2026-05-17 · 5 min read · sota.io Team

EU Managed Kubernetes 2026: CLOUD Act Risk Matrix — GKE, AKS, EKS, DOKS, Kapsule, OVH

Post #1114 — EU-KUBERNETES-MANAGED-SERIE #5/5 FINALE

EU Managed Kubernetes CLOUD Act Risk Comparison 2026

This is the finale of our five-part series on managed Kubernetes platforms and EU data sovereignty. We've scored six providers across five CLOUD Act dimensions, compared pricing from €25/mo to €200/mo, and mapped every GDPR transfer mechanism needed for compliant EU deployments. Here is the definitive comparison.

The EU Kubernetes CLOUD Act Series — What We Covered

Over the past five posts, we analysed every major managed Kubernetes provider through the lens of CLOUD Act jurisdiction risk, GDPR Article 28/44–49 compliance, and total cost of ownership for EU enterprises:

Post | Provider | CLOUD Act Score | Series
---- | -------- | --------------- | ------
AWS EKS EU Alternative 2026 | Amazon Web Services | 21/25 | Existing post
Google GKE EU Alternative 2026 | Google Kubernetes Engine | 20/25 | #1/5
Azure AKS EU Alternative 2026 | Azure Kubernetes Service | 21/25 | #2/5
DigitalOcean DOKS EU Alternative 2026 | DigitalOcean Kubernetes | 17/25 | #3/5
Scaleway Kapsule vs OVHcloud 2026 | Scaleway Kapsule / OVHcloud | 0/25 · 1/25 | #4/5

Summary in one sentence: US hyperscalers score 17–21/25 on CLOUD Act risk. French-owned EU-native providers score 0–1/25. The gap is 20 risk points and 2.8× the price.


CLOUD Act 5-Dimension Risk Matrix — All Providers

Our scoring methodology applies five equal-weighted dimensions (5 points each, 25 total):

Dimension | What it measures
--------- | ----------------
Corporate Jurisdiction | US-incorporated parent or operating entity subject to 18 U.S.C. § 2713
PRISM / UPSTREAM | NSA surveillance programme participation (confirmed by PRISM slides or court records)
FISA Section 702 / NSL exposure | Known or probable NSL/FISA-702 court orders requiring silent data disclosure
Data Residency | Whether EU data ever transits or resides on US-controlled infrastructure
Sub-processor Chain | Whether US sub-processors inherit CLOUD Act obligations on EU customer data

Full 6-Provider Risk Matrix

Provider | Corporate | PRISM | FISA/NSL | Data Residency | Sub-processors | Total
-------- | --------- | ----- | -------- | -------------- | -------------- | -----
AWS EKS | 5/5 | 5/5 | 4/5 | 4/5 | 3/5 | 21/25
Azure AKS | 5/5 | 5/5 | 4/5 | 4/5 | 3/5 | 21/25
Google GKE | 5/5 | 5/5 | 3/5 | 4/5 | 3/5 | 20/25
DigitalOcean DOKS | 5/5 | 1/5 | 4/5 | 4/5 | 3/5 | 17/25
OVHcloud Managed K8s | 1/5 | 0/5 | 0/5 | 0/5 | 0/5 | 1/25
Scaleway Kapsule | 0/5 | 0/5 | 0/5 | 0/5 | 0/5 | 0/25

Score interpretation:


Provider Deep Dives

AWS EKS — 21/25 (Highest Risk)

Corporate structure: Amazon.com, Inc. — Washington State Corporation, NYSE: AMZN. AWS operates through Amazon Web Services, Inc. (Delaware). Both entities fully subject to U.S. jurisdictional reach.

PRISM: Amazon AWS is a confirmed PRISM participant (NSA slide deck, June 2013). This means the NSA has direct collection capability from AWS infrastructure, including EU regions.

Why EU regions don't help: Amazon Web Services EMEA SARL (Luxembourg) is the data-processing entity for EU customers. But U.S. law reaches Amazon.com, Inc. as parent. A CLOUD Act warrant or NSL is served on the US parent, not the EU subsidiary. EU data boundary ≠ US law barrier.

EKS control plane jurisdiction: The Kubernetes API server, etcd cluster, and control plane components run on AWS-managed infrastructure. Even if worker nodes are in eu-central-1, the control plane is operated by Amazon entities subject to CLOUD Act.

GDPR risk: Art.44-49 international transfer rules apply. SCCs + TIA required. After Schrems II (2020) and CJEU C-311/18, any US-based data transfer requires an adequacy decision or explicit derogation. Data Privacy Framework (DPF) is under active legal challenge (Schrems III filing pending).

Full analysis: AWS EKS EU Alternative 2026


Azure AKS — 21/25 (Highest Risk, tied with EKS)

Corporate structure: Microsoft Corporation — Washington State, NASDAQ: MSFT. Azure operates through Microsoft Ireland Operations Limited (Dublin) for EU customers, but Microsoft Corp. (US) retains CLOUD Act exposure.

PRISM: Microsoft is a confirmed PRISM participant (NSA PRISM slides, 2007 earliest participation). Microsoft is also the largest NSL recipient in the US tech sector by disclosed figures.

EU Data Boundary programme: Microsoft launched the EU Data Boundary initiative (2023) to store and process EU data within EU/EEA. This is a contractual commitment, not a legal shield against CLOUD Act. The US Department of Justice can still serve warrants on Microsoft Corporation even if the physical data is in westeurope.

AKS control plane: Kubernetes API server managed by Microsoft. etcd control plane hosted on Microsoft Azure infrastructure. US-jurisdiction CLOUD Act risk applies.

Pricing: AKS cluster management is free. Compute (3× Standard_D4s_v5 in West Europe) ≈ €200/mo. Premium Tier AKS (SLA-backed control plane) adds €68/mo.

Full analysis: Azure AKS EU Alternative 2026


Google GKE — 20/25

Corporate structure: Google LLC — Delaware Corporation, wholly owned by Alphabet Inc. (Delaware). Alphabet is the parent subject to US jurisdiction.

PRISM: Google is a confirmed PRISM participant (NSA slides, 2009 induction). Like Microsoft and Amazon, Google has received thousands of FISA Section 702 orders and National Security Letters.

etcd jurisdiction: GKE's etcd control plane is operated by Google LLC. Even in regional clusters (europe-west4), the Kubernetes control plane is managed by Google's US-incorporated entity.

GDPR specificity: Google Workspace launched the EU Data Regions programme in 2022. GKE does not have an equivalent "data boundary" commitment. Google's sub-processor list for GKE includes US-based entities.

Pricing: GKE cluster management free (Standard tier). Compute (3× n2-standard-4 in europe-west4) ≈ €190/mo. Autopilot mode (managed nodes) ≈ €165/mo with right-sizing.

Full analysis: Google GKE EU Alternative 2026


DigitalOcean DOKS — 17/25

Corporate structure: DigitalOcean Holdings, Inc. — Delaware Corporation, NYSE: DOCN, headquartered New York City. Fully subject to US jurisdiction.

PRISM: DigitalOcean is NOT a confirmed PRISM participant. This is the key differentiator from the Big Three hyperscalers — and the reason DOKS scores 17/25 instead of 20–21/25.

Why it still scores 17/25: DigitalOcean is a US-incorporated, US-listed company. CLOUD Act warrants (18 U.S.C. § 2713) apply to any US company with qualifying data in its possession, custody, or control. PRISM participation affects the passive surveillance dimension, not the targeted warrant dimension.

DOKS control plane: Kubernetes API server managed by DigitalOcean LLC. EU regions fra1 (Frankfurt) and ams3 (Amsterdam) use US-managed control plane infrastructure. No "EU-operated" version exists.

Pricing: DOKS control plane free. Compute (3× Standard 4vCPU/8GB in fra1) ≈ €130/mo. 5.2× more expensive than Hetzner k3s equivalent.

Full analysis: DigitalOcean DOKS EU Alternative 2026


OVHcloud Managed Kubernetes — 1/25

Corporate structure: OVH SAS — French company, registered Roubaix (Hauts-de-France), parent OVH Groupe SA (Euronext Paris: OVH). No US parent. No US stock exchange listing.

The 1-point risk: OVH US LLC (registered Virginia) is OVH's US-market subsidiary. It is a separate legal entity but the existence of a US subsidiary creates a narrow CLOUD Act exposure vector. OVH does not operate EU customer data through the US entity, but the corporate relationship exists.

Control plane: OVH operates its own Kubernetes control plane infrastructure in OVH-owned data centres in Gravelines (FR), Frankfurt (DE), Warsaw (PL), and others. The control plane is French-entity-operated. No AWS/Azure/Google sub-processor chain.

GDPR: No Art.44-49 international transfer required. Data stays within EU/EEA under OVH's GDPR-compliant framework. Standard Art.28 Data Processing Agreement applies.

Pricing: b2-15 nodes (15GB RAM, 4vCPU) × 3 ≈ €74.50/mo. No control plane fee. Similar to Scaleway Kapsule.


Scaleway Kapsule — 0/25 (Lowest Risk)

Corporate structure: Scaleway SAS — French company, subsidiary of Iliad SA (Euronext Paris: ILD). Headquartered Paris. Xavier Niel (Iliad founder) controls >70% of Iliad. Zero US corporate linkage.

CLOUD Act score 0/25: Scaleway is not incorporated in the US, not traded on US exchanges, not a PRISM participant, does not operate through US subsidiaries, and uses only EU-based sub-processors for core Kubernetes infrastructure.

Control plane: Kapsule runs Kubernetes API server, etcd, and controller-manager exclusively on Scaleway-owned infrastructure in Paris (PAR1/PAR2), Amsterdam (AMS1), and Warsaw (WAW1). No third-party cloud sub-processor for control plane.

GDPR Art.48: Because no international transfer occurs, Scaleway Kapsule fully satisfies GDPR Art.48 (transfer prohibition without adequate safeguards). No SCCs, no TIA, no DPF reliance needed. Your GDPR Art.28 DPA with Scaleway is the only agreement required.

Pricing: GP1-S (10GB, 2vCPU) × 3 nodes ≈ €72/mo. Identical management fee to OVHcloud. 2.8× cheaper than Azure AKS. No egress fees within Scaleway regions.


Total Cost of Ownership (TCO) — 3-Node Production Cluster

This comparison uses equivalent specs: 3 × 4vCPU / 8GB RAM nodes in EU regions, with managed control plane, for a 12-month contract.

Provider | Monthly (compute) | Control Plane | Annual | vs. Kapsule
-------- | ----------------- | ------------- | ------ | -----------
Azure AKS Standard | €200 | Free | €2,400 | 3.3×
AWS EKS | €195 | €68 | €3,156 | 4.4×
Google GKE Standard | €190 | Free | €2,280 | 3.2×
DigitalOcean DOKS | €130 | Free | €1,560 | 2.2×
OVHcloud K8s | €74.50 | Free | €894 | 1.0×
Scaleway Kapsule | €72 | Free | €864 | Baseline
Hetzner k3s (self-managed) | €25 | n/a | €300 | 0.35×

Hetzner note: Hetzner Cloud (CX31: 2vCPU/8GB) × 3 nodes = €25/mo. But k3s on Hetzner is self-managed — no SLA-backed control plane, no automated node upgrades, no managed autoscaler. For teams with DevOps capacity, it is the lowest-cost EU-native option at 0/25 CLOUD Act.


GDPR Compliance by Provider

International Transfer Analysis (GDPR Art.44–49)

Provider | Transfer Required? | Legal Basis Required | Risk Level
-------- | ------------------ | -------------------- | ----------
AWS EKS | Yes (US parent) | SCCs + TIA mandatory | High
Azure AKS | Yes (US parent) | SCCs + TIA mandatory | High
Google GKE | Yes (US parent) | SCCs + TIA mandatory | High
DigitalOcean DOKS | Yes (US corp) | SCCs + TIA mandatory | Medium-High
OVHcloud K8s | Marginal (US subsidiary) | DPA recommended, TIA advisory | Low
Scaleway Kapsule | No | Art.28 DPA only | Minimal

Data Processing Agreement (Art.28) Checklist

All six providers offer a standard GDPR Data Processing Agreement (DPA). For EU-native providers (Scaleway, OVHcloud), the DPA is sufficient. For US providers, a DPA is not enough — you also need:

  1. Standard Contractual Clauses (SCCs) — EU Commission Implementing Decision 2021/914
  2. Transfer Impact Assessment (TIA) — mandatory post-Schrems II (CJEU C-311/18, July 2020)
  3. Supplementary measures — encryption at rest+in-transit with EU-controlled keys, pseudonymisation where feasible
  4. Data Privacy Framework reliance — valid until challenged (Schrems III pending before CJEU)

For DORA-regulated entities (financial services), EBA Guidelines on ICT Risk (EBA/GL/2019/04) add further requirements: auditability, right of inspection, and supervisory access provisions. US-based providers face structural challenges satisfying DORA Art.28(8) audit rights.


Decision Framework: Which Provider for Your Workload

Use Case 1 — Regulatory-heavy workload (banking, healthcare, public sector)

Requirement: GDPR Art.9 sensitive data, DORA/NIS2/ISO27001, DPA audit rights, no international transfer.

Recommendation: Scaleway Kapsule or OVHcloud Managed Kubernetes.

Reason: Only 0/25 and 1/25 providers eliminate international transfer risk. DORA Art.28(8) audit rights are contractually enforceable against EU entities without the structural barriers of US discovery law (28 U.S.C. § 1782).

Use Case 2 — Startup / scale-up, EU market focus

Requirement: Managed Kubernetes, reasonable ops overhead, GDPR-compliant, competitive pricing.

Recommendation: Scaleway Kapsule (simplest, lowest cost) or Hetzner k3s + FluxCD (for teams with GitOps capacity).

Reason: CLOUD Act score 0/25 means no legal team needed for transfer risk analysis. Kapsule is managed (automated upgrades, control plane SLA). Hetzner k3s cuts costs by 65% but requires self-management.

Use Case 3 — Global company with EU subsidiary needing data locality

Requirement: Data must stay in EU, but existing cloud contract is AWS/Azure/Google.

Recommendation: Run EU workloads on Scaleway Kapsule or OVHcloud; keep non-EU workloads on your existing hyperscaler. Use Crossplane or cluster federation for unified GitOps.

Reason: Splitting by jurisdiction (not just by region) is the only legally defensible architecture for Schrems II compliance. Running a separate EU-native cluster for EU customer data is cheaper than a TIA re-audit every 12–18 months.

Use Case 4 — Existing AWS/Azure/GCP investment, risk tolerance acceptable

Recommendation: DigitalOcean DOKS as a step-down (17/25 vs 20–21/25), or accept hyperscaler risk with proper SCCs + TIA documentation.

If you are already on a hyperscaler and the legal review has been done, switching for CLOUD Act reasons alone may not justify migration cost. DOKS is a reasonable middle ground for smaller workloads that need managed Kubernetes without hyperscaler pricing.


Migration Paths

AWS EKS → Scaleway Kapsule

# 1. Export workloads (using Velero for backup)
#    velero install needs either --secret-file or --no-secret; the credentials
#    file below is an assumed path holding the IAM credentials for the backup bucket.
velero install --provider aws --plugins velero/velero-plugin-for-aws \
  --bucket eks-migration-backup --secret-file ./credentials-velero \
  --backup-location-config region=eu-central-1

velero backup create eks-full-backup --include-namespaces '*'

# 2. Provision Kapsule cluster (Terraform)
terraform init && terraform apply -var="region=fr-par" -var="node_type=GP1-S" -var="node_count=3"

# 3. Restore workloads
#    Switch kubectl to the Kapsule context first and install Velero there against
#    the same bucket, so the restore runs on the target cluster, not on EKS.
velero restore create --from-backup eks-full-backup

# 4. Update DNS + validate
kubectl get ingress -A
# Test endpoints, verify PVC binding, check ConfigMaps + Secrets

Expected migration time: 1–2 days for stateless workloads. 3–5 days for stateful workloads with PV migration. Plan for a maintenance window.
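Step 4 above is the part that is usually done by eye. The following script is an added example, not code from the original post or from Velero: it compares a resource inventory taken from the source cluster with one taken from the target after the restore, and flags resources that did not come across, PersistentVolumeClaims that did not bind, and ConfigMaps or Secrets whose data keys changed. The inventories are dicts shaped like the JSON that `kubectl get <kind> -A -o json` returns; the sample data below is constructed by hand.

```python
"""Post-migration validation for a Velero-based EKS -> Kapsule move (added example)."""
import json

# Resource kinds worth checking after a restore; extend as needed.
KINDS = ("Deployment", "StatefulSet", "ConfigMap", "Secret", "PersistentVolumeClaim")


def inventory(kubectl_lists):
    """Map 'kind/namespace/name' -> item over several kubectl JSON list objects."""
    out = {}
    for lst in kubectl_lists:
        for item in lst.get("items", []):
            meta = item["metadata"]
            out[f"{item['kind']}/{meta['namespace']}/{meta['name']}"] = item
    return out


def validate_restore(source_lists, target_lists):
    """Return findings comparing the source (EKS) inventory with the target (Kapsule)."""
    src = inventory(source_lists)
    dst = inventory(target_lists)
    # Anything of a tracked kind present on the source but absent on the target.
    missing = sorted(k for k in src if k.split("/")[0] in KINDS and k not in dst)
    # PVCs that were restored but never reached phase Bound (storage class mismatch etc.).
    unbound = sorted(k for k, item in dst.items()
                     if item["kind"] == "PersistentVolumeClaim"
                     and item.get("status", {}).get("phase") != "Bound")
    # ConfigMaps/Secrets whose set of data keys differs after restore.
    key_mismatch = sorted(k for k, item in src.items()
                          if item["kind"] in ("ConfigMap", "Secret") and k in dst
                          and set(item.get("data", {})) != set(dst[k].get("data", {})))
    return {"missing": missing, "unbound_pvcs": unbound,
            "key_mismatch": key_mismatch,
            "ok": not (missing or unbound or key_mismatch)}


def _item(kind, ns, name, **extra):
    return {"kind": kind, "metadata": {"namespace": ns, "name": name}, **extra}


# Constructed sample inventories (values are placeholders, not real credentials).
SOURCE = [{"items": [
    _item("Deployment", "shop", "api"),
    _item("StatefulSet", "shop", "postgres"),
    _item("PersistentVolumeClaim", "shop", "data-postgres-0", status={"phase": "Bound"}),
    _item("Secret", "shop", "db-creds", data={"username": "dXNlcg==", "password": "cGFzcw=="}),
    _item("ConfigMap", "shop", "api-config", data={"LOG_LEVEL": "info"}),
]}]
TARGET = [{"items": [
    _item("Deployment", "shop", "api"),
    _item("StatefulSet", "shop", "postgres"),
    _item("PersistentVolumeClaim", "shop", "data-postgres-0", status={"phase": "Pending"}),
    _item("Secret", "shop", "db-creds", data={"username": "dXNlcg=="}),
]}]

if __name__ == "__main__":
    print(json.dumps(validate_restore(SOURCE, TARGET), indent=2))
```

In practice, feed it the output of `kubectl --context <source> get <kind> -A -o json` and the same command against the Kapsule context, one list per kind.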

Azure AKS → OVHcloud Managed Kubernetes

OVHcloud supports kubectl contexts natively. The migration path is equivalent to the EKS→Kapsule guide above using OVH's Terraform provider (ovh/ovh):

resource "ovh_cloud_project_kube" "eu_cluster" {
  service_name = var.ovh_project_id
  name         = "eu-production"
  region       = "GRA7"
  version      = "1.30"
}

GKE → Hetzner k3s (budget migration)

# k3sup installs k3s on Hetzner nodes in ~90 seconds
k3sup install --ip <node1-ip> --user root --ssh-key ~/.ssh/hetzner_ed25519
k3sup join --ip <node2-ip> --server-ip <node1-ip> --user root --ssh-key ~/.ssh/hetzner_ed25519
k3sup join --ip <node3-ip> --server-ip <node1-ip> --user root --ssh-key ~/.ssh/hetzner_ed25519

K3s supports the full Kubernetes API — all standard manifests, Helm charts, and operators work unchanged.


Kubernetes Series: All Posts

  1. AWS EKS EU Alternative 2026 — CLOUD Act 21/25, PRISM, Amazon.com WA, existing post
  2. Google GKE EU Alternative 2026 — CLOUD Act 20/25, Google LLC Delaware, etcd jurisdiction
  3. Azure AKS EU Alternative 2026 — CLOUD Act 21/25, Microsoft Corp WA, PRISM participant, EU Data Boundary limitation
  4. DigitalOcean DOKS EU Alternative 2026 — CLOUD Act 17/25, Delaware Corp, no PRISM, US jurisdiction still applies
  5. Scaleway Kapsule vs OVHcloud Kubernetes 2026 — 0/25 and 1/25, French SAS, no US parent, Terraform + Migration Guide
  6. This post — Finale comparison, full risk matrix, decision framework, migration guides

The sota.io Advantage for EU-Native Kubernetes Deployments

If you choose Scaleway Kapsule or OVHcloud Managed Kubernetes, your application layer should match the same CLOUD Act-free jurisdiction. sota.io is an EU-native PaaS hosted exclusively on Hetzner Germany — no US parent, no CLOUD Act exposure, GDPR Art.28 DPA as standard.

Deploy your application tier to sota.io. Run your Kubernetes workloads on Kapsule or OVHcloud. Your entire stack operates under EU jurisdiction with zero CLOUD Act transfer risk:

Internet → sota.io (Hetzner DE, 0/25) → Scaleway Kapsule (0/25) → OVHcloud DB (1/25)

CLOUD Act exposure across your entire stack: 0–1/25. Compare with the equivalent hyperscaler stack: Vercel → GKE → Cloud SQL = 20/25 + 20/25 + 20/25 = compounded risk at every layer.



Conclusion

The EU Kubernetes landscape in 2026 is clearly divided into two tiers:

Tier 1 — US hyperscalers (17–21/25 CLOUD Act risk): AWS EKS, Azure AKS, Google GKE, and DigitalOcean DOKS all operate under US corporate jurisdiction. The Kubernetes control plane is managed by US-incorporated entities. GDPR international transfer safeguards (SCCs + TIA) are required. CLOUD Act warrants can reach EU-region data without your knowledge.

Tier 2 — EU-native providers (0–1/25 CLOUD Act risk): Scaleway Kapsule and OVHcloud Managed Kubernetes are operated by French companies with no US parent. The control plane is hosted on EU-owned infrastructure. No international transfer is required. GDPR Art.28 DPA is sufficient. 2.8× cheaper than AKS.

For DORA-regulated institutions, healthcare providers, public sector bodies, or any organisation processing GDPR Article 9 special-category data — Tier 2 is the only compliant path.

For startups and scale-ups prioritising cost efficiency without full regulatory exposure — Tier 2 also wins on price.

The only reason to stay on Tier 1 for EU workloads is existing investment and lock-in friction. With migration tooling (Velero, k3sup, Terraform) maturing rapidly, that friction is decreasing every quarter.


This post concludes the EU-KUBERNETES-MANAGED-SERIE. Next series coming soon — follow sota.io for updates on EU cloud sovereignty, GDPR compliance, and EU-native infrastructure.
