The EU Sovereign Cloud Stack: Building Production Without US Providers

Only 4% of global cloud infrastructure is owned by European companies. The rest? AWS, Azure, GCP — all US corporations subject to the US CLOUD Act, which allows American law enforcement to compel access to data stored on US-owned servers, regardless of where those servers physically sit.

AWS launched their "European Sovereign Cloud" in 2025. It doesn't solve the fundamental problem. The parent company is still American. The CLOUD Act still applies.

We run production workloads for EU clients. Here's the complete stack we've built using only European providers — what works, what's missing, and what it actually costs.

The Full Stack

*GitHub is Microsoft-owned. We accept this tradeoff because CI runners process code, not user data. For clients who need full sovereignty, we use self-hosted GitLab.

**Mailgun's EU region stores data in EU data centers but is US-owned. For maximum sovereignty, use a European transactional email provider like Brevo (France).

Compute: Hetzner Cloud

We've written about Hetzner before. The short version: it's 50–70% cheaper than AWS for equivalent specs, and the servers are physically in Germany and Finland.

Our standard MVP deployment:

# docker-compose.yml on a Hetzner CPX31
services:
  app:
    image: registry.example.com/myapp:latest
    ports: ["3000:3000"]
    env_file: .env
    restart: unless-stopped
    deploy:
      resources:
        limits:
          memory: 2G

  db:
    image: postgres:16
    volumes:
      - pgdata:/var/lib/postgresql/data
      - ./backups:/backups
    environment:
      POSTGRES_DB: myapp
      POSTGRES_PASSWORD: ${DB_PASSWORD}
    restart: unless-stopped

  redis:
    image: redis:7-alpine
    restart: unless-stopped

  caddy:
    image: caddy:2
    ports: ["80:80", "443:443"]
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
    restart: unless-stopped

volumes:
  pgdata:
  caddy_data:

Cost: €15.90/month for a CPX31 (4 vCPU, 8GB RAM). An equivalent AWS setup (EC2 t3.large + RDS + ElastiCache + ALB) runs €150–200/month.

Automated Backups

Hetzner doesn't have managed database backups like RDS. We build our own:

#!/bin/bash
# /scripts/backup.sh — runs daily via cron
BACKUP_DIR="/backups"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
FILENAME="db_${TIMESTAMP}.sql.gz"

# Dump and compress
docker exec postgres pg_dump -U postgres myapp | gzip > "${BACKUP_DIR}/${FILENAME}"

# Upload to Hetzner Object Storage
aws --endpoint-url https://fsn1.your-objectstorage.com \
  s3 cp "${BACKUP_DIR}/${FILENAME}" "s3://backups/${FILENAME}"

# Keep only last 30 local backups
ls -t ${BACKUP_DIR}/db_*.sql.gz | tail -n +31 | xargs rm -f

Yes, this is more work than clicking "enable backups" in the AWS console. It takes 30 minutes to set up, and it works reliably.

Object Storage: Hetzner or Scaleway

Hetzner Object Storage is S3-compatible, which means your existing code works with a config change:

// lib/storage.ts
import { S3Client } from "@aws-sdk/client-s3";

export const storage = new S3Client({
  region: "fsn1",
  endpoint: "https://fsn1.your-objectstorage.com",
  credentials: {
    accessKeyId: process.env.S3_ACCESS_KEY!,
    secretAccessKey: process.env.S3_SECRET_KEY!,
  },
});

// Usage is identical to AWS S3
await storage.send(new PutObjectCommand({
  Bucket: "uploads",
  Key: `images/${id}.webp`,
  Body: buffer,
}));

Cost: €5/TB/month for storage, €1/TB for egress. AWS S3 charges €23/TB/month for storage and €90/TB for egress.

CDN: BunnyCDN

BunnyCDN is headquartered in Slovenia and stores data in EU data centers. It's fast, cheap, and has an excellent API.

Cost: €0.01/GB for EU traffic. CloudFront charges €0.085/GB. That's an 8.5x difference.

# Caddyfile — reverse proxy with BunnyCDN for static assets
example.com {
  handle /api/* {
    reverse_proxy app:3000
  }
  handle {
    reverse_proxy app:3000
    header Cache-Control "public, max-age=31536000"
  }
}

Monitoring: Self-Hosted Stack

This is where the "European cloud gap" is most noticeable. There's no EU-native equivalent of Datadog or New Relic. We self-host:

# monitoring/docker-compose.yml
services:
  prometheus:
    image: prom/prometheus:latest
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml
    ports: ["9090:9090"]

  grafana:
    image: grafana/grafana:latest
    ports: ["3001:3000"]
    volumes:
      - grafana_data:/var/lib/grafana
    environment:
      GF_SECURITY_ADMIN_PASSWORD: ${GRAFANA_PASSWORD}

  node-exporter:
    image: prom/node-exporter:latest

  cadvisor:
    image: gcr.io/cadvisor/cadvisor:latest
    volumes:
      - /:/rootfs:ro
      - /var/run:/var/run:rw
      - /sys:/sys:ro
      - /var/lib/docker/:/var/lib/docker:ro

We run this on a separate Hetzner CX22 (€5.29/month). Total monitoring cost: €5.29/month. Datadog's equivalent would start at €23/host/month for infrastructure monitoring alone.

The Cost Comparison

Here's our real production stack for a typical MVP serving 5,000 users, compared to the AWS equivalent:

That's an 88% cost reduction. For a startup burning through runway, this difference compounds fast.

What's Missing

Let's be honest about the gaps:

Managed Kubernetes: Hetzner doesn't offer managed Kubernetes. Scaleway has Kapsule, but it's not as polished as EKS or GKE. For most MVPs, you don't need Kubernetes — Docker Compose is enough.

Managed message queues: No EU equivalent of SQS. Use Redis streams or self-hosted RabbitMQ. Works fine for MVP-scale workloads.

Auto-scaling: Hetzner Cloud has an API and load balancers, but no auto-scaling groups. For MVPs, vertical scaling (upgrading the server) is simpler and sufficient.

Compliance certifications: AWS has every compliance cert imaginable. Hetzner has ISO 27001 and SOC 1. For most startups, this is enough. For regulated industries (healthcare, finance), you may need to evaluate carefully.

When to Use US Providers Anyway

We're pragmatic, not ideological. Use US providers when:

• Your product operates globally and needs edge presence in Asia, South America, or Africa
• You need managed AI/ML infrastructure (there's no EU equivalent of AWS SageMaker)
• Your client requires specific compliance certifications that EU providers don't have
• You need managed Kubernetes at scale with auto-scaling

For everything else — and that's most EU startups we work with — the European stack works.

The Bottom Line

Building on European infrastructure isn't a political statement. It's a practical decision for EU-based products:

• GDPR compliance is simpler when your data never leaves EU-owned servers
• Costs are 50–90% lower for equivalent workloads
• Latency is excellent for European users
• You're not subject to the CLOUD Act

The gap between EU and US cloud providers is real but shrinking. And for the workloads most startups run — a web app, a database, some file storage — the gap doesn't matter.

We sleep better knowing our clients' data is on servers owned by a company that can't be compelled by a US subpoena to hand it over.

We build and manage EU-sovereign cloud infrastructure for our clients. Learn more about our Cloud & DevOps services.

Sources

• Europe's Digital Sovereignty Dilemma — Akave
• EDPB/EDPS Joint Response on the US CLOUD Act (PDF)
• BunnyCDN — Headquartered in Slovenia
• PostHog EU Cloud