Customer content in the EU
Why important?
Regulatory/contractual requirements for data residency.
How measured?
Scale 0–5 + N/A:
- 0 = Customer content not EU-based / no EU residency commitment
- 1 = EU residency only claimed; scope/exceptions unclear
- 2 = EU residency only for partial scope (some services/regions), many exceptions
- 3 = EU residency for core scope, but relevant exceptions/uncertainties (e.g., backups/DR)
- 4 = EU residency broadly documented + clear commitments, few exceptions
- 5 = EU-only (including backups/DR) + contractually committed & supported by solid evidence
- N/A = no reliable evidence
Sources / Evidence
- https://aws.eu/de/
- https://aws.amazon.com/blogs/aws/opening-the-aws-european-sovereign-cloud/
- https://cloud.ionos.de/zertifikate
- https://stackit.com/en/why-stackit/benefits/data-sovereignty
- https://www.ovhcloud.com/pl/bare-metal/secnumcloud/
- https://www.open-telekom-cloud.com/en/benefits/sovereignty
- https://www.open-telekom-cloud.com/en/data-security-gdpr-cloud/data-centers
- https://www.oracle.com/europe/cloud/eu-sovereign-cloud/faq/
- https://www.plusserver.com/en/product/pluscloud-open/
- https://upcloud.com/solutions/european-cloud/
- https://www.exoscale.com/datacenters/
- https://www.hetzner.com/de/european-cloud/
- https://www.scaleway.com/en/security-and-resilience/
- https://news.microsoft.com/de-de/erste-souveraene-cloud-plattform-fuer-die-deutsche-verwaltung-auf-der-zielgeraden/
- https://www.plusserver.com/wp-content/uploads/2023/09/20251014_plusserver-ISO-27001-2022-Zertifikat-und-Statement-of-Applicability-SoA-DE.pdf
- https://learn.microsoft.com/de-de/industry/sovereign-cloud/overview/microsoft-sovereign-cloud
- https://www.microsoft.com/de-de/trust-center/privacy/european-data-boundary-eudb
- https://www.noris.de/it-services/cloud-services/cloudloesungen-fuer-unternehmen/noris-sovereign-cloud/
- https://www.noris.de/wp-content/uploads/noris-Sovereign-Cloud-Product-Sheet.pdf
- https://www.syseleven.de/produkte-services/openstack-cloud/
- https://documentation.syseleven.de/en/discover/apis-and-regions/
- https://geschaeftskunden.telekom.de/business/loesungen/digitalisierung/t-cloud
Validation questions (RFP)
- Welche Datenklassen? Nur Primärdaten oder inkl. Backups/Logs? Welche Regionen/Standorte sind zulässig?
Scores comparison
| Providers | Score | |
|---|---|---|
| Delos Cloud | 5.0 | |
| SysEleven OpenStack Cloud | 5.0 | |
| Cloud Temple Trusted Cloud | 5.0 | All data exclusively hosted in FR (mainland France). SecNumCloud 3.2 IaaS+PaaS qualified (ANSSI). 3 availability zones in FR region. HDS certified for health data. |
| Infomaniak Public Cloud | 4.0 | All data exclusively hosted in CH (Geneva, Winterthur). Tier III+ DCs. Swiss Hosting Label. FADP + GDPR compliant. No outsourcing. CH is not EU, but GDPR equivalence recognized. |
| noris Sovereign Cloud | 5.0 | |
| AWS European Sovereign Cloud | 4.0 | |
| Exoscale | 4.0 | |
| Hetzner Cloud | 4.0 | |
| Microsoft Sovereign Cloud | 4.0 | |
| Oracle EU Sovereign Cloud | 4.0 | |
| STACKIT | 4.0 | |
| Scaleway | 4.0 | |
| T Cloud Public | 4.0 | |
| UpCloud | 4.0 | |
| pluscloud open | 4.0 | |
| IONOS Cloud | 3.0 | |
| OVHcloud Public Cloud (inkl. SecNumCloud) | 3.0 |