2026-05-22·5 min read·sota.io Team

Cloudflare One EU Alternative 2026: CLOUD Act 23/25 in Zero Trust Network Access

Post #1224 in the sota.io EU Cyber Compliance Series

Cloudflare One EU Alternative 2026 — Zero Trust Network Access CLOUD Act Analysis

Cloudflare has two entirely different product lines with radically different data-sovereignty profiles. The CDN, WAF, R2 object storage, and Workers edge-computing products accelerate and protect web traffic at the edge — exposure is primarily HTTP metadata and IP addresses. Cloudflare One is something else entirely: it replaces your corporate VPN, your web proxy, your network firewall, and your SaaS access controls with a single cloud-delivered security stack. Every DNS query your employees make. Every HTTPS session. Every device posture check. Every SaaS audit log. All of it transiting a Delaware C-Corp with FedRAMP authorizations and active CISA cooperation agreements.

For EU enterprises buying Cloudflare One to satisfy GDPR Art.32 (security of processing, including encryption of data at rest and in transit), NIS2 Art.21(2)(h) and (i) (cryptography and encryption policies; access control policies), or DORA Art.9 (ICT security for financial entities), the data-sovereignty question is unavoidable, and the answer is 23 out of 25 on our CLOUD Act risk scale.

Why Cloudflare One Is Different from Cloudflare CDN

European developers and security architects frequently conflate the two product families. The distinction matters for compliance:

Cloudflare CDN/WAF sits in front of your web applications. It caches static assets, filters HTTP requests for known attack signatures, and absorbs DDoS traffic. The data it sees: source IP addresses, HTTP headers, URL paths, and payload metadata for suspicious requests. Your employees' personal data almost never flows through it unless you're protecting an authenticated internal application.

Cloudflare One sits in front of your employees. Its core components, each examined below, are Access (application-level ZTNA), Gateway (DNS and HTTP/S filtering, fed by the WARP device client), CASB (API-level SaaS configuration scanning) and Magic WAN (site-to-site networking); Browser Isolation and Area 1 Email Security round out the suite.

The aggregate data picture: Cloudflare One knows every site your employees visit, every application they authenticate to, the security posture of every device they use, and — via CASB — the permission structure of your entire SaaS estate. This is orders of magnitude more sensitive than CDN/WAF exposure.

Corporate Structure: Delaware C-Corp, NYSE:NET

Cloudflare, Inc. (NYSE: NET) is incorporated in Delaware and headquartered at 101 Townsend Street, San Francisco, California 94107. Founded 2009 by Matthew Prince, Lee Holloway, and Michelle Zatlyn. Market capitalization approximately USD 45 billion (May 2026).

Delaware incorporation means Cloudflare is subject to US federal law for purposes of the Electronic Communications Privacy Act, FISA Title VII, and the CLOUD Act — regardless of where your data is processed or stored. San Francisco HQ means key personnel, encryption key management, and engineering decision-making are on US soil.

Cloudflare does not have a non-US parent. There is no holding structure that takes Cloudflare outside US jurisdiction. For GDPR Chapter V purposes (transfers to third countries), Cloudflare One data transfers to the US qualify as international transfers requiring appropriate safeguards.

CLOUD Act Risk Assessment: 23/25

We evaluate CLOUD Act exposure across five dimensions: corporate structure, US government relationships, data residency, data sensitivity, and legal transparency. Each dimension scores 1–5, where 5 indicates maximum CLOUD Act risk.

D1 — Corporate Structure and Jurisdiction: 5/5

Cloudflare, Inc. is a Delaware C-Corp with US headquarters and US-citizen majority leadership. There is no intermediate holding structure in a non-US jurisdiction. 18 U.S.C. §2713, added by the CLOUD Act, applies directly: a US provider must disclose data in its possession, custody or control regardless of whether that data is located inside or outside the United States, so data stored on EU servers can be compelled by warrant or court order.

NYSE listing reinforces US-primary reporting obligations. Cloudflare's 10-K SEC filings are US regulatory documents. The company operates under the jurisdiction of the Northern District of California federal courts for most legal matters.

Score: 5/5.

D2 — US Government Contracts and Security Relationships: 5/5

Cloudflare has pursued and obtained multiple US government authorizations, FedRAMP authorization for its services and cooperation agreements with CISA among them.

The combination of FedRAMP authorization and active CISA cooperation means Cloudflare has already built the administrative and technical infrastructure for US government access to data it processes. The FISA Court has jurisdiction over Cloudflare as a US electronic communications service provider.

Score: 5/5.

D3 — Data Residency and Infrastructure: 4/5

Cloudflare operates 300+ points of presence globally, including significant EU and UK infrastructure in Frankfurt, Amsterdam, Paris, London, Stockholm, Warsaw, Milan, and Madrid. Their anycast routing architecture means that traffic originating in Germany will usually be processed in the Frankfurt PoP, but there is no guarantee, and the policy enforcement plane for Cloudflare One is globally distributed.

Cloudflare's Data Localization Suite (Regional Services, Customer Metadata Boundary and Geo Key Manager) lets a customer restrict where traffic is inspected, where logs and customer metadata are stored and where TLS private keys are held, with an EU region available. A residency control of this kind restricts where data is processed, not who can be compelled to produce it: the data stays within the possession, custody or control of a US provider, which is exactly the condition 18 U.S.C. §2713 attaches to. The suite is an add-on rather than the default, and Cloudflare One policy enforcement remains globally distributed.

For Cloudflare One deployments without the Data Localization Suite, EU employee network traffic may be processed at any Cloudflare PoP globally: anycast steers a client to the nearest healthy PoP, and under load, maintenance or routing changes that PoP need not be in the EU.

Score: 4/5.

D4 — Scope and Sensitivity of Data Accessed: 5/5

Cloudflare One's data exposure is significantly broader than typical cloud applications. Consider what sits in Cloudflare's infrastructure when Cloudflare One is fully deployed:

DNS visibility: Every domain your employees resolve — internal applications, SaaS tools, personal web browsing on corporate devices, health information sites, financial services, HR systems. Cloudflare Gateway processes these DNS queries and uses them for filtering and threat detection.

HTTP/S visibility: With TLS inspection enabled (common in enterprise deployments for DLP enforcement), Cloudflare Gateway decrypts and inspects HTTPS content. Full URL paths, page titles, form field names, and downloaded document metadata become visible to the filtering infrastructure.

Device posture data: the WARP client reports device posture (OS patch level, disk encryption status, endpoint security agent installation and version, certificate presence) and Access and Gateway policies evaluate it on every request. This amounts to a continuously updated fingerprint of every corporate device.

User identity correlation: Access logs correlate user identity (typically from your IdP: Okta, Entra ID (formerly Azure AD), Google Workspace) with every application access event, device used, location (IP), and time. Over time this creates detailed behavioral profiles of individual employees.

SaaS configuration: CASB reads API-level configuration from connected SaaS applications — which means Cloudflare has OAuth tokens that grant read access to file metadata, user permissions, and sharing settings across Microsoft 365, Google Workspace, and other integrated SaaS.

Network flow metadata: Magic WAN captures source/destination IP, port, protocol, and byte counts for all office network traffic — the functional equivalent of a complete netflow archive.

The regulatory classification is clear: under GDPR Art.4(1), the employee data processed by Cloudflare One is personal data, and its movement to US infrastructure falls under Chapter V. Because DNS and browsing logs record visits to health, religious or trade-union sites, they can also reveal Art.9 special-category data, so the Art.46 safeguards have to be adequate for data considerably more sensitive than a plain employee identifier.

Score: 5/5.

D5 — Legal Transparency: 4/5

Cloudflare publishes a transparency report and maintains a warrant canary. The transparency report details government requests by country and request type (national security letters, FISA orders, law enforcement requests). Cloudflare has a documented history of challenging overbroad government demands in court, most notably in the 2013 legal challenge to NSL gag orders.

However, the structural limits of US jurisdiction still apply: NSLs and FISA orders carry gag provisions and may be reported only in the aggregate bands US law permits, a warrant canary can signal at most the first such order, and no amount of litigation changes the fact that the data sits with a provider that can be compelled under 18 U.S.C. §2713.

Cloudflare scores better on transparency than many US cloud providers, but that ceiling caps the score.

Score: 4/5.

Total CLOUD Act Risk: 23/25.

What "23/25" Means for GDPR Art.32 Compliance

GDPR Art.32 requires "appropriate technical and organisational measures" to ensure security appropriate to the risk. When your network security stack is itself a potential point of government-compelled access, the threat model expands beyond external attackers to include legal-compelled disclosure to a foreign government.

The specific GDPR obligations implicated:

Art.32(1)(a) — Pseudonymisation and encryption: Content inspection of HTTPS (as opposed to DNS- or SNI-level filtering) requires decryption. If Cloudflare Gateway performs TLS inspection, the Art.32 encryption protection is broken at the point of inspection and the plaintext exists on Cloudflare's infrastructure. The legal basis for this decryption must be documented, and your organisation, as data controller, remains responsible for the processing under the Art.28 processor requirements.

Art.46 — Transfers to third countries: When Cloudflare processes EU employee data on US infrastructure, and generally whenever the Data Localization Suite is not deployed, each processing event is an international transfer. SCCs (Standard Contractual Clauses) under Art.46(2)(c) are the standard mechanism and will be part of your DPA (Data Processing Agreement) with Cloudflare, but they are a contract between you and Cloudflare: they do not bind the US government and do not override CLOUD Act compelled-access powers.

Art.13/14 — Transparency to employees: Employees must be informed that their network activity is monitored by a US cloud provider subject to CLOUD Act jurisdiction. Many EU works councils (Betriebsrat in Germany, CSE in France, ondernemingsraad under the WOR in the Netherlands) require consultation before deploying network monitoring tools, and the CLOUD Act exposure is material information for that consultation.

NIS2 Art.21(2)(h) and (i): NIS2 mandates "policies and procedures regarding the use of cryptography and, where appropriate, encryption" (point (h)) and "human resources security, access control policies and asset management" (point (i)). ZTNA tools directly implement these controls, which means the ZTNA provider's own data-sovereignty posture becomes an NIS2 compliance matter for your DPO and CISO.

EU-Native Zero Trust Alternatives

Several EU-incorporated companies offer credible ZTNA and SASE functionality without US jurisdiction:

Systancia Gate (France) — 0/25 CLOUD Act

Systancia is a French software company founded in 2001, headquartered in Issy-les-Moulineaux (Île-de-France). Their product Systancia Gate is a purpose-built ZTNA solution for enterprise access control, operating as a SaaS or on-premises deployment. Systancia is French-incorporated with no US parent. French Ministry of Interior and other public sector clients. ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information) certified components. 0/25 CLOUD Act: no US parent, no US-incorporated entity, no FedRAMP or DoD contracts.

Gate supports agentless access via browser, agent-based device posture checks, and integration with existing IdPs. The SaaS offering runs on European infrastructure. For organisations requiring a pure ZTNA use case (replace VPN for application access), Gate covers the Cloudflare Access use case with no CLOUD Act exposure.

Applicable to: VPN replacement, application access control, employee-to-application ZTNA.

WALLIX (France, Euronext: ALLIX) — 0/25 CLOUD Act

WALLIX Group SA (Euronext Growth Paris: ALLIX) is a French publicly listed cybersecurity company specialising in Privileged Access Management and ZTNA. WALLIX Bastion combines PAM with ZTNA capabilities, and is particularly strong for privileged administrator access and jump-server replacement. Founded 2000, Paris-headquartered. ISO 27001 certified, ANSSI references. 0/25 CLOUD Act: French SA, Euronext listed (French regulation), no US parent, no US government contracts.

The WALLIX One SaaS platform extends beyond PAM to include application access control aligned with ZTNA principles. For financial services under DORA Art.9 (ICT security), WALLIX's PAM credentials and EU regulatory alignment are particularly relevant.

Applicable to: Privileged access, admin jump access, application access, DORA-compliant PAM+ZTNA.

T-Systems SASE (Germany) — 0/25 CLOUD Act

T-Systems International GmbH is the B2B subsidiary of Deutsche Telekom AG (XETRA: DTE), headquartered in Frankfurt am Main. T-Systems offers a managed Secure Access Service Edge solution built on European infrastructure with Telekom's sovereign cloud (Open Telekom Cloud, certified BSI C5 level). 0/25 CLOUD Act: German GmbH, Deutsche Telekom AG as parent (German stock corporation with German federal government as largest shareholder via KfW), no US parent, operates under German TKG (telecommunications law) rather than US ECPA.

The T-Systems SASE combines SD-WAN, SWG (Secure Web Gateway), ZTNA (via partner technology validated against German BSI standards), and managed firewall. Particularly strong for German enterprises requiring BSI C5 compliance and existing Deutsche Telekom network contracts.

Applicable to: Enterprise SASE with German/EU regulatory certification, SD-WAN replacement, SWG for large German enterprises.

Rohde & Schwarz Cybersecurity (Germany) — 0/25 CLOUD Act

Rohde & Schwarz Cybersecurity GmbH is a subsidiary of the Rohde & Schwarz Group (Munich, Germany), a privately held German electronics conglomerate founded 1933. Their network security portfolio includes R&S Browser in the Box (remote browser isolation, analogous to Cloudflare Browser Isolation), R&S Trusted VPN (classified network access), and network security appliances. 0/25 CLOUD Act: German GmbH, Rohde & Schwarz private German ownership, BSI-approved products for VS-NfD (restricted) classified material.

For government and defence organisations requiring classified network access, R&S Cybersecurity's BSI VS-NfD certification is unmatched by US ZTNA providers. For commercial enterprises needing remote browser isolation without US data exposure, the Browser in the Box addresses the specific Cloudflare Browser Isolation use case.

Applicable to: Government/defence ZTNA, classified network access, remote browser isolation.

Cato Networks (Israel) — 1/25 CLOUD Act

Cato Networks Ltd is an Israeli company (Tel Aviv) with its SASE platform headquartered outside US jurisdiction. Israel has an EU adequacy decision under GDPR, meaning data transfers from the EU to Israel do not require SCCs or BCRs; they are treated equivalently to intra-EU transfers. 1/25 on the jurisdiction dimensions (4/25 in the table once the D4 product-sensitivity score shared by every ZTNA product is added): Israeli private company, no Delaware incorporation, no US parent, no FedRAMP/DoD contracts. The single point, under D3, reflects a globally distributed PoP network rather than EU-only processing.

Cato SASE is a full-stack ZTNA + SWG + SD-WAN + NGFW-as-a-service platform, the closest functional equivalent to Cloudflare One in terms of scope. Cato's global PoP network includes EU and UK locations (Amsterdam, Frankfurt, London, Paris). The Israeli jurisdiction with EU adequacy decision makes Cato a compliant transfer destination without additional Chapter V safeguards beyond the standard DPA.

Applicable to: Full-stack SASE replacement for Cloudflare One, SD-WAN, enterprise ZTNA at scale.

Comparative CLOUD Act Scoring

Provider                  Jurisdiction           D1  D2  D3  D4  D5  Total
Cloudflare One            US (Delaware)           5   5   4   5   4  23/25
Zscaler                   US (California)         5   5   4   5   4  23/25
Palo Alto Prisma Access   US (California)         5   5   5   4   4  23/25
Systancia Gate            France                  0   0   0   3   0   3/25
WALLIX                    France                  0   0   0   3   0   3/25
T-Systems SASE            Germany                 0   0   0   3   0   3/25
Cato Networks             Israel (EU Adequacy)    0   0   1   3   0   4/25

D1 corporate structure, D2 US government relationships, D3 data residency, D4 data sensitivity, D5 legal transparency, as defined in the scoring section above.

D4 scores for EU-native providers reflect inherent sensitivity of ZTNA products (they see network traffic by design), not US-jurisdiction risk.

Migration Framework: Three Phases from Cloudflare One to EU-Native ZTNA

Moving from a full-stack Cloudflare One deployment to EU-native ZTNA is a significant infrastructure project. The recommended sequence:

Phase 1 — VPN Replacement (Months 1–3): Begin with Cloudflare Access replacement. Deploy the EU-native ZTNA solution (Systancia Gate or Cato ZTNA) alongside Cloudflare One. Migrate applications from Cloudflare Access to the EU solution one by one, starting with internal applications that handle the most sensitive EU personal data (HR systems, payroll, healthcare). Validate identity provider integration (Okta, Entra ID, Google Workspace). Decommission Cloudflare Access for migrated applications.

Phase 2 — SWG and DNS (Months 4–7): Replace Cloudflare Gateway. This requires deploying the EU-native SWG at each office network egress point and redirecting corporate DNS resolvers. Test URL filtering policies, TLS inspection certificates, and bypass rules for financial/health sites that prohibit inspection. Remove the WARP client from corporate devices and, with it, the Gateway inspection root CA from device trust stores; a root CA left behind keeps a decommissioned provider in a position to intercept TLS. Validate that all DNS resolution for EU employee devices no longer routes through Cloudflare, including DNS-over-HTTPS configured directly in browsers, which bypasses the OS resolver.

Phase 3 — Network and SaaS Controls (Months 8–12): Migrate Magic WAN (replace with EU-native SD-WAN), CASB (replace with EU-native SaaS security broker or native SaaS controls), and Area 1 Email Security (replace with EU-native email security gateway, e.g. Hornetsecurity DE, Retarus DE). Revoke the CASB OAuth grants in each SaaS tenant's admin console rather than only deleting the integration on the Cloudflare side, so that the read-access tokens described above do not outlive the contract. This phase is typically the longest because Magic WAN replacement involves physical connectivity changes at office locations.

Parallel workstream — Data Localization Suite exit: If your organisation has the Cloudflare Data Localization Suite, document all data residency guarantees it provides and ensure your EU-native replacement provides equivalent or stronger guarantees. Update your GDPR Art.30 ROPA (Record of Processing Activities) at each phase to remove Cloudflare One processing activities.
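The Phase 2 validation step ("no DNS resolution still routes through Cloudflare") is easy to get wrong because DNS can leave a device by four paths: the OS resolver, DNS-over-HTTPS configured in a browser, DNS-over-TLS, or the WARP tunnel itself. The following is an added example, not code from the original post or from Cloudflare or any vendor above. It audits a constructed resolver configuration and a constructed netflow-style export against Cloudflare's published IPv4 prefixes (embedded as a snapshot of https://www.cloudflare.com/ips-v4), the 1.1.1.1 resolver prefixes, and the public and Gateway DoH hostnames; the flow-record format, sample addresses and the 2408/udp WARP heuristic are assumptions made for the example.

```python
"""Audit an endpoint's DNS path after Cloudflare Gateway decommissioning.

Added example: checks resolver configuration and DNS/tunnel flow records for any
path that still terminates at Cloudflare (Gateway or public resolver, DoH, DoT or
the WARP tunnel). Sample inputs below are constructed for the example.
"""
import ipaddress
import re

# Cloudflare's published IPv4 prefixes (https://www.cloudflare.com/ips-v4),
# embedded as a snapshot so the audit runs offline. Re-fetch before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(p) for p in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]
# The 1.1.1.1 public resolver is announced from prefixes outside that list.
CLOUDFLARE_RESOLVER_V4 = [ipaddress.ip_network("1.1.1.0/24"), ipaddress.ip_network("1.0.0.0/24")]
# DNS-over-HTTPS hostnames: the public resolver and per-tenant Gateway endpoints.
CLOUDFLARE_DOH_SUFFIXES = ("cloudflare-dns.com", "cloudflare-gateway.com")

# Matches 'nameserver 1.2.3.4' (resolv.conf) and 'nameserver[0] : 1.2.3.4' (scutil --dns).
_NS_RE = re.compile(r"nameserver(?:\[\d+\])?\s*:?\s*(\d{1,3}(?:\.\d{1,3}){3})")


def is_cloudflare(ip_str):
    """True if ip_str is an IPv4 address inside a Cloudflare prefix."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in CLOUDFLARE_V4 + CLOUDFLARE_RESOLVER_V4)


def resolvers_in(config_text):
    """Nameserver IPs found in resolv.conf or 'scutil --dns' style text."""
    return _NS_RE.findall(config_text)


def classify_flow(record):
    """Classify one flow record 'ts src dst dport proto [sni=host]'.

    Returns 'doh', 'dns', 'dot' or 'warp' when the flow still reaches Cloudflare,
    else None. The record layout is an assumed netflow-style export for this example.
    """
    fields = record.split()
    if len(fields) < 5:
        return None
    _ts, _src, dst, dport, proto = fields[:5]
    sni = next((f[4:] for f in fields[5:] if f.startswith("sni=")), "")
    port = int(dport)
    if port == 443 and sni.endswith(CLOUDFLARE_DOH_SUFFIXES):
        return "doh"   # DoH bypasses the OS resolver entirely, so it is matched by SNI
    if not is_cloudflare(dst):
        return None
    if port == 53:
        return "dns"   # plain DNS to a Gateway or public Cloudflare resolver
    if port == 853:
        return "dot"   # DNS-over-TLS
    if port == 2408 and proto == "udp":
        return "warp"  # WARP WireGuard tunnel (assumed default port); carries all device traffic
    return None


def audit_endpoint(config_text, flow_records):
    """Return (kind, address) findings; an empty list means no Cloudflare DNS path remains."""
    findings = [("resolver", ns) for ns in resolvers_in(config_text) if is_cloudflare(ns)]
    for rec in flow_records:
        kind = classify_flow(rec)
        if kind:
            findings.append((kind, rec.split()[2]))
    return findings


# Constructed sample: a laptop on which Gateway decommissioning was only half done.
SAMPLE_RESOLV_CONF = """\
nameserver 172.64.36.1
nameserver 10.20.0.53
search corp.example
"""
SAMPLE_FLOWS = [
    "2026-05-22T09:01:02Z 10.20.1.17 10.20.0.53 53 udp",
    "2026-05-22T09:01:03Z 10.20.1.17 172.64.36.2 53 udp",
    "2026-05-22T09:01:05Z 10.20.1.17 104.16.248.249 443 tcp sni=cloudflare-dns.com",
    "2026-05-22T09:01:06Z 10.20.1.17 1.1.1.1 853 tcp",
    "2026-05-22T09:01:09Z 10.20.1.17 162.159.192.1 2408 udp",
    "2026-05-22T09:01:10Z 10.20.1.17 93.184.216.34 443 tcp sni=example.com",
]

if __name__ == "__main__":
    for kind, addr in audit_endpoint(SAMPLE_RESOLV_CONF, SAMPLE_FLOWS):
        print(f"{kind:8s} {addr}")
```

Run it against a real export by feeding the device's resolv.conf (or `scutil --dns` output) and a flow export from the office egress; the interesting case is a device whose resolver list is clean but which still shows DoH or WARP flows, because that is exactly the path an OS-level resolver check misses. The sample above produces five findings, one per leftover path, and only the internal resolver and the ordinary HTTPS flow pass.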

GDPR Data Processing Agreement Checklist

For organisations that continue using Cloudflare One during a transition period, or that have assessed the risk as acceptable, the DPA review should at minimum cover the Art.28 processor terms, the Art.46 SCCs and their limits against compelled access, the documented legal basis for TLS inspection, and the data-residency commitments of the Data Localization Suite, each of which is discussed above.

Conclusion

Cloudflare One and Cloudflare's CDN/WAF products represent completely different data-sovereignty risk profiles. The CDN/WAF exposure is primarily metadata and IP addresses. Cloudflare One gives a Delaware C-Corp with FedRAMP clearances visibility into every DNS query, every browsing session, every device on your corporate network, and every SaaS application your employees use.

At 23/25 on the CLOUD Act risk scale, Cloudflare One matches Zscaler and Palo Alto Prisma Access: the three dominant US SASE vendors are effectively tied at maximum structural risk. For EU enterprises that need to demonstrate GDPR Art.32 compliance without relying solely on SCCs to mitigate US government access risk, Systancia Gate, WALLIX, T-Systems SASE, and Cato Networks offer functional ZTNA coverage at 0–1/25 on the jurisdiction dimensions (3–4/25 in the full table, where the remaining points reflect the inherent sensitivity of any ZTNA product rather than US jurisdiction).

The migration is non-trivial but tractable. The three-phase framework (VPN replacement → SWG/DNS → Network/SaaS) provides a structured path that allows business continuity while eliminating CLOUD Act exposure progressively.


This is Post #1224 in the sota.io EU Compliance Series. Previous post: Palo Alto Prisma Access EU Alternative 2026 (Post #1223). Next: Netskope EU Alternative 2026 (Post #1225).

sota.io is an EU-native managed PaaS — deploy any language on Hetzner Germany infrastructure, 100% GDPR, zero CLOUD Act exposure. Start free →
