Scaleway Kapsule vs OVHcloud Kubernetes 2026: EU-Native Managed K8s Compared

Post #4 in the sota.io EU Managed Kubernetes Series

The EU Managed Kubernetes Series has documented the CLOUD Act exposure of the major U.S. providers: AWS EKS at 21/25, Azure AKS at 21/25, Google GKE at 20/25, and DigitalOcean DOKS at 17/25. All four are U.S.-domiciled corporations subject to CLOUD Act warrants — meaning U.S. law enforcement can compel them to disclose your Kubernetes Secrets, workload data, and control-plane metadata regardless of where the servers physically reside.

This post covers the two genuine EU-native alternatives: Scaleway Kapsule and OVHcloud Managed Kubernetes. Both are operated by French companies with no U.S. parent. Both offer managed Kubernetes in European data centers. Neither is subject to the CLOUD Act. But they differ significantly in pricing, feature sets, maturity, and ecosystem support.

CLOUD Act Score Summary:

• Scaleway Kapsule: 0/25 — Scaleway SAS, subsidiary of Iliad SA (French telecom group)
• OVHcloud Kubernetes: 1/25 — OVH SAS, Euronext-listed French company (minor U.S. sub-processor exposure)

Scaleway SAS — Corporate Background

Scaleway SAS is a wholly owned subsidiary of Iliad SA — the French telecommunications group founded by Xavier Niel, also known for Free (the French ISP) and a major shareholder in Tele2. Iliad is listed on Euronext Paris (ILD). There is no U.S. parent company, no U.S. holding structure, and no legal path for U.S. law enforcement to compel Scaleway under the CLOUD Act.

The Kapsule managed Kubernetes product was launched in 2019 and runs exclusively on Scaleway's own bare-metal and virtual infrastructure in its European data centers.

OVH SAS — Corporate Background

OVHcloud (formerly OVH) is Europe's largest cloud provider by server count, with over 450,000 servers across its global network. Founded in 1999 by Octave Klaba in Roubaix, France, it went public on Euronext Paris in 2021 (ticker: OVH). The company has no U.S. parent, but does operate OVH US LLC, a U.S. subsidiary serving North American customers. This subsidiary introduces a minor CLOUD Act exposure — hence the 1/25 score rather than 0/25.

CLOUD Act 5-Dimension Risk Matrix

Scaleway Kapsule: 0/25

OVHcloud Kubernetes: 1/25

Full series comparison:

• AWS EKS: 21/25
• Azure AKS: 21/25
• Google GKE: 20/25
• DigitalOcean DOKS: 17/25
• OVHcloud Kubernetes: 1/25 — near-zero risk
• Scaleway Kapsule: 0/25 — minimal risk, cleanest EU-native profile

Scaleway Kapsule — Architecture and Features

Scaleway Kapsule is a managed Kubernetes service built on top of Scaleway's proprietary Elements infrastructure. Key characteristics:

Scaleway Kapsule Architecture
──────────────────────────────────────────────────────
No CLOUD Act Jurisdiction

├── Control Plane (Scaleway-managed, Paris/Amsterdam)
│   ├── Kubernetes API Server (Scaleway SAS infrastructure)
│   ├── etcd cluster (encrypted — Scaleway-controlled keys)
│   ├── kube-scheduler
│   └── kube-controller-manager
│                                           ↑
│           French law governs data disclosure → GDPR Art.48 applies
│
└── Worker Nodes (Scaleway Instances)
    ├── PAR1 / PAR2 (Paris, France)
    ├── AMS1 (Amsterdam, Netherlands)
    └── WAW1 (Warsaw, Poland)
──────────────────────────────────────────────────────

Key features:

• Kubernetes versions: Maintained within 6 months of upstream release
• Node types: DEV1 (burstable), GP1 (general purpose), RENDER (GPU) instances
• Autoscaling: Cluster Autoscaler supported
• Load balancing: Scaleway Load Balancer integration (€0.006/hr)
• Storage: Block volumes (BSS), Object Storage (S3-compatible)
• Networking: Scaleway VPC (Private Networks), no egress fees within region
• Control plane: Managed, no charge for control plane (included in node costs)
• Multi-AZ: Available across Scaleway availability zones

Pricing (Scaleway Kapsule, 2026):

For a production-ready 3-node cluster with storage and load balancing: approximately €72/month.

OVHcloud Managed Kubernetes — Architecture and Features

OVHcloud Managed Kubernetes (formerly OVH Kubernetes) is built on OVHcloud's Public Cloud infrastructure, using OpenStack underneath and OVHcloud-managed Kubernetes control planes.

OVHcloud Managed Kubernetes Architecture
──────────────────────────────────────────────────────
French Law Jurisdiction (OVH SAS)

├── Control Plane (OVHcloud-managed)
│   ├── Kubernetes API Server (OVHcloud infrastructure)
│   ├── etcd cluster (OVHcloud-managed keys)
│   ├── Control plane nodes across OVHcloud AZs
│   └── Free — included at no extra charge
│                                           ↑
│          French/EU law governs — GDPR Art.28 processor chain EU-only
│
└── Worker Nodes (OVHcloud Instances)
    ├── GRA (Gravelines, France)
    ├── DE1 (Frankfurt, Germany)
    ├── UK1 (London, UK — post-Brexit caution)
    ├── WAW (Warsaw, Poland)
    └── 30+ global locations
──────────────────────────────────────────────────────

Key features:

• Kubernetes versions: Certified Kubernetes (CNCF conformant)
• Instance types: b2-7 (dev), b2-15/b2-30 (production), c2-7 (CPU-optimized)
• Autoscaling: Full Cluster Autoscaler support
• Load balancing: OVHcloud Load Balancer (integrated via cloud-controller-manager)
• Storage: Block Storage, Object Storage (S3-compatible, OpenStack Swift API)
• Networking: OVHcloud vRack (private networking), Floating IPs
• Control plane: Managed, free (no control plane charge)
• ETCD backup: Automated etcd snapshots
• Private Registry: OVHcloud Harbor-based container registry integration

Pricing (OVHcloud Kubernetes, 2026):

For a production-ready 3-node cluster with storage and load balancing: approximately €74.50/month.

Side-by-Side Feature Comparison

Versus U.S. hyperscalers (comparable 3-node production cluster):

• Azure AKS (CLOUD Act 21/25): ~€160-220/mo (control plane €72/mo + nodes)
• Google GKE (CLOUD Act 20/25): ~€140-180/mo
• DigitalOcean DOKS (CLOUD Act 17/25): ~€130/mo (3× DO-4 Droplets)
• Scaleway Kapsule (0/25): ~€72/mo — 2–3× cheaper than hyperscalers

GDPR Implications: EU-Native vs. U.S.-Domiciled Managed Kubernetes

Article 28 — Processor Requirements

Under GDPR Art. 28, your cloud provider is a data processor. When you run workloads that involve personal data (user identifiers, IP addresses, behavioral data), the control plane — which can access Kubernetes Secrets, ConfigMaps, and etcd data — is within scope.

For U.S.-domiciled providers (GKE, AKS, EKS, DOKS):

• Standard Contractual Clauses (SCCs) required for GDPR Art. 46 lawful transfer
• CLOUD Act warrants can override SCCs without notification to the data subject
• EU Data Boundary (Microsoft) or EU-specific regions don't remove CLOUD Act jurisdiction over the corporate entity

For EU-native providers (Scaleway, OVHcloud):

• No international data transfer — data remains within EU legal jurisdiction
• No CLOUD Act pathway — French law governs disclosure requests
• GDPR Chapter V (international transfers) does not apply
• DPA (Data Processing Agreement) under French law suffices

Article 48 — Transfers Not Authorized by Union Law

GDPR Art. 48 explicitly states that judgments of third-country courts requiring transfer of personal data "shall only be recognized or enforceable if based on an international agreement." The CLOUD Act has no bilateral agreement with the EU in force as of 2026. Using Scaleway or OVHcloud eliminates this legal ambiguity entirely.

When to Choose Scaleway Kapsule

Best for:

• Startups and SMEs requiring the cleanest possible GDPR and CLOUD Act profile
• Healthcare, fintech, or legal tech workloads handling sensitive EU personal data
• Development teams already using Scaleway Elements (compute, object storage)
• Organizations requiring French data sovereignty (government, defense supply chain)
• Cost-sensitive teams: Scaleway's DEV instances are among the most affordable managed K8s entry points in Europe

Considerations:

• Smaller ecosystem footprint than OVHcloud or hyperscalers
• Fewer data center locations (Paris, Amsterdam, Warsaw vs. OVHcloud's 30+)
• Less mature enterprise support tier compared to OVHcloud Business/Enterprise

Example use case: A French healthtech startup storing patient records must process data exclusively under French law. Scaleway Kapsule (0/25) eliminates the need for SCCs, DPA review under CLOUD Act scenarios, and transfer impact assessments — reducing compliance overhead significantly.

When to Choose OVHcloud Managed Kubernetes

Best for:

• Enterprises requiring broader EU geographic coverage (Frankfurt, Warsaw, Gravelines)
• Teams needing OVHcloud's vRack private network for hybrid cloud connectivity
• Organizations already using OVHcloud Dedicated Servers or Public Cloud
• Workloads requiring GPU nodes at scale (A100 availability)
• Enterprise support requirements (OVHcloud Business/Enterprise SLAs with dedicated TAMs)
• Higher-compliance environments needing automated etcd snapshots and Harbor registry

Considerations:

• OVH US LLC subsidiary introduces a minor CLOUD Act exposure (1/25 — still very low)
• Slightly higher entry-level pricing than Scaleway
• OpenStack underpinning adds operational complexity for teams unfamiliar with it

Example use case: A German B2B SaaS serving automotive manufacturers needs Frankfurt data residency, private vRack connectivity to on-premise VMs, and enterprise support SLA. OVHcloud Managed Kubernetes provides all three while maintaining near-zero CLOUD Act exposure.

Migration Guide: Migrating from DOKS / GKE / AKS to Scaleway or OVHcloud

Pre-Migration Checklist

# 1. Export all namespace manifests from current cluster
kubectl get all -A -o yaml > cluster-export.yaml

# 2. Export Helm releases
helm list -A > helm-releases.txt

# 3. Export Secrets (encrypted backup — do NOT commit to git)
kubectl get secrets -A -o yaml | \
  kubeseal --format=yaml > sealed-secrets-backup.yaml

# 4. Document persistent volume claims
kubectl get pvc -A -o yaml > pvc-export.yaml

# 5. Export ConfigMaps
kubectl get configmaps -A -o yaml > configmap-export.yaml

Step 1: Provision Target Cluster

Scaleway Kapsule via Terraform:

terraform {
  required_providers {
    scaleway = {
      source  = "scaleway/scaleway"
      version = "~> 2.0"
    }
  }
}

provider "scaleway" {
  zone   = "fr-par-1"
  region = "fr-par"
}

resource "scaleway_k8s_cluster" "prod" {
  name    = "prod-cluster"
  version = "1.29"
  cni     = "cilium"
  
  auto_upgrade {
    enable                        = true
    maintenance_window_start_hour = 3
    maintenance_window_day        = "sunday"
  }
}

resource "scaleway_k8s_pool" "workers" {
  cluster_id  = scaleway_k8s_cluster.prod.id
  name        = "workers"
  node_type   = "GP1-XS"
  size        = 3
  autoscaling = true
  min_size    = 2
  max_size    = 10
}

OVHcloud Kubernetes via Terraform:

terraform {
  required_providers {
    ovh = {
      source  = "ovh/ovh"
      version = "~> 0.40"
    }
  }
}

provider "ovh" {
  endpoint = "ovh-eu"
}

resource "ovh_cloud_project_kube" "prod" {
  service_name = var.ovh_project_id
  name         = "prod-cluster"
  region       = "DE1"
  version      = "1.29"
}

resource "ovh_cloud_project_kube_nodepool" "workers" {
  service_name  = var.ovh_project_id
  kube_id       = ovh_cloud_project_kube.prod.id
  name          = "workers"
  flavor_name   = "b2-15"
  desired_nodes = 3
  min_nodes     = 2
  max_nodes     = 10
  autoscale     = true
}

Step 2: Configure kubectl Access

# Scaleway Kapsule
scw k8s kubeconfig install <cluster-id>
kubectl config use-context scaleway-<cluster-id>

# OVHcloud Kubernetes
ovhai kubernetes get kubeconfig <cluster-name> > ~/.kube/ovhcloud.yaml
export KUBECONFIG=~/.kube/ovhcloud.yaml

Step 3: Migrate Workloads

# Apply namespaces and RBAC first
kubectl apply -f cluster-export.yaml --prune=false

# Redeploy Helm releases (use saved values)
for release in $(helm list -n production -q); do
  helm upgrade --install "$release" \
    <chart-repo>/<chart> \
    -f "helm-values/$release.yaml" \
    -n production
done

# Verify pods are running
kubectl get pods -A --field-selector=status.phase!=Running

Step 4: Migrate Persistent Data

# Use Velero for stateful workload migration
velero backup create pre-migration --include-namespaces=production
velero restore create --from-backup pre-migration \
  --namespace-mappings production:production

Step 5: DNS Cutover

# Update load balancer IP in DNS (low TTL first)
dig +short <old-lb-ip> 
kubectl get svc -n ingress-nginx  # Get new LB IP

# Update DNS records
# Lower TTL to 60s 24h before cutover
# After verification: restore normal TTL (300-3600s)

Cost Comparison: Full Year TCO

Migrating from AKS to Scaleway Kapsule saves approximately €1,536/year on a 3-node cluster — while simultaneously eliminating CLOUD Act exposure entirely.

Choosing Between Scaleway and OVHcloud

What About Hetzner k3s?

Hetzner Online GmbH (Nuremberg, Bavaria) is another popular EU-native option, though it does not offer a managed Kubernetes product. Teams deploying k3s or RKE2 on Hetzner Cloud VMs achieve 0/25 CLOUD Act status (Hetzner is a private German GmbH with no U.S. parent). The tradeoff: self-managed control plane requires more operational effort but eliminates managed Kubernetes pricing. The EU Managed Kubernetes Comparison Finale covers Hetzner k3s in detail.

GDPR Compliance Checklist for EU-Native Managed Kubernetes

□ DPA signed with Scaleway SAS or OVH SAS (Art. 28)
□ CLOUD Act exposure confirmed: 0/25 (Scaleway) or 1/25 (OVHcloud)
□ No international data transfers (GDPR Chapter V — not applicable)
□ Kubernetes Secrets encrypted at rest (provider-managed keys)
□ etcd access restricted to control plane (not exposed to internet)
□ RBAC configured with least-privilege (Art. 25 data minimization)
□ Network policies enabled (Cilium / Calico — isolate namespaces)
□ PodSecurityAdmission configured (replace deprecated PodSecurityPolicy)
□ Logging retained in EU jurisdiction (Loki, Grafana on EU infra)
□ Monitoring in EU jurisdiction (AppSignal EU / Grafana Cloud EU)
□ Image registry in EU (Scaleway Container Registry / OVHcloud Harbor)
□ No U.S. CDN for control plane traffic (confirm no Cloudflare US routing)

Summary

For European development teams evaluating managed Kubernetes, Scaleway Kapsule and OVHcloud Managed Kubernetes represent the two highest-fidelity GDPR and CLOUD Act options available in 2026:

Scaleway Kapsule (0/25): The cleanest EU-native managed Kubernetes profile. No U.S. parent, no CLOUD Act exposure, no international transfer complexity under GDPR Chapter V. Pricing is among the most competitive in Europe. Best for startups, French data sovereignty requirements, and cost-sensitive production workloads.

OVHcloud Kubernetes (1/25): Near-zero CLOUD Act risk with broader geographic coverage and stronger enterprise support tiers. OVH US LLC introduces one minor exposure vector, but OVHcloud remains among the safest enterprise Kubernetes choices in Europe. Best for enterprises needing Frankfurt or multi-EU-region deployments with vRack private networking.

Both providers score between 15 and 21 points lower than the U.S. hyperscalers on CLOUD Act exposure — while matching or beating them on price. For regulated EU workloads, the compliance simplification alone (no Art. 46 SCCs, no CLOUD Act transfer impact assessment) justifies the migration.

The EU Managed Kubernetes Series concludes with Post #5: EU Managed Kubernetes Comparison 2026 — Full Finale, covering all providers including Hetzner k3s, self-managed options, and a final recommendation matrix.

For managed EU-native application deployments without Kubernetes complexity, sota.io provides one-command deploys on Hetzner Germany infrastructure with zero CLOUD Act exposure.