EU-only alternative to AWS.
Amazon Web Services is the original public cloud — and the original Schrems II problem. The same EU regions that make AWS technically usable for European workloads do not change the parent jurisdiction: AWS Inc. is a Delaware corporation, AWS EMEA SARL is a Luxembourg subsidiary fully controlled by it, and the CLOUD Act applies to both. For audited workloads, regulated industries and any business that has had a customer ask "is your provider US-subpoenable?", the honest answer on AWS is yes. Below is the engineering-grade map for getting off it.
An "EU region" is not sovereignty. Four questions decide.
Data residency says where the bits are. Sovereignty says which legal system can compel access. The answer must hold on all four questions; otherwise the stack is not sovereign.
1. Where are the data physically stored?
   Not "in the cloud": which datacenter, in which country, under which jurisdiction.
2. Who else is in your data path?
   Every vendor that touches the data: the CDN, the e-mail relay, the error tracker, the analytics pipeline.
3. Which laws can compel disclosure?
   A US-headquartered vendor is subject to FISA 702 and the CLOUD Act, even when the data sit in Frankfurt.
4. Who actually holds the encryption keys?
   If the cloud provider holds both the data and the keys, it can read them, regardless of the DPA.
AWS EU region: fails on jurisdiction and key custody.
Bits in the EU, US parent company, American sub-processors in the default path, provider-managed keys.
EU-only stack: passes all four.
Hosted in the EU on European-headquartered infrastructure. Zero US sub-processors in the default path. Customer-held keys or a European KMS. All listed by name in your Article 28 DPA.
Why teams leave AWS
The drivers we hear in scoping calls are consistent: a procurement gate that now demands "no third-country data processor" (NIS2, DORA, public sector), a customer audit (typically B2B enterprise or healthcare) that flagged the AWS relationship, escalating egress and bandwidth costs that look worse every quarter, or a leadership-level concern after the 2024–2025 round of EU-US transfer mechanism uncertainty. The technical lift to leave AWS is rarely the blocker it appears to be. The real friction is choreography: zero-downtime database migrations, DNS cutover, observability continuity. That is where a managed-infrastructure partner saves months.
AWS services and their EU-only equivalents
A migration is not "swapping one box for another". The mapping below is what we execute for clients leaving AWS for Schrems II reasons: full EU jurisdiction, no US parent company in the data path.
| AWS service | EU-only alternative | Engineering note |
|---|---|---|
| EC2 (compute) | Hetzner Cloud, OVH Public Cloud, IONOS Compute, Scaleway Instances, Leaseweb VMs | Per-vCPU and per-GB pricing on EU providers is dramatically lower; bare-metal options exist on Hetzner and OVH for reserved workloads. |
| S3 (object storage) | OVH Object Storage, Wasabi EU, Bunny Storage, self-hosted Ceph or MinIO on EU compute | S3-compatible APIs are universal; most application code is a single endpoint change. No egress fees on most EU providers. |
| RDS / Aurora (managed DB) | OVH Managed Databases, Scaleway Managed PostgreSQL, Aiven (FI), or self-managed PostgreSQL/MySQL with replication on EU compute | Streaming replication enables zero-downtime cutover. Managed EU PostgreSQL pricing is typically 30–50% lower than equivalent RDS. |
| CloudFront (CDN) | Bunny.net, KeyCDN | Bunny.net offers comparable POP density in EU and Middle East; cheaper per-GB; no US-default edge. |
| Route 53 (DNS) | Hetzner DNS, Bunny DNS, deSEC (DE non-profit) | For zone-only management, Hetzner DNS is free with hosting; deSEC is privacy-first and DNSSEC-by-default. |
| Lambda (serverless) | Scaleway Serverless Functions, Cloudflare Workers (note: US parent), or self-hosted OpenFaaS / Knative on EU Kubernetes | For sovereign deployments, self-hosted Knative on EU compute is the cleanest. Most Lambda workloads fit a small Kubernetes cluster. |
| SES (email) | Self-hosted Postfix on EU infra, Mailpace (NL), Tuta business, Brevo (FR) | For transactional volume under 1M/month, a properly-configured Postfix relay is operationally simpler and cheaper than SES. |
| SQS / SNS | Self-hosted RabbitMQ, NATS, or Redis Streams on EU compute | Managed message brokers are rare in the EU sovereign space. Self-managed is the standard pattern; we operate it for clients. |
| EKS (managed Kubernetes) | Scaleway Kapsule, OVH Managed Kubernetes, IONOS Managed K8s, or self-managed K3s/Talos on Hetzner | Managed K8s on EU providers has feature parity for 95% of workloads. We typically run Talos Linux on Hetzner bare metal for high-trust workloads. |
| CloudWatch / X-Ray | Self-hosted Prometheus + Grafana + Loki + Tempo on EU compute, or Grafana Cloud EU region | The OpenTelemetry standard makes the migration trivial; the operational gain is consolidated dashboards and zero per-metric pricing. |
| IAM | HashiCorp Vault on EU infra, plus per-platform IAM equivalents | No 1:1 replacement; cross-platform identity is rebuilt with Vault, OIDC providers (Keycloak), and per-tool roles. |
| WAF / Shield | Bunny.net WAF, ModSecurity / Coraza on EU edge, OVH Anti-DDoS | OVH includes large-scale anti-DDoS at no extra cost on most plans; Bunny WAF is rule-based and competitive. |
| KMS | HashiCorp Vault Transit on EU infra, GCP-style EU-KMS providers, or HSM-backed keys | For HYOK scenarios, on-premises HSM with cloud-side BYOK is the standard sovereign pattern. |
| Secrets Manager / SSM Parameter Store | HashiCorp Vault, Bitwarden Secrets Manager (US-headquartered — flag), Infisical (self-hosted) | Vault on EU infra is the production-grade answer. We deploy and operate it. |
How we migrate off AWS
A typical mid-market migration runs in three phases. The numbers below assume an engineering team of 6–10 people and a moderately complex application stack.
Phase 1: Audit & dependency map
Inventory every AWS service in use, every IAM role, every Lambda, every cross-service call. Tag personal data flows. Output: a remediation plan with risk-ranked findings and an effort estimate per service.
Phase 2: Soft dependencies & egress prep
Replace CloudFront, Route 53, SES and CloudWatch first — zero application code changes for most. Move S3 buckets behind S3-compatible EU storage with dual-write during cutover. Pre-stage replicas of RDS in EU.
Phase 3: Core compute & DB cutover
Blue-green compute migration with DNS-level traffic shift. Streaming-replication database cutover during a low-traffic window. EKS workloads moved to managed EU K8s or self-managed Talos. Decommission AWS account once verified.
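The S3 dual-write step in the phases above is the one where data can silently diverge, so here is an added example (not code from this page or from any provider) of the two controls that make it safe: ETag-verified writes to both buckets with a backlog for failed secondary writes, and a reconcile pass before the AWS bucket is retired. The `MemoryBucket` class is a constructed in-memory stand-in for the boto3 client calls of the same name; the example assumes single-part uploads, whose S3 ETag is the MD5 of the body.

```python
import hashlib
import logging
from dataclasses import dataclass, field

log = logging.getLogger("s3-cutover")


def etag(body: bytes) -> str:
    # Single-part S3 uploads return the hex MD5 of the body as the ETag.
    # Multipart uploads use a different "<md5>-<parts>" format; compare
    # those by re-uploading with the same part size or by a content hash.
    return hashlib.md5(body).hexdigest()


class MemoryBucket:
    """Constructed stand-in for an S3-compatible bucket (boto3-like subset)."""

    def __init__(self, fail_keys=()):
        self.objects = {}
        self.fail_keys = set(fail_keys)  # simulate transient write failures

    def put_object(self, key, body):
        if key in self.fail_keys:
            raise IOError(f"write failed for {key}")
        self.objects[key] = bytes(body)
        return {"ETag": etag(self.objects[key])}

    def head_object(self, key):
        if key not in self.objects:
            raise KeyError(key)
        return {"ETag": etag(self.objects[key])}

    def list_keys(self):
        return sorted(self.objects)


@dataclass
class DualWriter:
    primary: object    # AWS bucket, still authoritative during cutover
    secondary: object  # EU-hosted S3-compatible target
    backlog: list = field(default_factory=list)  # keys to replay later

    def put(self, key, body) -> bool:
        """Write to both; return False and queue the key if the EU copy is missing or differs."""
        primary_tag = self.primary.put_object(key, body)["ETag"]
        try:
            secondary_tag = self.secondary.put_object(key, body)["ETag"]
        except Exception as exc:  # never fail the request because the target is down
            log.warning("secondary write failed for %s: %s", key, exc)
            self.backlog.append(key)
            return False
        if secondary_tag != primary_tag:
            self.backlog.append(key)
            return False
        return True


def reconcile(primary, secondary) -> list:
    """Compare every object by ETag; return keys missing or mismatched on the target."""
    drift = []
    for key in primary.list_keys():
        try:
            if secondary.head_object(key)["ETag"] != primary.head_object(key)["ETag"]:
                drift.append(key)
        except KeyError:
            drift.append(key)
    return drift
```

Only when `reconcile` returns an empty list for the real buckets should reads be flipped to the EU endpoint and the AWS bucket scheduled for deletion.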
5-year TCO modelling on workloads we have actually migrated: typically 30–55% cheaper on EU sovereign infrastructure for predictable workloads, neutral to slightly higher for highly bursty workloads that benefit from sub-second autoscaling. Egress savings alone are often the difference between a positive and negative ROI.
Frequently asked questions
Does using an AWS EU region (Frankfurt, Ireland, Stockholm) solve the Schrems II problem?
No. The data residency is in the EU but Amazon Web Services Inc. is the controller of the infrastructure under US law. The CLOUD Act allows US authorities to compel disclosure of data held by US-controlled entities anywhere in the world. The EDPB has explicitly flagged this as a Schrems II issue. AWS EMEA SARL is a Luxembourg subsidiary fully owned by AWS Inc.; that ownership chain is what the analysis turns on.
How long does an AWS exit take in practice?
For a mid-market application (10–50 EC2 instances, a couple of RDS databases, S3, CloudFront, SES) with a 6–10 person engineering team and competent operational support: 10–16 weeks elapsed time. With a managed-infrastructure partner driving the choreography (which is most of the actual work), 6–10 weeks.
What about AWS GovCloud or AWS Sovereign Cloud Europe?
AWS GovCloud is for US federal workloads and is not relevant to EU buyers. AWS European Sovereign Cloud (announced 2023, in build-out) is operated by EU-headquartered AWS staff in EU regions, but the parent legal entity remains Amazon Web Services Inc. Whether it is "sovereign enough" depends on your specific compliance regime; for many Schrems II analyses it is not sufficient because the parent jurisdiction is unchanged.
Will we lose features by leaving AWS?
Specific managed services (DynamoDB single-digit-ms, Aurora Serverless v2, Bedrock model access, SageMaker training on H100s) have no clean EU sovereign equivalents. For 90% of mid-market workloads — web applications, APIs, e-commerce, B2B SaaS, analytics on warehouses — the EU sovereign stack covers it. We tell you upfront if your workload sits in the 10% category.
Can we keep some AWS services and migrate the rest?
Yes — a hybrid is sometimes the right answer. The discipline is to keep AWS only for clearly non-personal workloads, and document the boundary in your DPA. We have run hybrids where AWS handles ML training (no personal data, batch-only) and the EU sovereign stack handles all customer-facing infrastructure.
What does a managed exit cost?
Project-based pricing, scoped after the audit. Typical mid-market AWS exit: €25–80k for the project, plus the ongoing managed-infrastructure retainer for the new EU stack. The first-year savings on AWS spend usually exceed the project cost.
Plan your AWS exit.
A 30-minute scoping call. We map your stack against the EU-only alternatives, estimate the migration effort and tell you whether it is the right choice.