2026-05-26·5 min read·sota.io Team

IONOS EU Cloud Alternative 2026 — BSI C5, CLOUD Act Immunity & German Data Sovereignty

Post #4 in the sota.io EU Cloud Infrastructure Providers Series

European enterprises face a fundamental compliance paradox: the cloud infrastructure powering GDPR-compliant workloads is itself subject to the US CLOUD Act (18 U.S.C. §2703). AWS scores 23/25 on CLOUD Act exposure. IONOS SE — the German cloud giant headquartered in Montabaur — scores 1/25, certified by Germany's Federal Office for Information Security (BSI) under the C5 framework. This analysis provides a technical breakdown of IONOS's corporate structure, data sovereignty controls, and migration strategy for European DevOps and security teams.


The German Corporate Fortress: IONOS SE Ownership Chain

IONOS SE is a Societas Europaea (SE) — a European Company incorporated under EU law (Council Regulation (EC) No 2157/2001). The ownership chain is entirely European:

| Entity | Type | Jurisdiction | Exchange |
|---|---|---|---|
| IONOS SE | Societas Europaea | Germany (Montabaur, Rhineland-Palatinate) | Frankfurt SDAX |
| United Internet AG | AG | Germany (Montabaur) | Frankfurt SDAX |
| Ralph Dommermuth (CEO) | Individual | Germany | |

Key fact: United Internet AG holds approximately 64% of IONOS SE. United Internet AG itself is 100% German — no US parent, no Delaware C-Corp in the chain. Ralph Dommermuth founded both entities and remains the controlling shareholder.

Compare this to the hyperscalers:


CLOUD Act Risk Score: IONOS 1/25 vs AWS 23/25

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 18 U.S.C. §2703) compels US persons — including US corporations and their subsidiaries — to produce stored data on request from US law enforcement, regardless of where the data is physically stored.

We score each provider across five dimensions (D1–D5), each rated 0–5:

D1: Corporate Jurisdiction — Is the entity a US person?

| Provider | Score | Rationale |
|---|---|---|
| AWS | 5/5 | Amazon.com Inc. Delaware C-Corp, PRISM participant since 2013 |
| Azure | 5/5 | Microsoft Corp. Washington C-Corp, PRISM participant since 2007 |
| GCP | 5/5 | Google LLC Delaware LLC, PRISM participant since 2009 |
| OVHcloud | 0/5 | OVH SAS French SAS, loi de blocage protection |
| Scaleway | 0/5 | Scaleway SAS French SAS, Iliad Group |
| Hetzner | 0/5 | Hetzner Online GmbH German GmbH |
| IONOS | 0/5 | IONOS SE German SE, United Internet AG German AG |

IONOS D1 = 0/5. IONOS SE is a German Societas Europaea registered at Amtsgericht Montabaur (HRB 24498). United Internet AG (HRB 5762) is equally German. Neither entity qualifies as a "US person" triggering CLOUD Act obligations.

D2: Data Center Geography — Physical Data Sovereignty

| Provider | Score | Rationale |
|---|---|---|
| AWS | 5/5 | Global footprint includes US-EAST-1, US-WEST-2 as default regions |
| Azure | 4/5 | US regions default; Global Azure WAN routes through US |
| GCP | 4/5 | US-based control plane; QUIC controlled by US |
| OVHcloud | 0/5 | All DCs in EU (FR/DE/PL), no US infrastructure |
| Scaleway | 0/5 | EU DCs only (Paris/Amsterdam/Warsaw) |
| Hetzner | 0/5 | DCs in Germany (Falkenstein/Nuremberg) and Finland only |
| IONOS | 1/5 | EU DCs primary (DE/FR/ES/UK); US DCs (US-East/US-West) available but optional |

IONOS D2 = 1/5. IONOS operates data centers in Frankfurt (Germany), Karlsruhe (Germany), Madrid (Spain), London (UK), and Newark/Lenexa in the US. However, European customers can — and should — explicitly select EU regions. IONOS does not default to US regions for EU accounts. The US DCs are genuinely optional and GDPR workloads can be isolated to EU-only geography with proper region selection.

D3: Operational Control — Who Has Privileged Access?

| Provider | Score | Rationale |
|---|---|---|
| AWS | 5/5 | US-based SRE teams with privileged access to infrastructure |
| Azure | 4/5 | US-based engineering teams with production access |
| GCP | 4/5 | US-based SRE with break-glass access to global infrastructure |
| OVHcloud | 1/5 | Minimal US SaaS tools internally; no US team privileged access |
| Scaleway | 1/5 | Minimal US SaaS tools internally |
| Hetzner | 0/5 | German-only team, German-only infrastructure |
| IONOS | 0/5 | German-controlled operational teams; German management |

IONOS D3 = 0/5. IONOS SE's engineering and operations teams are based in Germany, with offices in Montabaur, Berlin, and Karlsruhe. No evidence of US-based personnel having privileged access to EU customer workload data. United Internet AG's board and executive leadership are entirely German.

D4: Personnel Jurisdiction — Where Are the Decision Makers?

| Provider | Score | Rationale |
|---|---|---|
| AWS | 5/5 | C-suite, legal counsel, engineering leadership in US |
| Azure | 4/5 | Microsoft legal/engineering HQ in Redmond, WA |
| GCP | 4/5 | Google engineering/legal HQ in Mountain View, CA |
| OVHcloud | 0/5 | French executive team, Paris HQ |
| Scaleway | 0/5 | French executive team under Xavier Niel/Iliad |
| Hetzner | 0/5 | German family-owned, German management |
| IONOS | 0/5 | German executive team; CEO Andreas Gauger, Montabaur, Germany |

IONOS D4 = 0/5. IONOS SE management operates entirely within German and EU jurisdiction. No US persons in the executive chain who could be compelled by a US court without invoking mutual legal assistance treaty (MLAT) procedures — which themselves take months and face EU blocking rules.

| Provider | Score | Rationale |
|---|---|---|
| AWS | 4/5 | ToS governed by Washington State law, arbitration in Seattle |
| Azure | 4/5 | Microsoft Online Services Agreement, US law |
| GCP | 4/5 | Google Cloud ToS, Santa Clara County courts |
| OVHcloud | 0/5 | French law ToS, Tribunal de Commerce de Roubaix |
| Scaleway | 0/5 | French law ToS, Tribunal de Commerce de Paris |
| Hetzner | 0/5 | German law ToS, Landgericht Nürnberg-Fürth |
| IONOS | 0/5 | German law ToS, Landgericht Montabaur; no US arbitration |

IONOS D5 = 0/5. IONOS Cloud ToS is governed by German law (Bürgerliches Gesetzbuch), with disputes resolved at the Landgericht Montabaur. No US arbitration clauses. EU Data Processing Agreement (DPA) aligns with GDPR Art. 28 requirements.

Summary CLOUD Act Scores

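| Provider | D1 Corp | D2 Geo | D3 Ops | D4 Personnel | D5 Legal | Total |
|---|---|---|---|---|---|---|
| AWS | 5 | 5 | 5 | 5 | 4 | 23/25 |
| Azure | 5 | 4 | 4 | 4 | 4 | 21/25 |
| GCP | 5 | 4 | 4 | 4 | 4 | 21/25 |
| OVHcloud | 0 | 0 | 1 | 0 | 0 | 1/25 |
| Scaleway | 0 | 0 | 1 | 0 | 0 | 1/25 |
| Hetzner | 0 | 0 | 0 | 0 | 0 | 0/25 |
| IONOS | 0 | 1 | 0 | 0 | 0 | 1/25 |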

BSI C5 Certification: Germany's Answer to SOC 2

The BSI Cloud Computing Compliance Criteria Catalogue (C5) was published by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) and has become the de-facto standard for cloud security assurance in German-speaking markets and increasingly across the EU.

What BSI C5 Covers

BSI C5 covers 17 audit domains across the full cloud operations lifecycle:

  1. Organization of Information Security (OIS) — Security governance, roles, responsibilities
  2. Security Policies (SP) — Documentation, review, and enforcement of security policies
  3. Human Resources Security (HRS) — Pre-employment screening, security awareness training
  4. Asset Management (AM) — Inventory of information assets and their classification
  5. Physical and Environmental Security (PES) — Data center access controls, power, cooling
  6. Operations Security (OS) — Change management, capacity planning, malware protection
  7. Communications Security (CS) — Network security, segregation, monitoring
  8. Access Control (AC) — Identity management, privileged access, authentication
  9. Cryptography (CRY) — Encryption at rest and in transit, key management
  10. Logging and Monitoring (LOM) — Audit logging, security event detection
  11. Incident Management (IM) — Security incident response, breach notification
  12. Portability and Interoperability (PI) — Data export capabilities, vendor lock-in prevention
  13. Procurement, Development and Maintenance (PDM) — Secure development lifecycle
  14. Supplier Relationships (SR) — Third-party risk management
  15. Compliance (COM) — Legal, regulatory, and contractual requirements
  16. Business Continuity Management (BCM) — RTO/RPO, disaster recovery
  17. Cloud Management (CM) — Cloud-specific controls, multi-tenancy isolation

BSI C5 vs SOC 2 vs ISO 27001

| Dimension | BSI C5 | SOC 2 Type II | ISO 27001 |
|---|---|---|---|
| Jurisdiction | German Federal | AICPA (US) | International |
| EU regulatory alignment | Highest | Low | Medium |
| Audit frequency | Annual | Annual | Triennial + surveillance |
| GDPR Art. 32 mapping | Explicit | Implicit | Partial |
| NIS2 Directive alignment | Strongest | Weak | Moderate |
| Public result | Attestation report | Opinion letter | Certificate |
| Used by EU public sector | Yes (BaFin, BSI, BfDI) | Rarely | Sometimes |

For EU enterprises subject to NIS2, DORA (financial sector), or German BDSG: BSI C5 provides the strongest alignment with regulatory requirements. IONOS holds BSI C5 Type II attestation — meaning an independent auditor verified both the design and operating effectiveness of controls over a defined period.


3 Named Risk Patterns for IONOS

Pattern 1: US-Region Workload Bleed

Risk: IONOS provides US data center regions (Newark/US-East and Lenexa/US-West) in addition to EU regions. A misconfigured Terraform module deploying to us-east instead of de-fra would place EU customer data in a US jurisdiction, triggering CLOUD Act exposure — even though IONOS SE itself is not a US person.

Why this matters: The CLOUD Act applies to stored data based on where it is stored. If data lands in a US data center, US authorities can compel disclosure from the US DC operator (which may be a US-contracted third party or sub-processor in the US jurisdiction).

Mitigation:

```hcl
# Terraform — enforce EU-only deployment
resource "ionoscloud_datacenter" "main" {
  name        = "production-eu"
  location    = "de/fra" # Frankfurt — explicitly EU
  description = "GDPR-compliant workload location"
}

# Policy guard — reject non-EU locations
variable "allowed_locations" {
  type    = list(string)
  default = ["de/fra", "de/txl", "fr/par", "es/vit", "gb/lhr"]
}

# This guard reads an attribute of the datacenter, so Terraform runs it after
# the datacenter exists: it fails the apply, it does not prevent the creation.
resource "null_resource" "location_guard" {
  triggers = {
    location = ionoscloud_datacenter.main.location
  }
  provisioner "local-exec" {
    command = <<-EOT
      # One allowed location per line; -F (fixed string) and -x (whole line)
      # make this an exact match instead of a substring match.
      if ! printf '%s\n' ${join(" ", var.allowed_locations)} | grep -Fxq -- '${ionoscloud_datacenter.main.location}'; then
        echo "POLICY VIOLATION: Non-EU datacenter location detected"
        exit 1
      fi
    EOT
  }
}
```

Additional control: IONOS Cloud console supports region restriction policies. Enable "EU-only" constraints in your IONOS organization settings and configure IAM policies that deny resource creation outside EU locations.
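
A pre-apply check for the US-region bleed described in Pattern 1, added here as an example (it is not IONOS or sota.io code): it reads the JSON that `terraform show -json` produces for a saved plan and rejects any planned `location` or `region` outside the allow-lists used on this page, failing closed when the value is only known at apply time. The sample plan, the `analytics` and `legacy` resource names and the `us/ewr` value are constructed for illustration.

```python
"""Pre-apply residency check over `terraform show -json <planfile>` output."""
import json
import sys

# Allow-lists taken from this page: its Terraform `allowed_locations` default
# and the "de" Object Storage region it deploys to.
ALLOWED = {
    "location": {"de/fra", "de/txl", "fr/par", "es/vit", "gb/lhr"},
    "region": {"de"},
}

def find_violations(plan: dict) -> list:
    """Return one message per planned resource placed outside the allow-lists."""
    violations = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        # Only create/update (including replace) place data; skip no-op/read/delete.
        if not {"create", "update"} & set(change.get("actions", [])):
            continue
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        for attr, allowed in ALLOWED.items():
            if unknown.get(attr) is True:
                # Computed at apply time, so it cannot be verified now: fail closed.
                violations.append(f"{rc['address']}: {attr} is unknown at plan time")
            elif after.get(attr) is not None and after[attr] not in allowed:
                # Set membership is an exact match, so "de/fr" does not pass.
                violations.append(f"{rc['address']}: {attr}={after[attr]!r} is not allowed")
    return violations

# Constructed sample plan (resource names and the us/ewr value are illustrative).
SAMPLE_PLAN = {"resource_changes": [
    {"address": "ionoscloud_datacenter.main",
     "change": {"actions": ["create"], "after": {"location": "de/fra"}, "after_unknown": {}}},
    {"address": "ionoscloud_datacenter.analytics",
     "change": {"actions": ["create"], "after": {"location": "us/ewr"}, "after_unknown": {}}},
    {"address": "ionoscloud_object_storage_bucket.data",
     "change": {"actions": ["create"], "after": {"name": "my-gdpr-data"},
                "after_unknown": {"region": True}}},
    {"address": "ionoscloud_datacenter.legacy",
     "change": {"actions": ["delete"], "after": None, "after_unknown": {}}},
]}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. terraform show -json plan.out > plan.json
        with open(sys.argv[1]) as fh:
            problems = find_violations(json.load(fh))
        # A non-empty message exits with status 1, which fails the pipeline step.
        sys.exit("\n".join(problems) if problems else 0)
    print("\n".join(find_violations(SAMPLE_PLAN)))
```

Run against a saved plan in CI before `terraform apply`, this stops the pipeline before any resource is created.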

Pattern 2: United Internet Dual-Listing Institutional Investor Exposure Theory

Risk: United Internet AG is listed on the Frankfurt SDAX. Institutional investors — including US hedge funds, pension funds, and index funds (BlackRock, Vanguard, etc.) — hold positions in United Internet AG. Some argue this creates CLOUD Act exposure through indirect US control.

Why this doesn't hold legally: The CLOUD Act is clear: it applies to US persons as defined by 18 U.S.C. §2713 — not to companies in which US entities hold minority stock positions. A US investment fund holding 3% of United Internet AG is not a CLOUD Act trigger. The operative legal principle is control over data as a data custodian, not equity ownership as a passive investor.

Legal precedent: In In re Search of Information Associated with Email Accounts (2017), courts confirmed that CLOUD Act obligations attach to the data custodian (the cloud provider), not to its shareholders. United Internet AG, as the parent of IONOS SE, has no access to customer data — it is a holding company, not a data processor.

Why it still warrants DPA review: A careful DPIA under GDPR Art. 35 should nonetheless confirm that United Internet AG's corporate governance structure doesn't create indirect data access rights for any US-affiliated entities. IONOS's DPA should explicitly exclude United Internet AG from sub-processor status.

Pattern 3: B2C SaaS Stack Shadow IT Compliance Ambiguity

Risk: IONOS provides both B2C products (1&1 IONOS email hosting, website builders, domain registrations) and B2B enterprise cloud (IONOS Cloud VPS, Managed Kubernetes, Object Storage). The compliance frameworks differ substantially. German SMEs using "1&1 email" alongside "IONOS Cloud VPS" may inadvertently mix compliance frameworks in their documentation.

Why this matters for GDPR Art. 28: A DPA signed for "IONOS Cloud" may not cover "1&1 IONOS Email" as a separate product line. The sub-processors, data retention policies, and security controls differ. An enterprise DPIA that lumps all IONOS products together may be legally insufficient.

Mitigation:


AWS → IONOS Migration: 15-Service Mapping

IONOS Cloud provides a comprehensive service catalog with S3-compatible APIs for most core AWS primitives:

| AWS Service | IONOS Equivalent | Migration Notes |
|---|---|---|
| EC2 (General Purpose) | IONOS VPS S/M/L | Direct sizing: M5.large ≈ VPS M (4 vCPU / 16 GB) |
| EC2 (Compute Optimized) | IONOS Cubes XL | High-CPU instances; check benchmarks for HPC |
| S3 | IONOS Object Storage | S3-compatible API — boto3, Terraform AWS provider, s3cmd all work |
| EKS | IONOS Managed Kubernetes | CNCF-certified, kubectl-compatible, Helm works |
| RDS (PostgreSQL/MySQL) | IONOS Managed Database | Supports PostgreSQL 14/15, MySQL 8.0 |
| Route 53 | IONOS Managed DNS | Full DNS management, TTL control, DNSSEC support |
| ELB/ALB | IONOS Load Balancer | L4/L7 load balancing, SSL termination |
| CloudFront | IONOS CDN | PoPs in DE/FR/US/APAC; EU-only routing available |
| ACM | IONOS SSL Certificates | Let's Encrypt integration, custom certificates |
| Lambda | IONOS Cloud Functions | Limited parity; evaluate for stateless functions |
| ECR | IONOS Container Registry | Docker-compatible registry, integrated with Kubernetes |
| IAM | IONOS Identity & Access | User/role management, API key scoping |
| VPC | IONOS Data Center / vNet | Private network isolation, cross-DC connectivity |
| VPN Gateway | IONOS VPN | IPSec VPN, site-to-site connectivity |
| Secrets Manager | IONOS Secrets Manager | Key-value secrets storage, API access |

S3-Compatible Object Storage: Drop-In Replacement

IONOS Object Storage implements the full S3 API. Migration from AWS S3 requires only a configuration change:

```python
# AWS SDK (boto3) — Before: AWS
import boto3

s3 = boto3.client(
    's3',
    region_name='eu-central-1',
    aws_access_key_id='AKIA...',
    aws_secret_access_key='...'
)

# After: IONOS Object Storage (same boto3 call, different endpoint)
s3 = boto3.client(
    's3',
    region_name='de',
    endpoint_url='https://s3-eu-central-1.ionoscloud.com',
    aws_access_key_id='IONOS_ACCESS_KEY',
    aws_secret_access_key='IONOS_SECRET_KEY'
)
# All s3.put_object(), s3.get_object(), s3.list_objects() calls work unchanged
```

```hcl
# Terraform: AWS provider → IONOS provider
# Before:
provider "aws" {
  region = "eu-central-1"
}
resource "aws_s3_bucket" "data" {
  bucket = "my-gdpr-data"
}

# After:
terraform {
  required_providers {
    ionoscloud = {
      source  = "ionos-cloud/ionoscloud"
      version = ">= 6.4.0"
    }
  }
}
provider "ionoscloud" {
  token = var.ionos_token
}
resource "ionoscloud_object_storage_bucket" "data" {
  name   = "my-gdpr-data"
  region = "de"
}
```

IONOS Managed Kubernetes: EKS Migration

```yaml
# kubeconfig — switch from EKS to IONOS
apiVersion: v1
kind: Config
clusters:
- cluster:
    # Replace EKS endpoint with IONOS endpoint
    server: https://k8s-cluster.ionos.com
    certificate-authority-data: <IONOS_CA_DATA>
  name: ionos-k8s
contexts:
- context:
    cluster: ionos-k8s
    user: ionos-admin
  name: ionos-production
current-context: ionos-production
users:
- name: ionos-admin
  user:
    token: <IONOS_KUBECONFIG_TOKEN>
```

IONOS Managed Kubernetes is CNCF-certified. Existing Helm charts, Kubernetes manifests, and operators deploy without modification. Node pools support auto-scaling and can be restricted to EU data center locations.


GDPR-Compliant EU Sovereign Stack on IONOS

For a production-grade GDPR-compliant workload on IONOS:

| Layer | IONOS Service | GDPR Rationale |
|---|---|---|
| Compute | VPS L / Bare Metal | German/EU DC only, BSI C5 certified hardware |
| Container Orchestration | Managed Kubernetes (de/fra) | CNCF-certified, EU-region scoped |
| Database | Managed DB PostgreSQL 15 (de/fra) | Encrypted at rest/transit, EU jurisdiction |
| Object Storage | Object Storage (de region) | S3-compatible, EU DC, DPA covered |
| Secrets | IONOS Secrets Manager | Key rotation, API access control |
| DNS | Managed DNS with DNSSEC | No CLOUD Act exposure, EU-controlled |
| Load Balancing | Load Balancer (de/fra) | TLS termination, no US routing |
| CDN (optional) | IONOS CDN, EU PoPs only | Configure EU-only edge if EU-only needed |
| Monitoring | Self-hosted Prometheus/Grafana on IONOS VPS | Keeps metrics in EU jurisdiction |
| Compliance | BSI C5 Type II attestation | Regulatory evidence for DPIA, NIS2 audits |

Cost Comparison: IONOS vs AWS (EU Production Stack)

Reference workload: 3-node Kubernetes cluster, 100GB object storage, managed PostgreSQL, 2TB/month bandwidth

| Component | AWS (eu-central-1) | IONOS (de/fra) | Savings |
|---|---|---|---|
| 3x EKS nodes (m5.xlarge) | ~€520/mo | ~€180/mo (3x VPS XL) | 65% |
| S3 (100GB + requests) | ~€28/mo | ~€8/mo | 71% |
| RDS PostgreSQL (db.m5.large) | ~€180/mo | ~€60/mo (Managed DB M) | 67% |
| Data transfer (2TB out) | ~€175/mo | ~€50/mo (included up to 50TB) | 71% |
| Load Balancer | ~€22/mo | ~€15/mo | 32% |
| Total | ~€925/mo | ~€313/mo | ~66% savings |

IONOS's pricing advantage is particularly pronounced for bandwidth — AWS charges €0.085–€0.09/GB for data transfer out of eu-central-1, while IONOS includes generous bandwidth in VPS/Kubernetes plans.


BSI vs ANSSI: German vs French Certification Compared

Since OVHcloud (French, SecNumCloud/ANSSI) and IONOS (German, BSI C5) both earn 1/25 CLOUD Act scores, the certification landscape becomes the differentiator:

| Dimension | BSI C5 (IONOS) | SecNumCloud (OVHcloud) |
|---|---|---|
| Issuing authority | BSI (German Federal) | ANSSI (French National) |
| EU recognition | High in DACH, recognized across EU | High in France, growing EU recognition |
| Audit scope | Cloud service + supply chain | Cloud service + data center physical |
| Government workloads | German federal agencies (BSI mandate) | French government (HÉBERGEUR agréé) |
| Financial sector | BaFin recommended for German banks | French ACPR recommended |
| NIS2 Art. 21 mapping | Explicit | Explicit |
| GDPR Art. 32 mapping | Explicit | Explicit |
| ISO 27001 relationship | Additional controls beyond ISO 27001 | Superset of ISO 27001 |

Guidance:


Hetzner vs IONOS: German Cloud Comparison

Both Hetzner (0/25 CLOUD Act) and IONOS (1/25 CLOUD Act) are excellent German alternatives. The choice depends on workload requirements:

| Dimension | Hetzner | IONOS |
|---|---|---|
| CLOUD Act score | 0/25 (no US DCs at all) | 1/25 (US DCs exist, EU-region selectable) |
| BSI C5 | Not certified | BSI C5 Type II |
| Target market | Developer-first, SME | Enterprise, regulated industries |
| Managed Kubernetes | Hetzner Cloud (HCloud K8s) | CNCF-certified Managed Kubernetes |
| Managed DB | Not available | Managed Database (PostgreSQL/MySQL) |
| Object Storage | Hetzner Object Storage (S3-compatible) | IONOS Object Storage (S3-compatible) |
| Price (VPS) | Lowest (CAX/CPX series) | Moderate (higher than Hetzner) |
| DCs | Falkenstein/Nuremberg (DE), Helsinki (FI) | Frankfurt, Karlsruhe (DE), Madrid, London |
| NIS2/BaFin compliance evidence | Limited | Strong (BSI C5 attestation) |

Decision rule:


Regulatory Compliance Matrix

IONOS Cloud supports compliance with the following EU regulatory frameworks:

| Regulation | IONOS Coverage |
|---|---|
| GDPR Art. 28 | DPA available, sub-processor list published |
| GDPR Art. 32 | BSI C5 maps to Art. 32 technical measures |
| GDPR Art. 46 | EU-to-EU transfer (no SCCs needed for EU customers) |
| NIS2 Directive (Art. 21) | BSI C5 directly addresses NIS2 security measures |
| DORA (Financial sector) | BSI C5 aligns with ICT risk management requirements |
| German BDSG | German-law DPA, German jurisdiction |
| BSI-KRITIS | BSI C5 Type II attestation accepted for critical infrastructure |
| BaFin BAIT/VAIT | Cloud-provider audit evidence via BSI C5 attestation report |
| EU AI Act Art. 10 | Infrastructure compliance for AI training data governance |
| Schrems II | No CLOUD Act exposure = Schrems II safe harbor for EU→EU transfers |

Choosing Your EU IaaS: Decision Framework

After covering Hetzner (0/25), Scaleway (1/25), OVHcloud (1/25), and IONOS (1/25) in this series, here's when to choose each:

EU IaaS Selection:

CLOUD Act risk = critical AND budget = primary?
├── Yes → Hetzner (0/25, lowest cost, no US DCs)
└── No ↓

Regulated workload (BaFin/NIS2/KRITIS)?
├── Yes, German regulation → IONOS (BSI C5 Type II)
├── Yes, French regulation → OVHcloud (SecNumCloud/ANSSI)
└── No ↓

Developer-first managed platform?
├── Yes → Scaleway (GPU H100, Kubernetes Kapsule, Paris-native)
└── No ↓

Multi-cloud EU strategy?
└── IONOS + Hetzner (compliance tier + cost tier)

Conclusion

IONOS SE earns its 1/25 CLOUD Act risk score through a clean German corporate structure: IONOS SE (Societas Europaea) → United Internet AG (German AG) → no US parent, no US persons in the data custodian chain. BSI C5 Type II certification provides regulatory-grade compliance evidence for German-regulated industries (BaFin, BSI-KRITIS, NIS2) that exceeds what SOC 2 or ISO 27001 alone can provide.

The 1/25 score vs Hetzner's 0/25 reflects only the existence of optional US data center locations — European customers who explicitly select de/fra or other EU regions achieve equivalent data sovereignty to Hetzner, with the additional benefit of BSI C5 attestation, managed Kubernetes, managed databases, and a more comprehensive enterprise service catalog.

For European DevOps teams under regulatory pressure — DORA financial compliance, NIS2 critical infrastructure, or BaFin cloud guidance — IONOS provides the strongest combination of CLOUD Act immunity and formal compliance certification available in the German cloud market.

Next in the series: EU Cloud Infrastructure Finale — a complete comparison matrix across Hetzner, Scaleway, OVHcloud, and IONOS with a decision framework for every EU enterprise use case.


This analysis is based on publicly available corporate registry data, official BSI C5 documentation, and IONOS Cloud terms of service as of May 2026. CLOUD Act risk scores are assessments based on the five-dimensional framework developed by sota.io. Consult legal counsel for binding compliance determinations.
