EU Backup Recovery Comparison 2026: Veeam vs Acronis vs Commvault vs Rubrik vs Cohesity — CLOUD Act Risk Matrix and Migration Guide
Post #6 of 6 in the sota.io EU Backup & Recovery Series — Series Finale
Enterprise backup is the last line of defence against ransomware, hardware failure, and data loss. But for EU enterprises operating under GDPR, NIS2, and the post-Schrems II legal framework, your backup vendor's corporate structure is as important as your RPO and RTO.
This series finale consolidates all five US backup vendors into a single decision framework, presents the complete CLOUD Act risk matrix, and provides a vendor-selection guide calibrated to EU compliance requirements. If you only read one backup compliance article in 2026, make it this one.
The Core Problem: Why Backup Vendors Represent Unique GDPR Risk
Backup systems are uniquely sensitive from a GDPR perspective for three structural reasons:
1. Backup data is a complete replica of your personal data. Every GDPR-sensitive record in your primary systems — customer records, HR files, health data, financial information — exists in identical form in your backup storage. The backup vendor effectively processes every category of personal data your organisation holds.
2. Backup vendors control recovery — the highest-privilege operation. To recover from a ransomware attack, you need your backup vendor's cooperation. This means the vendor's control plane, key management, and cloud services cannot be unavailable or compromised. In practice, this means EU enterprises are deeply dependent on their backup vendor's cloud infrastructure — infrastructure subject to US CLOUD Act orders.
3. Backup anomaly data reveals what you store. Modern AI-driven backup platforms (Cohesity DataHawk, Rubrik Radar, Commvault Threatwise) analyse backup patterns to detect ransomware. This analysis generates metadata that reflects what types of data you store, at what volumes, with what change rates — information that is itself sensitive and flows through US-hosted cloud systems.
Complete CLOUD Act Risk Matrix
| Vendor | Score | Legal Entity | US HQ | SaaS Control Plane | Gov Intel | Cloud Vault |
|---|---|---|---|---|---|---|
| Veeam | 15/25 | Veeam Software Inc. | Columbus, OH | Veeam Data Cloud (US) | Veeam Threat Center (limited) | Veeam Cloud Tier (US SaaS) |
| Acronis | 14/25 | Acronis AG (CH HQ, US ops) | Woburn, MA (SCS LLC) | Acronis Cyber Cloud (US) | Acronis SCS federal contractor | Acronis Cloud (EU regions, US control) |
| Cohesity | 16/25 | Cohesity Inc. | San Jose, CA | Helios SaaS (US) | DataHawk FBI/CISA integration | FortKnox (EU regions, US control) |
| Commvault | 17/25 | Commvault Systems Inc. | Tinton Falls, NJ | Metallic SaaS (US) | CISA JCDC + Arlie AI | Metallic Recovery Reserve (US SaaS) |
| Rubrik | 18/25 | Rubrik Inc. | Palo Alto, CA | RSC Security Cloud (US) | FBI/CISA JCDC + Microsoft $800M | Rubrik Cloud Vault (US SaaS) |
| Bareos | 0/25 | Bareos GmbH & Co. KG | Cologne, Germany | Self-hosted | None | Self-hosted (MinIO/Ceph EU) |
| Proxmox PBS | 0/25 | Proxmox Server Solutions GmbH | Vienna, Austria | Self-hosted | None | Self-hosted (WORM disks) |
| SEP sesam | 0/25 | SEP AG | Waldorf, Germany | Self-hosted | None | Si3 NG WORM (self-hosted) |
| Restic/Borg | 0/25 | Open Source | N/A | Self-hosted | None | Append-only (self-hosted) |
Score Interpretation
| CLOUD Act Score | Risk Level | Recommended Action |
|---|---|---|
| 0-5/25 | Minimal | Proceed — GDPR Art.44 compliant |
| 6-10/25 | Low | Verify DPA and SCCs |
| 11-15/25 | Medium | DPIA required, legal review recommended |
| 16-20/25 | High | Migration to EU-native strongly recommended for sensitive data |
| 21-25/25 | Critical | Immediate migration for any GDPR-sensitive workloads |
Vendor-by-Vendor Risk Summary
Veeam — 15/25 (Medium-High)
Why it scores 15: Veeam Software Inc. is incorporated in Ohio (Delaware-equivalent for federal jurisdiction) with HQ in Columbus, OH. Veeam Data Cloud (the cloud management SaaS) is US-hosted. Veeam's CISA vulnerability disclosures show active US law enforcement engagement on CVE response, but no evidence of active JCDC membership or FBI data-sharing agreements.
Key differentiator: Veeam is the most widely deployed backup platform in EU enterprises and offers the most mature on-premises deployment with minimal SaaS dependency. Veeam Backup & Replication can be fully air-gapped from Veeam's cloud services, reducing CLOUD Act exposure for the backup data itself. The remaining exposure is Veeam's corporate structure (Ohio/Delaware) and Veeam Data Cloud use.
EU recommendation: Veeam with fully on-premises deployment (no Veeam Data Cloud, no Veeam Cloud Connect to US-based service providers) + EU-hosted Veeam Cloud Connect Repository (VCC-R) partner reduces risk to ~9/25. Not zero, but acceptable for medium-sensitivity workloads with DPA in place.
Read the full analysis: Veeam EU Alternative 2026
Acronis — 14/25 (Medium)
Why it scores 14: Acronis has the most complex corporate structure of the series. The parent entity is Acronis AG (Zug, Switzerland — not a GDPR territory but also not US). The US-specific risk comes from Acronis SCS LLC (Woburn, MA) — a US federal government contractor providing backup services to the US Department of Defense. Goldman Sachs Asset Management's $250M investment (US financial institution) adds a further US nexus.
Key differentiator: The Swiss parent structure provides more legal insulation than a pure US corporation. Acronis AG is not directly subject to CLOUD Act — CLOUD Act applies to entities "providing electronic communications service or remote computing service" in the US. Acronis SCS LLC (the US federal subsidiary) is unambiguously subject, but Acronis AG's relationship to SCS LLC creates legal complexity about whether CLOUD Act orders would bind the parent.
EU recommendation: Acronis Cyber Protect with EU data centre selection and Data Processing Agreement referencing the Acronis AG entity (not Acronis SCS LLC) provides better legal insulation than most US backup vendors. However, Acronis Cyber Cloud (the management SaaS) is US-hosted, maintaining Art.44 exposure. Suitable for medium-sensitivity workloads; not recommended for health data, financial services, or critical infrastructure.
Read the full analysis: Acronis EU Alternative 2026
Cohesity — 16/25 (High)
Why it scores 16: Cohesity's IBM integration is the defining risk factor. The 2024 absorption of IBM Storage Protect, IBM Storage Defender, and IBM Safeguarded Copy brought US federal contractor heritage, IBM Watson/watsonx AI processing, and CISA JCDC threat intelligence integration into Cohesity's product portfolio. Combined with Helios SaaS (US-hosted control plane) and FortKnox immutable vault (US-controlled despite EU regions), Cohesity represents elevated jurisdiction risk.
Key differentiator: Cohesity offers "Helios On-Premises" — a self-hosted version of the management plane that eliminates the US-hosted control plane problem. This is a meaningful mitigation option not available from Rubrik or Commvault in the same form. EU organisations that require Cohesity's advanced features (DataProtect, SmartFiles) should evaluate Helios On-Prem as a risk-reduction measure.
EU recommendation: Helios On-Premises deployment with self-hosted FortKnox (Cohesity's immutable vault can be configured with EU-hosted S3-compatible storage) reduces effective score to ~10/25. This requires additional infrastructure investment but is the only path to substantially reduced CLOUD Act exposure while retaining Cohesity features.
Read the full analysis: Cohesity EU Alternative 2026
Commvault — 17/25 (High)
Why it scores 17: Commvault is the highest-scoring of the "pure US" backup vendors (no Swiss parent, no partial EU structure). Commvault Systems Inc. is incorporated in New Jersey, headquartered in Tinton Falls NJ, and listed on NASDAQ (CVLT). All corporate functions are US-anchored. Metallic (Commvault's SaaS offering) is US-hosted. CISA JCDC membership and Arlie AI (LLM-based backup management) processing through US cloud complete the risk profile.
Key differentiator: Commvault's Command Center can be deployed on-premises, but the Metallic SaaS features (AI analytics, cloud search, e-discovery) — increasingly central to Commvault's enterprise roadmap — require US-hosted processing. Commvault's CISA JCDC membership is an active threat intelligence-sharing relationship, not just vulnerability disclosure compliance.
EU recommendation: For large enterprises with existing Commvault investments and on-premises Command Center deployments, the practical risk may be manageable with comprehensive DPA and SCCs. For new deployments or renewals, EU-native alternatives should be evaluated against total cost. Commvault's migration tools (Commvault Backup & Recovery data export) facilitate migration to EU platforms.
Read the full analysis: Commvault EU Alternative 2026
Rubrik — 18/25 (Highest US Vendor)
Why it scores 18: Rubrik tops the CLOUD Act risk table for this series. The combination of RSC (Rubrik Security Cloud, the mandatory cloud management platform — no fully on-premises management option), FBI/CISA JCDC membership, Radar AI anomaly detection (US cloud-processed), and Microsoft's $800M investment in Azure Sentinel + Microsoft Purview integration creates the broadest US jurisdiction exposure of any vendor in this series.
The Zero Trust Contradiction: Rubrik markets itself as a Zero Trust Data Security platform — yet the RSC control plane, which controls all access to Rubrik clusters, is US-hosted and US-law-governed. EU enterprises cannot achieve genuine Zero Trust data sovereignty while dependent on RSC.
Key differentiator: Unlike other vendors in this series, Rubrik does not offer a meaningful on-premises management alternative to RSC. Rubrik's Cloud Data Management architecture is fundamentally cloud-dependent. This makes Rubrik the highest-risk backup vendor for EU enterprises with strict data sovereignty requirements.
EU recommendation: For EU enterprises subject to NIS2 essential entity obligations or DORA (financial services), Rubrik's 18/25 score should trigger a formal DPIA and legal review. Migration to EU-native alternatives is strongly recommended. Rubrik's backup data can be exported via standard formats for migration to Bareos or SEP sesam.
Read the full analysis: Rubrik EU Alternative 2026
Decision Framework: Which Backup Platform for Your EU Compliance Posture?
Use this framework to select the right backup platform based on your EU regulatory environment.
Step 1: Determine Your Regulatory Profile
| Profile | Regulation | Required CLOUD Act Score |
|---|---|---|
| Standard EU enterprise | GDPR only | ≤15/25 acceptable with DPA+SCCs |
| EU essential entity (NIS2) | GDPR + NIS2 Art.21 | ≤10/25 recommended |
| EU critical infrastructure | GDPR + NIS2 + KRITIS | 0/25 strongly recommended |
| EU financial services | GDPR + DORA Art.28 | ≤8/25, full supply chain risk assessment |
| EU healthcare (health data) | GDPR Art.9 + member state health law | 0/25 recommended for backup of health data |
| EU public sector / government | GDPR + national security reqs | 0/25 mandatory in most member states |
Step 2: Map Infrastructure Profile to Platform
| Infrastructure | Best EU-Native Option | Alternative |
|---|---|---|
| Proxmox VE-based | Proxmox Backup Server (PBS) | Bareos with Proxmox plugin |
| VMware vSphere | Bareos with VDDK plugin | SEP sesam with VMware CBT |
| Hyper-V | Bareos with Hyper-V support | SEP sesam |
| Kubernetes / containers | Velero + EU-hosted S3 (MinIO/Hetzner) | Restic with K8s CronJob |
| Cloud-native (EU hosted) | Restic + Hetzner Object Storage | BorgBackup over SSH |
| Mixed (VM + bare metal + cloud) | Bareos (multi-client architecture) | SEP sesam (broadest agent support) |
| SAP HANA / Oracle | SEP sesam (certified SAP partner) | Bareos + SAP Backint |
| High-frequency incremental | Proxmox PBS (chunk deduplication) | Restic (incremental snapshots) |
Step 3: Calculate EU-Native TCO
The single most common barrier to EU-native backup adoption is perceived cost. The following comparison shows 3-year TCO for a 50-server, 100TB backup environment:
| Platform | Year 1 | Year 2 | Year 3 | 3-Year Total |
|---|---|---|---|---|
| Rubrik | €180,000 | €90,000 | €90,000 | €360,000 |
| Commvault | €95,000 | €55,000 | €55,000 | €205,000 |
| Veeam | €45,000 | €25,000 | €25,000 | €95,000 |
| Cohesity | €85,000 | €50,000 | €50,000 | €185,000 |
| Bareos (self-hosted, Hetzner) | €8,500 | €3,500 | €3,500 | €15,500 |
| SEP sesam (licensed, self-hosted) | €22,000 | €8,000 | €8,000 | €38,000 |
| Restic + Hetzner (DevOps managed) | €4,200 | €2,100 | €2,100 | €8,400 |
Assumptions: 50 protected servers, 100TB backup storage, Hetzner infrastructure (EX44 storage nodes €43/mo, 100TB Hetzner Object Storage €700/mo). US vendor costs are typical enterprise contract estimates including support. Actual costs vary significantly by negotiation and features.
Key insight: EU-native solutions are 5-40x cheaper at scale. The primary cost difference is licensing — Bareos, Proxmox PBS, and Restic are open source. Infrastructure costs (Hetzner hardware) are comparable to or lower than the cloud backup storage costs of US SaaS platforms.
Migration Guide: Switching from US Backup Vendors to EU-Native
Pre-Migration Checklist
Before beginning migration, complete the following assessment:
- Inventory all backup jobs — what workloads, what schedules, what retention policies, what recovery SLAs
- Inventory backup data locations — primary storage, offsite copies, cloud vaults (US SaaS), tape
- Identify GDPR-sensitive backup sets — which jobs contain personal data within scope of GDPR Art.9 (health, genetic, biometric, financial)
- Map recovery dependencies — which applications require backup vendor agents, VSS integrations, application-aware backups
- Document current RTO/RPO — baseline for comparison during parallel testing
- Review vendor contracts — notice periods, data export obligations, licence transfer restrictions
Migration Pattern A: Lift-and-Shift to Bareos (Recommended for Complex Environments)
Best for: Large mixed environments (VMware + bare metal + Linux + Windows)
```bash
# Phase 1: Deploy Bareos infrastructure on Hetzner
# Director: AX41-NVMe (6 cores, 64GB RAM, 2x512GB NVMe) — €37/mo
# Storage Daemon: EX44 (4 cores, 64GB RAM, 4x4TB HDD) — €43/mo
# Catalog DB: Dedicated Postgres on AX41

# Phase 2: Deploy File Daemons on all protected hosts
apt install bareos-filedaemon -y
systemctl enable bareos-fd
# Configure with Director address and TLS certificates

# Phase 3: Configure backup jobs parallel to existing solution
# Run both solutions for 2 full backup cycles (typically 2-4 weeks)
# Validate recovery from Bareos before decommissioning old platform

# Phase 4: Configure offsite replication to Hetzner Object Storage
# S3-compatible backend: s3://backup.s3.hetzner.com/your-bucket
```
Bareos job configuration template:
```
Job {
  Name = "daily-vm-backup"
  JobDefs = "DefaultJob"          # inherits Type, Level, Messages and Priority
  Client = "vm-host-01-fd"        # File Daemon on the protected host
  FileSet = "LinuxAll"
  Schedule = "WeeklyCycle"
  Storage = "eu-object-store-1"   # Storage Daemon backed by EU-hosted object storage
  Pool = "Full"
  SpoolAttributes = yes
}
```
Migration timeline: 6-8 weeks for a 50-server environment. Allow extra time for Windows VSS configuration and VMware VDDK integration.
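Phase 3 above ends with "validate recovery from Bareos before decommissioning", which in practice means proving that a restored tree is byte-identical to what was backed up, not just that the restore job reported success. The following is an added example, not code from the Bareos project or from this series: it hashes every file under a source tree and a restored tree and reports what is missing, extra, or silently corrupted. The two trees (a small "production" directory and a "restored" copy with one flipped byte and one lost file) are constructed inline so the check runs offline; in a real parallel-run test you would point `compare_trees` at the live data and at the directory a Bareos restore job wrote.

```python
"""Restore validation: compare a restored tree against its source by SHA-256.
Added example (not from Bareos or sota.io); sample trees are constructed below."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(source: Path, restored: Path) -> dict:
    """Classify every file as verified, mismatched (content differs),
    missing (in source only) or extra (in restore only)."""
    src, dst = hash_tree(source), hash_tree(restored)
    common = src.keys() & dst.keys()
    return {
        "verified": sorted(k for k in common if src[k] == dst[k]),
        "mismatched": sorted(k for k in common if src[k] != dst[k]),
        "missing": sorted(src.keys() - dst.keys()),
        "extra": sorted(dst.keys() - src.keys()),
    }


def restore_is_valid(report: dict) -> bool:
    """A restore passes only if nothing is missing and nothing differs."""
    return not (report["missing"] or report["mismatched"])


def build_sample(base: Path):
    """Constructed sample data: a 'source' tree and a 'restored' copy in which
    one file was silently corrupted and one file was not restored at all."""
    src, dst = base / "source", base / "restored"
    files = {
        "etc/app.conf": b"listen=0.0.0.0\nport=8080\n",
        "data/customers.db": b"\x00" * 4096 + b"rows",
        "data/ledger.csv": b"id,amount\n1,10\n2,25\n",
    }
    for rel, content in files.items():
        for root in (src, dst):
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(content)
    (dst / "data/customers.db").write_bytes(b"\x00" * 4096 + b"rowz")  # one byte flipped
    (dst / "data/ledger.csv").unlink()                                   # lost during restore
    return src, dst


def run_demo() -> dict:
    """Build the sample trees in a temp dir and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = build_sample(Path(tmp))
        return compare_trees(src, dst)


if __name__ == "__main__":
    report = run_demo()
    for category, paths in report.items():
        print(f"{category:10s} {paths}")
    print("restore valid:", restore_is_valid(report))
```

Hashing the source at backup time (and storing the manifest alongside the job record) lets the same comparison detect corruption in the backup copy itself, not only errors introduced on restore; a restore that reports `missing` or `mismatched` entries should block decommissioning of the old platform.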
Migration Pattern B: Proxmox-First Consolidation
Best for: Organisations standardising on Proxmox VE
```bash
# Step 1: Install Proxmox Backup Server on dedicated hardware
# Recommended: Hetzner EX44 (€43/mo) with 4x4TB + NVMe cache

# Step 2: Create datastore and configure backup schedule in PVE
# PVE GUI: Datacenter > Backup > Add
# Storage: your PBS server
# Schedule: 02:00 (daily)
# Mode: Snapshot (for running VMs)
# Retention: keep-daily=7, keep-weekly=4, keep-monthly=12

# Step 3: Verify backup integrity
# Verification runs server-side on the PBS host (datastore name: backup-ds)
proxmox-backup-manager verify backup-ds

# Step 4: Test recovery in isolated environment
# restore takes <snapshot> <archive> <target>; PVE stores VM disks as
# drive-<bus><n>.img archives, so the archive name below is an example
proxmox-backup-client restore vm/100/2026-05-20T02:00:00Z drive-scsi0.img /restore/vm-100-disk-0.raw \
  --repository pbs-server-01:backup-ds
```
Migration timeline: 2-3 weeks for Proxmox-homogeneous environments. PBS integration is native and requires no additional agents.
Migration Pattern C: Restic for Cloud-Native and DevOps Workloads
Best for: Kubernetes, containerised applications, cloud-native data stores
```bash
# Step 1: Create Hetzner Object Storage bucket (EU region)
# Via Hetzner Cloud Console: Storage > Object Storage > Create Bucket
# Region: eu-central (Falkenstein, Germany)
# Cost: €0.022/GB/month

# Step 2: Configure Restic with Hetzner S3
# restic's S3 backend reads the AWS_* variables; the repository URL is
# path-style, s3:https://<endpoint>/<bucket> (fsn1 = Falkenstein endpoint)
export AWS_ACCESS_KEY_ID="hetzner-access-key"
export AWS_SECRET_ACCESS_KEY="hetzner-secret"
restic -r s3:https://fsn1.your-objectstorage.com/your-bucket init

# Step 3: Create backup script (with encryption key in EU-hosted vault)
#!/bin/bash
set -euo pipefail
export RESTIC_REPOSITORY="s3:https://fsn1.your-objectstorage.com/your-bucket"
export RESTIC_PASSWORD_FILE="/etc/restic/password" # local file (mode 0600), EU-hosted
export AWS_ACCESS_KEY_ID="hetzner-access-key"       # credentials stay on the EU host
export AWS_SECRET_ACCESS_KEY="hetzner-secret"
restic backup /data/app-data \
  --exclude-caches \
  --tag "daily-$(date +%Y-%m-%d)"
# Forget old snapshots (retention policy) and reclaim the space they used
restic forget \
  --keep-daily 7 \
  --keep-weekly 4 \
  --keep-monthly 12 \
  --prune

# Step 4: Schedule via systemd timer (not cron — for proper logging)
# /etc/systemd/system/restic-backup.timer
# /etc/systemd/system/restic-backup.service
```
Migration timeline: 1-2 weeks for container/K8s workloads. Restic integrates with Kubernetes via Velero (CNCF) using Hetzner Object Storage as the backend.
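The `--keep-daily 7 --keep-weekly 4 --keep-monthly 12` policy in the Restic script above (and the identical keep-* values in the PBS retention settings of Pattern B) decides which snapshots survive `forget`, and misreading it is a common cause of either runaway storage or of the one snapshot you need being gone. The following is an added example, not restic or Proxmox code: it models the documented semantics of those rules (snapshots are walked newest-first; for each rule, the newest snapshot in each of the N most recent calendar buckets is kept; a snapshot survives if any rule keeps it) over a constructed run of 60 nightly snapshots ending 2026-05-20, plus one same-day re-run to show that only the newest snapshot of a day counts. The snapshot timestamps, the bucket-key format and the function names are this example's own.

```python
"""Model of keep-daily / keep-weekly / keep-monthly retention (restic / PBS semantics,
as documented: newest snapshot per bucket, N most recent buckets). Added example;
snapshot list below is constructed, not taken from a real repository."""
from datetime import datetime, timedelta


def bucket_keys(ts: datetime) -> dict:
    """Calendar bucket a snapshot falls into for each rule (keys are this example's format)."""
    year, week, _ = ts.isocalendar()
    return {
        "daily": ts.date().isoformat(),
        "weekly": f"{year}-W{week:02d}",
        "monthly": f"{ts.year}-{ts.month:02d}",
    }


def apply_policy(snapshots, keep_daily=7, keep_weekly=4, keep_monthly=12):
    """Return (keep, forget); each entry is (timestamp, [rules that kept it])."""
    remaining = {"daily": keep_daily, "weekly": keep_weekly, "monthly": keep_monthly}
    last_key = {}          # most recent bucket already counted, per rule
    keep, forget = [], []
    for ts in sorted(snapshots, reverse=True):          # newest first
        reasons = []
        for rule, key in bucket_keys(ts).items():
            # a rule keeps a snapshot only when it opens a new (older) bucket
            if remaining[rule] > 0 and last_key.get(rule) != key:
                last_key[rule] = key
                remaining[rule] -= 1
                reasons.append(rule)
        (keep if reasons else forget).append((ts, reasons))
    return keep, forget


def build_sample_snapshots(last=datetime(2026, 5, 20, 2, 0), days=60):
    """Constructed sample: one 02:00 snapshot per day for `days` days, plus a
    manual re-run at 14:00 on 2026-05-19 (two snapshots on one day)."""
    snaps = [last - timedelta(days=i) for i in range(days)]
    snaps.append(datetime(2026, 5, 19, 14, 0))
    return snaps


def summarize(keep, forget) -> dict:
    return {
        "kept": len(keep),
        "forgotten": len(forget),
        "kept_dates": sorted({ts.date().isoformat() for ts, _ in keep}),
    }


if __name__ == "__main__":
    kept, forgotten = apply_policy(build_sample_snapshots())
    for ts, why in sorted(kept):
        print(ts.isoformat(), ",".join(why))
    print(summarize(kept, forgotten))
```

Two consequences worth checking against your own schedule: with only 60 days of history the monthly rule keeps 3 snapshots, not 12, because empty months cannot be kept, so the "12 months" of retention only exists once the repository has run for a year; and a snapshot taken later on the same day replaces the nightly one in every bucket, so an ad-hoc manual run just before a corruption event can silently displace the known-good nightly copy.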
The GDPR Compliance Test: 5 Questions to Ask Your Backup Vendor
Before renewing or signing any backup software contract, ask these five questions. Any "no" answer requires a legal review before proceeding.
1. Is your legal entity incorporated outside the United States?
For Veeam, Acronis, Commvault, Rubrik, and Cohesity: No. All are Delaware or other US-state corporations. CLOUD Act jurisdiction applies.
2. Can I deploy your management software entirely on-premises with zero data flowing to your cloud infrastructure?
- Veeam: Yes (with on-prem Console, no Veeam Data Cloud)
- Acronis: Partial (Acronis Cyber Infrastructure on-prem, but Acronis Cloud SaaS features require US connectivity)
- Cohesity: Partial (Helios On-Premises available, but DataHawk external feeds are US-sourced)
- Commvault: Partial (Command Center on-prem, but Metallic features require US cloud)
- Rubrik: No — RSC is mandatory, fully US-cloud-hosted
3. Who holds encryption keys for my backup data stored in your cloud vault, and where are those keys managed?
For all five US vendors, the default answer is: the vendor holds or can access keys, via US-hosted key management systems. Bring-your-own-key (BYOK) options exist but require additional configuration and license entitlement.
For EU-native solutions (Bareos, PBS, Restic): you hold all keys, stored on EU-hosted hardware you control.
4. Do you share backup metadata, anomaly data, or threat intelligence with US law enforcement agencies?
- Rubrik: Yes (JCDC membership, Radar AI metadata to RSC)
- Commvault: Yes (JCDC membership, Arlie AI to Metallic)
- Cohesity: Yes (DataHawk via IBM X-Force + CISA KEV + FBI intel)
- Veeam: Limited (CISA CVE disclosure, no active JCDC membership confirmed)
- Acronis: Yes (Acronis SCS LLC = US federal contractor with active USG relationships)
5. Can you provide a complete Data Protection Impact Assessment (DPIA) for all third-country transfers involved in your platform?
US backup vendors should be able to provide this for GDPR Art.35 compliance. Request it before signing. Evaluate whether their DPIA covers Helios/RSC/Metallic/Veeam Data Cloud metadata processing.
EU Regulatory Landscape: What's Changing in 2026
NIS2 Supply Chain Requirements (Effective October 2024, Enforcement Escalating)
NIS2 Directive Article 21(2)(d) requires essential entities to include supply chain security in their cybersecurity risk management measures. ENISA's October 2024 guidelines on NIS2 supply chain security explicitly identify third-country jurisdiction as a supply chain risk factor for ICT service providers.
National implementations are tightening: BSI (Germany), ANSSI (France), and NCSC-NL (Netherlands) have all issued or are expected to issue guidance in 2026 clarifying that "US CLOUD Act exposure" of backup and recovery platforms constitutes a material supply chain risk for critical infrastructure operators.
Practical implication: If your organisation is an NIS2 essential entity, failing to document and mitigate US CLOUD Act exposure in your backup platform supply chain risk assessment may constitute a compliance failure — even if your backup data hasn't been accessed by US authorities.
EUCS (European Union Cybersecurity Certification Scheme) Cloud Services
The EUCS High assurance level (targeted at public sector and critical infrastructure) requires that cloud services be operated by entities "not subject to non-EU law that may affect the security of the certified service." This explicitly targets CLOUD Act exposure.
Backup SaaS platforms from US vendors will not qualify for EUCS High certification. EU public sector entities required to use EUCS-certified services for critical infrastructure will need EU-native backup platforms.
EUCS High is expected to begin certification of eligible EU cloud services in 2026-2027. Organisations with contractual or regulatory requirements for EUCS-certified backup should begin migration planning now.
DORA (Digital Operational Resilience Act) — Effective January 2025
For EU financial institutions (banks, insurance, investment firms, payment providers), DORA Article 28 requires a Register of Information on all ICT third-party service dependencies, including backup providers. DORA's concentration risk provisions (Article 29) may require switching from US-anchored backup platforms if too many critical functions depend on a single US jurisdiction.
EU financial services regulators (ECB SSM, EBA, EIOPA, ESMA) are conducting DORA horizontal exercises in 2025-2026. Backup platform CLOUD Act exposure will be visible to regulators through DORA reporting.
Conclusion: The Sovereign Backup Imperative
The EU enterprise backup market is at an inflection point. GDPR Schrems II, NIS2 supply chain requirements, EUCS certification, and DORA concentration risk provisions are all converging to create regulatory pressure for EU-sovereign backup infrastructure.
The five US backup vendors covered in this series — Veeam (15/25), Acronis (14/25), Cohesity (16/25), Commvault (17/25), and Rubrik (18/25) — all carry structural CLOUD Act exposure that EU data centre selection alone cannot resolve. For most EU enterprises, the question is not whether to migrate to EU-native backup, but when and how fast.
The EU-native alternatives — Bareos (0/25), Proxmox Backup Server (0/25), SEP sesam (0/25), and Restic/BorgBackup (0/25) — provide enterprise-grade backup functionality at GDPR-compliant 0/25 CLOUD Act scores. The migration effort is real (typically 2-12 weeks depending on environment size) but justified by:
- Regulatory certainty — zero US jurisdiction exposure, clean DPIA, NIS2/DORA compliant
- Cost reduction — 5-40x lower TCO than US enterprise backup licensing
- Vendor independence — open source solutions are not subject to M&A, pricing changes, or US policy shifts
Recommended next steps:
- Score your current backup vendor against the CLOUD Act matrix above
- If score ≥ 15/25 and you process GDPR Art.9 data, initiate a formal DPIA
- Request a proof-of-concept from Bareos or SEP sesam for your environment size
- Evaluate Hetzner infrastructure costs against current US SaaS licensing
- Set a migration timeline aligned with your next backup contract renewal
Read the full series:
- Veeam EU Alternative 2026
- Acronis EU Alternative 2026
- Commvault EU Alternative 2026
- Rubrik EU Alternative 2026
- Cohesity EU Alternative 2026
sota.io is the European PaaS for developers who need EU-sovereign infrastructure. Deploy on Hetzner, OVHcloud, or Scaleway — no US jurisdiction, no CLOUD Act exposure, GDPR Article 44 compliant by default.