GDPR-Compliant Kubernetes Hosting in Europe
Not all cloud providers are equal when it comes to compliance. The CLOUD Act, GDPR, NIS2, and industry-specific regulations like DORA (finance) and HDS (healthcare) create a complex landscape. This matrix helps you find providers that meet your requirements.
Provider Compliance Matrix
Certifications verified from provider websites as of January 2026
Gcore 
plusserver 
Aruba Cloud 
Exoscale Infomaniak 
Leafcloud NETWAYS Web Services 
OVHcloud Scaleway STACKIT 
Cleura Cyso gridscale Hetzner IONOS metalstack.cloud netcup Safespring 
UpCloud C1V Hosting Contabo 
Hostinger Serverspace Thalassa Cloud 
Webdock 
AWS (EKS) Azure (AKS) GCP (GKE) 
Civo | Provider | ISO27001 | SOC2 | C5 | HDS | PCI-DSS | FINMA | HIPAA | ISO9001 | ISO14001 | EU-Owned | EU DCs Only |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Gcore | ✓ | ✓ | ✕ | ✕ | ✓ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| plusserver | ✓ | ✓ | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| Aruba Cloud | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✕ | ✓ | ✓ |
| Exoscale | ✓ | ✕ | ✕ | ✕ | ✕ | ✓ | ✕ | ✕ | ✕ | ✓ | ✓ |
| Infomaniak | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ | ✓ |
| Leafcloud | ✓ | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| NETWAYS Web Services | ✓ | ✕ | ✕ | ✕ | ✓ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| OVHcloud | ✓ | ✕ | ✕ | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| Scaleway | ✓ | ✕ | ✕ | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| STACKIT | ✓ | ✕ | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| Cleura | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| Cyso | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| gridscale | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| Hetzner | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| IONOS | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| metalstack.cloud | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| netcup | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| Safespring | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| UpCloud | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| C1V Hosting | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| Contabo | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| Hostinger | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| Serverspace | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| Thalassa Cloud | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| Webdock | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✓ |
| AWS (EKS) | ✓ | ✓ | ✕ | ✕ | ✓ | ✕ | ✓ | ✕ | ✕ | ✕ | ✕ |
| Azure (AKS) | ✓ | ✓ | ✕ | ✕ | ✓ | ✕ | ✓ | ✕ | ✕ | ✕ | ✕ |
| GCP (GKE) | ✓ | ✓ | ✕ | ✕ | ✓ | ✕ | ✓ | ✕ | ✕ | ✕ | ✕ |
| Civo | ✓ | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ | ✕ |
What Do These Certifications Mean?
ISO 27001
International standard for information security management systems (ISMS). Proves the provider has documented security processes that are regularly audited. The baseline certification — if a provider doesn't have this, consider it a red flag.
SOC 2
US-originated audit framework covering security, availability, processing integrity, confidentiality, and privacy. Commonly required by US-facing B2B SaaS companies. Not a legal requirement in the EU but often demanded by enterprise customers.
BSI C5
German Federal Office for Information Security (BSI) Cloud Computing Compliance Criteria Catalogue. Legally required for German public sector, healthcare (since July 2025), and critical infrastructure. Type 2 audits verify controls over time.
HDS (Hébergeur de Données de Santé)
French certification required for hosting personal health data. Mandatory since November 2024 for any provider handling healthcare data in France. Covers physical hosting, managed infrastructure, and application hosting.
PCI-DSS
Payment Card Industry Data Security Standard. Required for organizations processing, storing, or transmitting credit card data. Relevant if your Kubernetes workloads handle payment processing.
FINMA
Swiss Financial Market Supervisory Authority compliance. Required for Swiss financial institutions. Exoscale is a notable provider with FINMA compliance, making it suitable for fintech workloads in Switzerland.
HIPAA
US Health Insurance Portability and Accountability Act. Required for handling protected health information (PHI) in the US. Primarily relevant for providers serving US healthcare customers.
ISO 9001
Quality management systems standard. Demonstrates consistent processes and continuous improvement. Not security-specific but shows organizational maturity.
ISO 14001
Environmental management systems standard. Shows the provider has structured processes for reducing environmental impact. Relevant for organizations with sustainability requirements.
US Hyperscalers and CLOUD Act Risk
The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) gives US law enforcement the legal right to compel US-headquartered companies to provide data stored on their servers, regardless of where those servers are physically located.
This means data stored on AWS eu-central-1 (Frankfurt), Azure West Europe (Netherlands), or GCP europe-west3 (Frankfurt) is still subject to US government access requests. Running in an EU datacenter does not provide legal protection from the CLOUD Act.
AWS launched its "European Sovereign Cloud" in 2025 as a partial mitigation — a physically and logically separated infrastructure operated by an EU entity. However, the CLOUD Act's extraterritorial reach remains legally untested against this structure. For organizations requiring absolute certainty, EU-owned providers eliminate this risk entirely.
NIS2 (effective October 2024) requires critical infrastructure operators to assess third-country risks in their ICT supply chain. Using a US-owned cloud provider is now a documented risk factor that must be addressed in compliance documentation.
Frequently Asked Questions
Need help choosing a compliant provider for your Kubernetes workloads?