European sovereign cloud spending is forecast to more than triple between 2025 and 2027. A majority of Western European CIOs are already planning to shift more workloads to local cloud providers. If the board or your legal team hasn’t asked about your cloud sovereignty posture yet, they will soon.
Here’s the problem though: “sovereign cloud” has become a marketing term with a loose definition. AWS, Azure, and Google Cloud all have products labelled “sovereign.” But those products still carry CLOUD Act exposure through their US parent companies — and no contract you sign changes that.
This article is a buyer’s survey. We cover which cloud providers are genuinely EU-native in 2026, how the major players stack up against concrete criteria, what the Kyndryl/Solvinity acquisition means for your existing contracts, and where EU-native providers are — and aren’t — ready for SMB SaaS workloads. This guide is part of our comprehensive look at how European cloud procurement became a jurisdictional risk decision — covering the legal threats, certification landscape, and decision framework for European tech companies.
Which cloud providers are genuinely EU-native in 2026, and what distinguishes them from hyperscaler “sovereign” offerings?
EU-native means: EU-headquartered, EU-owned, and governed exclusively by EU law — with no US or non-EU parent company capable of receiving a CLOUD Act warrant.
Here’s why that matters. The US CLOUD Act (2018) allows US law enforcement to compel any American company to hand over data — regardless of where that data is physically stored. Jurisdiction follows the company, not the data centre. An AWS data centre in Frankfurt, managed by an EU GmbH subsidiary, is still subject to a US federal warrant issued to Amazon Inc. in Seattle. Gartner analyst René Buest put it plainly: “AWS European Sovereign Cloud GmbH is a 100 percent subsidiary of Amazon Inc. There are still dependencies. They don’t give up control.”
GDPR Article 48 directly conflicts with CLOUD Act compliance — it prohibits transferring EU personal data to non-EU authorities without an international agreement. Schrems II (2020) confirmed that US surveillance law prevents adequate data protection for EU data held by US-parent companies.
So the cloud landscape splits into three tiers:
- Full EU Isolation: EU data residency + EU data sovereignty + EU jurisdictional control. The only tier that eliminates CLOUD Act exposure.
- Guardrail Sovereign: Hyperscaler sovereign variants — AWS European Sovereign Cloud, Azure EU Data Boundary, Oracle EU Sovereign Cloud. EU data residency, but residual CLOUD Act exposure via the US parent. Typically a 10–30% price premium for what is, ultimately, an incomplete solution.
- EU-Based (insufficient): Servers in the EU but non-EU ownership. GDPR-compliant on paper, legally exposed to extraterritorial warrants in practice.
One thing to clear up before we get into the providers: GAIA-X membership is not a sovereignty signal. AWS, Azure, and Google Cloud are all GAIA-X members. CISPE described this as a “Trojan horse.” GAIA-X certifies data portability and interoperability — not EU ownership, not CLOUD Act protection.
For a detailed comparison of how these EU-native providers differ from the AWS European Sovereign Cloud — including its corporate structure and GAIA-X Level 3 exclusion — see our dedicated analysis.
How do OVHcloud, STACKIT, Outscale, and Open Telekom Cloud actually compare — and which is right for your workload?
For the full breakdown of SecNumCloud, BSI C5, and GAIA-X certifications held by each provider, see our certification guide.
OVHcloud
OVHcloud — France-based; 30+ data centres across Europe; ISO 27001 and HDS certified; SecNumCloud-qualified (earlier version, not 3.2); GAIA-X participant. OVHcloud has the broadest managed service catalogue in the EU-native tier: IaaS, PaaS, managed Kubernetes, managed databases, object storage, and AI infrastructure. If you’re looking for the most AWS-comparable EU-native option for SMB SaaS teams, OVHcloud is it.
Due diligence flag — the Canadian court order: In September 2024, the Ontario Court of Justice ordered OVHcloud to produce data stored in France, Great Britain, and Australia. OVHcloud invoked France’s loi de blocage; the Canadian court rejected it. Whether this affects EU sovereignty credentials depends on whether EU legal entities or EU-hosted data were directly implicated. Ask OVHcloud directly, and if the answer is ambiguous, require a contractual indemnity clause.
STACKIT
STACKIT is the cloud division of Schwarz Group — the people behind Lidl and Kaufland. BSI C5 certified; German-headquartered; privately held; no US parent, so the CLOUD Act does not apply. It offers managed databases, Kubernetes, message queues, and object storage with GDPR-first design. The €11 billion Schwarz Group commitment is the largest single private investment in EU-native cloud infrastructure, which makes STACKIT the least acquisition-vulnerable major EU-native provider around right now. The trade-off: catalogue maturity — particularly AI and global CDN — is still developing relative to OVHcloud.
Outscale (3DS Outscale)
Outscale is a Dassault Systèmes subsidiary and the only public cloud provider holding SecNumCloud 3.2 certification as of late 2025. That certification requires EU-only ownership, immunity from non-EU authority requests, and exclusive EU data processing. Outscale hosts France’s Visio sovereign video-conferencing platform and partners with Mistral AI for sovereign AI inference. Service breadth is narrower than OVHcloud or STACKIT. The right choice when SecNumCloud 3.2 is a procurement requirement; not the default for general SMB SaaS.
Open Telekom Cloud
T-Systems/Deutsche Telekom subsidiary; BSI C5 certified; OpenStack-based; high-availability zones in Germany and the Netherlands. Dominant in German federal and regulated-sector procurement. Enterprise-oriented in pricing and onboarding — less SMB-friendly than OVHcloud or STACKIT. SAP S/4HANA certified. One thing worth noting: some OTC infrastructure uses Huawei hardware — this is publicly disclosed, and it’s relevant if you have supply-chain-sensitive workloads. Also, OTC is a Full EU Isolation provider. Delos Cloud, a separate T-Systems product built on a sovereign GCP stack, is not — don’t confuse the two.
Redcentric, ANS, and Hetzner
Redcentric and ANS are UK-based. Post-Brexit, they operate outside EU regulatory frameworks — no SecNumCloud, no BSI C5, no GDPR enforcement parity. Evaluate them for UK-domiciled workloads only.
Hetzner Online is German-headquartered, privately held, and genuinely EU-native by ownership. It’s left out of the main comparison because it lacks managed service depth — no BSI C5, limited managed databases, no managed Kubernetes at OVHcloud or STACKIT’s level. Where it shines is compute: a Callista benchmark from February 2026 found Hetzner at 10% of the equivalent AWS price with 71% better multi-core performance. Use it for cost-optimised compute and raw storage alongside a provider with managed PaaS. Not as a standalone primary cloud.
What happened when Kyndryl acquired Solvinity — and what does it mean for sovereign cloud procurement?
Before you select a provider, there’s a risk dimension that no comparison table captures: what happens after you sign the contract.
What Solvinity was: A Dutch managed cloud provider whose clients included the Dutch Ministry of Justice and Security (via the Justitienet secure communications network), the citizen authentication system DigiD, and the government portal MijnOverheid. These organisations had specifically chosen Solvinity to reduce dependence on American firms and limit CLOUD Act exposure.
What happened: On 4 November 2025, Kyndryl — a US-headquartered IT services company and 2021 IBM infrastructure spin-off — announced it was acquiring Solvinity. Once the acquisition completed, Solvinity’s services fell under US CLOUD Act jurisdiction. The Justitienet network, DigiD, and MijnOverheid became accessible via a US federal warrant — without any change to server locations or data residency. Amsterdam was informed one day before the official announcement. The Dutch House of Representatives voted to accelerate investment in European cloud alternatives.
The structural lesson: Provider sovereignty at contract signing is not the same as durable sovereignty over the life of a multi-year contract. M&A can revoke EU-native status overnight with no notification requirement to existing customers.
Due diligence checklist for every sovereign cloud contract:
- Request the full ownership chain — every holding company and majority investor, not just the operating entity
- Include a change-of-control clause: right to terminate without penalty if acquired by a non-EU entity
- Define “EU-native” in the contract: EU-headquartered, majority EU-owned, not subject to any non-EU extraterritorial law (specifically the US CLOUD Act)
- Require 30-day notification of any acquisition discussions or ownership change
- Include a data portability clause: open-format export within 30–90 days triggered by any ownership change
For the full legal and procurement risk framework, see our European cloud sovereignty decision guide which contextualises acquisition risk within the broader jurisdictional landscape.
Can EU-native cloud providers actually handle SMB SaaS workloads in 2026?
The honest answer: most SMB SaaS compute and storage workloads can run on EU-native infrastructure today. Managed AI/ML services, advanced serverless, and global CDN are where AWS and Azure remain materially ahead.
Where EU-native providers are ready
Compute: OVHcloud, STACKIT, Open Telekom Cloud, and Hetzner are all competitive — with Hetzner delivering a 14.3x value ratio vs AWS for compute-heavy workloads.
Object storage: S3-compatible on OVHcloud, STACKIT, and Hetzner. Adequate for most SaaS patterns.
Managed Kubernetes: OVHcloud and STACKIT both offer managed K8s. Viable for containerised SaaS applications.
Managed relational databases: PostgreSQL and MySQL on OVHcloud and STACKIT. Adequate for standard SaaS workloads.
Enterprise ERP: OVHcloud and Open Telekom Cloud are both SAP-certified for S/4HANA. Mission-critical application hosting is not the bottleneck.
Where EU-native providers lag
Managed AI/ML: No EU-native platform comparable to AWS SageMaker or Azure ML. The Outscale + Mistral AI partnership provides sovereign AI inference on SecNumCloud 3.2 infrastructure — strong for regulated workloads — but inference is not a full MLOps platform.
Serverless: No EU-native equivalent to AWS Lambda or Azure Functions with comparable ecosystem depth. This is the biggest migration friction point for serverless-heavy architectures.
Global CDN and edge: EU-native providers are EU-regional. US or APAC SaaS traffic is a genuine gap.
Developer tooling and CI/CD: Thin offerings. Most EU-native SaaS teams use GitHub or GitLab (US-hosted) for CI/CD even when compute is EU-native — an accepted hybrid gap for now.
Gartner’s framing for 2026 is “hybrid first”: new workloads go to EU-native infrastructure; existing hyperscaler integrations for AI/ML and global CDN stay for now. The gaps above are precisely where current EU build and fund efforts are concentrated.
For the open-source layer that resolves the Microsoft 365 dependency without hyperscalers, see our analysis of what Nextcloud, OpenDesk and LibreOffice actually replace for a European tech company — covering capability gaps, deployment case studies, and migration considerations.
What is the Eurostack Foundation’s buy/build/fund framework — and where does it stand in 2026?
The Eurostack Foundation is associated with economist Cristina Caffarra and publishes research and advocacy on building a genuinely independent EU digital infrastructure ecosystem. Their work is at euro-stack.info. Caffarra’s framing cuts straight to it: “Can we please have 30 to 40 percent for ourselves?” Not autarky. Meaningful resilience. The stakes: over 80% of Europe’s digital technologies are imported, and Europe’s digital bill to foreign providers runs to roughly €264 billion annually.
The buy/build/fund framework is the operational response to that problem.
Buy: Prioritise procurement of existing EU-native services where they meet requirements. OVHcloud, STACKIT, Outscale, and Open Telekom Cloud are the current buy tier.
Build: Where EU-native alternatives don’t yet exist — AI/ML platforms, advanced serverless, global edge — support or commission EU-native equivalents. GAIA-X Data Spaces are the most operational manifestation: 150+ active industry data space projects covering Catena-X (automotive) and the European Health Data Space.
Fund: Direct investment to close capability gaps. The EU Commission launched a €180 million sovereign cloud competition in October 2025; the EuroHPC Joint Undertaking is building JUPITER, Europe’s first exascale system.
The buy tier is viable today for compute, storage, and containerised SaaS. Build and fund are active but incomplete. Don’t build a 2026 migration plan around 2027 capabilities.
For the broader European cloud sovereignty decision framework that contextualises the Eurostack initiative within EU regulatory and legislative developments, see the pillar article.
How should a European SMB approach the EU-native provider market in 2026 — a practical starting framework?
Here’s how to turn the research above into something actionable. This is a five-step procurement starting point — a framework, not a migration playbook.
Step 1: Classify your workloads by sensitivity tier
Tier A — Highest sensitivity: Personal data of EU citizens, financial data subject to DORA, health data. Full EU Isolation mandatory; no hyperscaler sovereign variant is acceptable.
Tier B — Standard business: SaaS application compute, internal tooling, B2B customer data. EU-native preferred; hybrid with hyperscaler acceptable where no EU-native equivalent exists.
Tier C — Low sensitivity: Public-facing CDN, global AI/ML training, CI/CD tooling. Hyperscaler acceptable; prioritise EU-native where available.
Step 2: Match provider to workload
- SecNumCloud 3.2 required (French public sector, healthcare, defence-adjacent): Outscale — the only qualifying public cloud
- BSI C5 required (German federal, German healthcare): Open Telekom Cloud or STACKIT
- Broad EU SMB SaaS: OVHcloud or STACKIT — the most AWS-comparable EU-native options
- Value compute without managed services: Hetzner
- UK workloads only: Redcentric or ANS — outside EU regulatory frameworks post-Brexit
Step 3: Apply acquisition risk due diligence
Use the checklist from the Solvinity section above. Do not skip this for Tier A workloads, regardless of provider.
Step 4: Plan a hybrid architecture, not a full migration
Migrate Tier A and Tier B workloads to EU-native compute and storage. Maintain hyperscaler relationships for AI/ML, global CDN, and advanced serverless until EU-native equivalents mature. Build new workloads on EU-native infrastructure from day one.
Step 5: Monitor the build/fund pipeline
Set an 18–24 month review trigger. Eurostack Foundation publications (euro-stack.info) and EU Commission cloud sovereignty updates are the primary signals. For the complete jurisdictional risk in cloud procurement framework, see our pillar guide — it synthesises the legal context, certification landscape, and provider evaluation into a single decision resource for European tech leaders.
Frequently Asked Questions
What is the difference between a SecNumCloud-certified provider and a GDPR-compliant provider?
GDPR is a baseline legal requirement for any provider handling EU personal data. It governs data handling but does not address provider ownership, jurisdiction, or CLOUD Act exposure. SecNumCloud 3.2 goes further: the provider must be immune to requests from non-EU public authorities, process data exclusively within the EU, and be registered within the EU. For French public-sector contracts, SecNumCloud 3.2 is now mandatory; GDPR compliance alone is insufficient.
Is STACKIT genuinely independent, or is the Lidl connection a risk?
STACKIT is a division of the Schwarz Group (Lidl, Kaufland). German-headquartered, privately held, no US parent — the CLOUD Act does not apply. Schwarz Group’s scale makes STACKIT the least acquisition-vulnerable major EU-native provider. The Lidl association creates perception friction in enterprise conversations, not a legal or governance risk. The real limitation is catalogue maturity: managed AI and global CDN offerings are still developing relative to OVHcloud.
Does OVHcloud’s Canadian court order affect its EU sovereignty credentials?
The Ontario Court of Justice issued a data-access order in September 2024 requiring OVHcloud to produce data stored in France, Great Britain, and Australia. OVHcloud invoked France’s loi de blocage; the Canadian court rejected it. If the order applied only to OVHcloud’s Canadian entity and Canadian-hosted data, EU operations are unaffected. Ask OVHcloud directly whether EU data or EU legal entities were involved, and require a contractual indemnity clause if the answer is ambiguous.
What is BSI C5 Type 1 vs Type 2 — and which should I require?
Type 1 is a point-in-time design attestation; Type 2 is a sustained operational audit over a defined period (typically 12 months) — materially stronger assurance. For German federal agencies and German healthcare (mandatory from July 2025), Type 2 is the expected standard. For buyers outside German regulated verticals, Type 1 is an adequate baseline.
What is GAIA-X and why doesn’t it guarantee cloud sovereignty?
GAIA-X is a European initiative for cloud interoperability and data portability. AWS, Azure, and Google Cloud are all GAIA-X members alongside EU-native providers — CISPE called this a “Trojan horse” diluting the sovereignty signal. GAIA-X labels certify interoperability and data portability compliance, not EU ownership, not CLOUD Act protection, and not SecNumCloud or BSI C5 equivalence.
Can I run SAP S/4HANA on an EU-native provider?
Yes — OVHcloud and Open Telekom Cloud are both SAP-certified hosting environments for S/4HANA. Mission-critical application hosting is not the constraint. The constraint is managed database scaling and support SLA structure — review specific managed database offerings against your S/4HANA sizing requirements before signing. STACKIT is also targeting SAP workloads given Schwarz Group’s own ERP footprint; check current certification status before procurement.
What acquisition-protection clause should I include in a cloud provider contract?
Include a change-of-control clause granting the right to terminate without penalty if the provider is acquired by a non-EU-headquartered entity. Define “EU-native” in the contract: EU-headquartered, majority EU-owned, not subject to non-EU extraterritorial law (specifically the US CLOUD Act). Require 30-day notification of any ownership change, and a data portability clause guaranteeing open-format export within 30–90 days on any change-of-control event.
What EU-native cloud options exist specifically for AI and machine learning workloads in 2026?
Limited, honestly. No EU-native provider offers an AI/ML platform comparable to AWS SageMaker or Azure ML. The Outscale + Mistral AI partnership provides sovereign AI inference on SecNumCloud 3.2 infrastructure — the strongest regulated-workload option. OVHcloud offers GPU instances adequate for teams with strong ML engineering capability. STACKIT’s AI roadmap is active but not mature enough for production MLOps at scale. Expect meaningful progress within 18–24 months.
Is Hetzner a genuine EU-native provider — and why is it not in the main provider comparison?
Hetzner Online is German-headquartered, privately held, and EU-native by ownership. It’s excluded from the main comparison because it lacks the managed service depth that buyers making a primary cloud provider decision need — no BSI C5, limited managed databases, no managed Kubernetes at OVHcloud or STACKIT’s level. Use it for cost-optimised compute and raw storage layered alongside a managed PaaS provider — not as a standalone primary cloud for SaaS workloads above around 20 employees.
What does “EU digital sovereignty” actually mean in a legal contract — is it enforceable?
“EU digital sovereignty” has no single legal definition. What is enforceable: specific certification requirements (SecNumCloud 3.2, BSI C5 Type 2), contractual change-of-control clauses, GDPR data processing agreements with specific transfer restriction provisions, and data localisation requirements under NIS2, DORA, or German healthcare law. A provider calling itself “sovereign” in marketing materials has no legal weight. Translate sovereignty requirements into specific, verifiable contractual specifications — certifications held, ownership structure, change-of-control rights, data portability obligations.
