Best European PaaS Providers 2026: GDPR, DORA, and Real EU Jurisdiction Compared
Searching for "best European PaaS providers 2026" returns a Northflank blog post at the top. Northflank lists itself, along with Clever Cloud, Scalingo, and Sliplane. The post is well-written and covers developer experience, BYOC support, pricing, and certifications.
It does not mention that Northflank is a UK company — incorporated in England and Wales, headquartered in London. The United Kingdom left the EU on 31 January 2020. UK incorporation is not EU legal jurisdiction. For GDPR compliance, DORA outsourcing, and NIS2 Art.21(2)(d) supply chain security, the distinction between "European" and "EU-incorporated" is not a technicality — it determines which legal regime governs your data and which courts have jurisdiction over your provider.
This post compares the actual EU legal jurisdiction of each major "European" PaaS provider in 2026, maps the regulatory implications, and gives you a framework for evaluating infrastructure choices under GDPR, NIS2, and DORA.
The UK Is Not the EU
This is not a political statement. It is a legal fact with direct compliance consequences.
Since Brexit:
- GDPR Art.44 transfers: Data transferred from an EU controller to a UK processor requires a legal transfer mechanism under Art.46 (Standard Contractual Clauses) or reliance on the UK adequacy decision (Commission Decision 2021/1772).
- Adequacy decision: The UK adequacy decision expires in June 2027 unless renewed. The renewal is not guaranteed — the UK Investigatory Powers Act 2016 (IPA), which allows bulk data collection and lacks judicial pre-authorisation requirements, has been flagged as a potential adequacy blocker by the European Data Protection Board (EDPB).
- ICO enforcement: UK-incorporated providers are regulated by the UK Information Commissioner's Office (ICO) under UK GDPR, not by EU data protection authorities. ICO enforcement actions do not bind EU DPAs.
- EU AI Act: UK providers are not established in the EU under AI Act Art.3(7). Compliance documentation pathways differ from EU-incorporated entities.
For developers and CTOs making infrastructure decisions, this means a "European" PaaS headquartered in London operates under a different legal framework than one incorporated in France, Germany, or the Netherlands.
Provider-by-Provider Jurisdiction Analysis
Northflank — London, United Kingdom
Northflank was founded in 2019 and is incorporated in England and Wales. Infrastructure is provided via its own managed platform running on major cloud providers across EU regions.
| Criterion | Status |
|---|---|
| EU incorporation | No — England & Wales |
| Subject to GDPR | UK GDPR (ICO), not EU GDPR |
| GDPR Art.44 transfer needed | Yes — EU → UK transfer requires SCCs or adequacy reliance |
| UK adequacy decision | Yes — until June 2027 (renewal uncertain) |
| CLOUD Act exposure | No — UK company, not US-incorporated |
| NIS2 Art.21(2)(d) | Must document UK jurisdiction risk + adequacy expiry |
| Certifications | SOC 2 Type 2 |
| BYOC support | Yes (AWS, GCP, Azure, OCI, on-premises) |
Key risk: The UK adequacy decision expires June 2027. If renewal fails, SCCs become mandatory for all Northflank deployments from EU-based controllers. Planning infrastructure migrations takes 6–12 months minimum. Teams starting new projects on Northflank today are building on an adequacy foundation that expires in 14 months.
Clever Cloud — Roubaix, France
Clever Cloud SAS is incorporated in France and operates its own physical infrastructure across multiple EU regions including Paris, Bordeaux, and Warsaw.
| Criterion | Status |
|---|---|
| EU incorporation | Yes — France (SAS) |
| Subject to GDPR | Yes — EU GDPR, CNIL enforcement |
| GDPR Art.44 transfer needed | No — EU-to-EU processing |
| CLOUD Act exposure | None — no US parent |
| NIS2 Art.21(2)(d) | Clean — EU jurisdiction, no foreign compelled disclosure |
| Certifications | ISO 27001:2022, HDS (Hébergeur de Données de Santé) |
| BYOC support | Enterprise on-premises (via sales) |
| Pricing model | Pay-per-use, no minimum |
Assessment: Clever Cloud is a genuine EU-incorporated provider with strong certifications. HDS certification makes it relevant for French healthcare data. The platform is mature with a strong French enterprise customer base. Primary limitations: pricing is complex, and the developer experience is less polished than that of newer providers.
Scalingo — Strasbourg, France
Scalingo SAS is incorporated in France, headquartered in Strasbourg, and operates on a SecNumCloud-qualified IaaS layer in France.
| Criterion | Status |
|---|---|
| EU incorporation | Yes — France (SAS) |
| Subject to GDPR | Yes — EU GDPR, CNIL enforcement |
| GDPR Art.44 transfer needed | No — EU-to-EU processing |
| CLOUD Act exposure | None — no US parent |
| NIS2 Art.21(2)(d) | Clean — EU jurisdiction |
| Certifications | ISO 27001, HDS, SecNumCloud-qualified IaaS |
| BYOC support | No |
| Pricing model | Per-container, per-addon |
Assessment: Scalingo's SecNumCloud-qualified IaaS layer is the strongest sovereignty certification available in France — ANSSI has audited the underlying infrastructure. HDS certification covers French health data. Good fit for French regulated industries. SecNumCloud compliance documentation is well-suited for ANSSI-supervised entities under NIS2.
Sliplane — Copenhagen, Denmark
Sliplane ApS is incorporated in Denmark and runs Kubernetes-based deployments across EU regions.
| Criterion | Status |
|---|---|
| EU incorporation | Yes — Denmark (ApS) |
| Subject to GDPR | Yes — EU GDPR, Datatilsynet enforcement |
| GDPR Art.44 transfer needed | No — EU-to-EU processing |
| CLOUD Act exposure | None — no US parent |
| NIS2 Art.21(2)(d) | Clean — EU jurisdiction |
| Certifications | Not publicly documented |
| BYOC support | Limited |
| Pricing model | Per-pod pricing |
Assessment: Sliplane is a newer entrant with a developer-focused Kubernetes PaaS. EU-incorporated with no CLOUD Act exposure. Certification documentation for NIS2 or DORA audits is less comprehensive than Clever Cloud or Scalingo. Better fit for teams comfortable with Kubernetes who want EU jurisdiction without managing clusters.
sota.io — Germany
sota.io GmbH is incorporated in Germany and operates its own infrastructure in Germany.
| Criterion | Status |
|---|---|
| EU incorporation | Yes — Germany (GmbH) |
| Subject to GDPR | Yes — EU GDPR, BayLDA/DSK enforcement |
| GDPR Art.44 transfer needed | No — EU-to-EU processing |
| CLOUD Act exposure | None — no US parent |
| NIS2 Art.21(2)(d) | Clean — single EU jurisdiction, BaFin/BSI supervisory sphere |
| Certifications | EU-incorporated, GDPR by default |
| BYOC support | No (managed EU infrastructure) |
| Pricing model | From €9/mo (2 dedicated vCPU + PostgreSQL) |
Assessment: German GmbH incorporation places sota.io under Germany's strong data protection regime (BDSG + EU GDPR), BSI supervision, and German commercial law. No adequacy decision required, no CLOUD Act exposure, no US parent. €9/month for 2 dedicated vCPU + managed PostgreSQL makes it the most cost-effective fully EU-native managed PaaS for GDPR, NIS2, and DORA compliance.
The Regulatory Compliance Comparison
GDPR Art.44 Transfer Analysis
When you use a PaaS provider as a data processor (Art.28), the legal transfer mechanism depends on where the processor is incorporated:
| Provider | Incorporation | Art.44 Transfer Mechanism Required |
|---|---|---|
| Northflank | UK | SCCs or UK adequacy (expires June 2027) |
| Clever Cloud | France | None — EU-to-EU |
| Scalingo | France | None — EU-to-EU |
| Sliplane | Denmark | None — EU-to-EU |
| sota.io | Germany | None — EU-to-EU |
For Northflank, your DPA (Data Processing Agreement) must document the transfer mechanism. If you rely on the UK adequacy decision, you must have a contingency plan for adequacy expiry — the EDPB has flagged the Investigatory Powers Act 2016 (IPA 2016) as a potential blocker.
NIS2 Art.21(2)(d) Supply Chain Security
For essential and important entities, NIS2 Art.21(2)(d) requires documented supply chain security analysis for direct suppliers including your PaaS provider. The key questions for NIS2 auditors:
- Is your provider subject to foreign government compelled disclosure orders?
- What is the legal basis for your data processing relationship?
- What jurisdiction's courts govern disputes with your provider?
- Has your provider's legal jurisdiction been assessed in your supply chain risk analysis?
| Provider | CLOUD Act | UK Surveillance | Supply Chain Risk Documentation |
|---|---|---|---|
| Northflank | No | IPA 2016 applies | Must document IPA risk + adequacy expiry contingency |
| Clever Cloud | No | No | EU jurisdiction — minimal documentation burden |
| Scalingo | No | No | EU jurisdiction + SecNumCloud adds positive evidence |
| Sliplane | No | No | EU jurisdiction — minimal documentation burden |
| sota.io | No | No | EU jurisdiction — minimal documentation burden |
None of these providers carry CLOUD Act exposure (unlike AWS, Azure, or GCP). The UK-specific risk at Northflank relates to IPA 2016 bulk collection authorities — distinct from CLOUD Act but analogous in creating foreign-government access risk.
DORA Art.28-30 Outsourcing Requirements
The Digital Operational Resilience Act applies to financial entities including banks, investment firms, insurance companies, payment institutions, and crypto-asset service providers. DORA Art.28-30 imposes specific requirements for third-party ICT service provider contracts.
For financial entities using a PaaS provider:
| DORA Requirement | Northflank (UK) | EU-Incorporated Providers |
|---|---|---|
| Art.28(2) Register of ICT arrangements | Must list UK jurisdiction | List EU jurisdiction |
| Art.28(8) Exit strategy | Must document adequacy expiry scenario | Standard exit planning |
| Art.29 Key contractual provisions | Must address IPA 2016 government access | No equivalent disclosure risk |
| Art.30 Sub-outsourcing | UK sub-contractors add jurisdiction complexity | EU sub-contractors: simpler |
| ESA oversight notifications | UK provider = additional documentation | EU provider = standard process |
For DORA-regulated entities, EU-incorporated PaaS providers reduce outsourcing documentation complexity. The adequacy expiry risk at UK providers creates a mandatory exit planning requirement that EU-incorporated providers do not impose.
Python Tool: EU PaaS Jurisdiction Evaluator
```python
from __future__ import annotations  # lets the `str | None` annotations load on Python < 3.10

from dataclasses import dataclass
from enum import Enum


class Jurisdiction(Enum):
    EU = "EU"
    UK = "UK_POST_BREXIT"
    US = "US"
    OTHER = "OTHER"


class CloudActRisk(Enum):
    NONE = "none"
    DIRECT = "direct"      # US-incorporated
    INDIRECT = "indirect"  # US parent company


@dataclass
class PaaSJurisdictionProfile:
    name: str
    incorporation: str
    jurisdiction: Jurisdiction
    cloud_act_risk: CloudActRisk
    adequacy_required: bool
    adequacy_expiry: str | None
    certifications: list[str]
    monthly_price_eur: float | None


PROVIDERS = [
    PaaSJurisdictionProfile(
        name="Northflank",
        incorporation="England & Wales",
        jurisdiction=Jurisdiction.UK,
        cloud_act_risk=CloudActRisk.NONE,
        adequacy_required=True,
        adequacy_expiry="2027-06",
        certifications=["SOC 2 Type 2"],
        monthly_price_eur=None,  # varies
    ),
    PaaSJurisdictionProfile(
        name="Clever Cloud",
        incorporation="France (SAS)",
        jurisdiction=Jurisdiction.EU,
        cloud_act_risk=CloudActRisk.NONE,
        adequacy_required=False,
        adequacy_expiry=None,
        certifications=["ISO 27001:2022", "HDS"],
        monthly_price_eur=None,  # pay-per-use
    ),
    PaaSJurisdictionProfile(
        name="Scalingo",
        incorporation="France (SAS)",
        jurisdiction=Jurisdiction.EU,
        cloud_act_risk=CloudActRisk.NONE,
        adequacy_required=False,
        adequacy_expiry=None,
        certifications=["ISO 27001", "HDS", "SecNumCloud IaaS"],
        monthly_price_eur=None,  # per-container
    ),
    PaaSJurisdictionProfile(
        name="Sliplane",
        incorporation="Denmark (ApS)",
        jurisdiction=Jurisdiction.EU,
        cloud_act_risk=CloudActRisk.NONE,
        adequacy_required=False,
        adequacy_expiry=None,
        certifications=[],
        monthly_price_eur=None,
    ),
    PaaSJurisdictionProfile(
        name="sota.io",
        incorporation="Germany (GmbH)",
        jurisdiction=Jurisdiction.EU,
        cloud_act_risk=CloudActRisk.NONE,
        adequacy_required=False,
        adequacy_expiry=None,
        certifications=["EU GDPR by default"],
        monthly_price_eur=9.0,
    ),
    # For comparison: US-incorporated
    PaaSJurisdictionProfile(
        name="Railway",
        incorporation="USA (Delaware)",
        jurisdiction=Jurisdiction.US,
        cloud_act_risk=CloudActRisk.DIRECT,
        adequacy_required=True,
        adequacy_expiry=None,  # requires DPF adequacy
        certifications=["SOC 2 Type 1"],
        monthly_price_eur=None,
    ),
]


class EUPaaSJurisdictionEvaluator:
    def evaluate(self, provider: PaaSJurisdictionProfile) -> dict:
        """Return the jurisdiction flags and the risks to document for one provider."""
        risks = []

        if provider.jurisdiction == Jurisdiction.US:
            risks.append("CLOUD Act 18 U.S.C. §2703: US law enforcement compelled disclosure applies")
            risks.append("GDPR Art.44: EU→US transfer requires SCCs + DPF adequacy")

        if provider.jurisdiction == Jurisdiction.UK:
            risks.append("IPA 2016: UK bulk collection authorities may apply to your data")
            risks.append("GDPR Art.44: EU→UK transfer requires SCCs or UK adequacy decision")
            if provider.adequacy_expiry:
                # adequacy expiry creates compliance uncertainty
                risks.append(f"UK adequacy expires: {provider.adequacy_expiry} — exit planning required")

        if provider.cloud_act_risk == CloudActRisk.DIRECT:
            risks.append("NIS2 Art.21(2)(d): CLOUD Act must be documented in supply chain risk assessment")

        if provider.cloud_act_risk == CloudActRisk.INDIRECT:
            risks.append("NIS2 Art.21(2)(d): US parent CLOUD Act exposure must be documented")

        return {
            "provider": provider.name,
            "jurisdiction": provider.jurisdiction.value,
            "incorporation": provider.incorporation,
            "gdpr_art44_clean": provider.jurisdiction == Jurisdiction.EU,
            "cloud_act_free": provider.cloud_act_risk == CloudActRisk.NONE,
            # "Clean" here means EU-incorporated with no CLOUD Act exposure
            "nis2_supply_chain_clean": (
                provider.jurisdiction == Jurisdiction.EU
                and provider.cloud_act_risk == CloudActRisk.NONE
            ),
            "risks": risks,
            "certifications": provider.certifications,
        }

    def compare_all(self) -> None:
        """Print the compliance matrix for every entry in PROVIDERS."""
        print("EU PaaS Jurisdiction Compliance Matrix — 2026")
        print("=" * 70)
        for provider in PROVIDERS:
            result = self.evaluate(provider)
            status = "CLEAN" if result["nis2_supply_chain_clean"] else "REVIEW REQUIRED"
            print(f"\n{result['provider']} ({result['incorporation']}): {status}")
            print(f" GDPR Art.44 clean: {result['gdpr_art44_clean']}")
            print(f" CLOUD Act free: {result['cloud_act_free']}")
            if result["risks"]:
                for risk in result["risks"]:
                    print(f" ⚠ {risk}")
            if result["certifications"]:
                print(f" ✓ Certs: {', '.join(result['certifications'])}")


if __name__ == "__main__":
    evaluator = EUPaaSJurisdictionEvaluator()
    evaluator.compare_all()
```
Running this outputs:
```
EU PaaS Jurisdiction Compliance Matrix — 2026
======================================================================

Northflank (England & Wales): REVIEW REQUIRED
 GDPR Art.44 clean: False
 CLOUD Act free: True
 ⚠ IPA 2016: UK bulk collection authorities may apply to your data
 ⚠ GDPR Art.44: EU→UK transfer requires SCCs or UK adequacy decision
 ⚠ UK adequacy expires: 2027-06 — exit planning required
 ✓ Certs: SOC 2 Type 2

Clever Cloud (France (SAS)): CLEAN
 GDPR Art.44 clean: True
 CLOUD Act free: True
 ✓ Certs: ISO 27001:2022, HDS

Scalingo (France (SAS)): CLEAN
 GDPR Art.44 clean: True
 CLOUD Act free: True
 ✓ Certs: ISO 27001, HDS, SecNumCloud IaaS

Sliplane (Denmark (ApS)): CLEAN
 GDPR Art.44 clean: True
 CLOUD Act free: True

sota.io (Germany (GmbH)): CLEAN
 GDPR Art.44 clean: True
 CLOUD Act free: True
 ✓ Certs: EU GDPR by default

Railway (USA (Delaware)): REVIEW REQUIRED
 GDPR Art.44 clean: False
 CLOUD Act free: False
 ⚠ CLOUD Act 18 U.S.C. §2703: US law enforcement compelled disclosure applies
 ⚠ GDPR Art.44: EU→US transfer requires SCCs + DPF adequacy
 ⚠ NIS2 Art.21(2)(d): CLOUD Act must be documented in supply chain risk assessment
```
15-Item EU PaaS Jurisdiction Checklist
Before selecting a PaaS provider, verify these items:
Incorporation and Jurisdiction (Items 1–5)
- 1. Provider incorporation jurisdiction: EU member state (France, Germany, Netherlands, etc.) — not UK, not US
- 2. GDPR Art.44 assessment: If provider is UK or US incorporated, document the transfer mechanism (SCCs, adequacy)
- 3. UK adequacy contingency: If relying on UK adequacy, document exit plan for 2027 expiry
- 4. Subsidiary structure: Verify no US parent exists that creates indirect CLOUD Act exposure
- 5. Governing law clause: Confirm DPA specifies EU law as governing law, EU courts as jurisdiction
Regulatory Compliance Documentation (Items 6–10)
- 6. NIS2 Art.21(2)(d) assessment: Document provider's legal jurisdiction in supply chain security analysis
- 7. DORA Art.28 register: If DORA-regulated, register PaaS provider with correct jurisdiction
- 8. DORA Art.28(8) exit strategy: Document migration plan independent of UK adequacy assumptions
- 9. DPA Art.28 processor agreement: Signed DPA specifying sub-processors and their jurisdictions
- 10. Transfer Impact Assessment: If required (UK/US providers), complete TIA documenting residual risks
Infrastructure Security (Items 11–15)
- 11. Encryption key jurisdiction: Verify key management infrastructure is in EU jurisdiction
- 12. Sub-processor list: All sub-processors documented, their jurisdictions assessed
- 13. Incident notification capability: Provider can support NIS2 Art.23 72-hour NCA notification
- 14. Audit rights: DPA includes Art.28(3)(h) audit rights or equivalent third-party assessment
- 15. Certifications match use case: ISO 27001 for general; HDS for health data; SecNumCloud for ANSSI entities
When to Choose Each Provider
| Use Case | Recommended Provider | Reason |
|---|---|---|
| EU startup, GDPR by default | sota.io | Lowest cost, German GmbH, no transfer mechanism needed |
| French regulated industry | Scalingo | SecNumCloud IaaS, HDS for health data, ANSSI alignment |
| French enterprise, self-hosting option | Clever Cloud | ISO 27001:2022, HDS, on-premises enterprise option |
| Kubernetes-native EU startup | Sliplane | EU-incorporated, Kubernetes-native PaaS |
| BYOC into existing AWS/GCP | Northflank | Best BYOC support, but document UK adequacy expiry |
| Any US provider (Railway/Render/Fly.io) | Migrate | CLOUD Act exposure, ongoing Art.44 transfer burden |
The Northflank Question
Northflank is a well-engineered PaaS with genuine developer experience advantages, particularly for teams that need BYOC flexibility. The concern is not the product — it is the timing.
The UK adequacy decision was granted in June 2021. It runs for four years. It expires in June 2027. The EDPB has formally noted that the UK Investigatory Powers Act 2016 creates bulk collection authorities that may be incompatible with EU data protection standards — the same concern that invalidated the US Privacy Shield in Schrems II.
If you start a project on Northflank today and the adequacy decision is not renewed in June 2027, you face an unplanned infrastructure migration during your product's growth phase. EU-incorporated alternatives — Clever Cloud, Scalingo, Sliplane, or sota.io — do not carry this timing risk.
Summary
The "best European PaaS" question is not purely a developer experience question. For teams subject to GDPR, NIS2, or DORA, the provider's legal incorporation jurisdiction determines:
- Whether a GDPR Art.44 transfer mechanism is required
- How NIS2 Art.21(2)(d) supply chain security documentation is structured
- Whether DORA Art.28 outsourcing register entries carry additional adequacy risk flags
- Whether your infrastructure choice creates an unplanned migration risk in 2027
Genuinely EU-incorporated PaaS providers in 2026: Clever Cloud (France), Scalingo (France), Sliplane (Denmark), sota.io (Germany)
UK-incorporated PaaS marketed as European: Northflank (England & Wales) — not EU jurisdiction, adequacy expires June 2027
US-incorporated PaaS operating in EU regions: Railway, Render, Fly.io, Vercel — CLOUD Act applies, GDPR Art.44 transfer required
See Also
- EU Region vs EU Jurisdiction: Why Railway Frankfurt Is Still Under US Law — explains the CLOUD Act legal mechanism that makes US-parent "EU region" providers non-compliant for Art.44 purposes
- Hetzner Raised Prices 30–40%: When to Switch to Managed EU PaaS (2026) — cost analysis for moving from self-managed VPS to EU-native PaaS
- Render Pro Is $85/Month. sota.io Is €9. Both Give You 2 vCPU. — direct pricing comparison with CLOUD Act jurisdiction analysis
- NIS2 Compliance on EU-Native PaaS: The Infrastructure Checklist for the June 2026 Audit Deadline — Art.21(2)(d) supply chain security audit checklist for essential entities