Fastly EU Alternative 2026: CDN & WAF Without CLOUD Act Exposure
Post #2 in the sota.io EU CDN & WAF Series
Fastly, Inc. is a Delaware-incorporated Content Delivery Network and edge cloud platform headquartered in San Francisco. Its services — CDN, Next-Gen WAF (powered by Signal Sciences), DDoS protection, Image Optimizer, and Bot Management — process billions of HTTP requests daily. The problem for European companies: every request log, WAF event, and behavioral signal passes through an infrastructure controlled by a US entity subject to the CLOUD Act, FISA §702, and National Security Letters.
This post maps Fastly's GDPR exposure using our 25-point CLOUD Act Risk Matrix, identifies which data flows fall under Articles 4, 22, 25, 28, 44, and 46, and benchmarks three EU-native alternatives for each Fastly service layer.
What Fastly Processes — And Why It's Personal Data
Fastly is not just a static file cache. Its modern edge cloud stack touches multiple categories of personal data as defined by GDPR Art.4(1):
| Fastly Service | Data Processed | GDPR Classification |
|---|---|---|
| CDN Access Logs | IP address, User-Agent, URL path, timestamp, referrer | Personal data (Art.4(1)) — IP = identified/identifiable natural person per EDPB Guidelines 01/2021 |
| Next-Gen WAF | HTTP request body, headers, session tokens, client fingerprint | Behavioral profiling (Art.22) — WAF scoring = automated decision-making |
| Bot Management | TLS fingerprint, JS challenge responses, behavioral patterns, cross-site signals | Cross-site profiling (Art.22 Recital 71) — patterns linked across multiple domains |
| Image Optimizer | URL structure exposing file naming conventions, user-generated content filenames | Potentially sensitive metadata |
| Real User Monitoring (RUM) | Full page load metrics, device fingerprint, geographic coordinates, session replay | Highly sensitive (Art.9 adjacent — location data) |
| Log Streaming | Aggregated access events sent to SIEM/analytics — Fastly pushes to AWS S3, Datadog, Splunk | Additional US-jurisdiction hop |
The key legal trigger is CDN access logs as personal data. The EDPB, Austrian DSB (C-019/2021), French CNIL (délibération SAN-2022-001), and Swedish IMY (IMY-2022-2253) have all confirmed that dynamic IP addresses constitute personal data when combined with timestamp and resource access patterns. Fastly retains access logs and makes them available via real-time log streaming to customer-configured endpoints — all of which exist within Fastly Inc.'s US-jurisdiction infrastructure until the customer pulls them out.
Fastly CLOUD Act Risk Score: 16/25
| Dimension | Score | Rationale |
|---|---|---|
| Corporate Jurisdiction | 5/5 | Fastly, Inc. (Delaware, NASDAQ: FSLY). US Stored Communications Act (18 U.S.C. §2701) + CLOUD Act §2713 apply regardless of where data is stored. |
| Government Contracts | 3/5 | Fastly holds FedRAMP Authorization (Agency ATO). Provides CDN services to multiple US federal agencies. FedRAMP = confirmed government contract relationship + FISMA compliance obligations. |
| Data Exposure Surface | 3/5 | CDN POPs globally, but Fastly's control plane (customer portal, API, management console, certificate issuance, log streaming configurations) is US-based. CLOUD Act compels access to data "in the possession, custody, or control" of the US provider — control plane jurisdiction = data jurisdiction. |
| Behavioral Profiling | 2/5 | WAF + Bot Management create behavioral profiles enabling automated decisions about request handling. GDPR Art.22 requires explicit consent or Art.6(1)(f) balancing test for automated profiling. |
| Transfer Mechanism | 2/5 | Fastly relies on SCCs (Standard Contractual Clauses) for EU-US transfers. However, SCCs do not suspend CLOUD Act jurisdiction — US courts can compel disclosure regardless of contractual arrangements (see Schrems II ruling, CJEU C-311/18, §§96-97). |
| Data Residency Options | 1/5 | Fastly's "EU Region" exists for its Compute@Edge product, but CDN edge nodes are globally distributed. No EU-only CDN-level data residency guarantee in standard contracts. |
Total: 16/25 — High Risk under the CLOUD Act Risk Matrix.
FedRAMP Authorization is the decisive factor elevating Fastly above a generic US CDN. FedRAMP-authorized providers have explicitly accepted government oversight frameworks, making them more likely targets for legitimate legal process — and more likely to have established internal processes for responding to government requests quickly.
GDPR Articles Triggered by Fastly
Art.4(1) — Definition of Personal Data
Every Fastly CDN access log contains personal data. IP address + timestamp + URL path = an identifiable natural person performing a specific action at a specific time. This is not a gray area — five EU DPAs have confirmed it in written decisions (AT DSB, FR CNIL, IT Garante, SE IMY, DK Datatilsynet).
Controller obligation: You must list Fastly as a data processor in your Art.30 Records of Processing Activities (ROPA). If you haven't, you're already non-compliant regardless of any other issue.
Art.22 — Automated Decision-Making
Fastly's WAF makes automated decisions: allow or block a request based on a risk score computed from behavioral signals. If a WAF block results in a user being denied service (e.g., blocked from completing a purchase or accessing their account), this constitutes an automated decision producing a "legal or similarly significant effect" per Art.22(1).
The Next-Gen WAF (Signal Sciences acquisition) specifically uses ML-based behavioral analysis, not just static OWASP ModSecurity rules. The GDPR requires either explicit consent (Art.22(2)(a)), necessity for contract performance (22(2)(b)), or explicit EU law authorization (22(2)(c)) — plus the right to human review on request.
Bot Management intensifies this: Fastly's bot management uses signals collected across multiple websites to build a behavioral reputation score. GDPR Recital 71 explicitly addresses cross-site profiling as a high-risk automated processing activity requiring additional safeguards.
Art.25 — Data Protection by Design
Under Art.25, you must implement data minimization. Enabling Fastly's RUM (Real User Monitoring), detailed bot scoring, or full WAF request body logging collects far more than the minimum necessary. You need a documented necessity analysis for each Fastly feature that processes personal data beyond simple request routing.
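One concrete way to act on the Art.25 minimization duty is to strip access-log records at the point where they are forwarded to a SIEM, before anything is retained. The Go program below is an added example written for this post, not code from Fastly, BunnyNet or any project named here; the record layout and sample values are constructed. It zeroes the host bits of the client IP (/24 for IPv4, /48 for IPv6), replaces the raw IP with a keyed HMAC tag under a rotating key so unique clients can still be counted, collapses the User-Agent to a browser family, removes query strings (which often carry session tokens and search terms), coarsens the timestamp to the hour, and drops the referrer entirely. Unparsable IPs are rejected rather than passed through unchanged.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/netip"
	"strings"
	"time"
)

// AccessEvent is a constructed stand-in for one raw CDN access-log record
// (the fields the post lists: IP, User-Agent, path, timestamp, referrer).
type AccessEvent struct {
	ClientIP  string
	UserAgent string
	Path      string // may carry a query string
	Referrer  string
	Timestamp time.Time
}

// MinimizedEvent is what is forwarded to the SIEM: enough for traffic and
// abuse analysis, with identifying fields removed or coarsened. The referrer
// is dropped entirely.
type MinimizedEvent struct {
	NetworkPrefix string // /24 for IPv4, /48 for IPv6
	ClientTag     string // keyed HMAC of the full IP; rotates with the key
	UAFamily      string
	Path          string // query string removed
	HourBucket    string // timestamp coarsened to the hour (UTC)
}

// truncateIP zeroes the host bits of an address. Unparsable input is an
// error, never passed through unchanged.
func truncateIP(ip string) (string, error) {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return "", err
	}
	bits := 24
	if addr.Is6() {
		bits = 48
	}
	return netip.PrefixFrom(addr, bits).Masked().Addr().String(), nil
}

// clientTag yields a pseudonymous identifier for counting unique clients.
// Rotate key (e.g. daily) so tags cannot be joined across periods; the raw
// IP is needed only at tagging time and is not stored.
func clientTag(ip string, key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(ip))
	return hex.EncodeToString(mac.Sum(nil))[:16]
}

// uaFamily collapses a full User-Agent string into a coarse browser family.
// Chrome is tested before Safari because Chrome UAs also contain "Safari/".
func uaFamily(ua string) string {
	switch {
	case strings.Contains(ua, "Firefox/"):
		return "firefox"
	case strings.Contains(ua, "Chrome/"):
		return "chrome"
	case strings.Contains(ua, "Safari/"):
		return "safari"
	case strings.Contains(ua, "curl/"):
		return "curl"
	}
	return "other"
}

// Minimize applies the minimization step to one event before forwarding.
func Minimize(e AccessEvent, key []byte) (MinimizedEvent, error) {
	prefix, err := truncateIP(e.ClientIP)
	if err != nil {
		return MinimizedEvent{}, fmt.Errorf("minimize: %w", err)
	}
	path := e.Path
	if i := strings.IndexByte(path, '?'); i >= 0 {
		path = path[:i] // query strings often carry tokens and search terms
	}
	return MinimizedEvent{
		NetworkPrefix: prefix,
		ClientTag:     clientTag(e.ClientIP, key),
		UAFamily:      uaFamily(e.UserAgent),
		Path:          path,
		HourBucket:    e.Timestamp.UTC().Format("2006-01-02T15"),
	}, nil
}

func main() {
	key := []byte("constructed-demo-key-rotate-daily")
	ev := AccessEvent{ // constructed sample record
		ClientIP:  "203.0.113.45",
		UserAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0",
		Path:      "/account/orders?session=abc123",
		Referrer:  "https://example.org/",
		Timestamp: time.Date(2026, 1, 15, 9, 42, 0, 0, time.UTC),
	}
	m, err := Minimize(ev, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", m)
}
```

The keyed tag is the design choice worth noting: a bare hash of the IP is trivially reversible over the IPv4 space, whereas an HMAC under a secret, rotated key gives per-period uniqueness counts without a stored mapping back to the address. Whatever you keep after this step should still appear in the Art.30 record as the data the processor receives.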
Art.28 — Data Processing Agreement
You must have a DPA with Fastly covering:
- Subject matter, duration, nature, and purpose of processing
- Type of personal data and categories of data subjects
- Obligations and rights of the controller
- Sub-processor list (Fastly uses multiple sub-processors)
Fastly provides a standard DPA, but note that DPA-level obligations do not override statutory CLOUD Act jurisdiction. A DPA clause saying "Fastly will not disclose data to US authorities without notifying the customer" is contractually void if a National Security Letter prohibits disclosure of the request itself (18 U.S.C. §2709(c)).
Art.44 + Art.46 — International Transfers
Every CDN access log streamed outside the EU/EEA to Fastly's US infrastructure constitutes a "transfer to a third country" under Art.44. Fastly's SCCs (2021 Module 2 — Controller to Processor) are the operative transfer mechanism post-Schrems II.
The gap: SCCs require a Transfer Impact Assessment (TIA). In your TIA, you must evaluate whether US law (specifically the CLOUD Act and FISA §702) "impinges on the practical effectiveness" of the SCCs (CJEU C-311/18 §96). For CDN-level data it is hard to conclude that the SCCs remain effective: US intelligence agencies have documented interest in CDN-level traffic (see the NSA upstream collection program STORMBREW, revealed in the Snowden disclosures).
EU-Native Alternatives: Full Comparison
BunnyNet — 0/25 CLOUD Act Score
CyberFortress OÜ, Tallinn, Estonia. EU-incorporated. No US parent. No CLOUD Act exposure. Estonia = EU member state, GDPR applies natively.
| Feature | BunnyNet | vs. Fastly |
|---|---|---|
| CDN | 114 global POPs, EU-first architecture | 80+ global POPs |
| WAF | Bunny Shield (basic WAF rules) | Signal Sciences Next-Gen WAF (ML-based) |
| DDoS | Layer 3/4/7 mitigation | Layer 3/4/7 + Anycast |
| Edge Compute | Bunny Script (JS, limited) | Compute@Edge (WASM, full) |
| Image Optimizer | Bunny Optimizer (resize, compress, WebP/AVIF) | Fastly Image Optimizer |
| Log Streaming | Real-time logs to S3/HTTP endpoint | Same |
| Pricing | $0.005/GB (EU), free tier available | $0.087/GB (US), higher for EU regions |
| CLOUD Act | 0/25 — Estonian OÜ, no US exposure | 16/25 |
BunnyNet is 6-17× cheaper than Fastly for EU-origin traffic and eliminates CLOUD Act exposure entirely.
Limitation: BunnyNet's WAF (Bunny Shield) is less sophisticated than Signal Sciences. It handles OWASP Top 10 but lacks ML-based behavioral analysis. For teams needing WAF beyond basic rules, pair BunnyNet CDN with self-hosted Coraza WAF (see below).
Gcore — 1/25 CLOUD Act Score
Gcore (G-Core Labs S.A.), Luxembourg. Luxembourg-incorporated entity (EU). US presence via subsidiary, but primary entity is Luxembourg-registered. Operates edge infrastructure across 180+ PoPs.
| Feature | Gcore | vs. Fastly |
|---|---|---|
| CDN | 180+ PoPs, EU-heavy footprint | 80+ PoPs |
| WAF | OWASP + custom rules, DDoS + WAF bundle | Signal Sciences (ML WAF) |
| DDoS | BGP Anycast, 160 Tbps capacity | ~10 Tbps |
| Edge Compute | EdgeWorkers (JS/WASM) | Compute@Edge |
| Gaming CDN | Specialized gaming stack | No gaming specialization |
| Pricing | $0.006/GB for EU traffic | $0.087/GB |
| CLOUD Act | 1/25 — Luxembourg entity, minor US subsidiary exposure | 16/25 |
Gcore's DDoS capacity (160 Tbps) significantly exceeds Fastly's. For high-traffic European services needing DDoS mitigation, Gcore is a strong replacement.
Note: The 1/25 reflects Gcore's US operational presence (Gcore Inc. in Nevada). Legal process from US authorities would need to target the Luxembourg parent — significantly higher legal barrier than a direct CLOUD Act demand to a Delaware corporation.
CDN77 — 1/25 CLOUD Act Score
Datacamp Limited, Prague, Czech Republic. The company is registered in England & Wales for historical reasons, but its operations are Czech/EU-centric; it is part of the Czech Zenet Group, with primary operations in the EU.
| Feature | CDN77 | vs. Fastly |
|---|---|---|
| CDN | 45 PoPs, EU-optimized | 80+ PoPs |
| WAF | Basic Web Application Firewall (OWASP Top 10) | Signal Sciences (ML WAF) |
| Storage | Origin Shield + CDN Storage | No integrated storage |
| Video Streaming | HLS/DASH acceleration, RTMP ingest | No specialized video |
| Pricing | ~€0.012/GB EU tier | $0.087/GB |
| CLOUD Act | 1/25 — Czech operations, minimal US exposure | 16/25 |
CDN77 excels for video streaming workloads (OTT, live streaming). If your Fastly usage is primarily video delivery, CDN77 is purpose-built for this.
WAF Replacement: Coraza + OWASP CoreRuleSet
For teams using Fastly's Signal Sciences WAF — the most advanced part of the Fastly stack — the EU-native replacement is Coraza WAF:
- Coraza (Apache License 2.0): Go-native implementation of the ModSecurity WAF engine. Drop-in for any Go-based reverse proxy (Caddy, Traefik, custom).
- OWASP CRS 4.x: Updated ruleset covering OWASP Top 10 2021, injection attacks, path traversal, scanner detection.
- Deployment: Runs as middleware in your existing Hetzner/EU infra. Zero data leaves your infrastructure.
```nginx
# Nginx + Coraza configuration example
# The two modsecurity directives are the ModSecurity-nginx connector syntax;
# the rules file path below is the one assumed by this post and must point at
# the file that loads your Coraza/OWASP CRS rules.
location / {
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/coraza.conf;
    proxy_pass http://backend;
}
```
CLOUD Act Score: 0/25 — Self-hosted on EU infrastructure has no CLOUD Act exposure.
Gap vs. Signal Sciences: Coraza lacks ML-based behavioral analysis and cross-site reputation scoring. For high-sophistication bot threats, consider:
- Wallarm (with EU-region deployment): ~4/25 — US-incorporated but EU-hosted instance option. TIA possible.
- CrowdSec (SAS, Paris): ~1/25 — French company, collaborative behavioral threat intelligence, EU-native.
4-Week Migration Plan: Fastly → BunnyNet + Coraza
Week 1: Audit & Baseline
- Export Fastly access logs for the last 30 days
- Identify your top 20 cache patterns by hit ratio
- Document all WAF custom rules (Fastly VCL + Signal Sciences rules)
- Map Compute@Edge functions (if any) to equivalent BunnyEdge Scripts
- List all log streaming destinations
Checklist:
- `fastly service list` — catalog all services
- `fastly logging list` — document all log endpoints
- `fastly waf rules list` — export all custom WAF rules
- Record baseline Core Web Vitals (LCP, FID, CLS) from Fastly RUM
Week 2: BunnyNet Configuration
- Create BunnyNet Pull Zone for each Fastly service
- Configure cache rules matching your Fastly cache TTL/vary behavior
- Set up Bunny Shield with OWASP Top 10 rules translated from your Fastly WAF
- Configure Bunny Perma-Cache for large static assets
- Set up Log Forwarding to your EU-based SIEM (Graylog, OpenSearch on Hetzner)
```bash
# BunnyNet API — create Pull Zone
# Replace YOUR_BUNNYNET_API_KEY and the hostnames with your own values.
curl -X POST https://api.bunny.net/pullzone \
  -H "AccessKey: YOUR_BUNNYNET_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "Name": "your-domain-cdn",
    "OriginUrl": "https://origin.your-domain.com",
    "Type": 0,
    "Region": "EU"
  }'
```
Week 3: Traffic Migration (Blue-Green)
- Add BunnyNet CDN hostname as secondary CDN for 10% of traffic (via DNS weighted routing)
- Compare cache hit ratios and error rates between Fastly and BunnyNet
- Monitor Core Web Vitals — BunnyNet should match or exceed Fastly for EU users due to EU-first PoP density
- Gradually shift traffic: 10% → 25% → 50% → 90% → 100%
- Keep Fastly service running in parallel for 72h rollback window
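The weighted-routing steps above need an objective gate between them. The Go program below is an added example for this post, not code from Fastly or BunnyNet; the counters are constructed and would in practice be filled from each provider's forwarded access logs for the comparison window. It decides the next traffic share from three checks: hold when the candidate has too few requests to judge, roll back to 0% when its 5xx rate exceeds the incumbent's by more than a tolerance, hold for cache-rule review when its hit ratio is below the incumbent's by more than a tolerance, and otherwise promote to the next step in the 10 → 25 → 50 → 90 → 100 sequence.

```go
package main

import "fmt"

// WindowStats holds constructed per-CDN counters for one comparison window
// (for instance the last hour of weighted-DNS traffic).
type WindowStats struct {
	Requests  int
	CacheHits int
	Status5xx int
}

func (w WindowStats) HitRatio() float64 {
	if w.Requests == 0 {
		return 0
	}
	return float64(w.CacheHits) / float64(w.Requests)
}

func (w WindowStats) ErrorRate() float64 {
	if w.Requests == 0 {
		return 0
	}
	return float64(w.Status5xx) / float64(w.Requests)
}

// rolloutSteps are the traffic shares the migration plan walks through.
var rolloutSteps = []int{10, 25, 50, 90, 100}

// NextWeight returns the traffic share (percent) to give the candidate CDN
// in the next step, plus the reason. Order matters: a sample-size guard
// first, then the error-rate rollback (availability beats performance),
// then the cache-efficiency hold, then promotion.
func NextWeight(current int, incumbent, candidate WindowStats,
	minRequests int, hitTol, errTol float64) (int, string) {
	if candidate.Requests < minRequests {
		return current, fmt.Sprintf("hold: only %d requests in window", candidate.Requests)
	}
	if candidate.ErrorRate() > incumbent.ErrorRate()+errTol {
		return 0, fmt.Sprintf("rollback: 5xx rate %.3f vs %.3f",
			candidate.ErrorRate(), incumbent.ErrorRate())
	}
	if candidate.HitRatio() < incumbent.HitRatio()-hitTol {
		return current, fmt.Sprintf("hold: hit ratio %.3f vs %.3f, review cache rules",
			candidate.HitRatio(), incumbent.HitRatio())
	}
	for _, s := range rolloutSteps {
		if s > current {
			return s, fmt.Sprintf("promote to %d%%", s)
		}
	}
	return 100, "complete: 100% on candidate"
}

func main() {
	incumbent := WindowStats{Requests: 10000, CacheHits: 9200, Status5xx: 10} // constructed
	candidate := WindowStats{Requests: 1000, CacheHits: 930, Status5xx: 1}    // constructed
	w, why := NextWeight(10, incumbent, candidate, 500, 0.02, 0.005)
	fmt.Println(w, why)
}
```

Run this once per window during the 72h parallel period; a rollback decision is what the kept Fastly service is there for, and a repeated hold on hit ratio usually means a cache TTL or Vary rule was not carried over in Week 2.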
Week 4: WAF Hardening + Cutover
- Deploy Coraza WAF on all application servers (Nginx/Caddy/Traefik)
- Run in detection mode for 1 week — log false positives
- Tune OWASP CRS exclusions for your application's specific patterns
- Switch from detection to enforcement mode
- Decommission Fastly services + notify DPO of updated Art.30 ROPA
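Steps two and three of Week 4 (logging false positives in detection mode, then tuning CRS exclusions) are where most of the effort goes. The Go program below is an added example for this post, not part of Coraza or the OWASP CRS; its input record is a constructed, simplified form of a detection-mode finding (rule id, request path, and the request argument the match occurred in, if any), not Coraza's own log schema. It groups findings by rule, path and argument, and for groups that recur at least minHits times emits a scoped runtime exclusion in SecLang: `ctl:ruleRemoveTargetById` when a single argument is responsible (the rule keeps inspecting every other input), otherwise `ctl:ruleRemoveById` limited to that path. Rare matches are left alone on purpose, since those are more likely real attacks than application quirks.

```go
package main

import (
	"fmt"
	"sort"
)

// Detection is a constructed, simplified record of one rule match taken
// from a detection-mode (SecRuleEngine DetectionOnly) log.
type Detection struct {
	RuleID int
	Path   string
	Arg    string // empty when the match was not inside ARGS
}

// Exclusion is one proposed runtime rule exclusion plus its evidence.
type Exclusion struct {
	RuleID    int
	Path      string
	Arg       string
	Hits      int
	Directive string
}

type groupKey struct {
	ruleID int
	path   string
	arg    string
}

// ProposeExclusions groups detections by (rule, path, argument) and emits a
// scoped exclusion for every group with at least minHits matches. Exclusion
// rule ids are assigned from baseID upwards; pick a range your own rules and
// the CRS do not use.
func ProposeExclusions(ds []Detection, minHits, baseID int) []Exclusion {
	counts := map[groupKey]int{}
	for _, d := range ds {
		counts[groupKey{d.RuleID, d.Path, d.Arg}]++
	}
	var out []Exclusion
	for k, n := range counts {
		if n >= minHits {
			out = append(out, Exclusion{RuleID: k.ruleID, Path: k.path, Arg: k.arg, Hits: n})
		}
	}
	// Deterministic order for review: most frequent first, then rule id, then path.
	sort.Slice(out, func(i, j int) bool {
		a, b := out[i], out[j]
		if a.Hits != b.Hits {
			return a.Hits > b.Hits
		}
		if a.RuleID != b.RuleID {
			return a.RuleID < b.RuleID
		}
		return a.Path < b.Path
	})
	for i := range out {
		out[i].Directive = directive(out[i], baseID+i)
	}
	return out
}

// directive renders one phase:1 runtime exclusion in ModSecurity/Coraza
// SecLang syntax, scoped to requests whose URI begins with the path.
func directive(e Exclusion, id int) string {
	action := fmt.Sprintf("ctl:ruleRemoveById=%d", e.RuleID)
	if e.Arg != "" {
		action = fmt.Sprintf("ctl:ruleRemoveTargetById=%d;ARGS:%s", e.RuleID, e.Arg)
	}
	return fmt.Sprintf(`SecRule REQUEST_URI "@beginsWith %s" "id:%d,phase:1,pass,nolog,%s"`,
		e.Path, id, action)
}

func main() {
	// Constructed week of findings: a search box whose free-text parameter
	// trips the libinjection SQLi rule on every query, a health check whose
	// Host header is a numeric IP, and one isolated file-access match that
	// must not be excluded.
	var findings []Detection
	for i := 0; i < 5; i++ {
		findings = append(findings, Detection{RuleID: 942100, Path: "/api/search", Arg: "q"})
	}
	for i := 0; i < 3; i++ {
		findings = append(findings, Detection{RuleID: 920350, Path: "/healthz"})
	}
	findings = append(findings, Detection{RuleID: 930120, Path: "/download", Arg: "file"})
	for _, e := range ProposeExclusions(findings, 3, 10000) {
		fmt.Printf("# %d hits on %s (rule %d)\n%s\n", e.Hits, e.Path, e.RuleID, e.Directive)
	}
}
```

Treat the output as a review queue rather than something to apply blindly: each proposed line should be checked against the application's actual behaviour on that path, committed to the rules repository with the evidence count as a comment, and only then should `SecRuleEngine` be switched from `DetectionOnly` to `On`. Per-argument and per-path scoping is what makes this auditable under Art.22: the blocking logic stays deterministic and every carve-out is written down.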
GDPR Article Reference Table
| GDPR Article | Fastly Risk | Migration Fix |
|---|---|---|
| Art.4(1) Personal Data | CDN logs = personal data (IP + timestamp + URL) | BunnyNet logs stay in EU; configure log forwarding to EU-only endpoints |
| Art.22 Automated Decisions | WAF blocks = automated decisions with significant effect | Coraza rules are deterministic (no ML profiling); document blocking logic |
| Art.25 Data by Design | RUM + Bot Management over-collect beyond necessity | BunnyNet: disable optional analytics features; Coraza: collect only what WAF needs |
| Art.28 DPA | Fastly DPA doesn't override CLOUD Act jurisdiction | BunnyNet DPA: Estonian entity, GDPR natively applies |
| Art.30 ROPA | Fastly must be listed as processor | Update ROPA: replace Fastly with BunnyNet/Coraza entries |
| Art.44+46 Transfers | SCCs required for US transfers; TIA problematic | Eliminated — BunnyNet is EU entity, no international transfer |
Decision Framework: Which Alternative For Your Use Case
```text
Is your primary need WAF-heavy (bot protection, OWASP)?
├── Yes → Self-hosted Coraza + BunnyNet CDN
│         OR CrowdSec (Paris, 1/25) + BunnyNet
└── No, primarily CDN/caching?
    ├── High traffic volume (>1 TB/month) → Gcore (EU, 160 Tbps DDoS)
    ├── Video/streaming workloads → CDN77 (video-optimized)
    └── General web/API acceleration → BunnyNet (cheapest, Estonian entity, 0/25)

Is Compute@Edge critical (WASM edge functions)?
├── Yes → Consider BunnyEdge Script (limited) or self-host Cloudflare Worker
│         equivalent on Hetzner with Deno Deploy (US) risk → use BunnyNet instead
└── No → BunnyNet handles standard CDN+WAF needs
```
Pricing Comparison (EU-Based Traffic, 1 TB/Month)
| Provider | CDN Cost | WAF Included | CLOUD Act Score |
|---|---|---|---|
| Fastly | ~$87/mo | Signal Sciences add-on (+$$$) | 16/25 HIGH |
| BunnyNet | ~$5/mo | Bunny Shield (OWASP) | 0/25 NONE |
| Gcore | ~$6/mo | WAF bundle included | 1/25 MINIMAL |
| CDN77 | ~$12/mo | Basic WAF included | 1/25 MINIMAL |
| Self-hosted Coraza + Hetzner | ~$4.51/mo (server cost) | Full OWASP CRS | 0/25 NONE |
BunnyNet is 17× cheaper than Fastly for EU traffic and scores 0/25 on the CLOUD Act Risk Matrix.
What This Means for Your DPA and Art.28 Agreement
When you replace Fastly with BunnyNet:
- Remove Fastly from your Art.30 ROPA as a processor for CDN-level data
- Add BunnyNet (CyberFortress OÜ, Tallinn, Estonia) as a sub-processor
- Sign BunnyNet's DPA — it falls under EU law directly (no SCCs needed)
- Update your Privacy Policy — your list of "third-party processors" changes
- Notify your DPO of the reduced transfer risk (no more Art.44/46 obligation for CDN logs)
The EU nationality of BunnyNet eliminates the entire Schrems II analysis for CDN log data — there is no "international transfer" when data moves from EU users to an EU processor.
Conclusion
Fastly's CLOUD Act Risk Score of 16/25 reflects its FedRAMP authorization, US corporate structure, and CDN control plane jurisdiction. The services it offers — CDN, WAF, Bot Management, RUM — each process personal data under GDPR, creating multiple compliance obligations that become legally precarious when the processor is subject to US compelled disclosure.
EU-native replacements cover the full stack:
- BunnyNet (0/25): CDN + basic WAF, 17× cheaper, Estonian entity
- Gcore (1/25): CDN + DDoS + WAF, 160 Tbps capacity, Luxembourg-incorporated
- Coraza WAF (0/25): Self-hosted rule-based WAF (OWASP CRS), replaces Signal Sciences
- CrowdSec (1/25): Collaborative behavioral threat intelligence, French SAS
The 4-week migration path is straightforward for teams not using Compute@Edge. For teams with edge compute dependencies, the migration requires more planning but remains achievable with BunnyEdge Script or a self-hosted Deno/Workers-compatible runtime on EU infrastructure.
This post is part of the sota.io EU CDN & WAF Series. Up next: Akamai EU Alternative 2026 — the largest CDN by traffic volume, with NSA PRISM participation confirmed in leaked documents.
sota.io is an EU-native managed PaaS (Hetzner Germany, no US parent, no CLOUD Act exposure). Deploy any language, €9/month. Start building →