A vendor-neutral overview of the European private cloud landscape. This page does not recommend specific providers — it maps the categories, evaluates the trade-offs, and gives CISOs and CTOs a framework for navigating EU-jurisdiction alternatives to US hyperscalers.
European organisations exploring alternatives to US hyperscalers face a fragmented but maturing market.
AWS, Microsoft Azure, and Google Cloud collectively hold approximately 65-70% of the European cloud market. This concentration creates a structural dependency that conflicts with EU regulatory objectives around sovereignty, supply chain security, and data protection.
European alternatives exist across a spectrum — from managed private cloud providers to national sovereign cloud initiatives to EU-headquartered public cloud operators. The landscape is fragmented, and no single European provider matches the breadth of a hyperscaler. But for organisations whose primary requirement is regulatory compliance rather than global scale, the European market offers viable and increasingly mature options.
Not all providers claiming European credentials offer the same level of jurisdictional protection. Key distinctions to evaluate:
A provider with EU data centres but US parent company ownership does not deliver the same jurisdictional protection as a provider incorporated, owned, and operated within the EU.
The European cloud landscape can be divided into distinct categories, each with different trade-offs for compliance, capability, and operational complexity.
Providers that deploy and operate dedicated private cloud infrastructure for a single customer. Typically based on OpenStack, Kubernetes, or similar open-source platforms. Hardware may be customer-owned or provider-owned, located in a data centre of the customer's choosing.
Trade-offs: Highest level of control and compliance alignment. Higher operational cost than shared infrastructure. Requires clear SLAs for the managed service layer. Best suited for regulated industries and government.
Deployment model: Dedicated hardware, single-tenant, customer-controlled or managed.
European-headquartered companies offering public cloud services (IaaS, PaaS) from EU data centres. These are multi-tenant environments but operated by EU-jurisdiction entities, avoiding exposure to US extraterritorial law.
Trade-offs: Lower cost than dedicated private cloud. Shared infrastructure means less granular control. Still requires DPAs and sub-processor due diligence. Services may be less feature-rich than hyperscaler equivalents. Good for organisations that need EU jurisdiction without full private cloud complexity.
Deployment model: Shared infrastructure, multi-tenant, provider-managed.
Government-backed or government-mandated cloud platforms designed to meet national sovereignty requirements. These include national government cloud programmes, GAIA-X-aligned federations, and EUCS-certified providers.
Trade-offs: Strongest regulatory alignment, particularly for public sector. May be limited to government or critical infrastructure customers. Feature sets are often narrower. Procurement processes can be lengthy. Interoperability across Member States is still developing.
Deployment model: Varies — dedicated or shared, government-certified.
OpenStack is the most widely deployed open-source cloud platform, used by organisations ranging from CERN to major telecoms. For European organisations seeking private cloud without vendor lock-in, managed OpenStack is a well-established option.
A managed OpenStack provider handles the deployment, operation, and lifecycle management of the OpenStack platform while the customer retains control over the infrastructure decisions — hardware selection, data centre location, network architecture, and security configuration.
This model addresses NIS2 supply chain requirements because the software is open-source (auditable), the hardware is customer-specified, and the management layer is provided by a contractually bound EU-jurisdiction entity.
Several European companies offer public cloud services that compete with hyperscaler IaaS. Each has distinct strengths and limitations.
| Characteristic | What to Assess | Why It Matters |
|---|---|---|
| Headquarters and incorporation | Country of incorporation, applicable corporate law, court jurisdiction | Determines which government can compel data disclosure. EU incorporation means no CLOUD Act exposure. |
| Ownership structure | Public or private, majority shareholders, investor nationality | A provider incorporated in the EU but majority-owned by a US fund may still face indirect pressure. Assess the full ownership chain. |
| Data centre locations | Countries, specific cities, tier rating, owned vs. leased | Data residency is necessary but not sufficient. Owned data centres provide stronger physical security control than leased space in shared facilities. |
| Certifications | ISO 27001, SOC 2, C5 (BSI), SecNumCloud (ANSSI), EUCS (when available) | Certifications indicate baseline security maturity. National certifications (C5, SecNumCloud) are increasingly required for government contracts. |
| Service breadth | Compute, storage, networking, managed databases, Kubernetes, AI/ML, serverless | European providers typically offer narrower service catalogues than hyperscalers. Assess whether their services cover your actual requirements — not hypothetical ones. |
| Interconnection and peering | Internet exchanges, private peering, dedicated connectivity options | Network performance and connectivity options are critical for hybrid and multi-cloud architectures. European providers often have strong regional peering but limited global presence. |
| Support model | Support language, location, availability, escalation paths | EU-based support teams reduce the risk of personal data exposure through support tickets routed to non-EU jurisdictions. |
Multiple EU Member States and the European Commission itself are investing in sovereign cloud infrastructure. These programmes range from national government clouds to pan-European certification frameworks.
ENISA is developing the European Cybersecurity Certification Scheme for Cloud Services (EUCS). Originally proposed with a "High" level that would have required EU-jurisdiction ownership and operation, the scheme has been revised following political negotiations. The current status and final requirements are subject to ongoing EU institutional discussions.
Regardless of the final EUCS outcome, national certification schemes (France's SecNumCloud, Germany's C5) continue to apply and are increasingly referenced in procurement requirements.
GAIA-X is a European initiative to develop a federated data infrastructure based on common standards for data sovereignty, interoperability, and portability. It is not a cloud provider — it is a framework for establishing trust and data exchange rules across providers.
GAIA-X defines "labels" that attest to a provider's compliance with data sovereignty principles. In practice, adoption has been slower than initially projected, and the framework's practical impact varies significantly across Member States and industries.
Several Member States operate or are developing dedicated government cloud platforms:
These programmes demonstrate that sovereign cloud is an active policy priority, not just a theoretical concept.
US hyperscalers now offer "sovereign cloud" products in Europe. These deserve careful scrutiny.
Major US cloud providers have introduced sovereign cloud variants for the European market. These typically include data residency guarantees (data stays in the EU), operational controls (EU-resident staff operate the environment), and, in some cases, partnerships with EU-headquartered entities to create legally separate operating structures.
These offerings address one dimension of sovereignty: data residency. Some also address operational sovereignty by restricting personnel access to EU residents. This is a meaningful step beyond standard "EU region" deployments.
Even the most restrictive hyperscaler sovereign cloud offering does not address several fundamental concerns:
A "sovereign cloud" product from a US hyperscaler is an improvement over standard public cloud deployment. But it is not equivalent to infrastructure operated by an EU-jurisdiction entity. Evaluate the substance behind the label — not the label itself.
A structured approach to assessing EU-jurisdiction cloud providers against your regulatory and operational requirements.
| Evaluation Category | Key Questions | Red Flags |
|---|---|---|
| Jurisdictional Independence | Where is the provider incorporated? Who are the majority shareholders? Is the provider subject to any non-EU extraterritorial law? | US parent company. Majority non-EU ownership. Refusal to disclose ownership structure. |
| Data Sovereignty | Where is data stored? Where is it processed? Where do backups reside? Does telemetry or metadata leave the EU? | Metadata sent to non-EU headquarters. Backups in non-EU locations. Vague answers about data flows. |
| Operational Control | Who operates the infrastructure? Where are operations staff located? What access do they have? How is access logged? | Support routed to non-EU jurisdictions. No transparency about staff locations. Inadequate access logging. |
| Supply Chain Transparency | Who are the sub-processors? What hardware is used? Is the software stack open-source or proprietary? Can you audit the supply chain? | Hundreds of undisclosed sub-processors. Proprietary software with no audit rights. Refusal to share supply chain details. |
| Portability and Exit | Can you export your data and configurations? What formats are used? Is there vendor lock-in at the application layer? | Proprietary APIs with no open equivalents. Data export fees. No documented exit process. |
| Certifications and Compliance | ISO 27001? SOC 2? National certifications (C5, SecNumCloud)? GDPR DPA available? NIS2 compliance posture? | No independent certifications. DPA only available on request after signing. No NIS2 compliance statement. |
| Financial Viability | What is the provider's revenue? How long have they been operating? What is their customer base? Is the business sustainable? | Pre-revenue startup. Dependent on a single government contract. No public financial information. |
Not all workloads require sovereign infrastructure. Classify your data and applications by regulatory sensitivity. Personal data under GDPR, data subject to NIS2, financially regulated data under DORA — these should be prioritised for EU-jurisdiction infrastructure. Development environments and non-regulated workloads may remain on existing platforms.
A wholesale migration from a hyperscaler to a European provider is rarely practical or necessary. Most organisations adopt a hybrid approach: regulated and sensitive workloads on EU-jurisdiction private or sovereign cloud, with non-regulated workloads remaining on existing platforms. The goal is compliance, not ideological purity.
If your team has deep expertise in AWS or Azure, moving to OpenStack or a European provider requires investment in training and hiring. Managed service providers can bridge this gap, but you should plan for building internal competence over time. Relying entirely on a managed provider for a platform you do not understand creates a different form of dependency.
Evaluate your regulatory requirements, classify your workloads, and identify the right EU-jurisdiction infrastructure for your organisation.