AWS EBS EU Alternatives 2026: Block Storage Without CLOUD Act Exposure

AWS Elastic Block Store (EBS) is the default block storage layer for EC2 instances and many containerised workloads running on AWS in Europe. The typical setup — EBS volumes in eu-west-1 or eu-central-1, encrypted with an AWS KMS key — appears GDPR-compliant at first glance. The data doesn't leave the EU region. The volume is encrypted. The access logs are in CloudTrail.

The problem is subtler: the encryption keys are managed by AWS KMS, an American company subject to US law, and EBS snapshots replicate into S3 under the same jurisdiction constraints. When EU developers treat "encrypted EBS in eu-west-1" as a data sovereignty solution, they are conflating encryption at rest with control over decryption — and under GDPR, those are not the same thing.

This post explains the specific legal gaps in the standard EBS setup and the EU-native block storage alternatives that close them.

What AWS EBS Actually Gives You

EBS provides persistent block-level storage volumes that attach to EC2 instances. In practice, EBS is used for:

Root volumes — the operating system disk for EC2 instances
Database storage — MySQL, PostgreSQL, and MongoDB running on EC2 rely on EBS for their data directories
Application state — containerised workloads using EBS-backed persistent volumes via the EBS CSI driver in Kubernetes

AWS recommends encrypting EBS volumes using AWS KMS. Encryption is enabled by default in modern account configurations, using either the AWS-managed key (aws/ebs) or a customer-managed key (CMK) that you create in KMS.

The AWS documentation correctly states that the encryption is performed at the hypervisor level — data is encrypted before it leaves the EC2 host and never hits the network in plaintext. For technical security, this is solid.

The CLOUD Act Problem With AWS KMS

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) allows US law enforcement to compel US-based cloud providers to produce data stored on servers anywhere in the world, including servers located in the EU. This applies regardless of where the data is physically stored — what matters is where the company is incorporated.

AWS is a US company (Amazon Web Services, Inc., incorporated in Delaware). Its KMS service is subject to the CLOUD Act regardless of which region your KMS keys are configured in.

What this means in practice:

When you encrypt an EBS volume with an AWS KMS key — even a CMK you created — AWS holds the key material in its KMS infrastructure. If the US government issues a valid CLOUD Act order targeting AWS, AWS can be required to use that key material to decrypt your data. You would not necessarily be notified. The order can include a gag provision prohibiting AWS from informing the data owner.

This is not a theoretical scenario. CLOUD Act warrants have been issued against major cloud providers, and the existence of active orders is typically confirmed only through court proceedings — long after the access occurred.

The GDPR Art. 32 Implication

GDPR Article 32(1)(a) requires "the pseudonymisation and encryption of personal data" as part of appropriate technical measures. But the EDPB's 2021 Recommendations on supplementary measures for data transfers (Rec. 01/2020) make clear that encryption only qualifies as an effective safeguard if the controller holds the keys. If a third party (here, AWS) can be legally compelled to use the keys without your knowledge, the encryption does not provide the protection GDPR Art. 32 contemplates.

The Schrems II ruling (C-311/18, July 2020) established that US surveillance law — including FISA Section 702 and Executive Order 12333 — creates a risk incompatible with EU fundamental rights. The CLOUD Act adds a separate vector: law enforcement access to cloud-stored data via provider compulsion, without requiring the provider's customer to be notified or have standing to challenge the order.

EBS Snapshots: The Data Transfer You Didn't Know About

EBS snapshots are stored in Amazon S3 in the same region as the volume. This appears safe — your data stays in eu-west-1. But snapshots stored in S3 are subject to the same AWS/CLOUD Act jurisdiction as everything else in your AWS account.

More specifically, when you copy an EBS snapshot to another region — a common disaster recovery practice — the data crosses AWS's internal network. Cross-region snapshot copies are performed by AWS infrastructure and are not subject to your VPC routing controls. The data briefly exists in AWS's internal transfer layer, which is under US jurisdiction.

For GDPR purposes, copying an EBS snapshot from eu-west-1 to us-east-1 for backup purposes is a data transfer to a third country under Art. 44. If no valid transfer mechanism exists (standard contractual clauses with AWS do not remedy the CLOUD Act exposure under current EDPB guidance), this transfer may be unlawful.

Note: Cross-region snapshot copies to other EU regions (e.g., eu-west-1 to eu-central-1) are less clear-cut, since both source and destination are within the EU. However, the underlying infrastructure performing the copy remains US-controlled.

EU-Native Block Storage Alternatives

The following providers offer block storage with EU incorporation, no US parent company, and no CLOUD Act exposure.

Hetzner Block Volumes

Hetzner Online GmbH is a German company (Gunzenhausen, Bavaria) with 100% German ownership — no US parent company, no CLOUD Act exposure.

Hetzner Block Volumes:

Regions: Falkenstein (DE), Nuremberg (DE), Helsinki (FI), Ashburn (US, if not used for EU data)
Performance: Up to 80,000 IOPS, 1,200 MB/s throughput on Premium tier
Encryption: AES-256 encryption at rest, Hetzner holds the keys — no US key management
Pricing: €0.0476/GB/month — significantly cheaper than EBS gp3
Art. 28 DPA: Hetzner provides a standard Data Processing Agreement under GDPR; as a German company, there is no third-country transfer concern

For most EC2+EBS workloads, migrating to Hetzner Cloud with Block Volumes is a direct architectural substitution: Hetzner Cloud Server replaces EC2, Block Volume replaces EBS.

Scaleway Block Storage SSD

Scaleway SAS is a French cloud provider (subsidiary of Iliad Group), incorporated in France with no US parent company.

Scaleway Block Storage SSD:

Regions: Paris (FR-PAR-1, FR-PAR-2, FR-PAR-3), Amsterdam (NL-AMS-1), Warsaw (PL-WAW-1, PL-WAW-2, PL-WAW-3)
Performance: Up to 15,000 IOPS for block volumes attached to production-tier instances
Encryption: Available via LUKS encryption managed by the customer; no AWS KMS equivalent
Pricing: €0.08/GB/month for standard SSD block volumes
CSI Driver: Available for Kubernetes workloads via the Scaleway CSI plugin

OVHcloud Block Storage

OVH SAS is a French company (Roubaix) with no US parent company. OVHcloud is the second-largest European cloud provider by revenue.

OVHcloud Block Storage:

Regions: Gravelines (FR), Roubaix (FR), Strasbourg (FR), Frankfurt (DE), London (UK), Warsaw (PL), Beauharnois (CA), Sydney (AU)
Performance: Up to 20,000 IOPS on Ultra High Speed tier
Encryption: Customer-managed encryption available; OVHcloud provides the encryption service but the key hierarchy can be customer-controlled
GDPR posture: OVHcloud publishes a dedicated SecNumCloud compliance roadmap; their French government cloud (Sovereign Cloud) is ANSSI-certified for sensitive public sector data
Pricing: Variable by tier; High Speed SSD from ~€0.09/GB/month

gridscale Block Storage

gridscale GmbH is a German company (Cologne) providing block storage as part of their cloud platform.

Regions: Cologne (DE), Hamburg (DE), Düsseldorf (DE)
Performance: SSD-based, up to 10,000 IOPS
GDPR posture: German DPA compliant, no US parent, BSI-aligned operations

The Kubernetes/Container Case: Why PaaS Avoids the Problem Entirely

A significant subset of EBS use cases — persistent volumes for stateless containerised applications — can be eliminated entirely by moving to a EU-native PaaS instead of self-managed EC2+Kubernetes.

When you run a containerised application on a PaaS layer, the platform abstracts storage management. Your application code runs in containers without needing direct EBS-equivalent block storage for application state. Databases are provided as managed services (Postgres, Redis) where the storage layer is fully managed by the EU-native PaaS operator.

This changes the GDPR posture significantly:

No AWS KMS keys → no CLOUD Act key exposure
No EBS snapshots → no cross-region transfer risk
No direct S3 dependency → no AWS sub-processor relationship
One Art. 28 DPA with one EU-native provider instead of multiple AWS service DPAs

For teams migrating off AWS EC2+EBS, the decision tree is:

Database workloads on EBS → migrate to managed Postgres/MySQL/Redis on an EU-native PaaS
Stateless application code on EBS root volumes → containerise and deploy to EU-native PaaS
Large file/object storage on EBS → evaluate Hetzner Object Storage or Scaleway Object Storage as S3-compatible EU alternatives
Stateful legacy applications requiring raw block storage → Hetzner Block Volumes or Scaleway Block Storage SSD

One EBS management task that creates hidden GDPR complexity is key rotation with CMKs. When you rotate an AWS KMS CMK used for EBS encryption, AWS re-encrypts the volume's data key (DEK) but does not re-encrypt the volume data itself. This means:

If a CLOUD Act order was served against AWS before rotation, the pre-rotation key material may still be retained by AWS per its legal hold procedures
For GDPR Art. 17 (right to erasure) purposes, deleting the KMS key is the intended mechanism for cryptographic erasure — but AWS CMK deletion has a mandatory 7-30 day waiting period, and the deletion does not guarantee destruction of all key material AWS may hold for compliance purposes

EU-native block storage providers operating without US regulatory exposure do not have this legal-hold complication — key deletion under their jurisdiction is subject only to EU commercial law requirements.

Practical Migration Checklist

For teams moving from AWS EBS to EU-native block storage:

Phase 1: Inventory

List all EBS volumes and their attached instances
Identify which volumes use AWS-managed keys vs CMKs
Check for cross-region snapshot copies in your DR procedures

Phase 2: Data classification

Which volumes contain personal data under GDPR Art. 4(1)?
Does any volume contain special category data (Art. 9) requiring enhanced protection?
Are any volumes used by services meeting NIS2 essential/important entity thresholds?

Phase 3: Migration

For containerised workloads: deploy to EU-native PaaS, remove EBS dependency
For database workloads: export data, provision EU-native managed database, import
For raw block storage needs: provision Hetzner Block Volume or Scaleway Block Storage in equivalent region, use dd or rsync to migrate data, update instance configuration

Phase 4: Compliance verification

Confirm no AWS sub-processor relationship in updated Records of Processing Activities (Art. 30)
Update Art. 28 DPA to reflect new storage provider
Verify no cross-border transfers in DR/backup procedures
Test encryption key management — confirm you control all key material

Summary

AWS EBS in EU regions provides technical encryption but not data sovereignty. The key management infrastructure (AWS KMS) is a US company subject to CLOUD Act compulsion, and EBS snapshots carry DR-copy patterns that can trigger GDPR Art. 44 cross-border transfer obligations.

EU-native alternatives — Hetzner Block Volumes, Scaleway Block Storage SSD, and OVHcloud Block Storage — provide equivalent technical capabilities without US jurisdiction over key management or data access. For containerised workloads, moving to a EU-native PaaS eliminates the raw block storage layer entirely, simplifying both the architecture and the GDPR compliance posture.

The migration effort is measurable and bounded. The compliance gap with AWS KMS-encrypted EBS is structural and cannot be fixed by configuration alone.