How to Migrate Your Dev Stack to Europe in 2026: The Complete Checklist
Post #1091 in the sota.io EU Developer Sovereignty Series
A Hacker News thread, "I moved my digital stack to Europe", generated hundreds of comments in 2026. The consensus: it's doable, but nobody had written a comprehensive developer checklist. After researching 40+ EU-native services across every stack layer, here is that checklist.
This guide covers 10 infrastructure layers, with CLOUD Act risk scores (0–25, lower is better) and GDPR Art.46 transfer mechanism status for each. If your current stack scores above 15 on any layer, you have a data transfer compliance gap.
Why Migrate in 2026?
Three converging forces make EU stack migration urgent for European developers:
1. CLOUD Act enforcement expanded. The US Clarifying Lawful Overseas Use of Data Act (18 U.S.C. § 2713) allows US authorities to compel disclosure of data held by US-controlled companies anywhere in the world — including EU-region servers. After the Schrems II ruling invalidated Privacy Shield, DPA enforcement intensified. The Austrian DSB (2022), French CNIL (2022), Italian Garante (2022), Swedish IMY (2022), and Danish Datatilsynet (2022) all ruled US-hosted analytics tools illegal under GDPR.
2. EU Cloud Sovereignty legislation accelerated. The European Cloud Act entered force in 2025. EUCS (EU Cybersecurity Certification Scheme for Cloud Services) is finalising Level High requirements that explicitly require jurisdictional independence from non-EU law. CADA (Cyber Act) implementation deadlines hit in mid-2026.
3. Enterprise procurement requires it. DORA (Digital Operational Resilience Act, effective January 2025) requires financial entities to ensure their ICT vendors are not subject to concentration risk from non-EU jurisdictions. NIS2 (effective October 2024) applies similar logic to critical infrastructure operators. B2B SaaS sales into regulated EU sectors now require evidence of EU data processing.
CLOUD Act Risk Score Framework
Throughout this checklist, each service is scored on a 25-point scale:
| Dimension | Max Points |
|---|---|
| US corporate parent | 8 |
| US-law data access clauses | 6 |
| Sub-processor CLOUD Act exposure | 5 |
| Data residency guarantees | 3 |
| DPA/SCCs enforceability | 3 |
Score 0–4: EU-native, no CLOUD Act exposure. ✅
Score 5–12: Manageable with DPAs and SCCs, document carefully. ⚠️
Score 13–20: High risk, DPA enforcement likely. ❌
Score 21–25: Critical exposure, GDPR Art.46 gap. 🔴
Layer 1: DNS and Domain Registrar
What's exposed: Every DNS query for your domain. Registrar account data. WHOIS records.
US-controlled services to replace
| Service | CLOUD Act Score | Issue |
|---|---|---|
| Cloudflare DNS (free) | 18/25 | Cloudflare Inc. San Francisco CA — CLOUD Act full exposure |
| GoDaddy | 20/25 | Delaware Corp, DoJ access precedent (2019) |
| Namecheap | 15/25 | Phoenix AZ, US-incorporated |
| AWS Route 53 | 22/25 | Amazon.com Inc. Seattle WA |
EU-native replacements
| Service | Score | Notes |
|---|---|---|
| Hetzner DNS | 0/25 | Nuremberg DE, free, GDPR Art.5 compliant |
| INWX | 1/25 | Cologne DE, DENIC accredited, since 2004 |
| Gandi | 3/25 | Paris FR SAS, B Corp certified, no sub-processor US exposure |
| IONOS (United Internet AG) | 4/25 | Montabaur DE, Frankfurt-listed |
Migration effort: 30 minutes per domain (TTL reduction → NS change → propagation).
Checklist:
- Export zone files from current registrar
- Create zone in Hetzner DNS or INWX
- Lower TTL to 300s (5 min) 24h before cutover
- Verify all records (A, AAAA, MX, TXT, CNAME, CAA) are correct
- Update nameservers at registrar
- Monitor DNS propagation (72h full propagation)
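The "verify all records are correct" step above is easy to get wrong by eye. The following is an added example (not a tool from any of the providers listed) that diffs the zone exported from the old provider against the zone built at the new one and also flags old-zone records whose TTL has not yet been lowered for cutover; both zone texts are constructed samples.

```python
"""Pre-cutover DNS check: compare old and new zone exports record by record.
Added example for this checklist; the two zones below are constructed samples."""
from collections import Counter

# Constructed exports in BIND zone-file line format: name TTL class type rdata
OLD_ZONE = """\
example.com.      3600 IN A     203.0.113.10
example.com.      3600 IN AAAA  2001:db8::10
www.example.com.  3600 IN CNAME example.com.
example.com.      3600 IN MX    10 mail.example.com.
example.com.      3600 IN TXT   "v=spf1 mx -all"
example.com.      3600 IN CAA   0 issue "letsencrypt.org"
"""
NEW_ZONE = """\
example.com.      300 IN A     203.0.113.10
example.com.      300 IN AAAA  2001:db8::10
www.example.com.  300 IN CNAME example.com.
example.com.      300 IN MX    10 mail.example.com.
example.com.      300 IN TXT   "v=spf1 mx -all"
"""

CHECKED_TYPES = {"A", "AAAA", "MX", "TXT", "CNAME", "CAA"}  # types the checklist names
CUTOVER_TTL = 300  # the checklist's pre-cutover TTL

def parse_zone(text):
    """Return (records, ttls): records counts (name, type, rdata) keys without TTL,
    ttls maps each key to its TTL. Comments (';') and $-directives are skipped;
    a ';' inside quoted TXT rdata is not handled by this simple parser."""
    records, ttls = Counter(), {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        name, ttl, _cls, rtype, rdata = parts
        key = (name.lower().rstrip("."), rtype.upper(), " ".join(rdata.split()))
        records[key] += 1
        ttls[key] = int(ttl)
    return records, ttls

def compare_zones(old_text, new_text):
    """Report records missing at the new provider, unexpected extras, and old-zone
    records whose TTL is still above the cutover value."""
    old, old_ttls = parse_zone(old_text)
    new, _ = parse_zone(new_text)
    old_checked = {k: v for k, v in old.items() if k[1] in CHECKED_TYPES}
    new_checked = {k: v for k, v in new.items() if k[1] in CHECKED_TYPES}
    missing = sorted(k for k in old_checked if new_checked.get(k, 0) < old_checked[k])
    extra = sorted(k for k in new_checked if old_checked.get(k, 0) < new_checked[k])
    high_ttl = sorted(k for k, ttl in old_ttls.items() if ttl > CUTOVER_TTL)
    return {"missing": missing, "extra": extra, "ttl_not_lowered": high_ttl,
            "ready": not missing and not extra and not high_ttl}

if __name__ == "__main__":
    for field, value in compare_zones(OLD_ZONE, NEW_ZONE).items():
        print(field, value)
```

In the constructed sample the CAA record was never recreated and the old TTLs are still 3600, so the report says the zone is not ready to cut over.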
Layer 2: CDN and DDoS Protection
What's exposed: All HTTP request headers (including IP, User-Agent, cookies). Cached content. TLS termination (private keys at CDN edge).
US-controlled services to replace
| Service | CLOUD Act Score | Issue |
|---|---|---|
| Cloudflare CDN | 18/25 | TLS termination in US, CLOUD Act §2713 |
| Fastly | 19/25 | San Francisco CA, DoD contracts |
| AWS CloudFront | 22/25 | Amazon.com Inc., all-US executive team |
| Akamai | 21/25 | Cambridge MA, DoD-cleared personnel |
EU-native replacements
| Service | Score | Notes |
|---|---|---|
| BunnyCDN | 1/25 | Ljubljana SI (Slovenia), EU incorporated, 116 PoPs |
| KeyCDN | 2/25 | Winterthur CH Switzerland, GDPR compliant by design |
| Bunny.net Shield | 2/25 | DDoS protection bundled, EU operator |
| Cloudflare EU Data Localization | 12/25 | Reduces but does NOT eliminate CLOUD Act (US parent) |
Migration effort: 2–4 hours (DNS CNAME swap + cache warming).
Checklist:
- Sign up BunnyCDN or KeyCDN (free trials available)
- Configure pull zone pointing to your origin
- Set CNAME dns.bunnycdn.com (or equivalent)
- Enable HTTPS with Let's Encrypt auto-renewal
- Configure cache rules (match existing Cloudflare Page Rules)
- Test with `curl -I https://yourdomain.com` and check the CDN headers
Layer 3: PaaS and Application Hosting
What's exposed: Your application code. Environment variables (secrets, API keys, database URLs). Build logs. All runtime data.
This is the most critical layer. Your PaaS provider has root access to everything your application does. A CLOUD Act request here means full application data exposure.
US-controlled PaaS to replace
| Service | CLOUD Act Score | Issue |
|---|---|---|
| Vercel | 21/25 | Vercel Inc. San Francisco CA, VC-backed US Corp |
| Heroku (Salesforce) | 22/25 | Salesforce Inc. San Francisco CA |
| Railway | 14/25 | Railway Corp, Delaware |
| Render | 16/25 | Render Inc. San Francisco CA |
| Fly.io | 13/25 | Fly.io Inc. Delaware Corp |
EU-native PaaS replacements
| Service | Score | Notes |
|---|---|---|
| sota.io | 0/25 | EU-native managed PaaS, Hetzner Germany backbone, no US parent |
| Scalingo | 1/25 | Strasbourg FR SAS, OVHcloud infrastructure, GDPR DPA standard |
| Clever Cloud | 1/25 | Nantes FR SAS, multi-EU regions, SOC 2 + HDS certified |
| Northflank | 4/25 | UK Ltd, EU data residency option, Docker/Kubernetes |
| Koyeb | 3/25 | Paris FR SAS, edge-first, EU regions (Paris, Frankfurt) |
Why sota.io: sota.io is the only EU-native managed PaaS with one-sentence deploy semantics (git push, Docker, or CLI) and explicit CLOUD Act independence documentation. No US parent company, no US-law compelled disclosure risk. Hetzner Germany infrastructure gives EUCS-compatible data residency.
Migration effort: 1–3 hours for a typical Next.js/Rails/Django/Go app.
Checklist:
- Run `sota deploy` or push a Dockerfile (sota.io supports any language)
- Migrate environment variables to sota.io secrets
- Configure custom domain (`sota domains add yourdomain.com`)
- Update DNS CNAME to sota.io edge
- Run smoke tests on staging environment
- Cut over production DNS (low TTL first)
Layer 4: Authentication and Identity
What's exposed: User passwords (hashed). Session tokens. OAuth tokens for connected services. MFA seeds. User PII.
US-controlled auth to replace
| Service | CLOUD Act Score | Issue |
|---|---|---|
| Auth0 (Okta) | 20/25 | Okta Inc. San Francisco CA, Auth0 acquired 2021 |
| Firebase Auth | 22/25 | Google LLC Delaware, CLOUD Act full exposure |
| AWS Cognito | 22/25 | Amazon.com Inc., IAM-linked |
| Clerk | 15/25 | Clerk Inc. New York, VC-backed US Corp |
| Stytch | 16/25 | Stytch Inc. San Francisco, US-only infrastructure |
EU-native auth replacements
| Service | Score | Notes |
|---|---|---|
| Keycloak | 0/25 | JBoss/Red Hat open source, self-hosted on EU infra |
| Zitadel | 0/25 | CAOS AG Zürich CH, Cloud edition EU-hosted |
| Authentik | 0/25 | Open source, self-hosted, full OIDC/SAML/LDAP |
| WALLIX Bastion | 2/25 | Paris FR SAS, PAM/SSO enterprise, ANSSI certified |
| NetIQ eDirectory | 4/25 | Micro Focus UK Ltd, Newbury UK |
Keycloak on sota.io: Deploy Keycloak container on sota.io in under 10 minutes. Keycloak supports OIDC, SAML 2.0, OAuth 2.0, LDAP federation, and social login — replacing Auth0/Firebase Auth feature-for-feature. GDPR Art.25 privacy by design built in (minimal data collection, right to erasure built into user management).
Migration effort: 4–8 hours (Keycloak setup + OAuth redirect URI updates in all apps).
Checklist:
- Deploy Keycloak via sota.io Docker (`keycloak/keycloak:latest`)
- Configure realm, clients, and user federation
- Update OAuth callback URLs in your applications
- Migrate existing user accounts (export from Auth0 via Management API)
- Test all OAuth flows (login, refresh, logout, token introspection)
- Update email templates (Keycloak has full custom template support)
Layer 5: Database and Data Storage
What's exposed: All application data. User PII. Business logic tables. Query logs.
US-controlled databases to replace
| Service | CLOUD Act Score | Issue |
|---|---|---|
| Supabase (US region) | 14/25 | Supabase Inc. San Francisco CA |
| AWS RDS | 22/25 | Amazon.com Inc., CLOUD Act full |
| PlanetScale | 16/25 | PlanetScale Inc. Mountain View CA |
| Neon (US region) | 13/25 | Neon Inc. Delaware |
| MongoDB Atlas (US) | 17/25 | MongoDB Inc. NYC NYSE |
EU-native database services
| Service | Score | Notes |
|---|---|---|
| Supabase (EU region: Frankfurt) | 8/25 | US parent, but EU data residency reduces risk |
| Neon (EU region: Frankfurt/AWS eu-central-1) | 6/25 | US parent, EU residency, Standard SCCs |
| Hetzner Dedicated (self-managed PostgreSQL) | 0/25 | Full control, no third-party DPA needed |
| Managed PostgreSQL on sota.io | 0/25 | EU-native, GDPR Art.28 DPA auto-provided |
| Scaleway Managed DB | 1/25 | Paris FR SAS, PostgreSQL/MySQL/Redis |
| OVHcloud Cloud Databases | 1/25 | Roubaix FR, EU regulated, GDPR native |
Migration effort: 4–16 hours (schema export, data migration, application connection string update + testing).
Checklist:
- Export current database (`pg_dump`, `mysqldump`, or DB-specific tool)
- Provision EU-native PostgreSQL instance
- Import schema and data
- Update `DATABASE_URL` in application environment
- Run integration tests against new DB
- Enable automated backups (daily full + WAL streaming)
- Set up monitoring/alerting for connection pool exhaustion
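Before switching the production connection string, confirm that the import actually landed every row. The following is an added example (not part of this checklist's tooling) that compares row counts and an order-independent content hash per table between the old and the new instance. It uses sqlite3 from the standard library so it runs stand-alone on two constructed in-memory databases; against PostgreSQL the same queries are assumed to run unchanged through a DB-API driver such as psycopg.

```python
"""Post-import parity check for the database cutover step.
Added example; both databases below are constructed with sqlite3."""
import hashlib
import sqlite3

def seed(conn, rows):
    """Constructed schema: a users table holding PII that must arrive intact."""
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, country TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    conn.commit()

def table_fingerprint(conn, table, key="id"):
    """Row count plus a SHA-256 over all rows ordered by the primary key, so the
    result does not depend on physical row order or on how the data was imported."""
    cur = conn.execute(f'SELECT * FROM "{table}" ORDER BY "{key}"')
    digest, count = hashlib.sha256(), 0
    for row in cur:
        digest.update(repr(tuple(row)).encode())
        count += 1
    return count, digest.hexdigest()

def compare_databases(src, dst, tables):
    """Return (per-table report, ready flag). Any mismatch means the import is
    incomplete and the application must keep pointing at the old instance."""
    report = {}
    for table in tables:
        s_count, s_hash = table_fingerprint(src, table)
        d_count, d_hash = table_fingerprint(dst, table)
        report[table] = {"source_rows": s_count, "target_rows": d_count,
                         "match": s_hash == d_hash}
    return report, all(r["match"] for r in report.values())

def demo(lossy=True):
    """Constructed scenario: with lossy=True the last row never reached the target."""
    rows = [(1, "a@example.com", "DE"), (2, "b@example.com", "FR"), (3, "c@example.com", "NL")]
    source, target = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    seed(source, rows)
    seed(target, rows[:-1] if lossy else rows)
    return compare_databases(source, target, ["users"])

if __name__ == "__main__":
    report, ready = demo()
    print(report, "ready to cut over:", ready)
```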
Layer 6: Object Storage and File Storage
What's exposed: User-uploaded files. Application assets. Backups. Log archives.
US-controlled storage to replace
| Service | CLOUD Act Score | Issue |
|---|---|---|
| AWS S3 | 22/25 | Amazon.com Inc., NSL gag-order precedent |
| Google Cloud Storage | 22/25 | Google LLC Delaware, CLOUD Act |
| Azure Blob Storage | 21/25 | Microsoft Corp WA, CLOUD Act |
| Cloudflare R2 | 18/25 | Cloudflare Inc. CA (no egress fees, but US parent) |
| Backblaze B2 | 15/25 | Backblaze Inc. San Mateo CA |
EU-native storage
| Service | Score | Notes |
|---|---|---|
| Hetzner Object Storage | 0/25 | Nuremberg DE, S3-compatible API, €0.012/GB |
| Scaleway Object Storage | 1/25 | Paris/Amsterdam, S3-compatible, GDPR |
| OVHcloud Object Storage | 1/25 | Roubaix/Strasbourg, Swift + S3 API |
| MinIO (self-hosted) | 0/25 | Open source, deploy on any EU VPS |
| Exoscale Object Storage | 2/25 | Vienna AT SAS, Swiss datacenters |
S3-compatible API: All EU alternatives listed above support the S3 API. Your existing AWS SDK code works with zero changes — just swap the endpoint URL and credentials.
Migration effort: 1–3 hours (bucket creation + aws s3 sync or rclone copy to move data).
Checklist:
- Create bucket in Hetzner Object Storage or Scaleway
- Run `rclone copy s3:your-bucket hetzner:your-bucket` for data migration
- Update `AWS_ENDPOINT_URL`, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`
- Test presigned URL generation and file upload/download
- Update application code if bucket policy logic differs
- Verify CORS settings for frontend direct uploads
Layer 7: Email and Transactional Email
What's exposed: Customer email addresses. Transactional content (order confirmations, password resets). Open/click tracking pixels.
US-controlled email to replace
| Service | CLOUD Act Score | Issue |
|---|---|---|
| SendGrid (Twilio) | 21/25 | Twilio Inc. San Francisco CA |
| Mailgun (Sinch) | 17/25 | Sinch AB acquired Mailgun — mixed jurisdiction |
| Postmark | 16/25 | ActiveCampaign Inc. Chicago IL |
| AWS SES | 22/25 | Amazon.com Inc. |
| Mandrill (Mailchimp/Intuit) | 21/25 | Intuit Inc. Mountain View CA |
EU-native transactional email
| Service | Score | Notes |
|---|---|---|
| Brevo (ex-Sendinblue) | 1/25 | Paris FR SAS, GDPR Art.28 DPA, ISO 27001 |
| Mailtrap SMTP | 3/25 | Railsware Ltd IE, servers in EU |
| Resend (EU region) | 8/25 | US parent (YC-backed), EU region option |
| Postal (self-hosted) | 0/25 | Open source, deploy on EU VPS |
| Mailcow (self-hosted) | 0/25 | Open source, GDPR-first, full SMTP+IMAP |
Brevo for developers: Brevo has a developer-friendly REST API compatible with the Mailgun/SendGrid patterns. Starter tier is free up to 300 emails/day. GDPR-compliant opt-in/opt-out management is built in.
Migration effort: 2–4 hours (API credential swap + email template migration).
Layer 8: Monitoring and Observability
What's exposed: Application error messages (may contain PII). Performance traces. Log streams. Infrastructure metrics. User session data (in APM tools).
US-controlled monitoring to replace
| Service | CLOUD Act Score | Issue |
|---|---|---|
| Datadog | 20/25 | Datadog Inc. NYC NYSE |
| New Relic | 19/25 | New Relic Inc. San Francisco CA |
| Sentry | 15/25 | Functional Software Inc. San Francisco |
| PagerDuty | 17/25 | PagerDuty Inc. San Francisco CA |
| Grafana Cloud (US) | 13/25 | Grafana Labs Inc. NYC — US parent |
EU-native monitoring
| Service | Score | Notes |
|---|---|---|
| AppSignal | 0/25 | Amsterdam NL B.V., EU-only infrastructure |
| Grafana Cloud (EU region) | 7/25 | US parent, EU data residency option |
| Prometheus + Grafana (self-hosted) | 0/25 | Open source stack, deploy on EU infra |
| Glitchtip (self-hosted) | 0/25 | Open source Sentry alternative |
| Signoz (self-hosted) | 0/25 | OpenTelemetry native, EU-deployable |
| Better Stack | 4/25 | Prague CZ SRO, EU infrastructure |
AppSignal for developers: AppSignal is a Dutch company offering APM, error tracking, and uptime monitoring with zero US data exposure. It integrates with Rails, Node.js, Python, Elixir, Go, and PHP. GDPR DPA auto-generated on signup. No sub-processors outside EU.
Layer 9: Analytics
What's exposed: User behavior data. Page views. Session recordings. Conversion funnels. IP addresses. Device fingerprints.
Analytics tools receive the most GDPR enforcement because they sit closest to end-user PII.
US-controlled analytics ruled illegal by EU DPAs
| Service | DPA Ruling | CLOUD Act Score |
|---|---|---|
| Google Analytics (UA) | 5 DPAs illegal (2022) | 22/25 |
| Google Analytics 4 | Legal uncertainty in AT, FR, IT | 22/25 |
| Adobe Analytics | No ruling yet, but same parent-risk | 21/25 |
| Mixpanel | No EU DPA ruling yet | 17/25 |
| Amplitude | No EU DPA ruling yet | 16/25 |
EU-native analytics
| Service | Score | Notes |
|---|---|---|
| Plausible Analytics | 0/25 | Tallinn EE OÜ, no cookies, GDPR native |
| Matomo (self-hosted) | 0/25 | InnoCraft Ltd — deploy on EU infra |
| PostHog (EU Cloud) | 4/25 | US parent, EU region option |
| Pirsch | 0/25 | Emmerich am Rhein DE, no cookies |
| Fathom Analytics | 3/25 | CA-incorporated, but EU processing only — check DPA |
Plausible for product teams: Plausible is cookieless by design, so it requires no cookie banner, and it provides product analytics (events, goals, funnels) sufficient for most SaaS teams. The self-hosted option has zero third-party data exposure.
Layer 10: CI/CD and Version Control
What's exposed: Source code. Build secrets. Deployment keys. All environment variables used in CI.
US-controlled CI/CD to replace
| Service | CLOUD Act Score | Issue |
|---|---|---|
| GitHub Actions | 20/25 | Microsoft Corp WA, CLOUD Act |
| CircleCI | 16/25 | CircleCI Inc. San Francisco CA |
| Travis CI (Idera) | 14/25 | Idera Inc. Houston TX |
EU-native CI/CD
| Service | Score | Notes |
|---|---|---|
| GitLab.com (EU region) | 6/25 | GitLab Inc. SF (public), EU data residency option |
| GitLab Self-Hosted | 0/25 | Deploy on Hetzner/Scaleway, full control |
| Woodpecker CI | 0/25 | Open source drone fork, Docker-native, self-hostable |
| Forgejo + Woodpecker | 0/25 | Fully EU-sovereign gitea/forgejo combo |
| Gitea (self-hosted) | 0/25 | Open source GitHub alternative |
| Gitea Actions | 0/25 | GitHub Actions-compatible runner syntax |
GitHub Actions with EU runners: If migrating your entire VCS is too large an investment right now, you can reduce CLOUD Act exposure by using self-hosted GitHub Actions runners on EU infrastructure. Your code stays on GitHub (US risk), but compute and secrets handling move to EU. This is a partial mitigation only.
Full Stack Migration Timeline
A realistic EU migration for a 3-developer SaaS team:
| Week | Layer | Effort |
|---|---|---|
| Week 1 | DNS + Domain registrar | 1–2 hours |
| Week 1 | Analytics (Plausible/Matomo) | 2–4 hours |
| Week 2 | PaaS migration (sota.io) | 4–8 hours |
| Week 2 | Object storage (Hetzner/Scaleway) | 2–4 hours |
| Week 3 | Authentication (Keycloak/Zitadel) | 4–8 hours |
| Week 3 | Email (Brevo) | 2–4 hours |
| Week 4 | Database migration | 4–16 hours |
| Week 4 | Monitoring (AppSignal) | 2–4 hours |
| Week 5 | CI/CD (GitLab self-hosted) | 4–8 hours |
| Week 5 | CDN (BunnyCDN) | 2–4 hours |
| Total | | ~4–6 weeks part-time |
Common Migration Pitfalls
1. Assuming EU-region = EU-jurisdiction. AWS eu-central-1 (Frankfurt) is hosted in Germany, but the operator is Amazon.com Inc. (Seattle WA). US CLOUD Act applies to the company, not the datacenter.
2. Forgetting sub-processors. Your EU PaaS may be clean, but if it sends error reports to Sentry (US) or metrics to Datadog (US), the sub-processor is a GDPR Art.28 breach.
3. DNS as an afterthought. Cloudflare DNS sees all your traffic metadata even if you've moved to EU hosting. Fix DNS first.
4. Breaking change during migration window. For databases, run the new EU instance in read-replica mode for 48h before cutting over. Validate all query patterns before switching the primary.
5. Missing the GDPR Art.28 DPA documentation. Every service you use must have a signed Data Processing Agreement. EU-native providers generate these automatically (Hetzner, Scaleway, Brevo). US providers offer SCCs — which are legally weaker and potentially invalidatable by future Schrems III.
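The scoring framework at the top of this guide and pitfall 2 above combine naturally into one audit: score every provider and every sub-processor on the five dimensions, take the worst score per layer, and flag any layer above 15. The following is an added example (not a sota.io tool); the stack inventory and its dimension points are constructed illustrations, and scoring a layer by its riskiest party is this example's assumption.

```python
"""Added example implementing the 25-point CLOUD Act risk score, its four bands,
and the 'above 15 on any layer' gap rule, with sub-processors scored alongside
the providers that use them. The inventory is constructed."""

# Dimension -> maximum points, from the framework table
MAX_POINTS = {
    "us_parent": 8,
    "us_law_access_clauses": 6,
    "subprocessor_cloud_act": 5,
    "data_residency": 3,
    "dpa_scc_enforceability": 3,
}
GAP_THRESHOLD = 15  # a layer scoring above this has a data transfer compliance gap

def score_service(points):
    """Sum the five dimensions, rejecting unknown dimensions or out-of-range values."""
    unknown = set(points) - set(MAX_POINTS)
    if unknown:
        raise ValueError(f"unknown dimensions: {sorted(unknown)}")
    total = 0
    for dim, maximum in MAX_POINTS.items():
        value = points.get(dim, 0)
        if not 0 <= value <= maximum:
            raise ValueError(f"{dim}: {value} outside 0..{maximum}")
        total += value
    return total

def band(score):
    """Map a score to the guide's four bands."""
    if score <= 4:
        return "EU-native"
    if score <= 12:
        return "manageable with DPAs/SCCs"
    if score <= 20:
        return "high risk"
    return "critical exposure"

def audit_stack(inventory):
    """inventory: {layer: {service: {"points": {...}, "subprocessors": {name: points}}}}.
    Assumption: a layer takes the score of its riskiest provider or sub-processor,
    because one exposed party exposes the whole layer (pitfall 2)."""
    result = {}
    for layer, services in inventory.items():
        scores = {}
        for svc, entry in services.items():
            scores[svc] = score_service(entry.get("points", {}))
            for sub, pts in entry.get("subprocessors", {}).items():
                scores[f"{svc} -> {sub}"] = score_service(pts)
        worst_name, worst = max(scores.items(), key=lambda kv: kv[1])
        result[layer] = {"scores": scores, "worst": worst_name,
                         "band": band(worst), "gap": worst > GAP_THRESHOLD}
    return result

# Constructed inventory: an EU-native PaaS that ships error reports to a US-parented tracker
STACK = {
    "dns": {"eu_registrar": {"points": {}}},
    "paas": {"eu_paas": {"points": {"subprocessor_cloud_act": 2},
                         "subprocessors": {"us_error_tracker": {
                             "us_parent": 8, "us_law_access_clauses": 5,
                             "subprocessor_cloud_act": 3}}}},
}
```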
Your Post-Migration GDPR Compliance Checklist
After completing the stack migration:
- All sub-processors in your privacy policy are EU-incorporated or have valid SCCs
- Record of Processing Activities (ROPA) updated with new processor list
- Data Processing Agreements signed with every new EU provider
- No personal data flowing through US-incorporated sub-processors without Art.46 mechanism
- Cookie banner updated to reflect Plausible/Matomo (may no longer be required!)
- Data Subject Rights requests can be fulfilled from EU-controlled data only
- 72-hour breach notification contacts updated to EU DPA in your country
Start with the PaaS Layer
The application hosting layer has the highest CLOUD Act exposure and the highest migration payoff. Every other layer's data flows through your PaaS (auth tokens, DB connection strings, API keys, logs).
sota.io is the EU-native managed PaaS that removes US jurisdiction from your application runtime. Deploy your existing Dockerfile, git repository, or use sota deploy for zero-configuration deploys. Hetzner Germany infrastructure, no US parent company, automatic GDPR Art.28 DPA, and full CLOUD Act independence documentation.
→ Deploy your first service on sota.io — free tier available, no credit card required.
Sources: GDPR Art.46 transfer mechanisms, CJEU Data & Dossier Schrems II (C-311/18), CLOUD Act 18 U.S.C. § 2713, Austrian DSB complaint (2021-0.586.257), French CNIL decision SAN-2022-001, Italian Garante Provv. 224/2022, Swedish IMY DI-2020-11397, Danish Datatilsynet (2022-431-0159), EUCS Level High criteria consultation paper (2025), CADA Regulation (EU) 2023/2854.