Here’s the thing most people miss about cloud sovereignty: it’s not about where your data physically lives — it’s about who controls it legally.
US hyperscalers own around 70% of Europe’s cloud infrastructure. They’ll tell you their EU sovereign offerings come with data residency and technical controls. That’s true. But the US CLOUD Act means American authorities can compel a US-headquartered provider to hand over data stored in the EU regardless of where the servers are. Jurisdiction follows the company, not the data centre.
EU-native cloud providers — 100% EU-owned, EU-operated, and governed exclusively by EU law — cut that exposure off at the source. No US parent company means no entity that can receive a CLOUD Act warrant. This is what’s called the Full EU Isolation Model, and it’s the strongest legal protection tier available to European organisations.
This article compares the four leading EU-native providers — Hetzner, OVHcloud, Scaleway, and T-Systems — on legal protection, service capability, and workload fit. We’ll also cover two important nuances: the OVHcloud Canadian court order that shows EU-native protection isn’t absolute, and why GAIA-X certification isn’t the sovereignty guarantee it sounds like. For the complete framework behind all of this, see our sovereign cloud explained guide.
What Does Full EU Isolation Actually Mean — and How Is It Different from Hyperscaler Sovereign Cloud?
Three things determine genuine sovereignty — and it’s worth being clear about what each one means.
Data residency is where data physically sits. Data sovereignty is which legal system governs it. Jurisdictional control is who can legally compel access. EU-native providers satisfy all three. Hyperscaler sovereign cloud offerings typically satisfy only the first.
The gap in AWS’s European Sovereign Cloud and Azure’s EU Data Boundary isn’t technical — it’s structural. When a US parent company exists, that entity can receive a CLOUD Act warrant. That directly conflicts with GDPR Article 48, which requires an international agreement before EU data reaches non-EU authorities. Microsoft’s chief legal officer admitted before the French Senate that Microsoft cannot guarantee EU data is safe from US access requests.
Here’s the terminology you need to cut through the marketing. “EU-native” means EU-headquartered, EU-owned, and EU-law governed. “EU-based” means servers are in Europe — necessary but not sufficient. “EU-sovereign” is a marketing term with no consistent legal definition.
Hetzner, OVHcloud, Scaleway, and T-Systems all qualify as EU-native. None of them have a US parent company or CLOUD Act exposure. The differences between them come down to service capability, compliance certifications, and the type of workloads they suit best — not their fundamental legal structure.
How Does Hetzner Compare on Sovereignty, Pricing, and Service Capability?
Hetzner is German-headquartered with data centres in Germany and Finland. It’s 100% EU-owned, no foreign parent, zero CLOUD Act exposure.
Pricing is where it gets really interesting. An independent benchmark by Callista (February 2026) found Hetzner delivers approximately 14.3 times the value-per-compute-unit of AWS. A Hetzner CPX32 instance runs €16.36 per month versus €162.88 for an equivalent AWS instance — 10% of the price with 71% better multi-core performance. As the benchmark puts it: “The undisputed value winner. For 10% of the AWS price, you get 70% better multi-core performance.”
That laser focus on compute and storage is also its main limitation. The service catalogue is solid on compute, storage, and networking, but there are no native AI/ML services, limited serverless options, and no enterprise software integrations. Hetzner also doesn’t participate in GAIA-X — worth knowing if your procurement frameworks require it.
Best fit: SMB SaaS companies, developer teams, and cost-sensitive startups that need genuine EU legal protection without enterprise overhead. The value advantage over hyperscalers is unmatched in the EU-native tier.
Is OVHcloud Actually Safe for Sensitive European Data — and What Does the Canadian Court Order Mean?
OVHcloud is France’s largest EU-native cloud provider and the most full-stack alternative in the tier. It operates 30+ data centres across Europe, holds ISO 27001 and HDS certifications, is SecNumCloud-qualified, participates in GAIA-X, and offers a broad managed service catalogue including Kubernetes, databases, and AI.
But here’s something you need to know before you commit.
In September 2024, the Ontario Court of Justice ordered OVHcloud to hand over user data stored in France, Great Britain, and Australia to Canadian police. The ruling held that OVHcloud’s “virtual presence” in Canada subjected it to Canadian jurisdiction regardless of where the data was stored. This was widely reported in November 2025.
OVHcloud invoked France’s blocking statute (loi de blocage), which prohibits French companies from disclosing sensitive data to foreign authorities outside official channels. The court rejected it. Complying would expose OVHcloud’s French executives to six months in prison and €90,000 fines per violation. OVHcloud appealed; France confirmed direct disclosure would be illegal and offered expedited processing through MLAT channels.
What this means: A non-EU court can direct orders at a foreign subsidiary the provider controls in its jurisdiction — targeting the local entity, not the EU parent, and thereby bypassing GDPR Article 48. This wasn’t a systemic failure, and it involved OVHcloud’s Canadian entity specifically. But it proves that EU-native providers with non-EU entities carry cross-jurisdictional legal risk. Check the full corporate structure — not just data centre locations — before assuming complete jurisdictional immunity.
Best fit: FinTech and HealthTech companies requiring compliance certifications (ISO 27001, HDS, SecNumCloud) and a broader managed service catalogue. Also the right call for EU-wide enterprise deployments needing the broadest European data centre footprint.
How Does Scaleway Compare for Developer-Centric Sovereignty?
Scaleway is Paris-headquartered, a subsidiary of Iliad Group (French telecom), with data centres exclusively in Paris, Amsterdam, and Warsaw. 100% EU-owned, no CLOUD Act exposure.
It sits between Hetzner’s pure cost efficiency and OVHcloud’s enterprise breadth — and it has the strongest developer experience in the tier. The catalogue covers managed Kubernetes, GPU-powered instances, serverless functions, managed databases, and AI compute. An independent benchmark (Callista, February 2026) found Scaleway delivers approximately 4.8x the value per euro of AWS — double the single-core performance for a quarter of the price, with free egress where AWS charges €15.20 per 200GB.
GPU infrastructure is Scaleway’s key differentiator. If you’re running inference or training workloads that would otherwise require hyperscaler GPU instances, you can do that here with full EU legal protection. Hetzner doesn’t offer equivalent options.
One thing worth knowing: a 2025 Xomnia analysis noted Scaleway uses some US-based services for management console infrastructure. This doesn’t affect data centre operations or storage jurisdiction, but if you have extremely strict operational sovereignty requirements, evaluate the full stack before committing.
Scaleway participates in GAIA-X and is working toward SecNumCloud alignment.
Best fit: SMB SaaS startups and development teams prioritising developer experience alongside sovereignty, particularly those with GPU or AI compute needs.
What Makes T-Systems and Open Telekom Cloud Different from Other EU-Native Providers?
Where Hetzner and Scaleway target cost-sensitive developer teams, T-Systems is the EU-native option for the other end of the market — regulated industries, government agencies, and large enterprise.
T-Systems is the parent entity; Open Telekom Cloud (OTC) is the actual cloud platform, backed by Deutsche Telekom — one of Europe’s largest telecoms. Open Telekom Cloud runs on OpenStack with high-availability zones in Germany and the Netherlands. It holds BSI C5 certification — the mandatory German federal attestation for government agency cloud use — alongside ISO 27001 and GAIA-X participation.
One distinction you need to get right: Delos Cloud is a sovereign GCP stack for the German market where T-Systems controls the operational layer. It uses Google Cloud technology under T-Systems management — that’s Guardrail Sovereign positioning, not Full EU Isolation. Open Telekom Cloud is fully EU-native. They’re distinct products; evaluate them separately.
For German federal workloads, BSI C5 is a mandatory procurement requirement. T-Systems and StackIT (Schwarz Group / Lidl/Kaufland) are the primary EU-native providers at this level. AWS’s European Sovereign Cloud also holds BSI C5 — but retains CLOUD Act exposure through its US parent.
T-Systems is enterprise-oriented in pricing and support. Not the cost-efficient choice for SMBs, but absolutely the right choice where compliance depth and institutional backing are non-negotiable.
Best fit: Government, healthcare, automotive, financial services, and large enterprise workloads, particularly in the German market.
When Does GAIA-X Certification Actually Matter — and What Are Its Limits?
GAIA-X is the European Commission-backed federated cloud ecosystem promoting data portability, transparency, and interoperability. Europe contributes nearly 25% of global cloud revenues but owns less than 2% of cloud infrastructure — GAIA-X was designed to address exactly that imbalance.
Here’s the catch though: AWS, Azure, and Google Cloud are all GAIA-X members, right alongside OVHcloud, Scaleway, and T-Systems. GAIA-X membership does not mean Full EU Isolation. CISPE, the EU cloud trade association, has called this a “Trojan horse” — US hyperscaler membership dilutes the sovereignty signal the framework was supposed to provide. GAIA-X labels certify interoperability, transparency, and data portability. They say nothing about ownership structure or CLOUD Act exposure.
EuroStack is the newer EU initiative responding to GAIA-X’s structural compromise — more focused on AI regulation, blockchain identity, and genuinely sovereign alternatives built without US hyperscaler co-authorship.
GAIA-X certification does have practical value when procurement policy or regulatory guidance requires it — a compliance checkbox in certain public-sector frameworks. But it’s not a substitute for verifying whether a provider is genuinely EU-native.
How Do You Choose the Right EU-Native Provider for Your Workloads?
The right choice depends on your company profile, regulatory requirements, service capability, and budget. There’s no single best EU-native provider — it depends on what you’re actually running.
SMB SaaS: Hetzner or Scaleway. Hetzner for maximum cost savings on compute and storage — 14.3x value over AWS is the strongest advantage in the market. Scaleway for GPU infrastructure, managed Kubernetes, and developer tooling.
FinTech and HealthTech: OVHcloud or T-Systems. OVHcloud’s ISO 27001, HDS, and SecNumCloud profile covers HealthTech requirements with the broadest EU footprint. T-Systems suits organisations operating primarily in Germany or requiring BSI C5.
German federal workloads: T-Systems or StackIT. BSI C5 is mandatory. AWS ESC holds it too, but retains CLOUD Act exposure — for full EU isolation plus BSI C5, T-Systems and StackIT are your options.
EU-wide enterprise scale: OVHcloud, with 30+ European data centres and the most comprehensive managed service catalogue in the tier.
Service tradeoffs to plan for: EU-native providers offer genuine legal protection, but their managed service catalogues are narrower than AWS or Azure. The gaps are real: no native AI/ML platform equivalent to SageMaker or Vertex AI; narrower serverless orchestration; smaller global edge networks. Expect to self-manage Redis, use GitHub or GitLab for CI/CD, and potentially run Kafka clusters independently.
The broader EU-native landscape also includes Aruba Cloud (Italian-origin, SME-focused, data centres in Italy, France, Germany, and Czech Republic), StackIT (Schwarz Group, Germany-based with BSI C5 and full EU isolation), and Exoscale (Swiss-based with no CLOUD Act exposure but governed by Swiss law — for GDPR, NIS2, or DORA compliance, an EU-headquartered provider is the cleaner path).
To give you a sense of scale: Airbus issued a €50 million, decade-long EU-native cloud migration tender. Catherine Jestin, EVP Digital: “We want to ensure this information remains under European control.” EU-native adoption isn’t a niche choice — the most sovereignty-sensitive enterprises at scale are making the same move.
For regulatory requirements driving provider selection, see when DORA, NIS2, or SecNumCloud mandate full EU isolation. For the full due diligence framework, see how to evaluate and select an EU-native provider. Return to our sovereign cloud hub for the complete sovereignty framework.
Frequently Asked Questions
What does “EU-native cloud provider” mean?
An EU-native cloud provider is 100% EU-owned, EU-operated, and governed exclusively by EU law, with no foreign parent company subject to the US CLOUD Act. This is the Full EU Isolation Model — the strongest legal protection tier for European data. EU data residency (servers in the EU) is necessary but not sufficient for genuine sovereignty.
Is Hetzner cheaper than AWS for cloud computing in Europe?
Yes, significantly. Independent benchmarks (Callista, February 2026) show Hetzner delivers approximately 14.3 times the value-per-compute-unit of AWS. The pricing difference is structural, not marginal.
What happened with the OVHcloud Canadian court order, and does it mean EU-native providers are not safe?
The Ontario Court of Justice ordered OVHcloud to hand over data stored in France because OVHcloud has a Canadian entity. The court rejected France’s blocking statute defence. This is a procedural case involving a non-EU entity, not a systemic failure — but verify any provider’s full corporate structure before assuming complete jurisdictional immunity. See the OVHcloud section above for full detail.
What is GAIA-X and does it guarantee cloud sovereignty?
GAIA-X promotes interoperability and transparency standards — it does not guarantee sovereignty. AWS, Azure, and Google Cloud are all GAIA-X members alongside EU-native providers. A GAIA-X label indicates data portability compliance, not Full EU Isolation. CISPE has described US hyperscaler membership as a “Trojan horse” diluting the framework’s intended sovereignty signal.
What is BSI C5 and why does it matter for German cloud compliance?
BSI C5 (Cloud Computing Compliance Criteria Catalogue) is the mandatory German federal attestation for government-use cloud services. T-Systems (Open Telekom Cloud) and StackIT are the primary EU-native providers certified at this level. AWS ESC has also achieved BSI C5 but retains CLOUD Act exposure through its US parent company.
What managed services will I lose switching from AWS to an EU-native provider?
The main gaps: no native AI/ML platform (no SageMaker or Vertex AI equivalent), narrower serverless orchestration, fewer managed database variants, and smaller global edge networks. Expect to self-manage Redis, use GitHub or GitLab for CI/CD, and potentially run Kafka clusters independently.
What is the Delos Cloud and how does it relate to T-Systems?
Delos Cloud is a sovereign GCP stack for the German market where T-Systems controls the operational layer — Google Cloud technology under T-Systems management, making it Guardrail Sovereign positioning, not Full EU Isolation. T-Systems’ own Open Telekom Cloud is fully EU-native. These are distinct products that must be evaluated separately against sovereignty requirements.
