Cloudflare CDN + WAF EU Alternative 2026: CLOUD Act Risk in Your Edge Network

Post #1 in the sota.io EU CDN + WAF Serie

Cloudflare is everywhere. Over 20% of the web uses it. But Cloudflare Inc. is a Delaware corporation, headquartered in San Francisco — and that means your CDN access logs, WAF rule hits, Bot Management scores, and DDoS mitigation data all sit on infrastructure controlled by a company that the US government can compel to disclose information under the CLOUD Act and FISA Section 702, without notifying you or your EU users.

This post is not about Cloudflare Workers and edge computing — we covered that separately. This is about Cloudflare's core CDN, WAF, DDoS Protection, and Bot Management products — the services that most EU companies use without realizing they create a GDPR transfer problem.

Why CDN Data Is Personal Data Under GDPR

The most common misconception: "Cloudflare just caches static files — there's no personal data involved."

This is wrong. Under GDPR Art. 4(1), an IP address is personal data whenever it can be linked to an identified or identifiable natural person. Your CDN access logs contain:

• IP addresses of every EU visitor → personal data
• User-Agent strings → device fingerprint → personal data
• Timestamps + URLs visited → browsing behavior → personal data
• Cookie values passed through (session IDs, tracking IDs) → personal data
• Geolocation derived from IP → personal data

Cloudflare's Access Log format includes all of these. If you enable Cloudflare Logs (available on Pro plans and above), this data is stored in Cloudflare's infrastructure — which is a US entity.

The Schrems II Trap

Under Schrems II (C-311/18, July 2020), Standard Contractual Clauses (SCCs) alone are not sufficient for transfers to the US if US surveillance law renders the protections illusory. The EDPB's recommendations (01/2020) require a Transfer Impact Assessment (TIA) that honestly evaluates:

1. Is the importer subject to US surveillance laws? → Yes (FISA 702, CLOUD Act, NSL authority)
2. Can the US government access the transferred data? → Yes
3. Do EU data subjects have effective judicial redress in the US? → No (FISA Court is secret)

For Cloudflare specifically: they received 3,078 legal demands in H2 2023 alone (per their transparency report), including national security requests with gag orders. The very fact that they publish a transparency report confirms they receive — and comply with — US government data requests.

Cloudflare's CLOUD Act Risk Matrix

CLOUD Act Score: 20/25

Compare this to the EU-native alternatives below (BunnyNet: 0/25, Gcore: 1/25, CDN77: 1/25).

The Four GDPR Problem Areas

1. CDN Access Logs (GDPR Art. 4(1) + Art. 28)

Cloudflare's CDN generates access logs for every request. On Free/Pro plans, these logs are accessible via the dashboard. On Business/Enterprise, they can be forwarded via Logpush to your own storage — but the logs originate on Cloudflare's US-controlled infrastructure before forwarding.

GDPR Art. 28 implication: Cloudflare is your data processor for CDN log data. Their DPA (Data Processing Addendum) includes SCCs, but your TIA must assess whether those SCCs provide real protection given CLOUD Act / FISA 702 authority.

What EDPB says: If your TIA concludes that US surveillance law makes protection illusory, you cannot rely on SCCs alone. You need supplementary measures (encryption, pseudonymization) — but Cloudflare processes plaintext HTTP traffic for WAF to function. You cannot encrypt what you need Cloudflare to inspect.

2. WAF Rule Hits = Behavioral Profiling (GDPR Art. 22)

Cloudflare WAF operates at L7 — it inspects the content of HTTP requests. When a WAF rule fires:

• The request body, headers, and URL are analyzed
• The attacker/user IP is logged with the rule ID and action taken
• Managed rule sets (OWASP, Cloudflare Managed) create decision-making records

Under GDPR Art. 22, automated decision-making that produces legal or significant effects on individuals requires explicit consent or a legal basis. A WAF block is exactly this: an automated decision (block/challenge) based on behavioral analysis of an EU user's HTTP request.

If Cloudflare's WAF blocks a legitimate EU user because their request pattern matched an attack signature, that's an automated decision without human review. Article 22(3) gives users the right to human review — but you can't exercise that right if you don't know Cloudflare is the decision-maker.

3. Bot Management = Cross-Site Profiling (GDPR Art. 22 + Recital 71)

Cloudflare Bot Management goes further than WAF. It assigns a Bot Score (0-100) to every request, derived from:

• HTTP fingerprinting (header order, timing)
• JavaScript behavioral analysis (via Cloudflare's JS challenge)
• Cross-site signals — Cloudflare sees traffic across all ~20% of websites that use it

That last point is the GDPR Art. 22 land mine. Cloudflare's Bot Score for your EU user is influenced by how that user's IP/fingerprint behaved on other websites also protected by Cloudflare. This is cross-site behavioral profiling — exactly what GDPR Recital 71 targets.

The EU user has no idea Cloudflare is profiling their behavior across the web. They visited your site, not Cloudflare. There's no transparency obligation fulfilled, no consent obtained.

4. DDoS Mitigation Data (GDPR Art. 25 — Data Minimisation)

During L3/L4 DDoS attacks, Cloudflare's network captures packet-level data including:

• Source IPs of attack traffic (may include spoofed EU IPs)
• Legitimate user IPs mixed with attack traffic
• Traffic patterns used to build heuristics for future DDoS defense

GDPR Art. 25 (Data protection by design and by default) requires that data processing is minimized to what is necessary. Cloudflare's DDoS mitigation necessarily captures more data than the minimum — it needs traffic samples to distinguish attack from legitimate traffic.

The problem: this data flows to and is processed by a US entity with FISA/CLOUD Act exposure. There's no technical supplementary measure that lets Cloudflare both protect against DDoS and keep the data beyond US government reach.

EU-Native CDN + WAF Alternatives

BunnyNet — 0/25 CLOUD Act Risk ⭐

Bunny.net d.o.o. — Ljubljana, Slovenia. Founded 2012. EU-incorporated, no US parent, no US VC (bootstrapped). GDPR-native by design.

BunnyNet strengths:

• Pure-play EU CDN with no US exposure
• BunnyShield WAF covers OWASP Top 10, rate limiting, IP blocking
• 98 PoPs globally, strong EU coverage (Frankfurt, Amsterdam, Paris, Warsaw, Stockholm)
• Video delivery (BunnyStream), image optimization (BunnyOptimizer) as add-ons
• Pricing: typically 40-80% cheaper than Cloudflare for equivalent traffic

BunnyNet limitations:

• No Bot Management equivalent (basic bot rules only)
• No Magic Transit (BGP routing protection)
• Smaller engineering team → slower feature development
• No equivalent to Cloudflare Access (ZTNA)

Best for: EU companies that need CDN + basic WAF without US jurisdiction. Cost-effective replacement for Cloudflare Free/Pro.

Gcore — 1/25 CLOUD Act Risk

G-Core Labs SA — Luxembourg. EU incorporated. Strong presence in CIS, EU, and gaming sector. Founded 2009.

Gcore strengths:

• Genuine EU entity (Luxembourg, not UK or US)
• Massive DDoS scrubbing capacity (1 Tbps+) — strong for gaming, fintech
• CDN + WAF + DDoS in one EU-native package
• Used by major EU financial institutions and gaming companies
• GDPR Art. 28 DPA without CLOUD Act caveats

Gcore limitations:

• Less developer-friendly than Cloudflare (no Workers equivalent, no Pages)
• Enterprise pricing for WAF
• Smaller ecosystem and community

Best for: High-traffic EU companies needing serious DDoS protection + WAF without US jurisdiction. Good Cloudflare Enterprise alternative.

CDN77 / Datacamp — 1/25 CLOUD Act Risk

DataCamp Limited / Datacamp s.r.o. — Czech Republic / British Virgin Islands holding. Czech operational entity. Tier 1 peering, Prague datacenter focus.

CDN77 strengths:

• Pure CDN play, good EU pricing
• Strong video streaming CDN
• Czech entity = EU GDPR jurisdiction
• Good Tier 1 peering in Central Europe

CDN77 limitations:

• No meaningful WAF (not a WAF replacement)
• No L7 DDoS protection
• Limited to CDN use case

Best for: EU companies that need CDN-only without WAF — replace Cloudflare's CDN function while keeping WAF elsewhere.

Self-Hosted WAF: Coraza + Nginx/Caddy

If you need WAF without a CDN vendor, self-hosting gives you full control:

# Nginx + Coraza WAF (EU-native Hetzner server)
# coraza.conf
Include /etc/coraza/crs/crs-setup.conf
Include /etc/coraza/crs/rules/*.conf

SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off

# EU server = EU jurisdiction = 0/25 CLOUD Act

Coraza (CNCF project, Apache 2.0) is a Go-native WAF engine compatible with OWASP CRS. Deploy on Hetzner (Nuremberg, Falkenstein, Helsinki) for full EU data sovereignty.

Cost comparison (100GB/month traffic, WAF included):

• Cloudflare Pro: $20/month (CLOUD Act: 20/25)
• BunnyNet + BunnyShield: ~€10–15/month (CLOUD Act: 0/25)
• Gcore Enterprise: Custom pricing (CLOUD Act: 1/25)
• Hetzner CX22 + Coraza: €4.51/month (CLOUD Act: 0/25, full control)

GDPR Compliance Requirements by Cloudflare Feature

Migration Decision Framework

6-Dimension Assessment:

1. Traffic Profile
   → Static files only? → CDN77 or BunnyNet sufficient
   → Dynamic API traffic? → BunnyNet or Gcore with WAF
   → Mixed CDN + compute? → See Cloudflare Workers post for edge functions

2. WAF Requirements
   → Basic OWASP rules? → BunnyShield or self-hosted Coraza
   → ML-based bot detection? → Gcore or accept trade-off
   → Enterprise WAF (managed rules)? → Gcore or self-hosted ModSecurity

3. DDoS Threat Level
   → Standard web attack (L7)? → BunnyShield or Coraza adequate
   → Volumetric DDoS (L3/L4)? → Gcore (1 Tbps capacity) or upstream provider
   → State-level DDoS? → Gcore Enterprise or Tier 1 ISP scrubbing

4. EU Data Residency Need
   → Legal requirement (GDPR Art. 44)? → BunnyNet (0/25) or Gcore (1/25)
   → Contractual requirement (customer DPA)? → BunnyNet or self-hosted
   → Best practice only? → TIA documentation may suffice for Cloudflare

5. Engineering Capacity
   → Full DevOps team? → Self-hosted Coraza + BunnyNet
   → Small team, managed preferred? → Gcore or BunnyNet all-in-one
   → No CDN experience? → BunnyNet (simpler than Cloudflare)

6. Compliance Timeline
   → Audit in <3 months? → BunnyNet (fastest migration)
   → Greenfield? → Build EU-native from day one (BunnyNet + Coraza)
   → Legacy Cloudflare migration? → Phased: CDN first, WAF second

4-Week Migration Plan

Week 1 — Audit

• Run cloudflare-cli log show to inventory what Cloudflare data you generate
• Identify WAF rules currently active (Rules > WAF > Managed Rules)
• Check Bot Management configuration (Security > Bots)
• Document all Cloudflare features in use for GDPR Art. 30 RoPA
• Evaluate your DDoS threat profile (have you been attacked? L3/L4 or L7?)

Week 2 — Choose Replacement Stack

• CDN-only need → BunnyNet trial (free tier available)
• CDN + WAF need → Gcore trial OR BunnyNet + BunnyShield
• WAF-only need → Deploy Coraza on EU server (Hetzner CX22 = €4.51/mo)
• DDoS-primary need → Gcore Enterprise quote

Week 3 — Parallel Run

• Add BunnyNet/Gcore in front of staging environment
• Test WAF rules: verify OWASP CRS equivalence
• Verify cache hit rates match Cloudflare levels
• Test DDoS simulation (coordinate with provider)
• Confirm CDN logs stored in EU storage (BunnyNet: included)

Week 4 — DNS Cutover

• Update GDPR Art. 28 processor list (remove Cloudflare, add replacement)
• Update RoPA (Art. 30) to reflect new CDN processor
• Update Privacy Policy to remove Cloudflare mention (if referenced)
• Execute DNS cutover with 5-minute TTL for quick rollback
• Monitor error rates for 48h post-cutover
• Archive Cloudflare account (don't delete for 30 days — rollback window)

GDPR Article Reference

Pricing Comparison (EU Traffic, 100GB/month)

Note: Self-hosted Coraza has no L3/L4 DDoS protection — pair with Hetzner's free DDoS filtering at network level.

Bottom Line

Cloudflare is an exceptional product — but it is a US entity with confirmed CLOUD Act and FISA 702 exposure. Every IP address your EU visitors send to Cloudflare's network becomes personal data under US jurisdiction.

For EU companies building GDPR-compliant infrastructure:

• CDN-only → BunnyNet (0/25, EU-native, 40-80% cheaper than Cloudflare)
• CDN + WAF → BunnyNet + BunnyShield or Gcore (1/25, EU jurisdiction)
• High-threat DDoS + WAF → Gcore (1 Tbps capacity, Luxembourg entity)
• Maximum control + zero US exposure → Hetzner + Coraza WAF (0/25, self-hosted)
• Cloudflare Workers/Edge Computing → see our dedicated post

If your customers are asking "where is your CDN data processed?" — the answer with Cloudflare is "the United States." With BunnyNet or Gcore, it's "the European Union."

Part of the sota.io EU CDN + WAF Serie — tracking CLOUD Act exposure across the infrastructure tools EU companies use every day. See all posts in the series.