2026-05-20 · 5 min read · sota.io Team

Cloudflare R2 EU Alternative 2026: Zero Egress Fees Don't Mean Zero CLOUD Act Risk

Post #1162 in the sota.io EU Cloud Sovereignty Series

Cloudflare R2 EU Alternative 2026 — CLOUD Act Risk and EU-native Object Storage Alternatives

Cloudflare R2 solved the egress cost problem that made AWS S3 so expensive. No egress fees. S3-compatible API. EU storage locations. For EU developers trying to cut cloud costs, R2 looks like the obvious choice. But EU storage location does not equal EU jurisdiction. Cloudflare, Inc. is incorporated in Delaware, headquartered in San Francisco, and listed on NYSE as NET. That makes every R2 bucket — regardless of its physical location — accessible under the US CLOUD Act.

This guide explains where R2's GDPR exposure actually sits, why "EU region" marketing does not protect against FISA §702 or CLOUD Act §2713, and which EU-native object storage services operate at 0/25 CLOUD Act risk.


Cloudflare, Inc. — Corporate Structure

| Parameter | Detail |
|---|---|
| Legal entity | Cloudflare, Inc. |
| Incorporation | Delaware, USA |
| Headquarters | 101 Townsend Street, San Francisco, CA 94107 |
| Founded | 2009 (Matthew Prince, Lee Holloway, Michelle Zatlyn) |
| Stock exchange | NYSE: NET |
| Market cap | ~$43B (Q1 2026) |
| Employees | ~4,000 |
| Parent company | None (independent US public company) |
| US subsidiaries | Cloudflare Networks LLC, Cloudflare UK Ltd (UK subsidiary), etc. |
| CLOUD Act §2713 | Applies — US-incorporated entity |
| FISA §702 eligible | Yes — electronic communications service provider |

Cloudflare's transparency report acknowledges receiving and complying with US government legal process including National Security Letters (NSLs) and court orders. In 2016, Cloudflare challenged a gag order accompanying an NSL — a rare act of transparency. But challenging a gag order is not the same as being exempt from the underlying compelled disclosure obligation.


CLOUD Act Score: 16/25

The sota.io CLOUD Act Risk Index scores US-incorporated SaaS/cloud providers across 25 risk dimensions. Higher = more GDPR Art.44 transfer risk.

| Risk dimension | Score | Evidence |
|---|---|---|
| US incorporation (Delaware) | 3/3 | Cloudflare, Inc. 10-K SEC filing |
| US operational HQ | 1/1 | San Francisco, CA |
| NYSE-listed public company | 1/1 | NYSE: NET — SEC reporting entity |
| FISA §702 collection eligible | 2/3 | Electronic communications service; PRISM participation unconfirmed |
| CLOUD Act §2713 compelled disclosure | 3/3 | Applies by statute; documented compliance in transparency reports |
| Law enforcement request compliance | 2/2 | Transparency report published; requests fulfilled |
| Control plane US jurisdiction | 2/2 | R2 API, dashboard, account management in US infrastructure |
| Compute jurisdiction not guaranteed EU | 1/1 | Workers run on Anycast network; EU execution not guaranteed |
| No contractual CLOUD Act waiver | 1/1 | Enterprise agreements do not contractually exclude US legal process |
| EU infrastructure (mitigant) | 0/−2 | EU regions exist but do not change corporate jurisdiction |
| No confirmed PRISM participation | 0/−1 | Not confirmed as direct PRISM participant (unlike Google/Microsoft/Meta) |
| No federal contractor status | 0/−1 | Not a classified federal contractor (unlike AWS, Microsoft) |
| Total | 16/25 | |

For comparison: AWS S3 = 21/25, Google Cloud Storage = 20/25, Hetzner Object Storage = 0/25.


5 GDPR Exposure Points in Cloudflare R2

1. R2 Control Plane Operates Under US Jurisdiction

R2 buckets may store objects physically in EU locations (Cloudflare's WEUR or EEUR location hints), but every API call — CreateBucket, PutObject, GetObject, DeleteObject, HeadObject — routes through Cloudflare's global API infrastructure under US operational control.

Under CLOUD Act §2713 (18 USC §2713), US providers must comply with compelled disclosure orders for data in their "possession, custody, or control" — regardless of where the data is physically stored. Cloudflare controls R2. Physical EU location provides zero CLOUD Act protection.

GDPR Art.44 problem: Any transfer of personal data to a system where the controller is a US person is a third-country transfer requiring a lawful mechanism (Standard Contractual Clauses, Adequacy Decision). R2 objects containing personal data are subject to this requirement even in EU regions.

2. Account and Audit Data in US-Controlled Systems

All Cloudflare account management flows through dash.cloudflare.com — a US-controlled system. This includes:

These are processed by Cloudflare's US entity under US law. A CLOUD Act or FISA §702 order targeting Cloudflare would give US authorities access to all account data and the metadata of every R2 access request — even without touching the objects themselves.

Under GDPR Art.4(1), IP addresses, access timestamps, and object keys that relate to identified or identifiable persons are personal data. The account-level metadata alone creates a GDPR-regulated transfer.

3. Workers Integration: Compute Jurisdiction is Not Guaranteed EU

R2's most powerful use case is pairing it with Cloudflare Workers for serverless compute. A Worker reading from or writing to an R2 bucket executes on Cloudflare's Anycast edge network — which routes requests to the nearest Cloudflare data centre globally.

Without explicit Smart Placement configuration or subrequest routing, Worker execution for EU users may occur at edge nodes outside the EU/EEA. Even with Smart Placement enabled, there is no contractual guarantee of EU-exclusive execution. Workers accessing R2 objects can:

GDPR Art.29 implication: Workers that process personal data are "processors" under GDPR. Cloudflare's DPA covers Workers, but the underlying CLOUD Act jurisdiction question remains: Cloudflare, Inc. processes the data, and US authorities can compel disclosure.

4. Cloudflare Zero Trust / Access Integration

Many teams use Cloudflare R2 alongside Cloudflare Access (the Zero Trust component) to gate R2 access. The authentication layer sits entirely within Cloudflare's US-controlled infrastructure:

An Access policy protecting an R2 bucket means every authentication event is logged in a US-controlled system under CLOUD Act jurisdiction. For applications serving EU users, this creates a systematic GDPR Art.44 transfer problem.

5. Transparency Report: CLOUD Act Compliance Documented

Cloudflare publishes a Transparency Report listing requests received from US authorities. The 2024 report shows:

The transparency report is good corporate practice, but it confirms what the CLOUD Act predicts: Cloudflare has received and will continue to receive compelled disclosure orders from US authorities. EU enterprises storing personal data in R2 — even in EU-region buckets — should treat this as a documented GDPR Art.44 transfer risk, not a theoretical one.


EU-Native Object Storage Alternatives (0/25 CLOUD Act)

Hetzner Object Storage — 0/25

Entity: Hetzner Online GmbH, Martin-Luther-Str. 1, 91710 Gunzenhausen, Germany
Jurisdiction: Germany (GDPR Art.44 no transfer required)
CLOUD Act: 0/25 — no US parent, no US operations

| Metric | Detail |
|---|---|
| API compatibility | S3-compatible (AWS SDK, s3cmd, rclone, boto3) |
| Storage regions | Nuremberg (NBG1, Germany), Falkenstein (FSN1, Germany), Helsinki (HEL1, Finland) |
| Price | €0.0115/GB/month + €0.0045/10,000 requests (PUT/GET) |
| Egress | €0.01/GB (intra-EU egress, significantly cheaper than R2 cross-region) |
| Free tier | 1 TB storage + 10,000 requests included in dedicated server plans |
| SLA | 99.95% |
| DPA | German law DPA, GDPR-compliant, Art.28 template available |

```python
# boto3 — drop-in replacement for R2
import os
import boto3

s3 = boto3.client(
    "s3",
    endpoint_url="https://nbg1.your-objectstorage.com",  # or fsn1/hel1
    aws_access_key_id=os.environ["HETZNER_ACCESS_KEY"],  # S3 credentials from the Hetzner Console
    aws_secret_access_key=os.environ["HETZNER_SECRET_KEY"],
    region_name="eu-central",
)
with open("file.pdf", "rb") as data:
    s3.put_object(Bucket="my-eu-bucket", Key="file.pdf", Body=data)
```

Migration from R2: Change endpoint_url from https://<account_id>.r2.cloudflarestorage.com to the Hetzner endpoint. All S3 API calls work unchanged.


Scaleway Object Storage — 0/25

Entity: Scaleway SAS (Iliad Group), 8 rue de la Ville l'Évêque, 75008 Paris, France
Jurisdiction: France (GDPR Art.44 no transfer required)
CLOUD Act: 0/25 — no US parent, Iliad is a French company

| Metric | Detail |
|---|---|
| API compatibility | S3-compatible |
| Storage regions | Amsterdam (nl-ams), Paris (fr-par) |
| Price | €0.015/GB/month (first 75 GB free) |
| Egress | First 75 GB/month free, then €0.02/GB |
| Free tier | 75 GB storage + 75 GB egress per month |
| DPA | French DPA/CNIL registered, GDPR Art.28 |

```shell
# rclone config for Scaleway: non-interactive equivalent of answering the `rclone config` prompts
rclone config create scaleway s3 \
  provider=Other \
  endpoint=s3.nl-ams.scw.cloud \
  region=nl-ams \
  access_key_id="$SCW_ACCESS_KEY" \
  secret_access_key="$SCW_SECRET_KEY"
# Verify the remote works
rclone lsd scaleway:
```

OVHcloud Object Storage — 1/25

Entity: OVH SAS, 2 rue Kellermann, 59100 Roubaix, France
Jurisdiction: France (GDPR Art.44 no transfer required)
CLOUD Act: 1/25 — OVH has a US subsidiary (OVHcloud US Corp.) for the US market, but EU data stays under the French entity

| Metric | Detail |
|---|---|
| API compatibility | S3-compatible + OpenStack Swift |
| Storage regions | GRA7 (Gravelines, France), DE1 (Frankfurt, Germany), WAW1 (Warsaw, Poland) |
| Price | €0.0085/GB/month (cheapest in comparison) |
| Egress | €0.011/GB outgoing |
| DPA | French law, GDPR Art.28 |

OVH is the most cost-effective option for EU object storage. At scale (100 TB), OVH costs ~€870/month vs Cloudflare R2 at ~$1,500/month (with Workers execution costs).


MinIO (Self-Hosted on EU VPS) — 0/25

Entity: MinIO, Inc. (company behind the software) is US-based, but self-hosted MinIO runs entirely under your control
Jurisdiction: Your choice — deploy on Hetzner/OVH/Scaleway for 0/25
CLOUD Act: 0/25 when self-hosted on EU infrastructure

MinIO is Apache 2.0 licensed, S3-compatible, and runs on any Linux VPS. The perfect choice when you need S3 compatibility but want zero dependency on any external cloud provider.

```shell
# Deploy MinIO on Hetzner CX21 (€7.17/month)
# Generate the root password once and store it; generating it inline in the docker command
# would leave you with a running server whose password nobody knows
MINIO_ROOT_PASSWORD="$(openssl rand -hex 32)"
(umask 077 && printf '%s\n' "$MINIO_ROOT_PASSWORD" > /root/minio-root-password)
docker run -d --name minio --restart unless-stopped \
  -p 9000:9000 -p 9001:9001 \
  -v /data/minio:/data \
  -e "MINIO_ROOT_USER=admin" \
  -e "MINIO_ROOT_PASSWORD=$MINIO_ROOT_PASSWORD" \
  minio/minio server /data --console-address ":9001"
```

For production: use MinIO with TLS termination (Nginx/Caddy), distributed erasure coding (4+ nodes for durability), and Prometheus monitoring.


Storj Decentralized Storage — 3/25

Entity: Storj Labs, Inc. (Atlanta, GA, USA) — but data is stored across globally distributed nodes
Jurisdiction: Decentralized (EU segment selection possible)
CLOUD Act: 3/25 — US parent entity, but data sharded with erasure coding across EU nodes with client-side encryption

Storj is unique: data is split into 80 pieces, only 29 needed for reconstruction, each encrypted before leaving the client. Even Storj cannot access your data without your encryption keys. EU geographic segment ensures node selection in EU/EEA. The US entity issue remains, but technical controls dramatically reduce actual CLOUD Act risk.

Price: $4/TB/month storage, $7/TB egress — competitive with R2.


Cost Comparison: R2 vs EU-Native at Scale

| Provider | 10 TB storage | 5 TB egress | Control | CLOUD Act |
|---|---|---|---|---|
| Cloudflare R2 | $150/mo | $0 (zero egress) | US/Delaware | 16/25 |
| AWS S3 (eu-west-1) | $230/mo | $460/mo | US/CLOUD Act | 21/25 |
| Hetzner Object Storage | €115/mo | €50/mo | DE/0 transfer | 0/25 |
| Scaleway Object Storage | €150/mo | €100/mo (after free tier) | FR/0 transfer | 0/25 |
| OVHcloud Object Storage | €87/mo | €55/mo | FR/0 transfer | 1/25 |
| MinIO on Hetzner CX41 | €17/mo VPS | €0 (included) | Your control | 0/25 |

R2 egress advantage vs EU alternatives: Cloudflare R2's zero egress model is compelling at scale if you're serving content globally through Cloudflare CDN. But if you're primarily serving EU users and using a separate CDN or direct access, Hetzner/OVH have lower all-in costs.


GDPR Art.44 Transfer Analysis

Under GDPR Art.44, personal data may only be transferred to a third country (here: the US) if:

  1. Adequacy Decision — The EU-US Data Privacy Framework (DPF) covers Cloudflare. Cloudflare is DPF-certified. However, as with Schrems II, DPF certification does not immunise against CLOUD Act or FISA §702 collection. Max Schrems and NOYB have already indicated intent to challenge DPF validity. If DPF is invalidated (as Safe Harbor and Privacy Shield were), all R2-based GDPR transfers lose their legal basis overnight.

  2. Standard Contractual Clauses (SCCs) — Cloudflare offers SCCs in its DPA. SCCs survive a DPF invalidation, but they require a Transfer Impact Assessment (TIA) under EDPB Guidelines 05/2021. A TIA for R2 must acknowledge that US FISA §702 and CLOUD Act §2713 can override SCCs — and document why "supplementary measures" are sufficient. Most EU DPOs conclude that no supplementary measure can override a US court order.

  3. EU-native alternative = no Art.44 analysis needed — When data stays in Germany (Hetzner), France (Scaleway/OVH), or your own EU-hosted MinIO, GDPR Art.44 does not apply. There is no third-country transfer. This eliminates the DPF/SCC dependency and Schrems risk entirely.


Migration from R2 to Hetzner Object Storage: 4-Week Roadmap

Week 1: Audit

```shell
# List all R2 buckets and estimate data size
npx wrangler r2 bucket list
# For each bucket, count objects and total bytes over the S3 API
# (assumes an rclone remote named "r2" configured against https://<account_id>.r2.cloudflarestorage.com)
rclone size r2:<bucket-name>
```

Identify buckets containing personal data (profile images, user uploads, documents, logs with IPs). These require Art.44 remediation. Static assets (JS bundles, CSS, images with no personal data) have lower urgency.

Week 2: Provision Hetzner Object Storage

```shell
# Create Hetzner project and S3 credentials in Hetzner Console, then export them for the AWS CLI
export AWS_ACCESS_KEY_ID="$HETZNER_ACCESS_KEY"
export AWS_SECRET_ACCESS_KEY="$HETZNER_SECRET_KEY"

# Test connection
aws s3 ls s3://test-bucket/ \
  --endpoint-url https://nbg1.your-objectstorage.com \
  --region eu-central

# Create target bucket
aws s3 mb s3://my-eu-production-bucket \
  --endpoint-url https://nbg1.your-objectstorage.com \
  --region eu-central
```

Week 3: Dual-Write Migration

```python
# Dual-write shim: writes to both R2 and Hetzner during transition
import os
import boto3

def s3_client(prefix, region):
    # Endpoint and credentials from the environment, e.g. R2_ENDPOINT, R2_ACCESS_KEY, R2_SECRET_KEY
    return boto3.client("s3", endpoint_url=os.environ[f"{prefix}_ENDPOINT"],
                        aws_access_key_id=os.environ[f"{prefix}_ACCESS_KEY"],
                        aws_secret_access_key=os.environ[f"{prefix}_SECRET_KEY"],
                        region_name=region)

r2 = s3_client("R2", "auto")                  # https://<account_id>.r2.cloudflarestorage.com
hetzner = s3_client("HETZNER", "eu-central")  # https://nbg1.your-objectstorage.com

def put_object_migrated(bucket, key, body):
    # body must be bytes (it is uploaded twice); Hetzner is the new system of record, so write there first
    hetzner.put_object(Bucket=f"hetzner-{bucket}", Key=key, Body=body)
    r2.put_object(Bucket=bucket, Key=key, Body=body)  # keep R2 in sync during cutover
```

Week 4: Cutover

```shell
# Sync remaining objects using rclone
rclone sync r2:old-bucket hetzner:new-bucket \
  --progress \
  --transfers=16 \
  --checkers=32 \
  --s3-upload-concurrency=16

# Verify checksums
rclone check r2:old-bucket hetzner:new-bucket

# Update DNS/CDN to point to Hetzner endpoint
# Update application config: STORAGE_ENDPOINT=https://nbg1.your-objectstorage.com
# Remove R2 API credentials from secrets vault
```
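Before signing off the cutover it helps to know which objects can never be verified by ETag alone. The following is an added example (ours, not code from the post or from Hetzner/Cloudflare) that walks both buckets with a boto3 ListObjectsV2 paginator and classifies every source key; the `client` argument is assumed to be a boto3 S3 client and is left out so the comparison itself runs offline on the constructed sample listings.

```python
import re

# Constructed sample listings in the shape a paged ListObjectsV2 walk produces:
# key -> (size in bytes, ETag without quotes). Not real bucket contents.
R2_LISTING = {
    "avatars/u1.png": (1024, "9e107d9d372bb6826bd81d3542a419d6"),
    "avatars/u2.png": (2048, "e4d909c290d0fb1ca068ffaddf22cbd0"),
    "exports/2025.csv": (4096, "d41d8cd98f00b204e9800998ecf8427e"),
    "video/big.mp4": (52428800, "3858f62230ac3c915f300c664312c63f-7"),
}
HETZNER_LISTING = {
    "avatars/u1.png": (1024, "9e107d9d372bb6826bd81d3542a419d6"),
    "avatars/u2.png": (2048, "00000000000000000000000000000000"),
    "video/big.mp4": (52428800, "5d41402abc4b2a76b9719d911017c592-5"),
}

# Multipart uploads get an ETag of the form <md5 of part md5s>-<part count>
MULTIPART_ETAG = re.compile(r"^[0-9a-f]{32}-\d+$")

def list_bucket(client, bucket):
    """Walk a bucket (R2 or Hetzner) into the dict shape above using a ListObjectsV2 paginator."""
    listing = {}
    for page in client.get_paginator("list_objects_v2").paginate(Bucket=bucket):
        for obj in page.get("Contents", []):
            listing[obj["Key"]] = (obj["Size"], obj["ETag"].strip('"'))
    return listing

def diff_listings(src, dst):
    """Classify every source key as missing, size_mismatch, etag_mismatch or needs_content_check."""
    report = {"missing": [], "size_mismatch": [], "etag_mismatch": [], "needs_content_check": []}
    for key, (size, etag) in sorted(src.items()):
        if key not in dst:
            report["missing"].append(key)
            continue
        dsize, detag = dst[key]
        if size != dsize:
            report["size_mismatch"].append(key)
        elif MULTIPART_ETAG.match(etag) or MULTIPART_ETAG.match(detag):
            # Multipart ETags depend on part size, not only content, so they differ legitimately
            # between providers; these keys need a download-and-hash check (rclone check --download)
            report["needs_content_check"].append(key)
        elif etag != detag:
            report["etag_mismatch"].append(key)
    return report

def cutover_is_safe(report):
    """Only hard failures block cutover; keys needing a content check are reported, not fatal."""
    return not (report["missing"] or report["size_mismatch"] or report["etag_mismatch"])
```

Run `diff_listings(list_bucket(r2, "old-bucket"), list_bucket(hetzner, "new-bucket"))` against real clients once the rclone sync has finished, and treat anything in `needs_content_check` as not yet verified.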

Workers + R2 to EU-Native Equivalent

If you're using Cloudflare Workers + R2 as a serverless compute + storage stack, the EU-native equivalent is:

| Cloudflare | EU-native equivalent | CLOUD Act |
|---|---|---|
| Cloudflare R2 | Hetzner Object Storage / OVHcloud | 0/25 |
| Cloudflare Workers | sota.io (EU-native managed runtime) | 0/25 |
| Cloudflare KV | Redis on EU VPS / Upstash EU | 0/25 |
| Cloudflare D1 | PostgreSQL on sota.io / PlanetScale EU | 0/25 |
| Cloudflare Access | Keycloak (self-hosted EU) / Authentik | 0/25 |

sota.io deploys applications on Hetzner Germany infrastructure with no US parent entity. Combined with Hetzner Object Storage, you get a complete serverless-equivalent stack at 0/25 CLOUD Act risk.


The EU Object Storage Series

This post is the first in the sota.io EU Object Storage Series — a five-part deep-dive into the CLOUD Act exposure of the major US object storage platforms and the EU-native alternatives:

  1. Cloudflare R2 (this post) — 16/25: Zero egress ≠ zero jurisdiction
  2. Backblaze B2 (next) — California-based, S3-compatible, popular for cost-sensitive backups
  3. Wasabi — Massachusetts-based, "hot storage" at cold-storage prices
  4. Google Cloud Storage — 20/25: PRISM, FISA §702, and EU multi-region misconceptions
  5. EU Object Storage Comparison Finale — Full risk matrix, migration decision framework, TCO at scale

Decision Framework: When R2 is Acceptable vs When to Migrate

R2 is acceptable for EU teams when:

Migrate to EU-native storage when:


Summary

Cloudflare R2 solved the egress lock-in problem, but it did not solve the GDPR jurisdiction problem. Cloudflare, Inc. is a Delaware-incorporated, San Francisco-headquartered, NYSE-listed US corporation. Its published transparency report confirms it receives and complies with US government legal process. CLOUD Act §2713 applies to every byte in every R2 bucket, regardless of the EU storage class selected.

For EU developers who need to store personal data without CLOUD Act exposure, Hetzner Object Storage (0/25, Germany, S3-compatible, €0.0115/GB) provides a drop-in replacement. The migration is a one-line endpoint URL change for boto3/rclone users.

Zero egress fees are a real benefit. But zero CLOUD Act risk requires a European entity — not a European data centre.


Next in the EU Object Storage Series:
Backblaze B2 EU Alternative 2026 — California-based B2 Cloud Storage: S3-compatible, $6/TB/month, but subject to CLOUD Act and California CCPA/US jurisdiction in parallel.

Deploy on EU-native infrastructure with sota.io:
Git-push deploy on Hetzner Germany. No US parent. No CLOUD Act. PostgreSQL included. From €9/month.

EU-Native Hosting

Ready to move to EU-sovereign infrastructure?

sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.