2026-05-26·5 min read·sota.io Team

Scaleway EU Cloud 2026: French IaaS Scores 1/25 on CLOUD Act vs AWS 23/25

Post #2 in the sota.io EU Cloud Infrastructure Providers Series

[Figure: CLOUD Act exposure comparison: AWS 23/25 vs Azure 22/25 vs GCP 21/25 vs Scaleway 1/25]

The CLOUD Act conversation in European cloud architecture usually centers on the obvious: AWS, Azure, and GCP are US companies, and US law enforcement can compel them to disclose data regardless of where that data is physically stored. What gets less attention is the second half of that analysis — which EU-incorporated cloud providers genuinely eliminate this exposure, and what technical and legal characteristics determine their risk profile.

Scaleway SAS represents a structurally different option from the hyperscalers. It is not a European subsidiary of an American company. It is not a US-funded startup with a Delaware holding structure. Scaleway SAS is a French Société par Actions Simplifiée — a French simplified joint stock company — incorporated under French law, owned by Iliad SA (a French group), with data centers exclusively in Paris, Amsterdam, and Warsaw. Understanding what this corporate structure means for CLOUD Act exposure requires examining five distinct dimensions, not just the headline incorporation country.

The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 18 U.S.C. § 2713) compels US persons to produce data held anywhere in the world. The statute defines US persons to include entities "organized or incorporated under, the laws of the United States or any State or Territory." Scaleway SAS is organized under French law. This is the foundational jurisdictional distinction that drives the scoring differential between 1/25 and 23/25.

The IaaS CLOUD Act Scoring Framework

The five-dimension scoring framework applied throughout this series:

D1: Corporate Jurisdiction — Is the IaaS company a US person under 18 U.S.C. § 2713? US-incorporated entities expose all managed data to CLOUD Act production orders. Score 0/5 (EU-incorporated, no US control) to 5/5 (US C-Corp with surveillance program history).

D2: Data Routing — Does EU-region data transit through or become accessible via US-based infrastructure? Management planes, API endpoints, CDN edge nodes, and backbone networks create routing exposure independent of physical DC location. Score 0/5 (EU-only routing) to 5/5 (documented US transit of data or metadata).

D3: Subprocessors — Does the provider rely on US-incorporated subprocessors for EU-region operations? Billing platforms, monitoring tools, security operations, and support infrastructure create supply-chain exposure. Score 0/5 (no US subprocessors with data access) to 5/5 (critical US-based subprocessor dependencies with production data access).

D4: Personnel Access — Can US-based engineers, support staff, or contractors access EU customer data? Privileged access from US-based personnel creates CLOUD Act compulsion vectors for individuals (not just corporate entities). Score 0/5 (EU-only access) to 5/5 (documented US-based privileged access).

D5: Legal Framework — Does the provider's ToS, DPA, or enterprise agreement invoke US jurisdiction? US choice-of-law provisions create additional legal exposure vectors. Score 0/5 (EU law exclusively) to 5/5 (US choice of law with US arbitration).

AWS EU Regions: CLOUD Act Score 23/25

Amazon Web Services, Inc. is a Delaware C-Corp. It participated in the NSA's PRISM program under FISA Section 702. As a US person, all data it manages globally falls under CLOUD Act jurisdiction.

D1: 5/5 — Amazon Web Services, Inc. (Delaware, EIN: 47-0956324). AWS EU contracting runs through Amazon Web Services EMEA SARL (Luxembourg) for contract law, but the data custodian and CLOUD Act target is the US parent entity. Standard Contractual Clauses under GDPR Art.46 are contractual instruments — they do not and cannot supersede US federal law when a valid CLOUD Act order is presented.

D2: 4/5 — AWS management plane (IAM, CloudTrail, CloudWatch, Control Tower, Organizations) operates globally with data accessible from us-east-1. AWS Route 53 (global DNS), CloudFront (US-controlled edge), and AWS Shield (DDoS with US operational center) process EU workload metadata through US-controlled infrastructure continuously.

D3: 5/5 — AWS GDPR Subprocessor List includes 15+ US-incorporated entities: Amazon.com Services LLC (Delaware), Amazon Data Services Inc. (Delaware), Amazon Connect Technology Services Inc. (Delaware). CDN, security monitoring, and billing involve multiple US-based subprocessors with access to EU-region operational metadata.

D4: 5/5 — AWS Premium/Enterprise Support operates globally with US-based engineers. AWS SOC maintains US-based personnel with privileged access to hypervisor and infrastructure layers underlying EU-region workloads.

D5: 4/5 — The AWS Customer Agreement defaults to Washington State law for US customers. EU customers contract via EMEA SARL with Luxembourg law for commercial terms, but operational control and CLOUD Act compulsion apply to the US parent regardless of commercial contract jurisdiction.

AWS Total: 23/25

Azure EU Regions: CLOUD Act Score 22/25

Microsoft Corporation is a Washington C-Corp. It participated in PRISM since 2007 per Snowden documents (confirmed, never disputed). Azure EU regions (West Europe/North Europe/France Central/Germany West Central/Norway East/Sweden Central/Switzerland North) are operated by this US person.

D1: 5/5 — Microsoft Corporation (Redmond, Washington). Azure EU services contract through Microsoft Ireland Operations Limited for EU commercial terms, but the CLOUD Act target is Microsoft Corporation. The EU Data Boundary initiative is a voluntary technical measure — it does not remove legal CLOUD Act compulsion.

D2: 4/5 — Azure Active Directory (Entra ID) tenant metadata, Azure Monitor global service, Azure Policy, and the Azure Global WAN backbone with US routing nodes continuously process metadata from EU workloads. Microsoft's US-East-based control plane components receive telemetry from all Azure regions.

D3: 4/5 — Azure relies on LinkedIn Corporation (Delaware), GitHub Inc. (Delaware), and multiple Microsoft US subsidiaries for identity, developer tooling, and security operations that interact with EU-region customer data. Azure Defender and Microsoft Sentinel security operations maintain US-accessible log aggregation.

D4: 5/5 — Microsoft CSS (Customer Support Services) global team includes US-based engineers with privileged support access. Microsoft MSRC (Security Response Center) operates from Redmond with potential access to EU customer environments during security incidents.

D5: 4/5 — Microsoft Cloud Agreement defaults to Washington State law for US customers. EU Microsoft Customer Agreement uses Irish law for commercial terms but does not eliminate CLOUD Act compulsion on the US parent entity.

Azure Total: 22/25

GCP EU Regions: CLOUD Act Score 21/25

Google LLC is a Delaware LLC, wholly owned by Alphabet Inc. (Delaware C-Corp). Google participated in PRISM from 2009. GCP EU regions (europe-west1 through europe-west12, europe-north1, europe-central2) are operated by this US person.

D1: 5/5 — Google LLC (Delaware). GCP EU services contract through Google Cloud EMEA Limited (Ireland) commercially, but the US parent holds CLOUD Act exposure for all data under Google's management.

D2: 3/5 — Google's use of QUIC protocol (Google-controlled, US-operated infrastructure) for internal communications creates unique routing considerations. Google's global software-defined network (B4) routes traffic through US-based control plane nodes. Google Cloud CDN and Cloud Armor operate with US-accessible components.

D3: 4/5 — Google Workspace integration with GCP, Mandiant (Virginia LLC, Google acquisition 2022) for threat intelligence, reCAPTCHA (US-operated), and multiple Alphabet subsidiaries providing operational support create US subprocessor exposure for EU-region workloads.

D4: 5/5 — Google SRE (Site Reliability Engineering) is a global team with US-based members who can access production infrastructure. Google PSIRT and Google Cloud Trust & Safety operate with US-based personnel having security incident access to EU customer environments.

D5: 4/5 — Google Cloud Platform Terms of Service defaults to California law. EU customers contract under Google's data processing terms with Irish law commercially, but CLOUD Act compulsion applies to Google LLC regardless.

GCP Total: 21/25

Scaleway SAS: CLOUD Act Score 1/25

Scaleway SAS was incorporated in Paris, France in 1999, originally as Iliad Online. It is a Société par Actions Simplifiée (SAS) under French Code de commerce. The company is wholly owned by Iliad SA — a French Société Anonyme (SA) publicly traded on Euronext Paris (Compartment A), controlled by founder Xavier Niel who holds approximately 52% of Iliad through NJJ Holding.

This ownership chain is entirely French. Iliad SA is incorporated and headquartered in Paris. NJJ Holding is a French holding company. Xavier Niel is a French citizen. There is no US corporate entity in the Scaleway ownership chain that would create CLOUD Act exposure through corporate control.

D1: Corporate Jurisdiction — 0/5

Scaleway SAS (SIRET: 43311590400047, RCS Paris B 433 115 904) is not a US person under 18 U.S.C. § 2713. It is incorporated under French law with French corporate governance. The Iliad Group parent is a French public company (Euronext Paris: ILD), not a Delaware corporation or any other US entity.

This matters for CLOUD Act compulsion: a US District Court cannot issue an 18 U.S.C. § 2713 production order to Scaleway SAS requiring disclosure of EU customer data. The statutory scope requires the recipient to be a US person. Scaleway is not. Any US law enforcement request for Scaleway customer data would need to proceed through the EU-France mutual legal assistance treaty (MLAT) framework — a substantially slower process requiring French judicial authorization.

French law (notably the loi de blocage — Law 68-678 of July 26, 1968 as amended by Law 80-538 of July 16, 1980) explicitly prohibits French companies from responding to foreign legal demands for economic, commercial, industrial, financial, or technical documents without prior French government authorization. This adds an additional legal barrier beyond the absence of CLOUD Act applicability.

The Scaleway DPA (Data Processing Agreement) is governed by French law with disputes resolved under French court jurisdiction. The contracting entity for EU customers is Scaleway SAS, not a US holding company with US dispute resolution.

D2: Data Routing — 0/5

Scaleway operates three availability zones, all within the EU/EEA:

All nine availability zones are in EU member states (France, Netherlands, Poland). Scaleway's network backbone (fiber connections between zones, peering at AMS-IX and Equinix Paris) operates entirely within European infrastructure. Unlike AWS Global Accelerator or Azure Global WAN, Scaleway's internal routing does not transit US-based network nodes for EU-to-EU communication.

Scaleway Edge Services (CDN) operates from edge nodes within the Iliad/Scaleway network. While Scaleway has peering relationships with global internet exchanges, the management plane for customer workloads — the Scaleway Console, API endpoints (api.scaleway.com), and internal orchestration — runs on EU-based infrastructure operated by EU-based personnel.

D3: Subprocessors — 1/5

This is where Scaleway, like most cloud providers, has minimal but non-zero exposure. Scaleway's subprocessor list (publicly available in their DPA) includes a small number of tools for internal operations:

Scaleway uses operational tooling for customer support ticketing, billing reconciliation, and internal monitoring where some components may be US-incorporated software-as-a-service tools. Unlike AWS's 15+ US subprocessors with production data access, Scaleway's US-origin tooling is limited to operational metadata (support ticket text, billing records) rather than compute workload data.

The critical distinction: Scaleway's US-origin subprocessors (if any) do not have access to the compute data, storage contents, or network traffic of customer workloads running on Scaleway infrastructure. A support ticket system having US-law exposure does not extend to the customer database running on a Scaleway DEV1-XL instance in PAR2.

This warrants 1/5 rather than 0/5 due to the presence of any US-origin tooling in the subprocessor supply chain — a conservative scoring reflecting due diligence standards under GDPR Art.28 third-party risk assessment.

D4: Personnel Access — 0/5

Scaleway's engineering, infrastructure, and support teams are based in Paris (headquarters: 8 Rue de la Ville l'Evêque, 75008 Paris), with additional EU-based operations staff. There is no documentation of US-based Scaleway personnel with privileged access to production EU customer infrastructure.

Scaleway's support model operates from European time zones with European staff. Unlike AWS Premium Support's global follow-the-sun model with US-based engineers, Scaleway's enterprise support maintains EU-based personnel chains. Break-glass access to infrastructure for security incidents or hardware failures is documented as requiring EU-based authorization and execution.

D5: Legal Framework — 0/5

Scaleway's General Terms and Conditions (Conditions Générales d'Utilisation) are governed by French law (droit français). Disputes are subject to the jurisdiction of the Commercial Court of Paris (Tribunal de Commerce de Paris). There is no US choice-of-law provision, no US arbitration clause (no AAA or JAMS), and no governing law that creates a US legal vector for data compulsion.

Scaleway's DPA for GDPR compliance is governed by French law. As an EU-incorporated entity operating EU-only infrastructure, Scaleway does not need to include Standard Contractual Clauses for EU-to-Scaleway data flows — no third-country transfer under GDPR Art.44 occurs when EU customer data moves to Scaleway's Paris, Amsterdam, or Warsaw infrastructure.

Scaleway Total: 1/25 — Near-Zero CLOUD Act Exposure for IaaS

Three Named Risk Patterns for Scaleway Deployments

Even with a 1/25 CLOUD Act score, EU architects should understand the specific risk patterns that apply to Scaleway deployments.

Pattern 1: The Iliad Institutional Investor Exposure Theory

Iliad SA is a publicly traded company (Euronext Paris). Its shareholder register includes institutional investors — some of which may be US-incorporated investment funds, pension funds, or asset managers. A theoretical legal argument exists that the US government could attempt to compel a US-person shareholder to exercise influence over Iliad to compel Scaleway data disclosure.

This is not a credible CLOUD Act risk in 2026. The CLOUD Act compels data custodians (entities that manage or control the data), not minority shareholders of non-US corporate parents. A US institutional investor holding 2% of Iliad SA common stock cannot compel Scaleway SAS to disclose customer data. This would require piercing multiple levels of corporate structure across French and EU law — a process that would require French judicial cooperation under MLAT, not a direct CLOUD Act production order.

The loi de blocage (French blocking statute) provides an additional legal barrier: even if an attempt were made to compel Scaleway through a US shareholder, French law prohibits compliance with foreign legal demands for economic documents without French government authorization.

Practical CLOUD Act risk from institutional shareholding: negligible.

Pattern 2: The Object Storage Edge Delivery Architecture

Scaleway Object Storage (S3-compatible, available in PAR, AMS, and WAW) includes an optional Edge Services layer for CDN acceleration. EU architects using Scaleway Object Storage for static asset delivery should verify the geographic scope of edge nodes used for their specific use case.

Scaleway's documentation specifies that Edge Services operates from Scaleway's own network infrastructure within the EU. Unlike AWS CloudFront, which operates 450+ edge locations globally including US locations that may cache EU content, Scaleway Edge Services is designed for EU-region delivery.

For architects with strict data-at-rest and data-in-transit sovereignty requirements, the mitigation is straightforward: configure Scaleway Object Storage without Edge Services for sensitive data categories, or explicitly verify that the CDN edge nodes used for your storage buckets are EU-located. Scaleway's API provides bucket-level CDN configuration, allowing surgical control over which data uses edge delivery versus direct S3-protocol access.

CLOUD Act risk for EU-only Object Storage without Edge Services: none.

Pattern 3: The Console Session Metadata Trail

Like all cloud providers, the Scaleway Console generates session metadata: API calls, management operations, resource creation events, and billing events. This operational metadata about how customers use Scaleway infrastructure is held by Scaleway SAS, a French company.

The structural difference from AWS CloudTrail: Scaleway's console session logs are under French jurisdiction, subject to French law, and protected by the loi de blocage from foreign compulsion. When an EU architect logs into the Scaleway Console to manage a Kubernetes Kapsule cluster in PAR2, that session metadata is a French legal record — not a record held by a Delaware C-Corp.

This is not a risk pattern in the traditional sense — it is a structural protection. The same management metadata that creates CLOUD Act exposure when stored by AWS (as a US person) creates no CLOUD Act exposure when stored by Scaleway SAS (as a French person).

CLOUD Act risk for Scaleway Console metadata: none.

The Scaleway Product Portfolio: EU-Native IaaS/PaaS Scope

Scaleway's current (2026) product portfolio covers the full IaaS/PaaS spectrum relevant for EU-native cloud architectures:

Compute:

Storage:

Networking:

Managed Platform Services:

Developer / Identity:

AWS to Scaleway Migration Architecture

| AWS Service | Scaleway Equivalent | CLOUD Act Score | Notes |
|---|---|---|---|
| EC2 (t3/m5/c5/r5) | Instances (DEV1/GP1/PRO2/ENT1) | 0→23/25 ↓ | AMD EPYC and Intel Xeon; similar instance types |
| S3 | Object Storage (S3-compatible) | 0→23/25 ↓ | S3 API-compatible; boto3/AWS SDK works with endpoint override |
| EKS | Kubernetes Kapsule | 0→23/25 ↓ | Managed K8s with EU control plane; CNCF-conformant |
| ELB/ALB/NLB | Load Balancer | 0→23/25 ↓ | L4/L7 routing, ACM certificates equivalent |
| RDS (PostgreSQL/MySQL) | Managed Databases | 0→23/25 ↓ | PostgreSQL 14-16, MySQL 8; automated backups |
| ElastiCache (Redis) | Managed Redis™ | 0→23/25 ↓ | Redis API-compatible managed service |
| Lambda | Serverless Functions | 0→23/25 ↓ | Go/Python/Node.js/PHP/Rust runtime; PAR/AMS |
| ECR | Container Registry | 0→23/25 ↓ | OCI-compatible; docker push/pull with EU endpoint |
| IAM | Scaleway IAM | 0→23/25 ↓ | Organizations/Projects/API Keys/Policies/Groups |
| Secrets Manager | Secret Manager | 0→23/25 ↓ | API-compatible secrets store with versioning |
| Route 53 | Scaleway DNS | 0→23/25 ↓ | Managed DNS; Terraform provider available |
| CloudFront | Edge Services | 0→23/25 ↓ | CDN optional; EU edge nodes |
| EBS | Block Storage | 0→23/25 ↓ | NVMe SSD; persistent volume equivalent |
| GPU (p3/p4/g4dn) | GPU Instances (H100/L40S) | 0→23/25 ↓ | NVIDIA H100 SXM for AI training in EU |
| CloudTrail | Scaleway Audit Logs | 0→23/25 ↓ | API activity logging under French jurisdiction |

The S3-compatibility of Scaleway Object Storage is particularly significant for migration workloads. Applications using AWS SDK with s3.amazonaws.com endpoints can be reconfigured to use s3.nl-ams.scw.cloud, s3.fr-par.scw.cloud, or s3.pl-waw.scw.cloud with API key credentials — typically requiring only endpoint and credential changes in configuration, not application code changes.
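
A migration guardrail for the endpoint change described above, as an added example that is not part of the original article or of Scaleway's tooling: it audits AWS shared-config profiles and flags any that would still reach AWS, use cleartext HTTP, or point at a look-alike host instead of the three Scaleway endpoints named in the text. The profile names and the sample config are constructed, and the check assumes each profile sets a top-level endpoint_url.

```python
import configparser
from urllib.parse import urlsplit

# The three endpoints named in the article, mapped to their region codes.
SCALEWAY_S3_HOSTS = {
    "s3.fr-par.scw.cloud": "fr-par",
    "s3.nl-ams.scw.cloud": "nl-ams",
    "s3.pl-waw.scw.cloud": "pl-waw",
}

# Constructed sample in AWS shared-config format (profile names are made up).
SAMPLE_CONFIG = """
[profile assets-par]
region = fr-par
endpoint_url = https://s3.fr-par.scw.cloud

[profile legacy-reports]
region = eu-central-1

[profile backups-ams]
region = fr-par
endpoint_url = https://s3.nl-ams.scw.cloud

[profile staging]
region = pl-waw
endpoint_url = http://s3.pl-waw.scw.cloud

[profile lookalike]
region = fr-par
endpoint_url = https://s3.fr-par.scw.cloud.example.net
"""


def check_profile(settings):
    """Return a list of findings for one profile; an empty list means it passes."""
    endpoint = settings.get("endpoint_url", "").strip()
    if not endpoint:
        # With no override the SDK resolves the default AWS endpoint.
        return ["no endpoint_url: SDK falls back to the AWS default endpoint"]
    parts = urlsplit(endpoint)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'!r}, expected https")
    # Accept an exact match or a bucket subdomain (virtual-hosted style).
    # Requiring the leading dot keeps look-alike hosts from passing.
    match = next((h for h in SCALEWAY_S3_HOSTS
                  if host == h or host.endswith("." + h)), None)
    if match is None:
        findings.append(f"host {host!r} is not on the Scaleway S3 allowlist")
        return findings
    expected_region = SCALEWAY_S3_HOSTS[match]
    region = settings.get("region", "").strip()
    if region != expected_region:
        # The region is part of the SigV4 credential scope; flag a mismatch.
        findings.append(
            f"region {region!r} does not match endpoint region {expected_region!r}")
    return findings


def audit_config(text):
    """Map profile name -> findings for every profile in a shared-config document."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    report = {}
    for section in parser.sections():
        name = section.removeprefix("profile ").strip()
        report[name] = check_profile(parser[section])
    return report


if __name__ == "__main__":
    for profile, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{profile}: {'OK' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```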

GDPR Article 44 Transfer Analysis

Article 44 of the GDPR prohibits transfer of personal data to third countries unless specific conditions are met (adequacy decision, SCCs, BCRs, etc.). This framework exists because EU-to-non-EU data flows carry jurisdiction-change risks.

For Scaleway, Article 44 is simply not triggered:

Transfer Analysis:

Result: No third-country transfer occurs. EU personal data processed by Scaleway SAS in EU/EEA data centers remains under EU jurisdiction throughout the processing lifecycle. GDPR Art.44 adequacy requirements are not relevant because no non-EU country receives the data.

Comparison with AWS: An EU company using AWS eu-central-1 (Frankfurt) transfers data to Amazon Web Services, Inc. — a US person. Under GDPR, this is a third-country transfer (US) requiring Art.44 compliance mechanisms (Standard Contractual Clauses, Transfer Impact Assessments). The Frankfurt physical location does not change the legal jurisdiction of the data custodian.

Standard Contractual Clauses: EU architects using AWS must implement SCCs (Commission Decision 2021/914) and conduct Transfer Impact Assessments under CJEU Schrems II (Case C-311/18) guidance. For Scaleway, neither SCCs nor Transfer Impact Assessments are needed — the transfer stays within EU jurisdictional scope.

CNIL Jurisdiction: The French Data Sovereignty Advantage

Scaleway SAS operates under CNIL jurisdiction. The CNIL (Commission Nationale de l'Informatique et des Libertés) is France's national supervisory authority under GDPR Art.51. CNIL is one of the largest and most technically active DPAs in the EU.

For EU businesses choosing Scaleway as their cloud provider:

This jurisdictional clarity is structurally superior to AWS's situation, where GDPR enforcement (Irish DPC for EU matters) and CLOUD Act exposure (US DoJ) create a dual-jurisdiction environment where US law enforcement orders can supersede Irish DPC privacy protections.

The Scaleway Sovereign Stack for GDPR-Critical Workloads

For EU architects building GDPR-critical infrastructure that requires elimination of CLOUD Act exposure, the Scaleway-native stack eliminates US jurisdiction at every layer:

Compute: Scaleway Instances (ENT1 for production) — EU jurisdiction, EU personnel access only.

Storage: Scaleway Object Storage (FR-PAR or NL-AMS) without Edge Services for sensitive data — no US CDN exposure.

Database: Scaleway Managed Databases (PostgreSQL 16, Paris region) — managed PostgreSQL under French jurisdiction.

Secrets: Scaleway Secret Manager — EU-jurisdiction secrets storage, no US-based Secrets Manager equivalent in the supply chain.

Container Orchestration: Scaleway Kubernetes Kapsule (PAR or AMS) — managed K8s with EU control plane operated by Scaleway SAS personnel.

Identity: Scaleway IAM with Organizations and Projects structure — API keys and IAM policies managed under French law.

Serverless: Scaleway Functions in PAR region — serverless execution with EU-only runtime infrastructure.

Network: Scaleway Private Networks (VPC) with Public Gateways for egress — EU-contained Layer 2 networking.

GPU/AI: Scaleway GPU Instances (H100 SXM in PAR) for EU-sovereign AI model training and inference — eliminates CLOUD Act exposure for model weights and training data that AWS/Azure/GCP AI services cannot eliminate.

This stack provides functional parity with the AWS equivalent for most enterprise workloads while eliminating the fundamental CLOUD Act exposure that AWS, Azure, and GCP cannot resolve through regional deployments alone.

Comparative Summary: EU Cloud Infrastructure Providers Series

This post covers Scaleway SAS as Post #2 in the EU Cloud Infrastructure Providers series. The complete CLOUD Act scoring picture for this series:

| Provider | CLOUD Act Score | Jurisdiction | Key Risk Dimension |
|---|---|---|---|
| AWS | 23/25 | US (Delaware) | D1+D3+D4 critical |
| Azure | 22/25 | US (Washington) | D1+D4 critical |
| GCP | 21/25 | US (Delaware) | D1+D2+D4 critical |
| Hetzner | 0/25 | DE (German GmbH) | No CLOUD Act vectors |
| Scaleway | 1/25 | FR (French SAS) | D3: minimal subprocessor |

For EU architects, the 22-point gap between AWS and Scaleway represents the structural difference between deploying on a US person (full CLOUD Act scope) versus a French company (no CLOUD Act applicability, loi de blocage protection, CNIL jurisdiction).

The next post in this series examines OVHcloud (OVH SAS, Roubaix, France) — Europe's largest cloud provider by infrastructure scale, with an additional Sovereign Cloud offering and ISO 27001 / SecNumCloud certification.

Conclusion: CLOUD Act Elimination vs. Mitigation

The fundamental architectural choice in 2026 EU cloud infrastructure is between CLOUD Act elimination and CLOUD Act mitigation.

AWS, Azure, and GCP offer mitigation — Standard Contractual Clauses, Customer-Managed Encryption Keys, Confidential Computing, EU Sovereign Cloud offerings. These reduce CLOUD Act exposure's practical impact but cannot eliminate the underlying US statutory compulsion authority. A valid CLOUD Act production order supersedes SCCs. Customer-managed keys held in AWS KMS are still managed by a US person. Confidential Computing enclaves still run on infrastructure managed by US persons.

Scaleway SAS eliminates CLOUD Act exposure at the jurisdictional level. There is no US person in the Scaleway SAS corporate chain to receive a CLOUD Act production order. French law provides blocking statute protection against foreign compulsion attempts. GDPR and CNIL oversight applies without competing US jurisdiction.

For EU businesses processing data under GDPR, DORA Art.28 (Critical ICT Third-Party Risk), NIS2 Article 21 (supply chain security), or contractual requirements with EU institutional customers — the 1/25 CLOUD Act score of Scaleway SAS represents structural risk elimination, not risk reduction.

The question for EU cloud architects is not whether AWS EU regions are technically capable of hosting your workload. The question is whether you are willing to have your data managed by a US person under permanent US CLOUD Act jurisdiction when French, German, and Dutch alternatives eliminate that exposure entirely.
