Hetzner Cloud EU Alternative 2026: AWS Scores 23/25, Azure 22/25, GCP 21/25 — Hetzner 0/25
Post #1 in the sota.io EU Cloud Infrastructure Providers Series
Every EU architect has heard the same argument: "Your data stays in Frankfurt. The EU region is compliant." This argument is legally incorrect in 2026, and understanding why matters for every IaaS decision you make.
The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, codified at 18 U.S.C. § 2713) requires any provider of electronic communication or remote computing services that is subject to US legal process to preserve and disclose data within its "possession, custody, or control" regardless of whether that data "is located within or outside of the United States." The statute itself never uses the phrase "US person"; US incorporation is simply the clearest and most common way a provider becomes reachable by a US court. Frankfurt data center. Dublin data center. Stockholm data center. None of it matters if the company that controls your infrastructure is incorporated in the United States.
Amazon Web Services, Inc. is a Delaware corporation. Microsoft Corporation is a Washington corporation. Google LLC is a Delaware LLC. All three are US providers squarely within the reach of § 2713 (this post uses "US person" as shorthand for that status), and all three can receive CLOUD Act production orders covering data stored in their EU regions.
Hetzner Online GmbH is registered in Gunzenhausen, Bavaria, Germany. It is a German limited liability company with no US parent, no US VC backing and no US shareholders. There is no US parent for a US court to serve, so a CLOUD Act order has no direct path to EU customer data held by Hetzner.
This is not a theoretical distinction. It is the architectural foundation of CLOUD Act insulation for EU businesses processing data under GDPR, DORA, NIS2 and the emerging EU data sovereignty rules.
The IaaS CLOUD Act Scoring Framework
Before examining each provider, we need to understand what we are measuring. The CLOUD Act exposure score operates across five dimensions:
D1: Corporate Jurisdiction — Is the IaaS company a US person under 18 U.S.C. § 2713? A US-incorporated entity automatically exposes all data it controls to CLOUD Act orders. Score 0/5 (EU-owned and EU-incorporated, no US parent) to 5/5 (US corporation).
D2: Data Routing — Does EU-region data transit through or become accessible via US-based infrastructure? EU-region servers operated by a US company still connect to US-controlled management planes, APIs, and backbone networks. Score 0/5 (EU-only routing) to 5/5 (documented US transit).
D3: Subprocessors — Does the provider rely on US-incorporated subprocessors for EU-region operations? Cloud providers depend on complex supply chains. AWS uses US companies for DNS, CDN, and security monitoring even in EU regions. Score 0/5 (no US subprocessors) to 5/5 (critical US-based subprocessor dependencies).
D4: Personnel Access — Can US-based engineers, support staff, or contractors access EU customer data? AWS Global Support operates 24/7 globally with US-based engineers. Score 0/5 (EU-only access) to 5/5 (documented US-based privileged access).
D5: Legal Framework — Does the provider's ToS, DPA, or enterprise agreement invoke US jurisdiction for dispute resolution? Companies that accept US jurisdiction in their contracts create additional legal vectors beyond CLOUD Act. Score 0/5 (EU law exclusively) to 5/5 (US choice of law).
AWS EU Regions: CLOUD Act Score 23/25
Amazon Web Services, Inc. is a Delaware corporation, wholly owned by Amazon.com, Inc. (also a Delaware corporation). As a US provider, AWS is subject to CLOUD Act production orders covering all data it manages globally, and, like any US electronic communication service provider, to FISA Section 702 directives.
D1: Corporate Jurisdiction — 5/5
The corporate structure is unambiguous: Amazon Web Services, Inc. (Delaware, EIN: 47-0956324) is the contracting entity for AWS services globally. Its parent, Amazon.com, Inc., is also a Delaware C-Corp. The AWS EU regions (Frankfurt/eu-central-1, Ireland/eu-west-1, Stockholm/eu-north-1, Milan/eu-south-1, Spain/eu-south-2, Zurich/eu-central-2) are operated by this US person. There is no European subsidiary that operates EU regions independently of US corporate control.
The AWS Data Processing Addendum for EU customers includes Standard Contractual Clauses (SCCs) under GDPR Art.46. SCCs acknowledge cross-border transfer risk but cannot remove CLOUD Act exposure: they are contractual instruments, not jurisdictional shields. The 2021 SCCs (Clause 15) oblige the importer to notify the customer of a government access request where legally possible and to challenge it where there are grounds, but a lawful US order still binds AWS Inc., and a private contract cannot override it.
D2: Data Routing — 4/5
AWS EU region data centers are physically located in Europe. The data plane is regional; the control plane is not uniformly so. IAM, AWS Organizations and the account and billing system are global services whose authoritative control plane runs from us-east-1 (Northern Virginia). CloudTrail, CloudWatch, AWS Config and Control Tower are deployed per region, but they are operated by the same US entity and feed account-wide views. When an EU engineer logs into the AWS Management Console to manage an eu-central-1 workload, that session authenticates against the global identity plane and transits AWS's global backbone.
AWS Route 53 (DNS), AWS CloudFront (CDN edge distribution), and AWS Shield (DDoS mitigation) have global footprints with US-based infrastructure components that process traffic metadata from EU workloads. Network-level metadata about EU operations is continuously generated and accessible in US-controlled infrastructure.
D3: Subprocessors — 5/5
The AWS GDPR Subprocessor List (publicly available at aws.amazon.com) includes multiple US-incorporated entities that provide infrastructure services for EU-region operations:
- Amazon.com Services LLC (Delaware) — billing, account management
- Amazon Data Services, Inc. (Delaware) — data center operations coordination
- Amazon Connect Technology Services, Inc. (Delaware) — support infrastructure
- Multiple US-based CDN, security, and network providers
The total number of US subprocessors with potential access to EU-region operational data exceeds 15 entities as of 2026.
D4: Personnel Access — 5/5
AWS Premium Support, AWS Enterprise Support, and AWS Solution Architects are global teams with US-based members. AWS support engineers can, with customer consent or in break-glass scenarios, access customer environments including EU-region workloads. AWS Security Operations Center (SOC) operates globally with US-based staff.
The AWS Shared Responsibility Model explicitly states that "AWS is responsible for security of the cloud." This responsibility includes US-based AWS personnel having privileged access to the hypervisor layer, storage infrastructure, and network fabric underlying EU-region customer workloads.
D5: Legal Framework — 4/5
AWS Customer Agreement (Section 12.5) includes an arbitration clause with JAMS (Judicial Arbitration and Mediation Services) under Washington State law as governing law for US customers. AWS Enterprise Agreements for EU customers typically use AWS's EU contracting entity (Amazon Web Services EMEA SARL, Luxembourg) with Luxembourg law — but the operational entity and CLOUD Act target remains Amazon Web Services, Inc. (Delaware).
The distinction between contracting entity (EMEA SARL) and operating entity (AWS Inc.) is legally significant: CLOUD Act orders target the data custodian (AWS Inc.) not the contracting party. Luxembourg law governing your enterprise agreement does not prevent US law enforcement from serving an order on the AWS Inc. parent.
AWS Total: 23/25 — Maximum CLOUD Act Exposure for Enterprise IaaS
Azure EU Regions: CLOUD Act Score 22/25
Microsoft Corporation (Washington State C-Corp, founded 1975) has been a PRISM participant since 2007, per NSA documents. Microsoft Azure operates EU regions through Microsoft Ireland Operations Ltd. (wholly owned Microsoft subsidiary) but the parent company subject to CLOUD Act orders is Microsoft Corporation (US person).
D1: Corporate Jurisdiction — 5/5
Microsoft's EU region contracting entity is Microsoft Ireland Operations Ltd., but the data custodian and operational parent is Microsoft Corporation (Redmond, Washington). CLOUD Act orders served on Microsoft Corporation cover all data managed globally, including through subsidiaries. Microsoft has litigated CLOUD Act predecessor issues (United States v. Microsoft Corp., SCOTUS 2018) — the case was mooted by CLOUD Act passage, which codified the government's ability to reach offshore data held by US persons.
D2: Data Routing — 4/5
Azure's EU regions are in Ireland (North Europe, Dublin), the Netherlands (West Europe, Amsterdam), Germany (Frankfurt, Berlin), France (Paris, Marseille), Norway (Oslo, Stavanger), Sweden (Gävle, Sandviken), Finland (Helsinki), Poland (Warsaw), Spain (Madrid) and Italy (Milan). Physical data residency within this footprint is achievable with proper configuration.
However, Entra ID (formerly Azure Active Directory), Azure Resource Manager, Azure Monitor, Azure DevOps and GitHub (a Microsoft subsidiary) all have global components that are not confined to the EU region boundary, and Azure's global WAN (one of the world's largest private networks) is a single Microsoft-operated network: intra-EU traffic stays in Europe, but on infrastructure the US parent controls end to end.
D3: Subprocessors — 4/5
Microsoft's Online Services Subprocessors list includes US entities supporting EU-region operations: LinkedIn Corporation (Delaware), Microsoft Advertising (US operations), GitHub, Inc. (San Francisco C-Corp acquired 2018), and multiple US-based security and infrastructure vendors. The Microsoft Security Response Center (MSRC) operates globally with US personnel.
D4: Personnel Access — 5/5
Microsoft's Customer Lockbox (available on Enterprise agreements) requires explicit approval for Microsoft support access to customer data. However, infrastructure-level access by US-based Microsoft datacenter personnel cannot be blocked by Customer Lockbox — it applies to support scenarios, not privileged infrastructure access. Microsoft's global Security Operations Centers include US-based staff with privileged access to global infrastructure.
Azure confidential VMs use AMD SEV-SNP or Intel TDX to encrypt VM memory against the hypervisor and Microsoft staff. Comparable hardware memory encryption is available on Google Cloud Confidential VMs, and AWS Nitro Enclaves isolate workloads by a different mechanism; none of them cover the management plane, networking or storage metadata.
D5: Legal Framework — 4/5
Microsoft Customer Agreement (EU) uses Irish law for EU customers contracting through the Irish entity. However, Microsoft Product Terms (which govern data processing) include arbitration under Washington State law for certain dispute categories. The CLOUD Act target is Microsoft Corporation (US) regardless of the customer's contracting entity.
Azure Total: 22/25 — Very High CLOUD Act Exposure
Google Cloud EU Regions: CLOUD Act Score 21/25
Google LLC is a Delaware LLC, wholly owned by Alphabet Inc. (Delaware C-Corp). Google (originally a California C-Corp, converted to Delaware LLC in 2017) participated in PRISM from 2009, per NSA documents. Google Cloud Platform (GCP) operates EU regions through Google LLC as the data custodian.
D1: Corporate Jurisdiction — 5/5
Google LLC (Delaware) is the data custodian for Google Cloud EU regions. Alphabet Inc., Google's parent, is also a Delaware C-Corp. The EU contracting entity for GCP is Google Cloud EMEA Limited (Ireland) — but CLOUD Act orders target Google LLC (US), not the Irish subsidiary. Google has received NSL (National Security Letters) and FISA production orders; specific counts are disclosed annually in Google's Transparency Report.
D2: Data Routing — 3/5
Google Cloud's EU regions include Belgium (europe-west1), Netherlands (europe-west4), Germany (europe-west3, europe-west10/Berlin), Finland (europe-north1), Poland (europe-central2), Italy (europe-west8), Spain (europe-southwest1), France (europe-west9), and Switzerland (europe-west6). Google's Data Residency commitments (available via Google Cloud DRZ) allow pinning compute and storage to EU regions.
Google's network differentiation: Google owns or co-owns much of the subsea and long-haul fibre it uses (Dunant, Curie, Equiano), as Microsoft does with MAREA. Traffic between Google EU data centers is therefore more likely to stay on Google-controlled fibre, which reduces third-party carrier exposure but not CLOUD Act exposure, because the cable owner is the same US person. Note also that Dunant is a transatlantic cable: Google-owned is not the same as EU-confined.
D3: Subprocessors — 4/5
Google Cloud's subprocessor list includes Google LLC subsidiaries (all under US control): YouTube LLC (California), Google Ireland Ltd. (nominally Irish but controlled by US Google LLC) and Mandiant, Inc. (acquired 2022, headquartered in Reston, Virginia, provides security monitoring for Google Cloud). Google's security operations and incident response teams, including US-based staff, have visibility into EU-region infrastructure.
D4: Personnel Access — 5/5
Google Access Transparency provides near-real-time logs of Google admin access to customer data. GCP's Access Approval allows customers to require explicit approval for Google support access. However, Google's SRE (Site Reliability Engineering) teams are globally distributed including US-based engineers with privileged hypervisor and network access.
Google's PRISM participation matters for a second reason: FISA Section 702 directives are served on the US provider, not on its EU customers, and do not require a CLOUD Act order per request. They are a separate compelled-disclosure channel that exists only because the provider is a US person.
D5: Legal Framework — 4/5
Google Cloud's Cloud Data Processing Addendum (CDPA) references the EU entity (Google Cloud EMEA Ltd.) as the processor for EU customers. Governing law is Irish law for EU customers. However, the ultimate data custodian (Google LLC, Delaware) is subject to US law regardless of the CDPA's governing law. Google's Transparency Report shows consistent compliance with US law enforcement requests.
Google Cloud Total: 21/25 — High CLOUD Act Exposure
Hetzner Cloud: CLOUD Act Score 0/25
Hetzner Online GmbH (Handelsregister: HRB 6931, Amtsgericht Ansbach, Bavaria) was founded in 1997 by Martin Hetzner. It remains a privately held German GmbH with no external investors, no US parent, no US VC backing, and no publicly traded shares. The company is headquartered in Gunzenhausen, Bavaria (Industrie-/Gewerbezentrum, 91710 Gunzenhausen) with data centers in:
- Falkenstein (FSN), Saxony, Germany
- Nuremberg (NBG), Bavaria, Germany
- Helsinki (HEL), Finland (EU member state)
- Ashburn (ASH), Virginia, USA, plus Hillsboro (HIL), Oregon, USA and Singapore (SIN): non-EU locations. Hetzner Cloud assigns a location per server, volume and load balancer, so EU workloads must be pinned to FSN, NBG or HEL explicitly; nothing in the platform stops a resource in the same project from being created in Ashburn.
For EU workloads placed in Falkenstein, Nuremberg or Helsinki: Hetzner is a German legal person under German law, not a US person. A US District Court has no direct statutory path under 18 U.S.C. § 2713 to compel a German GmbH to disclose data held in its EU data centers. One caveat belongs here: Hetzner's US locations give the GmbH a US presence, and whether that presence could support US jurisdiction over the company for data held in Germany is a question of personal jurisdiction that § 2713 does not answer. It is nothing like the automatic reach that US incorporation creates, but it is the reason the audit below matters.
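Because placement is per resource, the practical control is an audit that fails when anything lands outside FSN, NBG or HEL. The following is an added example (not Hetzner tooling and not from the original post) that reads a project through the documented Hetzner Cloud API with a read-only token taken from the HCLOUD_TOKEN environment variable (that variable name is this example's choice) and lists every server, volume and load balancer outside the EU locations; the embedded project JSON is constructed so the check runs offline.

```python
"""Hetzner Cloud location audit: added example, not Hetzner's own tooling.
Fails a project if any server, volume or load balancer is outside the EU
locations named in the post (fsn1, nbg1, hel1)."""
import json
import os
import sys
import urllib.request

API = "https://api.hetzner.cloud/v1"
EU_LOCATIONS = {"fsn1", "nbg1", "hel1"}  # assumption: the only locations EU workloads may use

# Constructed sample shaped like the API's /servers, /volumes and /load_balancers
# responses: servers carry the location under datacenter.location, the others
# directly under location. Not real project data.
SAMPLE_PROJECT = {
    "servers": [
        {"name": "web-1", "datacenter": {"name": "fsn1-dc14", "location": {"name": "fsn1", "country": "DE"}}},
        {"name": "db-1", "datacenter": {"name": "hel1-dc2", "location": {"name": "hel1", "country": "FI"}}},
        {"name": "edge-us", "datacenter": {"name": "ash-dc1", "location": {"name": "ash", "country": "US"}}},
    ],
    "volumes": [{"name": "db-data", "location": {"name": "hel1", "country": "FI"}}],
    "load_balancers": [{"name": "lb-web", "location": {"name": "nbg1", "country": "DE"}}],
}


def resource_locations(project):
    """Yield (kind, name, location) for every placed resource in a project dict."""
    for s in project.get("servers", []):
        yield "server", s["name"], s["datacenter"]["location"]["name"]
    for v in project.get("volumes", []):
        yield "volume", v["name"], v["location"]["name"]
    for lb in project.get("load_balancers", []):
        yield "load_balancer", lb["name"], lb["location"]["name"]


def non_eu_resources(project, allowed=EU_LOCATIONS):
    """Return [(kind, name, location)] for everything outside the allowed set."""
    return [(k, n, loc) for k, n, loc in resource_locations(project) if loc not in allowed]


def fetch_collection(token, path):
    """GET every page of one collection (servers, volumes, load_balancers).
    The API pages at 50 entries and reports meta.pagination.next_page."""
    items, page = [], 1
    while page:
        req = urllib.request.Request(
            f"{API}/{path}?page={page}&per_page=50",
            headers={"Authorization": f"Bearer {token}"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
        items.extend(body[path])
        page = body["meta"]["pagination"]["next_page"]
    return items


def fetch_project(token):
    return {path: fetch_collection(token, path) for path in ("servers", "volumes", "load_balancers")}


def main():
    token = os.environ.get("HCLOUD_TOKEN")  # assumption: read-only project token in this variable
    project = fetch_project(token) if token else SAMPLE_PROJECT  # falls back to the sample offline
    bad = non_eu_resources(project)
    for kind, name, loc in bad:
        print(f"NON-EU {kind} {name} in {loc}")
    print("OK: all resources in EU locations" if not bad else f"FAIL: {len(bad)} resource(s) outside EU")
    sys.exit(1 if bad else 0)


if __name__ == "__main__":
    main()
```

Run it as a CI gate with HCLOUD_TOKEN set; the non-zero exit blocks a pipeline that has created anything in Ashburn, Hillsboro or Singapore. Primary IPs and networks (which are zone-based rather than location-based) can be added to `resource_locations` the same way.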
D1: Corporate Jurisdiction — 0/5
Hetzner Online GmbH is registered under German commercial law (GmbH-Gesetz). Its ownership is private and German. There is no US corporate parent, no US controlling shareholder, and no entity that would qualify as a US person with custodial responsibility for EU customer data. A CLOUD Act order served in a US District Court has no direct legal mechanism to reach a German GmbH. The correct pathway — if US authorities believe Hetzner holds evidence relevant to a US criminal investigation — would be Mutual Legal Assistance (MLA) proceedings under the US-Germany MLAT (Mutual Legal Assistance Treaty), a significantly slower and more constrained process.
D2: Data Routing — 0/5
Hetzner's EU data centers (Falkenstein, Nuremberg, Helsinki) are connected via Hetzner's own network backbone. EU-region traffic does not route through US infrastructure by default. Hetzner's Network page documents direct connectivity with DE-CIX (Frankfurt), AMS-IX (Amsterdam), FICIX (Helsinki), and other European IXPs. No US transit providers are involved in the default EU-region routing path.
The Hetzner Cloud API (api.hetzner.cloud) is served from Hetzner's German infrastructure — the management plane is not US-operated. This is the key architectural distinction from AWS, Azure, and GCP, where the management plane is operated by a US person.
D3: Subprocessors — 0/5
Hetzner's subprocessor list is minimal and EU-centric. Hardware supply chains include Supermicro (San Jose, CA) and Intel (Santa Clara, CA) for server components — but hardware vendors are not data subprocessors; they do not process customer data. For operational subprocessors (entities that access customer data during service delivery), Hetzner relies on German-law entities. No US-incorporated entity appears as a Hetzner operational subprocessor for EU-region services.
D4: Personnel Access — 0/5
Hetzner's engineering, operations, and support teams are based in Germany (Gunzenhausen, Falkenstein, Nuremberg) and Finland (Helsinki). There are no US-based Hetzner employees with privileged access to EU customer data. All Hetzner personnel operate under German employment law and are not subject to US legal process in their roles as Hetzner employees.
Hetzner's data center access control requires biometric authentication and is restricted to authorized Hetzner GmbH employees — all subject to German privacy law under BDSG and GDPR, not US law.
D5: Legal Framework — 0/5
Hetzner's Terms of Service and Data Processing Agreement (available at hetzner.com/legal/) are governed exclusively by German law. The DPA designates the Amtsgericht Ansbach, Bavaria as jurisdiction for disputes. There are no US arbitration clauses, no US choice-of-law provisions, and no submission to US court jurisdiction.
Hetzner's DPA explicitly references GDPR Art.28 (processor obligations) and includes all required Art.28(3) provisions. The SCCs question does not arise for Hetzner EU-region services — there is no cross-border transfer to a third country; German and Finnish data centers are within the GDPR territorial scope.
Hetzner Cloud Total: 0/25 — Zero CLOUD Act Exposure
The Four IaaS CLOUD Act Risk Patterns
Operating EU infrastructure on AWS, Azure, or GCP creates four structural risk patterns that cannot be mitigated through configuration alone:
Pattern 1: The EU Region Sovereignty Illusion
The Misconception: "We use the AWS eu-central-1 region. Our data stays in Frankfurt. We're GDPR compliant."
The Reality: AWS EU region data residency helps with GDPR Art.5(1)(f) (integrity and confidentiality) and, for data that never leaves the region, keeps routine processing out of Art.44 transfer territory. It does not satisfy the CLOUD Act dimension of sovereignty, because the custodian (AWS Inc.) is a US person. GDPR and the CLOUD Act operate in different legal frameworks: you can be GDPR compliant (data in the EU) and CLOUD Act exposed (a US company holds the data) at the same time.
The Mechanism: 18 U.S.C. § 2713 reads: "A provider of electronic communication service or remote computing service shall comply with the obligations of chapter 119, 121, or 206 of this title to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States."
The phrase "regardless of whether...located within or outside of the United States" explicitly removes geographic location as a defense. Your Frankfurt data is legally accessible to US law enforcement through Amazon Web Services, Inc.
The Hetzner Fix: Hetzner GmbH is not subject to 18 U.S.C. § 2713. Data in Hetzner's Falkenstein or Nuremberg data centers is only accessible to German authorities through German law (BDSG Sections 23-25, Criminal Procedure Code) and EU mechanisms (GDPR Art.48 on judgments and administrative decisions of third countries). The sovereignty threshold changes categorically.
Pattern 2: The Control Plane Metadata Trap
The Misconception: "We encrypt everything with customer-managed keys (CMK). AWS can't read our data."
The Reality: Customer-managed encryption protects data-at-rest content. It does not protect control plane metadata — and control plane metadata is often more operationally valuable than raw data.
What AWS Control Plane Captures:
- CloudTrail: Every API call with timestamp, source IP, user agent, resource ARN, request parameters (but not payload)
- IAM Access Advisor: What services each IAM role accessed and when
- AWS Config: Configuration history of every AWS resource
- CloudWatch Metrics: CPU, memory, network I/O patterns that reveal workload behavior
- S3 Access Logs: Object-level access patterns (which keys, when, from where)
- VPC Flow Logs: Network-level communication graph between all services
This metadata enables sophisticated adversarial analysis: which databases hold sensitive records (inferred from access patterns), which services process payment data (inferred from IAM cross-service calls), when a critical business process runs (inferred from CPU/IO spikes), who accesses what (complete access graph from CloudTrail).
A CLOUD Act subpoena for CloudTrail logs from an AWS EU region produces a complete architectural intelligence map of the target organization's EU operations — without decrypting any customer-managed data.
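To make the inference concrete, here is an added example (not from the original post) that builds a principal-to-resource access graph from CloudTrail-shaped records without reading any object or row content. The four records are constructed samples in the CloudTrail record layout with a fake account ID, fake ARNs and documentation IP ranges; the field names (eventTime, eventSource, eventName, userIdentity, sourceIPAddress, requestParameters, resources) are the real CloudTrail ones.

```python
"""CloudTrail metadata graph: added example, not from the original post.
Shows how much architecture a log of API metadata alone reveals."""
import json
from collections import Counter, defaultdict

PAYMENTS_ROLE = "arn:aws:sts::111122223333:assumed-role/payments-api/i-0abc123"  # fake ARN

# Constructed sample records; no real account data.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2026-05-04T02:00:11Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DescribeDBInstances", "awsRegion": "eu-central-1",
     "sourceIPAddress": "10.0.12.7",
     "userIdentity": {"type": "AssumedRole", "arn": PAYMENTS_ROLE},
     "requestParameters": {"dBInstanceIdentifier": "cardholder-db"}},
    {"eventTime": "2026-05-04T02:00:12Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "awsRegion": "eu-central-1",
     "sourceIPAddress": "10.0.12.7",
     "userIdentity": {"type": "AssumedRole", "arn": PAYMENTS_ROLE},
     "resources": [{"ARN": "arn:aws:kms:eu-central-1:111122223333:key/0000aaaa-pay"}]},
    {"eventTime": "2026-05-04T02:05:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-central-1",
     "sourceIPAddress": "10.0.12.7",
     "userIdentity": {"type": "AssumedRole", "arn": PAYMENTS_ROLE},
     "requestParameters": {"bucketName": "settlement-files", "key": "2026-05-04/batch.csv"}},
    {"eventTime": "2026-05-04T09:13:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-central-1",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "settlement-files", "key": "2026-05-04/batch.csv"}},
]})


def principal(record):
    """Collapse the caller ARN to a stable name: the role name for assumed roles,
    the user name for IAM users, otherwise the raw ARN."""
    ident = record.get("userIdentity", {})
    arn = ident.get("arn", "unknown")
    if ident.get("type") == "AssumedRole" and ":assumed-role/" in arn:
        return arn.split(":assumed-role/")[1].split("/")[0]
    if ident.get("type") == "IAMUser" and ":user/" in arn:
        return arn.split(":user/")[1]
    return arn


def target(record):
    """Pick the resource the call touched: CloudTrail puts it in service-specific
    requestParameters keys or in resources[].ARN. Payloads are never present."""
    params = record.get("requestParameters") or {}
    for key in ("dBInstanceIdentifier", "bucketName", "tableName", "functionName"):
        if key in params:
            return params[key]
    for res in record.get("resources") or []:
        if "ARN" in res:
            return res["ARN"]
    return record.get("eventSource", "unknown")


def build_access_graph(raw_json):
    """Edges keyed by (principal, resource) with call count, action set,
    source IPs and the first/last timestamp seen."""
    graph = defaultdict(lambda: {"calls": 0, "actions": set(), "source_ips": set(),
                                 "first": None, "last": None})
    for rec in json.loads(raw_json)["Records"]:
        edge = graph[(principal(rec), target(rec))]
        edge["calls"] += 1
        edge["actions"].add(rec["eventName"])
        edge["source_ips"].add(rec.get("sourceIPAddress", "?"))
        t = rec["eventTime"]
        edge["first"] = t if edge["first"] is None or t < edge["first"] else edge["first"]
        edge["last"] = t if edge["last"] is None or t > edge["last"] else edge["last"]
    return dict(graph)


def principals_touching(graph, resource):
    """Every principal with at least one edge to the resource."""
    return {p for (p, r) in graph if r == resource}


def activity_by_hour(raw_json):
    """Calls per UTC hour; a spike marks a scheduled business process."""
    return Counter(rec["eventTime"][11:13] for rec in json.loads(raw_json)["Records"])


if __name__ == "__main__":
    g = build_access_graph(SAMPLE_CLOUDTRAIL)
    for (p, r), e in sorted(g.items()):
        print(f"{p} -> {r}: {sorted(e['actions'])} x{e['calls']} from {sorted(e['source_ips'])} ({e['first']}..{e['last']})")
    print("hourly:", dict(activity_by_hour(SAMPLE_CLOUDTRAIL)))
```

Four records, no payloads, and the graph already says which role reads the cardholder database and which KMS key it decrypts with, which bucket carries settlement batches, that the batch job runs at 02:00 UTC, and that a human user pulled the same settlement file from an address outside the VPC. That is the intelligence a metadata-only production would yield.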
The Hetzner Fix: Hetzner's Cloud API logs are Hetzner-internal operational data, governed by German data protection law. The level of metadata exposure is dramatically reduced: Hetzner captures server lifecycle events (create/delete/reboot) and billing data. There is no equivalent of CloudTrail's comprehensive API call logging that creates architectural intelligence accessible to US authorities.
Pattern 3: The Global Backbone Exfiltration Risk
The Misconception: "We only use EU regions. We've turned off cross-region replication."
The Reality: AWS, Azure and GCP run global control, DNS, edge and telemetry planes operated by the US parent. Even with every workload pinned to EU regions and no cross-region replication, EU-region operational metadata reaches components of those planes outside the EU.
Specific Mechanisms:
AWS: Route 53 public hosted zones are served from a global anycast edge, so queries for your EU service names are answered, and logged, worldwide (the VPC-internal Route 53 Resolver is regional). CloudFront and Global Accelerator terminate client connections at the edge location nearest the client, which for non-EU users is outside the EU. Shield Advanced threat intelligence is correlated across AWS's global footprint.
Azure: ExpressRoute circuits terminate at the peering location the customer selects (EU peering locations keep the circuit in Europe), but from there traffic rides the Microsoft global WAN, a single US-operated network. Azure Front Door and Traffic Manager steer traffic through Microsoft's global edge. Azure DDoS Protection correlates signals globally, including US-based threat intelligence.
GCP: Google's Jupiter data center fabric, its Andromeda SDN and the BeyondCorp-style proxies through which Google staff reach production are operated by Google LLC in every data center, including the EU ones; what matters is the operator, not where the engineers who designed them sit. Cloud CDN and the global external load balancers terminate client traffic at Google's worldwide edge.
The Hetzner Fix: Hetzner's network is European-centric. DE-CIX (Frankfurt), AMS-IX (Amsterdam), and FICIX (Helsinki) are EU-based internet exchange points. Hetzner does not operate a global SDN controlled by US engineers. Traffic between Hetzner EU data centers stays on European routing infrastructure.
Pattern 4: The Support Engineer Access Gap
The Misconception: "We have enhanced enterprise support with an approval workflow. Data access requires explicit approval."
The Reality: Enterprise support agreements control voluntary data access for troubleshooting. They do not control CLOUD Act-compelled access, infrastructure-level privileged access, or access by US-based security operations teams acting on threat intelligence.
AWS Infrastructure Access: AWS data center personnel (globally distributed, including US-based) have physical access to servers hosting EU customer workloads. Hypervisor-level access (used for maintenance, migration and capacity management) is managed by AWS operations staff globally. AWS offers no Lockbox-style customer-approval gate; support engineers reach customer resources only through access the customer grants, and that arrangement says nothing about hypervisor or datacenter operations.
Azure Infrastructure Access: Microsoft's datacenter technicians are globally distributed. Azure confidential VMs (AMD SEV-SNP or Intel TDX) encrypt VM memory against Microsoft's hypervisor access, which is as far as any hyperscaler's hardware isolation currently reaches. Management plane access, Azure Monitor and network-level traffic remain accessible to US Microsoft staff.
GCP Infrastructure Access: Google's SRE model means US-based SREs have privileged access to global infrastructure including EU-region servers. Google Access Transparency logs provide visibility but not control over access.
The Hetzner Fix: Hetzner's operations team is based in Germany and Finland (EU). Physical access to Hetzner's Falkenstein, Nuremberg, and Helsinki data centers is restricted to Hetzner GmbH employees operating under German employment law. There is no US support engineer with privileged access to Hetzner EU customer data.
Comparative Scoring Summary
| Dimension | AWS | Azure | GCP | Hetzner |
|---|---|---|---|---|
| D1: Corporate Jurisdiction | 5/5 | 5/5 | 5/5 | 0/5 |
| D2: Data Routing | 4/5 | 4/5 | 3/5 | 0/5 |
| D3: Subprocessors | 5/5 | 4/5 | 4/5 | 0/5 |
| D4: Personnel Access | 5/5 | 5/5 | 5/5 | 0/5 |
| D5: Legal Framework | 4/5 | 4/5 | 4/5 | 0/5 |
| Total | 23/25 | 22/25 | 21/25 | 0/25 |
Hetzner Cloud Services: The EU-Native IaaS Stack
Hetzner offers the core IaaS primitives required for production EU workloads:
Compute (Hetzner Cloud Servers)
Hetzner's compute line covers development through production:
- Shared CPU (CX/CPX line): CX22 (2 vCPU, 4GB RAM, 40GB NVMe, €4.35/month) through CX52 (8 vCPU, 32GB RAM, 240GB NVMe, €27.55/month). CX is Intel-based; the CPX variants use AMD EPYC.
- Dedicated CPU (CCX line): CCX13 (2 dedicated vCPU, 8GB RAM, 80GB NVMe, €22.09/month) through CCX63 (32 dedicated vCPU, 128GB RAM, 1.5TB NVMe, €206.09/month). AMD EPYC exclusively.
- GPU (GCX line): NVIDIA H100 NVL GPU instances (introduced 2024). GCX16 (1 H100, 16 vCPU, 128GB RAM, €9.46/hour). EU-hosted GPU compute for AI/ML without CLOUD Act exposure.
- Arm64 (CAX line): Ampere Altra-based. CAX11 (2 ARM vCPU, 4GB RAM, 40GB NVMe, €3.79/month) — lowest-cost production compute in EU.
Price comparison (roughly equivalent specs):
- AWS t3.medium (2 vCPU, 4GB): €0.0456/hour = €32.83/month (eu-central-1, on-demand)
- Hetzner CX22 (2 vCPU, 4GB): €4.35/month (Falkenstein)
- Hetzner is ~7.5x cheaper for equivalent compute.
This price differential reflects Hetzner's ownership model: no US investors demanding IRR, no publicly-traded share price to maintain, no global go-to-market overhead. The cost savings are structural, not promotional.
Object Storage (Hetzner Object Storage)
Hetzner Object Storage is S3-compatible (uses the S3 API) and available in FSN1, NBG1, and HEL1. Pricing: €0.0068/GB/month (no egress fees within Hetzner network). Standard S3 clients (boto3, s3cmd, MinIO client) work without modification.
For applications migrating from AWS S3 (eu-central-1): change the endpoint URL from s3.eu-central-1.amazonaws.com to fsn1.your-objectstorage.com (or nbg1/hel1). With path-style addressing, most S3-compatible clients work without code changes.
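An added example of that endpoint change, written for this post rather than taken from Hetzner or the original text: it rewrites AWS object URLs (path-style and virtual-hosted) onto the `<location>.your-objectstorage.com` endpoint, refuses any location outside FSN1/NBG1/HEL1, and builds a boto3 client pinned to one EU endpoint with path-style addressing. The credential variable names HETZNER_S3_KEY and HETZNER_S3_SECRET are this example's own choice, and boto3 is imported lazily so the URL helpers run without it.

```python
"""S3 endpoint migration to Hetzner Object Storage: added example, not from the
post or from Hetzner. Endpoint pattern <location>.your-objectstorage.com as
given in the post; credential variable names are this example's choice."""
import os
from urllib.parse import urlparse

EU_OBJECT_STORAGE = {"fsn1", "nbg1", "hel1"}  # assumption: the Object Storage locations listed in the post


def object_storage_endpoint(location):
    """Endpoint for one EU location; anything else is refused rather than guessed."""
    if location not in EU_OBJECT_STORAGE:
        raise ValueError(f"{location!r} is not an EU Hetzner Object Storage location")
    return f"https://{location}.your-objectstorage.com"


def rewrite_aws_s3_url(url, location="fsn1"):
    """Map an AWS S3 object URL (path-style or virtual-hosted, any region)
    onto the Hetzner path-style URL, keeping bucket and key unchanged."""
    parts = urlparse(url)
    if not parts.netloc.endswith(".amazonaws.com"):
        raise ValueError(f"not an AWS S3 URL: {url}")
    labels = parts.netloc.split(".")
    # The label 's3' (or legacy 's3-<region>') separates a bucket prefix from the service host.
    s3_idx = next((i for i, l in enumerate(labels) if l == "s3" or l.startswith("s3-")), None)
    if s3_idx is None:
        raise ValueError(f"not an AWS S3 URL: {url}")
    path = parts.path.lstrip("/")
    if s3_idx > 0:                       # virtual-hosted: bucket.s3.<region>.amazonaws.com/key
        bucket = ".".join(labels[:s3_idx])
        key = path
    else:                                # path-style: s3.<region>.amazonaws.com/bucket/key
        bucket, _, key = path.partition("/")
    if not bucket:
        raise ValueError(f"no bucket in URL: {url}")
    return f"{object_storage_endpoint(location)}/{bucket}/{key}"


def make_client(location, access_key=None, secret_key=None):
    """boto3 S3 client pinned to one EU endpoint, path-style addressing, SigV4.
    Imported lazily so the URL helpers above work without boto3 installed."""
    import boto3
    from botocore.config import Config

    return boto3.client(
        "s3",
        endpoint_url=object_storage_endpoint(location),
        region_name=location,
        aws_access_key_id=access_key or os.environ.get("HETZNER_S3_KEY"),
        aws_secret_access_key=secret_key or os.environ.get("HETZNER_S3_SECRET"),
        config=Config(signature_version="s3v4", s3={"addressing_style": "path"}),
    )


if __name__ == "__main__":
    for u in ("https://s3.eu-central-1.amazonaws.com/invoices/2026/may.pdf",
              "https://invoices.s3.eu-central-1.amazonaws.com/2026/may.pdf"):
        print(u, "->", rewrite_aws_s3_url(u, "fsn1"))
```

Pinning `region_name` to the location and forcing path style avoids the two usual migration failures: a client that silently falls back to the AWS regional endpoint, and virtual-hosted requests for bucket names containing dots. The hard `ValueError` on a non-EU location is deliberate; a typo should fail the deploy, not quietly point the client at a different jurisdiction.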
Load Balancers
Hetzner Load Balancers support HTTP/HTTPS and TCP. LB11 (5 services, 25 targets, €5.39/month) through LB31 (25 services, 250 targets, €17.08/month). Health checks, SSL termination, and sticky sessions are supported. The load balancers are operated within Hetzner's EU network fabric — no US-based load balancing infrastructure.
Kubernetes on Hetzner (K3s / kubeadm)
Hetzner does not offer a managed Kubernetes service equivalent to EKS/AKS/GKE. The usual deployment options are:
- Hetzner cloud controller manager and CSI driver: deploy K3s or kubeadm clusters on Hetzner VMs with hcloud-cloud-controller-manager and the hcloud csi-driver, both published by Hetzner in the hetznercloud GitHub organization. The controller manager wires Kubernetes Services of type LoadBalancer to Hetzner Load Balancers, and the CSI driver provisions Hetzner Volumes as PersistentVolumes.
- Self-managed distributions: Rancher, Gardener (open-source Kubernetes orchestration from SAP, EU-native) or OpenShift can be run on Hetzner compute.
- K3s reference pattern: K3s (lightweight Kubernetes from Rancher/SUSE) on Hetzner CX/CCX nodes is the most common community pattern, with reference Terraform configurations in the community hcloud-k8s repositories.
The trade-off vs. EKS/AKS/GKE: no managed control plane. You own the K8s control plane — more operational responsibility, but also complete sovereignty over the control plane (no US-operated managed K8s API server).
Volumes (Block Storage)
Hetzner Volumes are network-attached block devices (up to 10TB per volume, multi-attach not supported). €0.0478/GB/month in EU regions. Volumes are encrypted at rest (AES-256) with Hetzner-managed keys. For application-level encryption, LUKS (Linux Unified Key Setup) with customer-managed keys provides additional assurance that Hetzner infrastructure staff cannot access volume content.
Networking
- Private Networks: Hetzner Cloud Private Networks provide RFC1918 address space across server groups in the same project. Cross-region private networks are supported (FSN + NBG + HEL in the same private network).
- Floating IPs: Persistent public IPs that survive server migrations.
- Firewalls: Stateful firewall rules enforced at the hypervisor level, at no additional cost. (AWS Security Groups are also free, but the NAT gateways and endpoints a production VPC needs are billed.)
- VPN: No managed VPN service. WireGuard (kernel-native in recent Linux) self-managed on Hetzner VMs is the standard pattern for site-to-site VPN.
Migration Framework: AWS → Hetzner for EU Workloads
Migrating from AWS to Hetzner requires mapping services to Hetzner equivalents or self-managed alternatives:
| AWS Service | Hetzner Equivalent | Notes |
|---|---|---|
| EC2 (general) | Hetzner Cloud Server | Direct equivalent. Same SSH-based access. |
| S3 | Hetzner Object Storage | S3-compatible API. Change endpoint URL. |
| RDS (PostgreSQL) | PostgreSQL on Hetzner (self-managed) or an EU-operated managed PostgreSQL | No managed RDS equivalent. Use PostgreSQL with streaming replication. Supabase offers EU regions but is a US company running on AWS, so it reintroduces the exposure. |
| ELB/ALB | Hetzner Load Balancer | Equivalent for HTTP/HTTPS. No WAF built-in. |
| EKS | K3s or Kubeadm on Hetzner CX/CCX | No managed K8s. Use community Hetzner CCM. |
| ECR | Hetzner offers no container registry. | Self-host Harbor (CNCF) or use Forgejo Registry on Hetzner. |
| Route 53 | Hetzner DNS (hetzner.com/dns-console) | Hetzner provides free DNS hosting with API. |
| CloudWatch | Self-managed Prometheus + Grafana or Grafana Cloud EU region | No managed observability. Standard open-source stack. |
| IAM | No Hetzner IAM equivalent | Hetzner projects use API tokens. Use Vault or Open Policy Agent for fine-grained access control. |
| VPC | Hetzner Private Networks | Equivalent for network isolation. No Subnet/Route Table abstraction. |
| CloudTrail | No Hetzner equivalent | Implement audit logging at application layer (Loki + structured logs). |
Migration Priority Order:
- Stateless compute (EC2 → Hetzner Cloud Servers): highest confidence, easiest migration
- Object storage (S3 → Hetzner Object Storage): S3-compatible API requires minimal code change
- Load balancing (ELB → Hetzner LB): straightforward for HTTP/HTTPS workloads
- Databases: highest complexity — managed RDS → self-managed PostgreSQL requires operational maturity or a managed EU-native DB service (Aiven Helsinki, Scaleway Managed DB)
- Kubernetes: K8s control plane becomes your responsibility — assess operational maturity before migrating EKS clusters
GDPR Art. 44 Transfer Analysis
GDPR Article 44 prohibits transfers of personal data to third countries that do not provide adequate protection, unless an appropriate safeguard (Art.46) or derogation (Art.49) applies.
For AWS/Azure/GCP EU regions: The EU-US Data Privacy Framework adequacy decision (in force since July 2023) covers transfers to DPF-certified US organizations, which AWS, Microsoft and Google are. It addresses the lawfulness of the transfer; it does not change the fact that the US provider remains reachable by CLOUD Act orders, and, like Safe Harbor and Privacy Shield before it, it is being challenged before the EU courts. Data stored in an EU region is a transfer only when it actually leaves the EEA, but management API calls, metadata flows and support access are potential transfers even when production data stays in the region.
EU DPA guidance (post-Schrems II, EDPB Recommendations 01/2020) requires assessing whether technical and organizational measures (TOMs) actually prevent access by the US entity to the transferred data. For CloudTrail metadata, management plane access, and support engineer scenarios — the conclusion of most EDPB-aligned DPA assessments is that TOMs cannot effectively prevent access, making Art.46 SCCs insufficient for high-risk data categories.
For Hetzner Cloud EU regions: No GDPR Art.44 analysis is required. Processing personal data on Hetzner's FSN, NBG, or HEL infrastructure involves no transfer to a third country — all processing occurs within the EU/EEA. The legal basis is GDPR Art.6 (for processing) and GDPR Art.28 (for Hetzner as processor), with no Art.44 complications.
This simplifies DPIAs (Data Protection Impact Assessments) under GDPR Art.35 and reduces compliance documentation burden — a practical operational advantage beyond the legal protection.
The EU Cloud Infrastructure Providers Series
This post is #1 in our 5-part EU Cloud Infrastructure Providers Series, examining IaaS and PaaS options under CLOUD Act:
- Hetzner Cloud 2026 (this post) — 0/25
- Scaleway EU Cloud 2026 — French IaaS, AWS alternative (coming next)
- OVHcloud EU Alternative 2026 — CLOUD Act IaaS Data Sovereignty
- IONOS Cloud EU Alternative 2026 — German IaaS GDPR CLOUD Act
- EU Cloud Infrastructure Comparison Finale 2026 — Full comparison framework
Conclusion: Jurisdiction Is Architecture
The choice between AWS and Hetzner is not primarily a feature comparison. At its core, it is a jurisdictional choice: Do you want your EU infrastructure to be managed by a US person subject to 18 U.S.C. § 2713, or by a German GmbH subject to German BDSG and EU GDPR?
AWS scores 23/25, Azure 22/25, and GCP 21/25 on CLOUD Act exposure — not because they are poorly engineered, but because they are US companies. Their corporate structure creates this exposure regardless of their data center locations, encryption capabilities, or contractual commitments.
Hetzner scores 0/25 because it is a German GmbH. This is the only permanent fix for CLOUD Act exposure: a non-US legal person as your IaaS provider.
The trade-off is real: Hetzner requires more operational self-management. You own your K8s control plane. You self-manage your database HA. You implement your own audit logging. For teams with the operational maturity to manage this complexity — and for EU businesses processing data that cannot legally be exposed to US jurisdiction — the trade-off is increasingly the correct architectural choice.
The EU Cloud Infrastructure Providers Series will examine Scaleway (France), OVHcloud (France), and IONOS (Germany) next — three more alternatives scoring 0-3/25 on CLOUD Act — to give EU architects a complete comparison framework.
Hetzner Online GmbH details: HRB 6931, Amtsgericht Ansbach. CEO: Martin Hetzner. Registered: Industriestraße 25, 91710 Gunzenhausen. GDPR DPA: dpa@hetzner.com. Updated: May 2026.
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.