: what to check beyond data location

A provider can put data in Frankfurt and still send a great deal about the customer across the Atlantic. Account billing, support tickets, telemetry, usage analytics that feed the provider's own dashboards: these flows often run through US-hosted systems regardless of where the VMs live.

‍

Four things to check in any residency claim:

‍

Where the control plane lives. If creating a VM goes through an API server in us-east-1, the metadata is in the US even if the VM lands in Frankfurt.

‍

Where billing data is processed. Stripe, HubSpot, Salesforce as a back-office stack means the company's invoicing data sits where those vendors host it.

‍

Where telemetry is shipped. Datadog, New Relic and Splunk in a US region means the provider's own observability sees the customer's usage patterns.

‍

Where support tickets are stored. Zendesk is the usual culprit. It lives wherever the provider's support stack lives.

‍

StackIT and OVH score best because their corporate stacks are EU-native by default. Hetzner is small enough that the surface is narrow. Scaleway and Ionos have more US-SaaS dependencies in the back office than their marketing suggests.

Three things you can do this week

1. Pull the last three months of the AWS bill and segment it by service. The egress and proprietary-service lines (DynamoDB, Aurora Serverless v2, Kinesis, Bedrock) tell where the cost saving is plausible and where it is not. EC2, S3, ALB and RDS move cleanly. The rest does not.

‍

2. List the five AWS services the stack would lose if it moved. Lambda, RDS, S3, CloudWatch, EventBridge: write the actual five. That list is the lock-in, and the input to every architectural decision that follows.

‍

3. Pick one non-critical workload (a dev environment, a batch job, an internal tool) and pilot it on Hetzner or Scaleway. The team learns more from one weekend pilot than from a quarter of vendor calls. Done from scratch this can be slow: cost modelling, pilot deployment, IaC translation. Blackbird builds cloud-migration playbooks for MKB scale-ups. Whichever route the team picks, the pilot matters more than the planning.

‍

Frequently asked questions about European cloud alternatives to AWS

Is Hetzner production-ready? Yes, for the right shape of workload. Compute-heavy, bandwidth-heavy, where the team is willing to run its own database (or pay Aiven), its own Kubernetes cluster and its own observability. Not yet for teams that rely on a deep managed-services catalogue.

‍

What is the realistic cost saving? For VM-and-object-storage workloads that mostly used EC2, S3, ALB and RDS on AWS, 70% to 90% is plausible (Everysize, OneUptime and 37signals all sit in that range). For workloads heavy on DynamoDB, Aurora Serverless v2 and Kinesis, the saving disappears once the rebuild cost is counted.

‍

What is the catch with European cloud providers? Shallower managed-services catalogue, coarser IAM, no EU-native managed threat-detection product, different support culture (slower, less hand-holding, email-first). None are blockers. All require planning.

‍

Does AWS European Sovereign Cloud solve the CLOUD Act problem? It is the most serious attempt yet. Separate German entity, EU-only personnel, EU-only operational control. Whether it satisfies a court ruling on a CLOUD Act warrant has not been tested. For some Dutch regulated entities the answer is yes; for anything touching DNB or BaFin in 2026, the answer is still preference for an EU-incorporated provider.

‍

How long does a migration off AWS actually take? For a single application with a Postgres database and an S3 bucket, two to six weeks including the pilot. For a multi-service estate with twenty applications, six to eighteen months is realistic. The variable is not the lift, it is the number of AWS managed services that have to be replaced.

‍

Can I use a hybrid setup? Yes, and many teams do. Keep Lambda and DynamoDB on AWS, move EC2 and S3 to Hetzner, connect via IPsec or WireGuard. Or keep regulated workloads on StackIT or OVH and leave the rest on AWS. Plan for network egress between clouds and operational complexity (two sets of IaC, two on-call rotations).

‍

What about the EU Data Act egress changes in 2027? From 12 January 2027 cloud providers may no longer charge switching costs. Pricing detail is being clarified through Commission guidance. Egress as a lock-in mechanism ends.

‍

Key takeaways

• The five EU-incorporated providers worth shortlisting: Hetzner (cheapest, no managed services), Scaleway (only credible EU FaaS story), OVHcloud (broadest catalogue, bare-metal specialist), StackIT (regulated-customer-friendly, easier procurement), Ionos (closest-to-Azure operational model).
• Cost savings of 70% to 90% are documented for the right shape of workload (Everysize, OneUptime, 37signals); they evaporate for workloads heavy on AWS-proprietary services.
• Five capability gaps to plan for: managed Postgres on Hetzner, FaaS outside Scaleway, IAM granularity, KMS and secrets, and threat detection.
• CLOUD Act exposure follows the provider's jurisdiction, not the data centre's location.
• NIS2 Article 21(2)(d) and DORA Article 28 now require customer auditors to ask where the provider is incorporated and what concentration risk exists.
• EU Data Act removes switching-cost charges from 12 January 2027.
• DNB selected StackIT in April 2026. The EU Commission awarded a €180m sovereign framework to OVH, StackIT, Scaleway and Proximus the same month.
• Metadata residency (control plane, billing, telemetry, support tickets) is the part of sovereignty most providers gloss over.

Cloud strategy is risk management, not religion

For most MKB teams, the right answer is neither "all-in on AWS forever" nor "everything off the hyperscaler by Q4." It is a decision made workload by workload, with the cost model, the architectural assessment and the compliance picture on the same page. The teams that do this well are the ones that piloted one workload before drawing the migration plan for twenty.