European-only alternative to AWS.

Amazon Web Services is the original public cloud — and the original Schrems II problem. The same EU regions that make AWS technically usable for European workloads do not change the parent jurisdiction: AWS Inc. is a Delaware corporation, AWS EMEA SARL is a Luxembourg subsidiary fully controlled by it, and the CLOUD Act applies to both. For audited workloads, regulated industries and any business that has had a customer ask "is your provider US-subpoenable?", the honest answer on AWS is yes. Below is the engineering-grade map for getting off it.

Provider: AWS
Headquarters: Seattle, WA
Jurisdiction: United States
Legal regime: CLOUD Act, FISA 702, EO 12333

"EU region" is not sovereignty. Four questions decide it.

Data residency tells you where the bits sit. Sovereignty tells you which legal system can compel access. The answer must hold on all four — or the stack is not sovereign.

Residency

Where is the data physically stored?

Not "in the cloud" — which datacenter, in which country, under which jurisdiction.

Subprocessors

Who else is in your data path?

Every vendor that touches the data: the CDN, the email relay, the error tracker, the analytics pipe.

Jurisdiction

Whose laws can compel disclosure?

A US-headquartered provider falls under FISA 702 and the CLOUD Act — even when the bits sit in Frankfurt.

Key custody

Who actually holds the encryption keys?

If the cloud provider holds both the data and the keys, the data is readable by them — regardless of any DPA.

AWS · Azure · GCP — EU region

Fails on jurisdiction and key custody.

EU bits, US-headquartered parent, US subprocessors in the default path, provider-managed keys.

Binadit managed stack

Passes on all four.

EU-hosted on EU-headquartered infrastructure. Zero US subprocessors in the default path. Customer-held or EU-KMS keys. Listed by name in your Article 28 DPA.
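
The four questions can be run mechanically over a data-path inventory. The sketch below is an added example, not Binadit's tooling: it walks each vendor's ownership chain and reports which question each component fails. Assumptions: "passes" means every country in the chain is an EU-27 member state, the key-custody rule is the page's "same party holds data and keys", and the `Example...` entities and the inventory are constructed.

```python
from dataclasses import dataclass

EU = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
      "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE"}

# Legal entity -> (country of incorporation, controlling parent or None).
# The AWS rows follow the page; the "Example" entities are constructed.
ENTITIES = {
    "AWS EMEA SARL": ("LU", "AWS Inc."),
    "AWS Inc.": ("US", None),
    "ExampleTrace Inc.": ("US", None),
    "Example Hosting GmbH": ("DE", None),
}

@dataclass
class Component:
    name: str            # role in the data path
    vendor: str          # contracting legal entity, a key of ENTITIES
    data_country: str    # where the bits sit
    key_holder: str      # "customer", or the entity that holds the keys
    subprocessor: bool = False

def reach(entity, entities=ENTITIES):
    """Countries whose law reaches an entity, walking up the ownership chain."""
    countries, seen = [], set()
    while entity is not None and entity not in seen:
        seen.add(entity)
        country, parent = entities[entity]
        countries.append(country)
        entity = parent
    return countries

def assess(path, entities=ENTITIES):
    """Map each of the four questions to the components that fail it."""
    fails = {"residency": [], "subprocessors": [], "jurisdiction": [], "key custody": []}
    for c in path:
        if c.data_country not in EU:
            fails["residency"].append(c.name)
        if any(country not in EU for country in reach(c.vendor, entities)):
            fails["subprocessors" if c.subprocessor else "jurisdiction"].append(c.name)
        if c.key_holder == c.vendor:  # one party holds both data and keys
            fails["key custody"].append(c.name)
    return fails

# Constructed inventory: EU-region bucket, provider-managed keys, US error tracker.
EU_REGION_PATH = [
    Component("object storage", "AWS EMEA SARL", "DE", "AWS EMEA SARL"),
    Component("error tracker", "ExampleTrace Inc.", "US", "customer", True),
]
```

`assess(EU_REGION_PATH)` flags the bucket on jurisdiction and key custody even though its data sits in Germany, because `reach("AWS EMEA SARL")` resolves to Luxembourg and the United States.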

Why teams are exiting AWS

The drivers we hear in scoping calls are consistent: a procurement gate that now demands "no third-country data processor" (NIS2, DORA, public sector), a customer audit (typically B2B enterprise or healthcare) that flagged the AWS relationship, escalating egress and bandwidth costs that look worse every quarter, or a leadership-level concern after the 2024–2025 round of EU-US transfer mechanism uncertainty. The technical lift to leave AWS is rarely the blocker it appears to be. The real friction is choreography: zero-downtime database migrations, DNS cutover, observability continuity. That is where a managed-infrastructure partner saves months.

AWS services and their EU-only equivalents

A migration is not "swap one box for another". The mapping below is what we run for clients leaving AWS on Schrems II grounds — full EU jurisdiction, no US parent in the data path.

| AWS service | EU-only alternative | Engineering note |
|---|---|---|
| EC2 (compute) | Hetzner Cloud, OVH Public Cloud, IONOS Compute, Scaleway Instances, Leaseweb VMs | Per-vCPU and per-GB pricing on EU providers is dramatically lower; bare-metal options exist on Hetzner and OVH for reserved workloads. |
| S3 (object storage) | OVH Object Storage, Wasabi EU, Bunny Storage, self-hosted Ceph or MinIO on EU compute | S3-compatible APIs are universal; most application code is a single endpoint change. No egress fees on most EU providers. |
| RDS / Aurora (managed DB) | OVH Managed Databases, Scaleway Managed PostgreSQL, Aiven (FI), or self-managed PostgreSQL/MySQL with replication on EU compute | Streaming replication enables zero-downtime cutover. Managed EU PostgreSQL pricing is typically 30–50% lower than equivalent RDS. |
| CloudFront (CDN) | Bunny.net, KeyCDN | Bunny.net offers comparable POP density in EU and Middle East; cheaper per-GB; no US-default edge. |
| Route 53 (DNS) | Hetzner DNS, Bunny DNS, deSEC (DE non-profit) | For zone-only management, Hetzner DNS is free with hosting; deSEC is privacy-first and DNSSEC-by-default. |
| Lambda (serverless) | Scaleway Serverless Functions, Cloudflare Workers (note: US parent), or self-hosted OpenFaaS / Knative on EU Kubernetes | For sovereign deployments, self-hosted Knative on EU compute is the cleanest. Most Lambda workloads fit a small Kubernetes cluster. |
| SES (email) | Self-hosted Postfix on EU infra, Mailpace (NL), Tuta business, Brevo (FR) | For transactional volume under 1M/month, a properly-configured Postfix relay is operationally simpler and cheaper than SES. |
| SQS / SNS | Self-hosted RabbitMQ, NATS, or Redis Streams on EU compute | Managed message brokers are rare in the EU sovereign space. Self-managed is the standard pattern; we operate it for clients. |
| EKS (managed Kubernetes) | Scaleway Kapsule, OVH Managed Kubernetes, IONOS Managed K8s, or self-managed K3s/Talos on Hetzner | Managed K8s on EU providers has feature parity for 95% of workloads. We typically run Talos Linux on Hetzner bare metal for high-trust workloads. |
| CloudWatch / X-Ray | Self-hosted Prometheus + Grafana + Loki + Tempo on EU compute, or Grafana Cloud EU region | The OpenTelemetry standard makes the migration trivial; the operational gain is consolidated dashboards and zero per-metric pricing. |
| IAM | HashiCorp Vault on EU infra, plus per-platform IAM equivalents | No 1:1 replacement; cross-platform identity is rebuilt with Vault, OIDC providers (Keycloak), and per-tool roles. |
| WAF / Shield | Bunny.net WAF, ModSecurity / Coraza on EU edge, OVH Anti-DDoS | OVH includes large-scale anti-DDoS at no extra cost on most plans; Bunny WAF is rule-based and competitive. |
| KMS | HashiCorp Vault Transit on EU infra, GCP-style EU-KMS providers, or HSM-backed keys | For HYOK scenarios, on-premises HSM with cloud-side BYOK is the standard sovereign pattern. |
| Secrets Manager / SSM Parameter Store | HashiCorp Vault, Bitwarden Secrets Manager (US-headquartered — flag), Infisical (self-hosted) | Vault on EU infra is the production-grade answer. We deploy and operate it. |

How we migrate off AWS

A typical mid-market migration runs in three phases. The numbers below assume a 6–10 person engineering team and a moderately complex application stack.

Weeks 1–2

Audit & dependency map

Inventory every AWS service in use, every IAM role, every Lambda, every cross-service call. Tag personal data flows. Output: a remediation plan with risk-ranked findings and an effort estimate per service.

Weeks 3–6

Soft dependencies & egress prep

Replace CloudFront, Route 53, SES and CloudWatch first — zero application code changes for most. Move S3 buckets behind S3-compatible EU storage with dual-write during cutover. Pre-stage replicas of RDS in EU.

Weeks 6–14

Core compute & DB cutover

Blue-green compute migration with DNS-level traffic shift. Streaming-replication database cutover during a low-traffic window. EKS workloads moved to managed EU K8s or self-managed Talos. Decommission AWS account once verified.
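
The dual-write step in weeks 3–6 is only safe to cut over from once the EU bucket is proven byte-identical to the legacy one. The sketch below is an added example, not Binadit's migration code: it mirrors writes, then uses SHA-256 digests to find objects that predate dual-write or whose EU write failed. `MemoryS3`, the bucket names and the sample objects are constructed stand-ins; the wrapper only assumes clients with the `put_object`/`get_object` call shape of an S3-compatible SDK.

```python
import hashlib
import io

class MemoryS3:
    """Constructed offline stand-in with the put_object/get_object call shape
    of an S3-compatible client; fail_puts simulates a transient outage."""
    def __init__(self, fail_puts=0):
        self.objects, self.fail_puts = {}, fail_puts

    def put_object(self, Bucket, Key, Body):
        if self.fail_puts > 0:
            self.fail_puts -= 1
            raise ConnectionError("simulated EU endpoint timeout")
        self.objects[(Bucket, Key)] = bytes(Body)

    def get_object(self, Bucket, Key):
        return {"Body": io.BytesIO(self.objects[(Bucket, Key)])}

def digest(client, bucket, key):
    """SHA-256 of the stored object, or None when the key cannot be fetched."""
    try:
        body = client.get_object(Bucket=bucket, Key=key)["Body"].read()
    except Exception:  # KeyError in the stand-in; a real SDK raises its own error
        return None
    return hashlib.sha256(body).hexdigest()

class DualWriter:
    """Legacy bucket stays the source of truth; the EU bucket is the mirror."""
    def __init__(self, legacy, eu, legacy_bucket, eu_bucket):
        self.legacy, self.eu = legacy, eu
        self.lb, self.eb = legacy_bucket, eu_bucket

    def put(self, key, body):
        self.legacy.put_object(Bucket=self.lb, Key=key, Body=body)
        try:
            self.eu.put_object(Bucket=self.eb, Key=key, Body=body)
            return True
        except Exception:
            return False  # mirror copy missing; reconcile() will report it

    def reconcile(self, keys):
        """Keys whose EU copy is missing or differs from the legacy copy."""
        return [k for k in keys
                if digest(self.legacy, self.lb, k) != digest(self.eu, self.eb, k)]

    def backfill(self, keys):
        for k in keys:
            body = self.legacy.get_object(Bucket=self.lb, Key=k)["Body"].read()
            self.eu.put_object(Bucket=self.eb, Key=k, Body=body)
```

Switch reads to the EU bucket only after `reconcile()` over the full key listing returns an empty list; anything it returns goes through `backfill()` and is checked again.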

5-year TCO modelling on workloads we have actually migrated: typically 30–55% cheaper on EU sovereign infrastructure for predictable workloads, neutral to slightly higher for highly bursty workloads that benefit from sub-second autoscaling. Egress savings alone are often the difference between a positive and negative ROI.

Frequently asked questions

Does using an AWS EU region (Frankfurt, Ireland, Stockholm) solve the Schrems II problem?

No. The data residency is in the EU but Amazon Web Services Inc. is the controller of the infrastructure under US law. The CLOUD Act allows US authorities to compel disclosure of data held by US-controlled entities anywhere in the world. The EDPB has explicitly flagged this as a Schrems II issue. AWS EMEA SARL is a Luxembourg subsidiary fully owned by AWS Inc.; that ownership chain is what the analysis turns on.

How long does an AWS exit take in practice?

For a mid-market application (10–50 EC2 instances, a couple of RDS databases, S3, CloudFront, SES) with a 6–10 person engineering team and competent operational support: 10–16 weeks elapsed time. With a managed-infrastructure partner driving the choreography (which is most of the actual work), 6–10 weeks.

What about AWS GovCloud or AWS Sovereign Cloud Europe?

AWS GovCloud is for US federal workloads and is not relevant to EU buyers. AWS European Sovereign Cloud (announced 2023, in build-out) is operated by EU-headquartered AWS staff in EU regions, but the parent legal entity remains Amazon Web Services Inc. Whether it is "sovereign enough" depends on your specific compliance regime; for many Schrems II analyses it is not sufficient because the parent jurisdiction is unchanged.

Will we lose features by leaving AWS?

Specific managed services (DynamoDB single-digit-ms, Aurora Serverless v2, Bedrock model access, SageMaker training on H100s) have no clean EU sovereign equivalents. For 90% of mid-market workloads — web applications, APIs, e-commerce, B2B SaaS, analytics on warehouses — the EU sovereign stack covers it. We tell you upfront if your workload sits in the 10% category.

Can we keep some AWS services and migrate the rest?

Yes — a hybrid is sometimes the right answer. The discipline is to keep AWS only for clearly non-personal workloads, and document the boundary in your DPA. We have run hybrids where AWS handles ML training (no personal data, batch-only) and the EU sovereign stack handles all customer-facing infrastructure.

What does a managed exit cost?

Project-based pricing, scoped after the audit. Typical mid-market AWS exit: €25–80k for the project, plus the ongoing managed-infrastructure retainer for the new EU stack. The first-year savings on AWS spend usually exceed the project cost.

Plan your exit from AWS.

30-minute scoping call. We map your stack against EU-only alternatives, estimate the migration effort, and tell you whether it is the right call.