Category 08 of 22

Cloud & hosting

Q: What is the best EU cloud hosting provider?

On EU Vetted's editorial compliance score, Hetzner (Germany), Scaleway (France), OVHcloud (France), IONOS (Germany), Cleura (Sweden), STACKIT (Germany), UpCloud (Finland), Aruba Cloud (Italy), Stackscale (Spain), and T Cloud Public (Germany) all reach 5/5 as EU-owned and EU-hosted providers. The right choice depends on workload type and team size: Hetzner is the price-performance leader for developers; Scaleway and OVHcloud have the broadest managed services; STACKIT and T Cloud Public target large German enterprises with BSI C5 credentials.

Q: Does cloud hosting fall under the US CLOUD Act?

If the cloud provider is owned or ultimately controlled by a US-incorporated company, the CLOUD Act can compel it to produce data it controls regardless of where that data is physically hosted. AWS, Google Cloud, Azure, and DigitalOcean are all US-owned. EU-owned providers such as Hetzner, OVHcloud, Scaleway, and IONOS are not directly subject to the CLOUD Act. This is an assessment of corporate ownership, not a claim that EU providers are immune from all legal process — they are subject to EU and member-state law instead.

Q: Is there a GDPR-compliant cloud provider?

EU-incorporated cloud providers with EU-only data centres and published DPAs are GDPR-compliant in their role as data processors. Hetzner, OVHcloud, Scaleway, and IONOS all publish detailed DPAs. The term 'GDPR-compliant cloud' is widely used but the compliance burden lies primarily with how the customer architect and operates the workload — the provider's compliance is a necessary but not sufficient condition.

Q: What is BSI C5 or SecNumCloud, and which EU hosting providers have it?

BSI C5 (Cloud Computing Compliance Criteria Catalogue) is a German federal security framework for cloud services, audited by accredited third parties. It is broadly equivalent to ISO 27001 but with additional transparency and sovereignty requirements. STACKIT (Germany) and T Cloud Public (Germany) hold BSI C5 attestations, making them common picks for German public-sector and regulated-industry workloads. SecNumCloud is the French equivalent, developed by ANSSI; OVHcloud and Scaleway hold or are pursuing SecNumCloud qualification, which is a leading indicator for the EUCS Sovereign tier under development.

Q: What is the difference between EU-hosted and EU-owned cloud?

EU-hosted means the physical servers and data centres are in the EU — data at rest is on European soil. EU-owned means the company controlling the infrastructure is incorporated and headquartered in the EU, with no ultimate US parent. Both matter, for different reasons. EU-hosted without EU-owned means a US company's legal team can potentially be compelled to access data via CLOUD Act. EU-owned with EU-hosted means the legal exposure is to EU and member-state law only. The listings on this page show both dimensions separately.

Q: How does Hetzner compare to AWS and Google Cloud for a typical startup workload?

Hetzner (Germany, 5/5) offers significantly lower compute prices than AWS and Google Cloud for equivalent virtual machines — roughly 3–5x cheaper for standard workloads. The trade-off is a narrower managed-services catalogue: Hetzner has excellent bare-metal, VPS, and object storage, but lacks the AI/ML pipeline, serverless, and PaaS breadth of AWS or GCP. For startups whose primary constraint is compute cost and who can adopt managed services from other EU providers (e.g. Scaleway Functions, IONOS databases), Hetzner is typically the price-performance leader in the EU.

Q: Are EU cloud providers suitable for regulated workloads such as healthcare or financial services?

Yes, for most regulated workloads. STACKIT (Germany) and T Cloud Public (Germany) hold BSI C5 attestations and are regularly used for KRITIS-adjacent workloads. OVHcloud and Scaleway are ISO 27001 certified and are in use in financial services across the EU. The specific certification required depends on your regulation and member state: DORA (financial), NIS2, HIPAA (if serving US healthcare), and sectoral frameworks from national regulators. Check each provider's compliance page against your specific framework requirements.

In short

Cloud and hosting services provide the compute, storage, and network infrastructure on which applications and workloads run. For EU buyers, the key criteria are ownership of the infrastructure provider and hosting region — specifically whether the consolidated group is subject to US CLOUD Act jurisdiction. Top-rated EU options on EU Vetted include Hetzner (Germany, 5/5), Scaleway (France, 5/5), OVHcloud (France, 5/5), IONOS (Germany, 5/5), and Cleura (Sweden, 5/5).

Cloud and hosting covers the infrastructure layer: virtual machines, bare-metal servers, object storage, managed databases, Kubernetes clusters, and the network fabric that connects them. This category includes general-purpose public cloud providers (Hetzner, OVHcloud, Scaleway, IONOS), private cloud and managed hosting specialists (Cleura, Exoscale, STACKIT, Stackscale), and sovereign cloud offerings targeting regulated industries. It does not cover SaaS applications that run on top of this infrastructure.

For EU organisations, the ownership question in this category carries disproportionate weight compared to other software categories, because the cloud infrastructure provider has physical access to everything you run on it. If the infrastructure operator is a US-incorporated company — or has a US parent — the CLOUD Act can compel the consolidated group to produce data it controls regardless of where servers are physically located. This is why AWS Europe, Google Cloud Frankfurt, and Azure Netherlands all remain within CLOUD Act jurisdiction: the operating entity is ultimately controlled by a US parent. EU-owned providers such as Hetzner (Germany, 5/5), Scaleway (France, 5/5), OVHcloud (France, 5/5), IONOS (Germany, 5/5), and UpCloud (Finland, 5/5) are not subject to that direct exposure.

The second dimension specific to this category is regulatory certification. For regulated workloads — public sector, healthcare, financial services, critical infrastructure — the relevant certifications are BSI C5 (Germany), SecNumCloud (France), ISO 27001, and the emerging EUCS (European Union Cloud Service) scheme currently under development by ENISA. STACKIT and T Cloud Public (both Germany, 5/5) hold BSI C5 attestations and are frequently used for German regulated-sector workloads. OVHcloud and Scaleway are among the front-runners for the EUCS Sovereign tier. The listings below show each provider's certification status alongside its compliance score and ownership signal.

Showing all 12 alternatives in this category updating

Sort by

		Cert.
Cleura Swedish OpenStack public + compliant cloud (Cleura, ex-City Network, Iver-owned), ISO 27001/27017/27018, EU-only residency.	SE Sweden	ISO/IEC 27001 ISO/IEC 27017 +1 more	Open ↗
Exoscale Swiss public cloud (Akenes SA, A1 Digital member), 6 EU/CH zones, ISO 27001 + FINMA + TISAX, Swiss-data-residency guarantee.	GENEVA · CH Switzerland	ISO/IEC 27001 ISO/IEC 27017 +1 more	Open ↗
Hetzner Family-founded German hyperscaler alternative (1997), EU DCs in Falkenstein, Nuremberg, Helsinki; ISO 27001 + BSI C5 Type 2; from €4/month.	GUNZENHAUSEN · DE Germany	ISO/IEC 27001 C5	Open ↗
IONOS German publicly-listed cloud (IONOS Group SE, Frankfurt + Berlin DCs), first DE provider with both BSI C5 + IT-Grundschutz, Gaia-X member.	FRANKFURT · DE Germany	ISO/IEC 27001 C5	Open ↗
OVHcloud French sovereign cloud (OVH Groupe, Roubaix, 1999), ANSSI SecNumCloud 3.2-qualified Bare Metal Pod; 46 DCs, public on Euronext Paris.	ROUBAIX · FR France	ISO/IEC 27001 SecNumCloud +2 more	Open ↗
Scaleway French sovereign cloud (Iliad-owned, Xavier Niel), ANSSI SecNumCloud + HDS + ISO 27001; winner of €180M EU Cloud III tender.	PARIS · FR France	ISO/IEC 27001 SecNumCloud	Open ↗
STACKIT German sovereign cloud built by Schwarz Digits (Lidl/Kaufland parent), 4 EU DCs, EU Cloud III €180M winner with SEAL-3 highest rating.	NECKARSULM · DE Germany	ISO/IEC 27001 C5 +1 more	Open ↗
Stackscale Spanish private cloud + bare metal (Stackscale, Grupo Aire), Madrid + Amsterdam DCs, ISO 27001/27017/27018 + ENS High.	MADRID · ES Spain	ISO/IEC 27001 ISO/IEC 27017 +1 more	Open ↗
T Cloud Public (formerly Open Telekom Cloud) Deutsche Telekom's OpenStack public cloud (T-Systems), Biere + Magdeburg DCs, ISO 27001 + BSI C5 + TISAX; rebranded from Open Telekom Cloud.	BIERE · DE Germany	ISO/IEC 27001 ISO/IEC 27017 +2 more	Open ↗
UpCloud Finnish performance-focused cloud (Helsinki, 2011), 14+ DCs worldwide including 9 EU regions; ISO 27001; trusted by Plausible.	HELSINKI · FI Finland	ISO/IEC 27001	Open ↗
Aruba Cloud Italian sovereign cloud (Aruba S.p.A.), 4 Italian DCs (Arezzo/Bergamo/Rome), ACN-qualified up to AI3/QC3 for public administration.	AREZZO · IT Italy	ISO/IEC 27001 ISO/IEC 27017 +1 more	Open ↗
Contabo Munich-based budget VPS / dedicated hosting (Contabo GmbH); KKR + Oakley-owned since 2022; 11 global DCs; VPS from <€5/month.	MUNICH · DE Germany	—	Open ↗

FAQ

Frequently asked questions

What is the best EU cloud hosting provider?

On EU Vetted's editorial compliance score, Hetzner (Germany), Scaleway (France), OVHcloud (France), IONOS (Germany), Cleura (Sweden), STACKIT (Germany), UpCloud (Finland), Aruba Cloud (Italy), Stackscale (Spain), and T Cloud Public (Germany) all reach 5/5 as EU-owned and EU-hosted providers. The right choice depends on workload type and team size: Hetzner is the price-performance leader for developers; Scaleway and OVHcloud have the broadest managed services; STACKIT and T Cloud Public target large German enterprises with BSI C5 credentials.

Does cloud hosting fall under the US CLOUD Act?

If the cloud provider is owned or ultimately controlled by a US-incorporated company, the CLOUD Act can compel it to produce data it controls regardless of where that data is physically hosted. AWS, Google Cloud, Azure, and DigitalOcean are all US-owned. EU-owned providers such as Hetzner, OVHcloud, Scaleway, and IONOS are not directly subject to the CLOUD Act. This is an assessment of corporate ownership, not a claim that EU providers are immune from all legal process — they are subject to EU and member-state law instead.

Is there a GDPR-compliant cloud provider?

EU-incorporated cloud providers with EU-only data centres and published DPAs are GDPR-compliant in their role as data processors. Hetzner, OVHcloud, Scaleway, and IONOS all publish detailed DPAs. The term 'GDPR-compliant cloud' is widely used but the compliance burden lies primarily with how the customer architect and operates the workload — the provider's compliance is a necessary but not sufficient condition.

What is BSI C5 or SecNumCloud, and which EU hosting providers have it?

BSI C5 (Cloud Computing Compliance Criteria Catalogue) is a German federal security framework for cloud services, audited by accredited third parties. It is broadly equivalent to ISO 27001 but with additional transparency and sovereignty requirements. STACKIT (Germany) and T Cloud Public (Germany) hold BSI C5 attestations, making them common picks for German public-sector and regulated-industry workloads. SecNumCloud is the French equivalent, developed by ANSSI; OVHcloud and Scaleway hold or are pursuing SecNumCloud qualification, which is a leading indicator for the EUCS Sovereign tier under development.

What is the difference between EU-hosted and EU-owned cloud?

EU-hosted means the physical servers and data centres are in the EU — data at rest is on European soil. EU-owned means the company controlling the infrastructure is incorporated and headquartered in the EU, with no ultimate US parent. Both matter, for different reasons. EU-hosted without EU-owned means a US company's legal team can potentially be compelled to access data via CLOUD Act. EU-owned with EU-hosted means the legal exposure is to EU and member-state law only. The listings on this page show both dimensions separately.

How does Hetzner compare to AWS and Google Cloud for a typical startup workload?

Hetzner (Germany, 5/5) offers significantly lower compute prices than AWS and Google Cloud for equivalent virtual machines — roughly 3–5x cheaper for standard workloads. The trade-off is a narrower managed-services catalogue: Hetzner has excellent bare-metal, VPS, and object storage, but lacks the AI/ML pipeline, serverless, and PaaS breadth of AWS or GCP. For startups whose primary constraint is compute cost and who can adopt managed services from other EU providers (e.g. Scaleway Functions, IONOS databases), Hetzner is typically the price-performance leader in the EU.

Are EU cloud providers suitable for regulated workloads such as healthcare or financial services?

Yes, for most regulated workloads. STACKIT (Germany) and T Cloud Public (Germany) hold BSI C5 attestations and are regularly used for KRITIS-adjacent workloads. OVHcloud and Scaleway are ISO 27001 certified and are in use in financial services across the EU. The specific certification required depends on your regulation and member state: DORA (financial), NIS2, HIPAA (if serving US healthcare), and sectoral frameworks from national regulators. Check each provider's compliance page against your specific framework requirements.