For most of the last decade, the default answer to "where should we host this?" was a US hyperscaler with a European region toggled on. In 2026 that answer no longer holds up to scrutiny. Enterprise procurement teams now ask who controls the infrastructure, which legal jurisdiction the operating company sits in, and whether a foreign government can compel access to data stored on European soil. Those questions changed the market. A US provider running servers in Frankfurt is not the same thing as a European cloud provider, and the difference is now a line item in security reviews.
This guide compares the real options for teams that need European hosting. It covers why EU data residency matters beyond a checkbox, the three distinct categories of provider you will encounter, a side-by-side comparison table, and where a managed EU PaaS fits for teams that want compliance without running their own infrastructure.
The short answer
A European cloud provider hosts and operates infrastructure inside the EU under European jurisdiction. In 2026 you have three realistic categories: US hyperscalers with EU regions (broad services, but a US-headquartered operator), sovereign or European-native clouds (EU-operated, sometimes narrower catalogs), and managed EU PaaS (developer-first deployment with EU data residency built in). Pick based on jurisdiction risk, service breadth, and how much infrastructure you want to operate yourself.
Why EU data residency matters in 2026
Data residency is the guarantee that your data is physically stored and processed within a specific geography. For European teams and for anyone serving EU residents, that geography is the EU. Three forces make this a technical and legal priority rather than a marketing preference.
The GDPR governs where data can flow. The General Data Protection Regulation applies to every organization that processes personal data belonging to people in the EU, regardless of where the company is incorporated. Chapter V of the regulation restricts transfers of personal data to countries outside the EU unless specific safeguards are in place. Keeping data inside the EU removes an entire category of transfer risk. You can read the transfer rules directly in the official GDPR text, Articles 44 to 50. Hosting in Europe does not make you automatically compliant, but it eliminates the hardest compliance problem before you start.
Extraterritorial access laws create jurisdiction risk. The US CLOUD Act, enacted in 2018, allows US authorities to compel US-based providers to produce data under their control, even when that data is stored on servers in another country. This is the crux of the sovereignty debate. A dataset sitting in a Frankfurt data center is still reachable through a US-headquartered operator's legal obligations. This is not hypothetical procurement paranoia. It is why public-sector buyers, healthcare platforms, and regulated financial services increasingly require an operator under European jurisdiction, not merely servers on European soil.
Enterprise buyers now audit for it. Data residency has moved from a nice-to-have into standard security questionnaires. When a mid-market or enterprise customer evaluates your product, "where is our data stored and who operates it?" is a gating question. Being able to answer "in the EU, operated in the EU" shortens sales cycles and removes a common objection.
Data residency vs. data sovereignty. Data residency means your data is stored in a defined location. Data sovereignty is the stronger claim that the data and the infrastructure fall exclusively under the laws of that location, with no foreign legal reach. A US hyperscaler's EU region gives you residency. It does not, on its own, give you sovereignty.
The three types of European cloud provider
Not all "European hosting" is the same. Understanding which category a provider falls into is the single most useful filter when you evaluate options.
1. US hyperscalers with EU regions
The large global platforms operate data centers across multiple European countries. You can deploy into Frankfurt, Dublin, Paris, or Stockholm with a region selector. The service catalog is enormous, the tooling is mature, and the ecosystem is deep.
The catch is jurisdiction. The operating company is headquartered in the United States, which brings the CLOUD Act into scope regardless of where the bytes sit. Several of these providers have introduced "sovereign" offerings operated by local partners to address this, but the standard region toggle does not change who legally controls the infrastructure. For many teams the breadth is worth it. For teams whose whole reason to be in Europe is jurisdiction, an EU region on a US operator only solves the residency half of the problem.
2. Sovereign and European-native clouds
These are providers incorporated and operated within the EU. The operating entity is European, which means the CLOUD Act does not reach them and your contract sits under European law end to end. This is the category that genuinely answers the sovereignty question.
The tradeoff is usually breadth and abstraction level. Many European-native infrastructure providers offer excellent raw compute, storage, and networking, but the managed-service catalog is narrower than a hyperscaler's, and much of the operational work stays with you. You get sovereignty and often better price-to-performance, in exchange for doing more of the assembly yourself.
3. Managed EU PaaS
A Platform as a Service sits one layer above raw infrastructure. Instead of provisioning servers, configuring a container runtime, and wiring up your own CI/CD, you connect a Git repository and the platform builds, deploys, and scales your application. A managed EU PaaS combines that developer experience with EU data residency.
This is the category for teams that want to ship product, not operate infrastructure, while still keeping data in Europe. You give up some low-level control compared to raw servers, and you gain deployment speed, managed databases, automatic scaling, and HTTPS without a checklist. Out Plane is in this category, with a default region in Nuremberg, Germany and EU data residency across its European regions.
Comparison table: European cloud provider types in 2026
| Factor | US hyperscaler (EU region) | European-native / sovereign cloud | Managed EU PaaS (Out Plane) |
|---|---|---|---|
| Operating jurisdiction | United States | European Union | European Union |
| CLOUD Act exposure | Yes | No | No |
| Data residency | EU region available | EU | EU regions (default Nuremberg) |
| Service breadth | Very broad | Moderate | Deployment-focused |
| Abstraction level | Raw + managed services | Mostly raw infrastructure | Fully managed platform |
| You operate the servers | Partially | Mostly yes | No |
| Deployment model | Console, CLI, IaC | SSH, IaC, your own CI/CD | Git push or container image |
| Managed databases | Extensive | Limited to moderate | Managed PostgreSQL + Redis |
| Auto-scaling | Configurable | DIY | Built-in |
| HTTPS / custom domains | Manual or add-on | Manual | Automatic |
| Time to first deploy | Hours to days | Hours to days | Minutes |
| Billing granularity | Per-second to per-hour | Per-hour common | Per-second |
| Best for | Global scale, deep catalog | Sovereignty, cost-performance | Ship fast, stay in the EU |
How to choose the right category for your team
The right provider depends less on brand and more on three concrete questions.
How strict is your jurisdiction requirement? If a customer contract, a public-sector tender, or a regulator requires that your data never fall under foreign legal reach, a US operator's EU region does not satisfy it. You need a European operating entity, which points you at a European-native cloud or a managed EU PaaS. If you only need to keep data physically in Europe for latency or general GDPR comfort, any of the three categories can work.
How much infrastructure do you want to run? Raw European infrastructure gives you maximum control and often the best price for pure compute, but you own the operating system, the container runtime, patching, scaling logic, backups, and TLS. A managed EU PaaS trades that control for speed. A two-person team shipping a SaaS product almost always saves money overall by not spending engineering hours on undifferentiated infrastructure work, even when the per-instance price of a managed platform looks higher on paper.
How broad is your service surface? If your architecture depends on dozens of specialized managed services, a hyperscaler's catalog is hard to replace. If your application is a web service plus a database, a cache, and some background jobs, the breadth is not doing anything for you, and the simpler operating model of a PaaS is a better fit.
Here is a rough decision heuristic:
Need foreign-jurisdiction immunity?
yes -> European-native cloud OR managed EU PaaS
no -> any category works, choose on breadth vs. speed
Want to operate servers yourself?
yes -> European-native raw infrastructure
no -> managed EU PaaS
Application is a web app + database + cache + jobs?
yes -> managed EU PaaS is the shortest path
no (dozens of specialized services) -> hyperscaler
Where Out Plane fits, honestly
Out Plane is a managed EU PaaS. Its purpose is to let a team push code and have a production application running in the EU within minutes, without touching servers. Here is what that means concretely, and where the honest boundaries are.
What it does. You deploy from a GitHub repository with git push, or from a prebuilt container image. Builds use Buildpacks or your own Dockerfile, and the platform supports Node.js, Python, Go, Java, Ruby, PHP, .NET, and Rust. Bind your service to 0.0.0.0 on the injected PORT and it is reachable. You get managed PostgreSQL with automated backups, point-in-time recovery, read replicas, and connection pooling, plus managed Redis. Applications get automatic scaling and load balancing, custom domains with automatic HTTPS, persistent volumes, TCP services, environment variables, API tokens, and a browser terminal. There is no cold start. Billing is per-second, so you pay for what you run.
The EU data residency claim, stated plainly. Out Plane's default region is Nuremberg, Germany, and it operates European regions with EU data residency. That is the accurate claim. What this guide will not tell you is that residency alone equals full regulatory certification for your specific use case. Whether Out Plane fits a given compliance regime depends on your data, your obligations, and your own Data Processing Agreement review. For the compliance mechanics, see the companion guide on GDPR-compliant hosting in Europe.
Where a European-native raw cloud is a better fit. If you need dozens of specialized managed services, deep control over the operating system, or you are running workloads where you genuinely want to own the infrastructure, a PaaS is the wrong layer. Out Plane is deliberately deployment-focused, not a full hyperscaler catalog.
Try it without commitment. The Hobby tier is permanently free with up to 3 instances, and new accounts get $20 in credit valid for 30 days with no card required. Pricing for paid usage starts at a low monthly rate, detailed on the pricing page. If you are moving off a US managed platform specifically, the Railway alternative comparison walks through the migration mechanics.
Frequently asked questions
What is a European cloud provider?
A European cloud provider hosts and operates cloud infrastructure inside the EU under European jurisdiction. The important word is "operates." A provider that merely offers a European region while being headquartered elsewhere gives you data residency but not full jurisdictional independence. A true European cloud provider is an EU-incorporated entity whose contracts and infrastructure fall under European law.
Is a US hyperscaler's EU region enough for GDPR compliance?
It helps but is not sufficient on its own. Keeping data in an EU region addresses the data transfer restrictions in Chapter V of the GDPR. However, because the operator is US-headquartered, the data can still fall under US extraterritorial laws like the CLOUD Act. For strict sovereignty requirements you need an EU-operated provider. GDPR compliance also requires application-layer measures, a signed Data Processing Agreement, and lawful processing bases regardless of provider.
What is the difference between data residency and data sovereignty?
Data residency means your data is physically stored in a defined location, such as the EU. Data sovereignty is stronger: it means the data and the infrastructure fall exclusively under the laws of that location, with no foreign legal reach. A US provider's EU region delivers residency. Only an EU-operated provider delivers sovereignty.
Does the CLOUD Act apply to servers located in Europe?
Yes, when the operator is subject to US jurisdiction. The CLOUD Act allows US authorities to compel US-based providers to produce data under their control regardless of where the servers physically sit. Physical location in Frankfurt does not remove the legal reach if the operating company is American. Only an operator incorporated and controlled in the EU falls outside its scope.
Is a managed EU PaaS more expensive than raw European servers?
The per-instance price of a managed platform can look higher than a bare virtual server, but total cost of ownership usually favors the managed platform for small and mid-sized teams. Raw servers require engineering time for setup, patching, scaling, backups, and TLS. A managed EU PaaS includes those, and per-second billing means you do not pay for idle capacity. For a two-person team, the engineering hours saved typically outweigh the compute markup.
Which EU regions does Out Plane offer?
Out Plane operates regions including Nuremberg and Helsinki in Europe, with additional regions in Ashburn, Hillsboro, and Singapore for teams serving other geographies. The default region is Nuremberg, Germany. For EU data residency, deploy into the European regions.
Can I migrate an existing app to a European provider without rewriting it?
In most cases yes. If your application already runs in a container or builds cleanly with a standard buildpack, moving it to a managed EU PaaS is mostly a matter of connecting your repository, setting environment variables, and pointing your custom domain. Applications that bind to 0.0.0.0 on a configurable port and store state in a managed database rather than local disk migrate with little or no code change.
Do I need to run my own database on a European provider?
Not with a managed EU PaaS. Out Plane provides managed PostgreSQL with automated backups, point-in-time recovery, read replicas, and connection pooling, plus managed Redis. You provision a database in the console and connect to it, without operating the database server yourself. On raw European infrastructure you would install and maintain the database engine on your own.
Summary
The phrase "European cloud provider" now means something specific in 2026: an operator under European jurisdiction, not just servers on European soil. US hyperscalers give you EU regions and enormous breadth, but the operating company remains under US extraterritorial law. European-native clouds give you genuine sovereignty and strong price-to-performance, at the cost of running more infrastructure yourself. A managed EU PaaS gives you EU data residency with a Git-push deployment experience, managed databases, automatic scaling, and HTTPS, for teams that want to ship product rather than operate servers.
Choose on three axes: how strict your jurisdiction requirement is, how much infrastructure you want to run, and how broad your service needs are. If your requirement is "keep our data in the EU and let us deploy fast," a managed EU PaaS is the shortest path.
Ready to deploy in the EU without managing servers? Get started with Out Plane. The Hobby tier is permanently free with up to 3 instances, and new accounts get $20 in credit for 30 days, no card required.