Curated collection

European cloud providers

Q: What counts as a European cloud provider?

On this page, a European cloud provider is one whose operating company is headquartered and incorporated in the EU or EEA, with its primary infrastructure in European data centres. We keep ownership and hosting as separate signals: a provider can be EU-hosted but US-owned, or EU-owned but rely on US sub-processors. Each profile shows both so you can apply your own priority rather than trust a single label.

Q: Is a European cloud provider automatically outside the US CLOUD Act?

Not automatically. The CLOUD Act can reach data held by a company subject to US jurisdiction regardless of where the servers sit, so a US-owned provider's 'EU region' does not, on its own, remove exposure. A provider that is EU-incorporated, EU-owned and free of US sub-processors in the data path has a much weaker exposure profile. We record the ownership and sub-processor chain on every listing so the exposure flag is evidence-based, not assumed.

Q: How is this different from the cloud hosting category page?

The cloud hosting category lists every hosting product in the directory. This hub is the same data framed around the procurement question 'which cloud providers are genuinely European', with the editorial context, certification framing and FAQ that a buyer evaluating sovereignty needs. Use the filters here to narrow by country, certification or CLOUD Act exposure.

Q: Which certifications should I look for?

It depends on your jurisdiction. SecNumCloud is the French sovereign-cloud reference; BSI C5 is the German cloud-security benchmark; EUCS is the pan-European scheme still being finalised. ISO/IEC 27001, 27017 and 27018 are widely held baseline security standards. The comparison table lets you filter to any of these, but read each as a scoped signal, not a blanket guarantee.

Q: Can a European cloud provider still be subject to non-EU law?

Yes, depending on its ownership and sub-processor chain. A provider incorporated in the EU but ultimately owned by a non-EU parent may still fall within the reach of that parent's home jurisdiction. Conversely, an EU-owned provider that uses a US-incorporated CDN or managed-database layer may route data through a sub-processor covered by extraterritorial law. This is why each listing records the full ownership and sub-processor chain, not just the primary hosting location.

Q: What is the difference between IaaS, PaaS, and SaaS on this page?

All three layers are listed here when the provider is EU-incorporated and EU-hosted. Infrastructure-as-a-Service (IaaS) gives you raw compute, storage and networking; Platform-as-a-Service (PaaS) adds managed runtimes, databases and middleware; Software-as-a-Service (SaaS) is a finished application. The compliance questions are similar across layers, but the sub-processor list tends to grow as you move up the stack. Filter by service type in the comparison table to narrow to the relevant layer for your evaluation.

Europe-based infrastructure and hosting providers, compared on hosting region, ownership, CLOUD Act exposure, sub-processors and recognised certifications.

In short

European cloud providers listed here are EU- or EEA-incorporated companies running infrastructure in European data centres. The critical distinction: a US hyperscaler's EU region does not remove CLOUD Act exposure, because ownership determines legal reach, not server location. Providers such as Hetzner, OVHcloud, and IONOS are EU-owned and EU-hosted, giving a structurally different exposure profile.

Last verified May 2026 DISCLOSURE Some links on this site are affiliate links. We may earn a commission at no extra cost to you. Editorial signals and rankings are never influenced by affiliate relationships.

A European cloud provider, as listed here, is an infrastructure or hosting company whose operating entity is incorporated and headquartered in the EU or EEA, running its primary infrastructure in European data centres. That sounds simple, but the useful detail is in what it does not automatically mean: European hosting is not the same as European ownership, and neither one on its own removes exposure to non-EU extraterritorial law.

This page lists the providers in our directory that meet the European-cloud test, benchmarked on the criteria a buyer actually evaluates: hosting region, ownership signal, CLOUD Act exposure, sub-processor chain and recognised certifications. Every figure is sourced to the provider's public documentation and re-verified quarterly.

Why it matters

The reason this distinction is worth a dedicated page is that the easy version of "European cloud" (a US hyperscaler's EU region) does not answer the question most procurement teams are actually asking. Under the US CLOUD Act, data held by a company subject to US jurisdiction can be reached regardless of where the servers physically sit. An "EU region" changes the data's location; it does not change the operator's legal exposure.

A genuinely European provider (EU-incorporated, EU-owned, with no US sub-processors in the data path) has a structurally weaker exposure profile. But "genuinely European" is a chain of facts, not a logo: the operating entity, its ultimate owners, where decisions are made, and who the sub-processors are. We record each link separately so the CLOUD Act exposure flag on every listing is evidence-based. Use this page to shortlist, then open each profile to confirm the chain against your own transfer impact assessment.

Showing all 13 alternatives in this category updating

		Cert.	Pricing	Signals	Open
Aruba Cloud Italian sovereign cloud (Aruba S.p.A.), 4 Italian DCs (Arezzo/Bergamo/Rome), ACN-qualified up to AI3/QC3 for public administration.	AREZZO · IT Italy	ISO/IEC 27001 ISO/IEC 27017 +1 more	Paid €1 /mo	Public DPA Sub-processors Open source	→
Cleura Swedish OpenStack public + compliant cloud (Cleura, ex-City Network, Iver-owned), ISO 27001/27017/27018, EU-only residency.	SE Sweden	ISO/IEC 27001 ISO/IEC 27017 +1 more	Paid	Public DPA Sub-processors Open source	→
Contabo Munich-based budget VPS / dedicated hosting (Contabo GmbH); KKR + Oakley-owned since 2022; 11 global DCs; VPS from <€5/month.	MUNICH · DE Germany	—	Paid €5 /mo	Public DPA Sub-processors Open source	→
Exoscale Swiss public cloud (Akenes SA, A1 Digital member), 6 EU/CH zones, ISO 27001 + FINMA + TISAX, Swiss-data-residency guarantee.	GENEVA · CH Switzerland	ISO/IEC 27001 ISO/IEC 27017 +1 more	Paid €9 /mo	Public DPA Sub-processors Open source	→
Hetzner Family-founded German hyperscaler alternative (1997), EU DCs in Falkenstein, Nuremberg, Helsinki; ISO 27001 + BSI C5 Type 2; from €4/month.	GUNZENHAUSEN · DE Germany	ISO/IEC 27001 C5	Paid €4 /mo	Public DPA Sub-processors Open source	→
IONOS German publicly-listed cloud (IONOS Group SE, Frankfurt + Berlin DCs), first DE provider with both BSI C5 + IT-Grundschutz, Gaia-X member.	FRANKFURT · DE Germany	ISO/IEC 27001 C5	Paid €2 /mo	Public DPA Sub-processors Open source	→
OVHcloud French sovereign cloud (OVH Groupe, Roubaix, 1999), ANSSI SecNumCloud 3.2-qualified Bare Metal Pod; 46 DCs, public on Euronext Paris.	ROUBAIX · FR France	ISO/IEC 27001 SecNumCloud +2 more	Paid €5 /mo	Public DPA Sub-processors Open source	→
Scaleway French sovereign cloud (Iliad-owned, Xavier Niel), ANSSI SecNumCloud + HDS + ISO 27001; winner of €180M EU Cloud III tender.	PARIS · FR France	ISO/IEC 27001 SecNumCloud	Paid €2 /mo	Public DPA Sub-processors Open source	→
STACKIT German sovereign cloud built by Schwarz Digits (Lidl/Kaufland parent), 4 EU DCs, EU Cloud III €180M winner with SEAL-3 highest rating.	NECKARSULM · DE Germany	ISO/IEC 27001 C5 +1 more	Paid	Public DPA Sub-processors Open source	→
Stackscale Spanish private cloud + bare metal (Stackscale, Grupo Aire), Madrid + Amsterdam DCs, ISO 27001/27017/27018 + ENS High.	MADRID · ES Spain	ISO/IEC 27001 ISO/IEC 27017 +1 more	Paid	Public DPA Sub-processors Open source	→
T Cloud Public (formerly Open Telekom Cloud) Deutsche Telekom's OpenStack public cloud (T-Systems), Biere + Magdeburg DCs, ISO 27001 + BSI C5 + TISAX; rebranded from Open Telekom Cloud.	BIERE · DE Germany	ISO/IEC 27001 ISO/IEC 27017 +2 more	Paid	Public DPA Sub-processors Open source	→
Thalassa Cloud Dutch Kubernetes-native sovereign cloud (Thalassa Cloud Services B.V., Arnhem, 2024); 100% EU-owned, NL-hosted, API-first with an official Terraform provider — early-stage, no published certifications yet.	ARNHEM · NL Netherlands	—	Paid €5 /mo	Public DPA Sub-processors Open source	→
UpCloud Finnish performance-focused cloud (Helsinki, 2011), 14+ DCs worldwide including 9 EU regions; ISO 27001; trusted by Plausible.	HELSINKI · FI Finland	ISO/IEC 27001	Paid €5 /mo	Public DPA Sub-processors Open source	→

How to choose

Match the provider to your binding constraint. If you need raw infrastructure (IaaS), weigh the established European players against hosting region, ownership and certification: a clean ownership chain matters more than headline price for sovereignty-driven buys. If you need managed services, check the sub-processor list closely: managed databases, email and CDN layers are where US sub-processors most often re-enter an otherwise European stack. If certification is written into your tender, filter by SecNumCloud (France), BSI C5 (Germany) or EUCS and confirm the certification covers the specific service. If you are a solo founder or small team, the lower-cost European hosts will usually serve you well; your binding constraint is more likely price and developer experience than a formal compliance framework. Sort the table above by compliance score, hosting region or CLOUD Act exposure to find your shortlist.

FAQ

Frequently asked questions

What counts as a European cloud provider?

On this page, a European cloud provider is one whose operating company is headquartered and incorporated in the EU or EEA, with its primary infrastructure in European data centres. We keep ownership and hosting as separate signals: a provider can be EU-hosted but US-owned, or EU-owned but rely on US sub-processors. Each profile shows both so you can apply your own priority rather than trust a single label.

Is a European cloud provider automatically outside the US CLOUD Act?

Not automatically. The CLOUD Act can reach data held by a company subject to US jurisdiction regardless of where the servers sit, so a US-owned provider's 'EU region' does not, on its own, remove exposure. A provider that is EU-incorporated, EU-owned and free of US sub-processors in the data path has a much weaker exposure profile. We record the ownership and sub-processor chain on every listing so the exposure flag is evidence-based, not assumed.

How is this different from the cloud hosting category page?

The cloud hosting category lists every hosting product in the directory. This hub is the same data framed around the procurement question 'which cloud providers are genuinely European', with the editorial context, certification framing and FAQ that a buyer evaluating sovereignty needs. Use the filters here to narrow by country, certification or CLOUD Act exposure.

Which certifications should I look for?

It depends on your jurisdiction. SecNumCloud is the French sovereign-cloud reference; BSI C5 is the German cloud-security benchmark; EUCS is the pan-European scheme still being finalised. ISO/IEC 27001, 27017 and 27018 are widely held baseline security standards. The comparison table lets you filter to any of these, but read each as a scoped signal, not a blanket guarantee.

Can a European cloud provider still be subject to non-EU law?

Yes, depending on its ownership and sub-processor chain. A provider incorporated in the EU but ultimately owned by a non-EU parent may still fall within the reach of that parent's home jurisdiction. Conversely, an EU-owned provider that uses a US-incorporated CDN or managed-database layer may route data through a sub-processor covered by extraterritorial law. This is why each listing records the full ownership and sub-processor chain, not just the primary hosting location.

What is the difference between IaaS, PaaS, and SaaS on this page?

All three layers are listed here when the provider is EU-incorporated and EU-hosted. Infrastructure-as-a-Service (IaaS) gives you raw compute, storage and networking; Platform-as-a-Service (PaaS) adds managed runtimes, databases and middleware; Software-as-a-Service (SaaS) is a finished application. The compliance questions are similar across layers, but the sub-processor list tends to grow as you move up the stack. Filter by service type in the comparison table to narrow to the relevant layer for your evaluation.

Methodology

How we verified every listing here.

For each product we read the public DPA, sub-processors document, hosting region declaration, certifications, and corporate ownership records. Each is timestamped. Signals are editorial, re-verified quarterly. We never accept self-attestation.

Read methodology →