GDPR and Cloud Hosting: What You Need to Know in 2026
The real deal on GDPR-compliant cloud hosting in Europe. Why 'sovereign cloud' from US hyperscalers is mostly marketing, and what actually matters.
So you need GDPR-compliant hosting and everyone tells you “just use an EU data center”. If only it were that simple.
The CLOUD Act problem
The thing is, in 2026 there’s this whole “sovereign cloud” marketing wave going on. AWS launched their European Sovereign Cloud in January - €7.8 billion invested in Brandenburg. Microsoft and Google have similar offerings. They all promise your data stays in the EU, operated by EU staff, separate legal entities, the whole deal.
Sounds great until you look at the fine print.
The US has this thing called the CLOUD Act. It lets US authorities compel American companies to hand over data regardless of where it’s physically stored. Your data could literally be in a bunker in Bavaria - doesn’t matter. If the parent company is American, US courts can demand access.
Here’s the kicker: in July 2025, a Microsoft exec admitted under oath in the French Senate that they cannot guarantee data sovereignty to European customers. That’s not some random blogger saying this. That’s Microsoft, under oath, in an official inquiry.
Anexia’s CEO called it out pretty directly:
“What is being presented here is a classic smokescreen – not genuine digital sovereignty. The CLOUD Act remains fully valid. According to public records, the European company is still 100% owned by a US-based Amazon company.”
He’s not wrong. AWS European Sovereign Cloud GmbH is still owned by Amazon. Courts can compel parent companies to produce data from subsidiaries. The fancy legal structure changes nothing about jurisdiction.
Who’s actually moving
And this isn’t just theoretical hand-wringing. Real organizations are actually moving away from US providers.
Airbus put out a €50M+ tender in January to migrate critical systems to European providers. Their EVP Digital was pretty clear:
“I need a sovereign cloud because part of the information is extremely sensitive from a national and European perspective.”
The ICC - the International Criminal Court in The Hague - ditched Microsoft Office for European alternatives. The backstory? Their chief prosecutor got temporarily locked out of his Outlook account during US political pressure. Think about that for a second.
Schleswig-Holstein migrated 40,000 employees off Microsoft Exchange to Open-Xchange. Also moved from Windows to Linux on desktops. A whole German state.
What the EU is doing
The EU isn’t sitting around either. They introduced this SEAL certification (Sovereign European Assurance Level) that’s strict enough on data residency and foreign law immunity that US hyperscalers can’t qualify for the highest tier. Not without completely restructuring their companies.
There’s also the EU Data Act since January 2025 requiring providers to block illegal international transfers, and a sovereignty scoring system for public procurement with €180 million in contracts favoring compliant providers.
Despite all this, US hyperscalers still control over 70% of Europe’s cloud infrastructure. But the sentiment is shifting. Gartner surveyed 214 Western European IT leaders and the numbers are pretty clear:
The real options
So what are the actual options if you want real sovereignty?
You need providers that are headquartered in EU/EEA/Switzerland, not owned by US companies (the actual parent, not some subsidiary), and not dependent on US tech partnerships for their core stuff.
The usual suspects: OVHcloud and Scaleway (both French, HDS certified for healthcare), Hetzner (German, great value), IONOS (German, 1&1), UpCloud (Finnish), Exoscale (Swiss, FINMA compliant), STACKIT (German, BSI C5, owned by Schwarz Group - yeah, the Lidl people), Infomaniak (Swiss), netcup (German).
What about those partnerships you see advertised? T-Systems operating Google Cloud in Germany, SAP partnering with AWS, Orange working with Microsoft? They might have operational benefits but the fundamental problem stays. US company in the chain = CLOUD Act exposure. It’s not real sovereignty.
Certifications
Different industries have different legal requirements. Quick version:
- German healthcare/government: BSI C5 Type 2 (mandatory since July 2025)
- French healthcare: HDS v2.0 (mandatory since Nov 2024)
- French government: SecNumCloud
- EU financial/insurance: DORA compliant (mandatory since Jan 2025)
- Swiss financial: FINMA compliant
- Selling to US customers: SOC 2 (often contractually required)
I wrote a detailed breakdown of all the certifications if you need the specifics.
What to do
What should you actually do? Depends on your situation.
For sensitive or regulated workloads, use providers that are actually European. No marketing “sovereign cloud” changes US jurisdiction. STACKIT for German compliance, OVHcloud/Scaleway for French healthcare, Exoscale for Swiss financial.
For normal business stuff, European providers typically offer better value anyway. Scaleway, OVHcloud, UpCloud. Or Hetzner if you’re comfortable with DIY.
If your US customers require SOC 2, look at Civo or Gcore - EU-based, but they hold the American certification.
For maximum savings, DIY Kubernetes on Hetzner or netcup. Full control, German providers, ISO 27001. I’ve been running Talos clusters on Hetzner for my own projects and it works great.
The only questions that matter
The questions that actually matter when evaluating any provider:
- Where’s the parent company headquartered? Not the subsidiary - the actual parent.
- Is any US company in the ownership chain?
- Can a US court compel them to hand over data?
The €180 million in EU procurement shifting toward sovereign providers signals where this is going. Might as well position for it now instead of dealing with migrations later.
Compare providers on our calculator or check provider details for compliance info.