
Sovereign Hosting Guide

EU-sovereign hosting: the complete guide for German SMEs looking to break free from US hyperscalers.

Last updated: 2026-06-23

Amazon, Microsoft, and Google control 70% of the European cloud market – European providers now hold just 15%. [Source: Synergy Research: European Cloud Providers Hold 15% Market Share] For German mid-market companies, this dependency is becoming a strategic risk: the US CLOUD Act, tightening EU regulation, and geopolitical tensions are turning provider choice into a strategic decision. This guide explains what sovereignty really means, which EU providers qualify, and how to plan your migration.

78% of CIOs prioritize digital sovereignty (Lünendonk study 2025)
70% of the EU cloud market is controlled by US hyperscalers
83% of companies consider unilateral access restrictions realistic
€100B projected size of the EU sovereign cloud market by 2031

What "sovereign" really means

Many companies confuse data residency with data sovereignty. An AWS server in Frankfurt does store data physically in Germany, but Amazon, as a US company, is subject to the CLOUD Act – and must hand over data on request from US authorities, regardless of where it is stored. [Source: Igor's Lab: Interior Ministry report confirms risks to data sovereignty]

True sovereignty requires three criteria:

  1. Legal sovereignty: the provider is subject solely to EU law – no US parent company, no CLOUD Act exposure
  2. Data residency: data is stored and processed physically in the EU
  3. Operational independence: operations and support are handled by EU staff, with no access by third countries

A data center in Frankfurt run by a US provider meets only criterion 2. For GDPR conformity and NIS2 supply chain security, that is not enough.

The CLOUD Act problem

The US CLOUD Act of 2018 obliges US companies to hand over data on request from US authorities – regardless of physical storage location. In 2025, Microsoft's own legal counsel admitted before the French Senate: "No, I cannot guarantee that data will not be passed on to US authorities." [Source: The Register: Microsoft Cannot Guarantee Data Sovereignty]

For a detailed analysis of the legal implications, see our article US CLOUD Act: why AWS Frankfurt guarantees no data sovereignty.

EU-sovereign cloud providers compared

Five EU providers meet all three sovereignty criteria. All are EU-based, have no US parent company, and are therefore not subject to the US CLOUD Act. [Source: Gart Solutions: EU Cloud Provider Guide (2026)]

Hetzner (Germany) – headquartered in Gunzenhausen, Bavaria. Data centers in Nuremberg, Falkenstein, and Helsinki. Known for an aggressive price-performance ratio and a developer-friendly API. NVMe SSD cloud servers with AMD EPYC CPUs.

IONOS (Germany) – majority-owned by the publicly listed United Internet AG. Operates its own data centers in several countries, including Germany, France, the UK, Spain, and the US; ISO 27001-certified.

OVHcloud (France) – the largest Europe-based cloud infrastructure provider, with annual revenue exceeding EUR 1 billion (fiscal year 2025: EUR 1,084.6M). A broad service portfolio spanning VPS to bare metal. [Source: OVHcloud: FY2025 Financial Results (revenue EUR 1,084.6M)]

Open Telekom Cloud (Germany) – operated by T-Systems (Deutsche Telekom). BSI C5-certified, OpenStack-based. High-availability zones in Germany and the Netherlands. [Source: Open Telekom Cloud]

STACKIT (Germany) – the cloud platform of the Schwarz Group (Lidl/Kaufland). Data centers in Germany and Austria, with strong GDPR positioning. [Source: STACKIT: The sovereign cloud]

| Criterion | Hetzner | AWS Frankfurt |
| --- | --- | --- |
| Owner | Hetzner GmbH, Gunzenhausen (DE) | Amazon.com Inc., Seattle (US) |
| CLOUD Act | No exposure | Fully exposed |
| BSI C5 | In preparation | Certified |
| GDPR | Natively compliant – EU law only | Legal conflict with US law |
| Cost (comparable server) | A fraction of AWS costs | Hyperscaler level |
| Vendor lock-in | Low – standard APIs | High – proprietary services |
| Data centers | Nuremberg, Falkenstein, Helsinki | Frankfurt (US operator) |

The cost advantage of EU-sovereign providers

Sovereign alternatives have a reputation for being expensive – and that simply is not true. EU providers like Hetzner deliver comparable compute power at a fraction of hyperscaler prices; our article Hetzner vs. AWS walks through the detailed cost comparison for a specific configuration.

The price advantage comes from leaner organizational structures, lower margins, and the absence of a global marketing budget. EU providers do, of course, lack some of the highly managed services (such as AWS Lambda or DynamoDB) – but for most workloads, standard containers, PostgreSQL, and object storage are entirely sufficient. [Source: DEV.to: Best European Cloud Hosting Providers 2025]

BSI C5: Germany's cloud security standard

The BSI's Cloud Computing Compliance Criteria Catalogue (C5:2020) comprises 121 criteria across 17 subject areas and is regarded as the definitive standard for cloud security in Germany. Public authorities and regulated industries (banks, insurers, healthcare) increasingly require C5 conformity as a contractual prerequisite. [Source: BSI: C5 Criteria Catalogue]

The updated version, C5:2025, is expected to be finalized in 2026 and will introduce expanded requirements for supply chain security, AI-specific cloud services, and zero-trust architectures. [Source: Schellman: Updates to BSI C5 Standard]

Gaia-X and European cloud standards

Gaia-X does not provide a cloud of its own. It defines standards and interoperability rules for European cloud services. The Gaia-X Trust Framework 3.0 ("Danube Release") lets organizations add industry-specific compliance requirements as extensions without sacrificing technical interoperability. [Source: InfoQ: Gaia-X Trust Framework 3.0 – Danube Release]

Gaia-X has not escaped criticism, however: after US hyperscalers such as Microsoft, Google, and AWS were admitted to the initiative, critics see its original sovereignty purpose as watered down. For businesses, the pragmatic recommendation stands: use Gaia-X standards as a point of orientation, but base your provider choice on the three sovereignty criteria (law, residency, operations).

Migration: what to expect

Phase 1 – Assessment (months 1–2): Take stock of all cloud services, data flows, and dependencies. Assess CLOUD Act exposure. Define the target architecture.

Phase 2 – Planning (months 2–3): Set the migration sequence, plan a fallback strategy, select data migration tools. Run a cost-benefit analysis of the target infrastructure.

Phase 3 – Migration (months 3–12): Migrate incrementally with parallel operation. Containerized workloads (Docker/Kubernetes) are the easiest to migrate. Database migration calls for particular care.

Phase 4 – Validation (months 12–14): Performance testing, security audit, compliance review. Only terminate the old provider after successful validation.

Since 12 September 2025, the EU Data Act has obliged cloud providers to make switching technically easier and to remove barriers – an important lever for companies looking to migrate. [Source: European Commission: Data Act (cloud switching since 12 Sept 2025)]

Practical steps for SMEs

  1. Run a CLOUD Act audit: check whether your current cloud provider, or its parent company, is subject to US jurisdiction
  2. Categorize your data: classify data by sensitivity – not everything has to be migrated at once
  3. Document an exit strategy: many mid-market companies have none – a risk under the NIS2 supply chain and incident management obligations
  4. Push containerization forward: Docker and Kubernetes make switching cloud providers considerably easier
  5. Infrastructure as Code: Terraform-based infrastructure is reproducible across providers
  6. Start a pilot project: migrate a non-critical application first to build up experience

In a free intro call, we assess your cloud infrastructure for CLOUD Act exposure. We deliver the full migration and hardening on Hetzner at a fixed price of €36,000 – with a working app as the result, including containerization and Terraform setup.

Frequently asked questions

What does sovereign hosting mean?
True sovereignty requires three criteria: the provider is subject solely to EU law (no US parent company), data is stored physically in the EU, and operations and support are handled by EU staff with no third-country access.

Is Hetzner a genuine alternative to AWS?
For most workloads, yes. Hetzner delivers comparable compute power at a fraction of AWS prices. Standard containers, PostgreSQL, and object storage cover the requirements of most SaaS platforms.

Which EU cloud providers are there?
Hetzner (Germany), IONOS (Germany), OVHcloud (France), Open Telekom Cloud (Deutsche Telekom), STACKIT (Schwarz Group), and Scaleway (France). All are EU-based, have no US parent company, and are therefore not subject to the US CLOUD Act.

How long does a cloud migration take?
Typically 6 to 18 months. 82% of failed migrations fail due to inadequate planning. Containerized workloads are the easiest to migrate. Since September 2025, the EU Data Act has obliged cloud providers to make switching technically easier.

What is BSI C5?
The BSI's Cloud Computing Compliance Criteria Catalogue (C5:2020) comprises 121 criteria across 17 subject areas and is regarded as the definitive standard for cloud security in Germany. Public authorities and regulated industries increasingly require C5 conformity.

Why should I migrate now?
NIS2 requires a supply chain risk assessment, the EU Data Act has made switching providers easier since September 2025, and the US surveillance authority FISA 702 came up for reauthorization in April 2026. The regulatory direction is clearly moving away from US dependencies.
