EU-only alternative to Cloudflare.

Cloudflare is the most US-exposed vendor in most "EU" stacks because it sits in front of the user: every visitor connects to a Cloudflare edge server before reaching your origin. Cloudflare's EU regions are EU-located edges, but the parent company is a Delaware corporation with US-controlled key material and US-controlled traffic logs. For Schrems II purposes, Cloudflare in front of personal-data traffic is one of the easiest problems to justify removing first, because the alternatives, Bunny.net (SI) and KeyCDN (CH), have comparable feature sets and dramatically simpler legal stories.

Provider: Cloudflare
Headquarters: San Francisco, CA
Jurisdiction: United States
Legal regime: CLOUD Act, FISA 702, EO 12333

"EU region" is not sovereignty. Four questions decide it.

Data residency tells you where the bits are. Sovereignty tells you which legal system can compel access. The answer must hold on all four points, or the stack is not sovereign.

Residency

Where is the data physically stored?

Not "in the cloud": which datacenter, in which country, under which jurisdiction.

Subprocessors

Who else is in your data path?

Every vendor that touches the data: the CDN, the mail relay, the error tracker, the analytics pipeline.

Jurisdiction

Which laws can compel disclosure?

A US-headquartered provider is subject to FISA 702 and the CLOUD Act, even when the data sits in Frankfurt.

Key custody

Who actually holds the encryption keys?

If the cloud provider holds both the data and the keys, it can read them, regardless of the DPA.

AWS · Azure · GCP — EU region

Fails on jurisdiction and key custody.

Bits in the EU, US-headquartered parent, US subprocessors in the default path, provider-managed keys.

Binadit-managed stack

Passes on all four.

Hosted in the EU on European-headquartered infrastructure. Zero US subprocessors in the default path. Keys held by the customer or by a European KMS. Named in your Article 28 DPA.

Why teams are leaving Cloudflare

The pattern we see: a privacy or DPO review identifies Cloudflare as a US subprocessor that processes every visitor request including IP addresses, browser fingerprints (via Bot Management) and cookies. Under Schrems II that is a transfer that needs supplementary measures — typically encryption that Cloudflare cannot read, which defeats the WAF and Bot Management features that were the reason for using Cloudflare. The simpler answer is to swap to an EU-jurisdictional provider where the legal analysis collapses to "no transfer." Bunny.net is the standard target and the migration is genuinely a few hours of DNS and configuration work.

Cloudflare services and their EU-only equivalents

A migration is not "swapping one box for another". The mapping below is what we run for clients leaving Cloudflare for Schrems II reasons: full EU jurisdiction, no US parent in the data path.

| Cloudflare service | EU-only alternative | Engineering note |
| --- | --- | --- |
| Cloudflare CDN | Bunny.net, KeyCDN (CH) | Bunny has 110+ POPs including dense EU coverage. Per-GB pricing is roughly half Cloudflare's comparable plan. Migration is a CNAME flip plus origin pull configuration. |
| Cloudflare WAF | Bunny WAF, ModSecurity / Coraza on EU edge, OVH Anti-DDoS rules | Bunny's WAF covers OWASP Top 10 with rule-based controls. For deep custom rules, ModSecurity on a self-managed edge is the production pattern. |
| Cloudflare DDoS protection | OVH Anti-DDoS (included on most plans), Bunny DDoS protection | OVH has invested heavily in their VAC scrubbing infrastructure; for large-scale L3/L4 attacks they are demonstrably competitive with Cloudflare. |
| Cloudflare DNS | Hetzner DNS, Bunny DNS, deSEC (DE non-profit) | For most use cases Hetzner or Bunny is sufficient. deSEC is privacy-first with mandatory DNSSEC. |
| Cloudflare R2 (storage) | Bunny Storage, OVH Object Storage, Wasabi EU, self-hosted MinIO | R2's zero-egress story is unique; on EU providers, egress is also typically free or very low, so the cost argument transfers. |
| Cloudflare Workers | Bunny Edge Scripting, self-hosted edge functions on Knative, EU-based serverless platforms | Workers is the hardest single Cloudflare product to replace. For most use cases (request rewriting, A/B testing, simple APIs), Bunny Edge Scripting covers it. For complex Workers (Durable Objects), self-hosted is the pattern. |
| Cloudflare Pages | Bunny CDN + EU object storage, GitLab Pages (EU instance), self-hosted Coolify | Pages' main value is the build pipeline; that piece moves to your CI provider. |
| Cloudflare Tunnel (Argo) | Tailscale (US — flag), Twingate (US — flag), WireGuard self-managed, Netbird (DE) | Netbird is DE-headquartered and provides the "no-public-IP" pattern with EU jurisdiction. WireGuard self-managed is the standard sovereign answer. |
| Cloudflare Access (zero trust) | Pomerium self-hosted, Authelia self-hosted, Boundary by HashiCorp on EU infra | For internal-only applications, an OIDC-protected reverse proxy on EU infrastructure is functionally equivalent. |
| Cloudflare Stream (video) | Bunny Stream, OVH Streaming, self-hosted MediaMTX with EU-only POPs | Bunny Stream offers comparable HLS/DASH delivery with EU-only edge option. |
| Cloudflare Bot Management | CrowdSec (FR), DataDome (FR), Cloudflare → Bunny + custom rules | CrowdSec is FR-headquartered and increasingly capable. For high-traffic e-commerce, DataDome (also FR) is the enterprise alternative. |

How we migrate from Cloudflare

A typical mid-market migration runs in three phases. The numbers below assume an engineering team of 6 to 10 people and a moderately complex application stack.

Days 1–3

Inventory & risk-rank

List every Cloudflare product in use: CDN, DNS, WAF rules, Workers, Pages, R2, Tunnel, Access. Map each to a personal-data exposure (does it touch PII?) and migration complexity. Output: priority list, usually CDN/DNS first.

Days 4–10

Soft swap (CDN, DNS, R2)

Provision Bunny pull zones for the same hostnames. Test with a staging hostname. Cut DNS over after pre-staging a low TTL. Migrate R2 to Bunny Storage via parallel-write. Port WAF rules manually to Bunny WAF.

Weeks 2–6

Hard pieces (Workers, Tunnel, Access)

Worker code reviewed and either ported to Bunny Edge Scripting, rewritten as origin-side middleware, or self-hosted on Knative. Tunnel replaced with Netbird or self-managed Wireguard. Access replaced with Pomerium or Authelia. Pages workloads moved to GitLab Pages or self-hosted.
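
A check for the cutover steps above, added here as an example and not Binadit's own tooling: it takes DNS records and response headers already collected per hostname (for instance with `dig` and `curl -I`) and lists the hosts that still route through Cloudflare, personal-data hosts first. The inventory shape, hostnames and `pii` flag are constructed assumptions; the markers are Cloudflare's nameserver and CNAME-setup suffixes and its edge response headers.

```python
# Added example: flags hostnames that still route through Cloudflare after cutover.
# Markers: Cloudflare nameserver / CNAME-setup suffixes and edge response headers.
CF_DNS_SUFFIXES = (".ns.cloudflare.com", ".cdn.cloudflare.net")
CF_HEADERS = ("cf-ray", "cf-cache-status")

# Constructed inventory (assumed shape): records gathered beforehand per hostname.
SAMPLE = [
    {"name": "www.example.test", "pii": True,
     "NS": ["ns1.eu-dns.example."], "CNAME": ["zone1.eu-cdn.example."],
     "headers": {"Server": "eu-edge", "Cache-Control": "max-age=60"}},
    {"name": "static.example.test", "pii": False,
     "NS": ["ns1.eu-dns.example."],
     "CNAME": ["static.example.test.cdn.cloudflare.net."],
     "headers": {"Server": "cloudflare", "CF-RAY": "constructed-value"}},
    {"name": "shop.example.test", "pii": True,  # partial delegation: one NS left behind
     "NS": ["ada.ns.cloudflare.com.", "ns1.eu-dns.example."], "CNAME": [],
     "headers": {"Server": "eu-edge"}},
]


def cloudflare_findings(host):
    """Return the reasons a host still touches Cloudflare (empty list = clean)."""
    findings = []
    for rtype in ("NS", "CNAME"):
        for target in host.get(rtype, []):
            name = target.rstrip(".").lower()  # normalise FQDN form and case
            if name.endswith(CF_DNS_SUFFIXES):
                findings.append(f"{rtype} -> {name}")
    headers = {k.lower(): v for k, v in host.get("headers", {}).items()}
    if headers.get("server", "").lower() == "cloudflare":
        findings.append("header server: cloudflare")
    findings += [f"header {h}" for h in CF_HEADERS if h in headers]
    return findings


def audit(inventory):
    """Map hostname -> findings for flagged hosts, personal-data hosts first."""
    flagged = [(h, cloudflare_findings(h)) for h in inventory]
    flagged = [(h, f) for h, f in flagged if f]
    flagged.sort(key=lambda hf: (not hf[0].get("pii", False), hf[0]["name"]))
    return {h["name"]: f for h, f in flagged}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "still on Cloudflare:", "; ".join(findings))
```

An empty result means none of the audited hostnames show Cloudflare in DNS or in the response path; it says nothing about products such as Tunnel or Access that are not visible from public records.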

Cloudflare-to-Bunny migrations almost always reduce monthly spend by 40–70% at typical mid-market volumes. The exceptions are Workers-heavy stacks (where the equivalent self-hosted infrastructure has higher fixed cost) and high-traffic Pages stacks (where Cloudflare's aggressive free tier is hard to match).

Frequently asked questions

Cloudflare has EU-only data plans now — does that solve it?

Cloudflare's "Data Localization Suite" can keep EU traffic on EU edges and EU keys, which addresses residency. It does not address jurisdiction: Cloudflare Inc. remains a US corporation subject to the CLOUD Act. For most Schrems II analyses, the data-localization product is an improvement but not full sovereignty.

Will switching CDN affect performance for European visitors?

For European users specifically, Bunny.net often performs as well as or better than Cloudflare because its EU POP density is higher relative to traffic. Real-world tests on e-commerce migrations have shown TTFB improvements of 10–30 ms for EU-specific traffic. For global users (US, APAC), Cloudflare's POP count is larger.

How do we handle Cloudflare Workers replacement?

Three patterns depending on the Worker: (1) trivial request rewrites move to Bunny Edge Scripting unchanged, (2) Workers that talk to KV / Durable Objects need a re-architect — typically the logic moves to the origin and uses Redis or Postgres, (3) Workers acting as API endpoints become small Knative services on EU infrastructure.

Is Bunny.net a real Schrems II–safe alternative?

Bunny.net is BunnyWay d.o.o., headquartered in Ljubljana, Slovenia (EU member). The legal entity is fully under EU jurisdiction. Their published subprocessor list is short and EU-focused. For Schrems II, the analysis collapses to "no third-country transfer" which is materially easier than Cloudflare's data-localization story.

What about Fastly or Akamai?

Both are US-headquartered. Fastly is in San Francisco; Akamai is in Cambridge, MA. The CLOUD Act analysis is the same as for Cloudflare. They are not easier under Schrems II than Cloudflare; they are different US providers with different feature sets.

How long does a Cloudflare migration take?

For a typical workload (CDN, DNS, basic WAF, no Workers): 1–2 weeks elapsed. For a Workers-heavy or Tunnel-dependent setup: 4–8 weeks. We can run the whole thing as a managed migration if you want it done without burning your team's capacity.

Plan your exit from Cloudflare.

A 30-minute scoping call. We map your stack against EU-only alternatives, estimate the migration effort, and tell you whether it is the right decision.