Alternativa solo UE a Cloudflare.
Cloudflare is the most US-exposed vendor in most "EU" stacks because it sits in front of the user — every visitor connects to a Cloudflare edge server before reaching your origin. The EU regions of Cloudflare are EU-located edges, but the parent company is a Delaware corporation with US-controlled key material and US-controlled traffic logs. For Schrems II purposes, Cloudflare in front of personal-data traffic is one of the most defensible problems to remove first, because the alternatives — Bunny.net (SI) and KeyCDN (CH) — have comparable feature sets and dramatically simpler legal stories.
"Regione UE" non è sovranità. Quattro domande decidono.
La residenza dei dati indica dove sono i bit. La sovranità indica quale sistema giuridico può imporre l'accesso. La risposta deve reggere su tutte e quattro — altrimenti lo stack non è sovrano.
Dove sono fisicamente archiviati i dati?
Non "nel cloud" — quale datacenter, in quale paese, sotto quale giurisdizione.
Chi altro è nel suo percorso dei dati?
Ogni fornitore che tocca i dati: il CDN, il relay e-mail, il tracker degli errori, la pipeline di analytics.
Quali leggi possono imporre la divulgazione?
Un fornitore con sede negli USA è soggetto al FISA 702 e al CLOUD Act — anche quando i dati sono a Francoforte.
Chi detiene effettivamente le chiavi di cifratura?
Se il provider cloud detiene sia i dati che le chiavi, può leggerli — indipendentemente dal DPA.
Fallisce su giurisdizione e custodia delle chiavi.
Bit nell'UE, casa madre statunitense, sub-responsabili americani nel percorso predefinito, chiavi gestite dal fornitore.
Passa su tutte e quattro.
Ospitato in UE su infrastruttura con sede europea. Zero sub-responsabili statunitensi nel percorso predefinito. Chiavi del cliente o di KMS europeo. Elencati per nome nel suo DPA Articolo 28.
Perché i team se ne vanno Cloudflare
The pattern we see: a privacy or DPO review identifies Cloudflare as a US subprocessor that processes every visitor request including IP addresses, browser fingerprints (via Bot Management) and cookies. Under Schrems II that is a transfer that needs supplementary measures — typically encryption that Cloudflare cannot read, which defeats the WAF and Bot Management features that were the reason for using Cloudflare. The simpler answer is to swap to an EU-jurisdictional provider where the legal analysis collapses to "no transfer." Bunny.net is the standard target and the migration is genuinely a few hours of DNS and configuration work.
Cloudflare servizi e i loro equivalenti solo UE
Una migrazione non è "scambiare una scatola con un'altra". La mappatura sottostante è ciò che eseguiamo per i clienti che lasciano Cloudflare per motivi Schrems II — piena giurisdizione UE, nessuna casa madre USA nel percorso dei dati.
| Cloudflare servizio | Alternativa solo UE | Nota di ingegneria |
|---|---|---|
| Cloudflare CDN | Bunny.net, KeyCDN (CH) | Bunny has 110+ POPs including dense EU coverage. Per-GB pricing is roughly half Cloudflare's comparable plan. Migration is a CNAME flip plus origin pull configuration. |
| Cloudflare WAF | Bunny WAF, ModSecurity / Coraza on EU edge, OVH Anti-DDoS rules | Bunny's WAF covers OWASP Top 10 with rule-based controls. For deep custom rules, ModSecurity on a self-managed edge is the production pattern. |
| Cloudflare DDoS protection | OVH Anti-DDoS (included on most plans), Bunny DDoS protection | OVH has invested heavily in their VAC scrubbing infrastructure; for large-scale L3/L4 attacks they are demonstrably competitive with Cloudflare. |
| Cloudflare DNS | Hetzner DNS, Bunny DNS, deSEC (DE non-profit) | For most use cases Hetzner or Bunny is sufficient. deSEC is privacy-first with mandatory DNSSEC. |
| Cloudflare R2 (storage) | Bunny Storage, OVH Object Storage, Wasabi EU, self-hosted MinIO | R2's zero-egress story is unique; on EU providers, egress is also typically free or very low, so the cost argument transfers. |
| Cloudflare Workers | Bunny Edge Scripting, self-hosted edge functions on Knative, EU-based serverless platforms | Workers is the hardest single Cloudflare product to replace. For most use cases (request rewriting, A/B testing, simple APIs), Bunny Edge Scripting covers it. For complex Workers (Durable Objects), self-hosted is the pattern. |
| Cloudflare Pages | Bunny CDN + EU object storage, GitLab Pages (EU instance), self-hosted Coolify | Pages' main value is the build pipeline; that piece moves to your CI provider. |
| Cloudflare Tunnel (Argo) | Tailscale (US — flag), Twingate (US — flag), Wireguard self-managed, Netbird (DE) | Netbird is DE-headquartered and provides the "no-public-IP" pattern with EU jurisdiction. Wireguard self-managed is the standard sovereign answer. |
| Cloudflare Access (zero trust) | Pomerium self-hosted, Authelia self-hosted, Boundary by Hashicorp on EU infra | For internal-only applications, an OIDC-protected reverse proxy on EU infrastructure is functionally equivalent. |
| Cloudflare Stream (video) | Bunny Stream, OVH Streaming, self-hosted Mediamtx with EU-only POPs | Bunny Stream offers comparable HLS/DASH delivery with EU-only edge option. |
| Cloudflare Bot Management | CrowdSec (FR), DataDome (FR), Cloudflare → Bunny + custom rules | CrowdSec is FR-headquartered and increasingly capable. For high-traffic e-commerce, DataDome (also FR) is the enterprise alternative. |
Come migriamo da Cloudflare
Una tipica migrazione di mid-market si svolge in tre fasi. I numeri qui sotto assumono un team di ingegneria di 6-10 persone e uno stack applicativo moderatamente complesso.
Inventory & risk-rank
List every Cloudflare product in use: CDN, DNS, WAF rules, Workers, Pages, R2, Tunnel, Access. Map each to a personal-data exposure (does it touch PII?) and migration complexity. Output: priority list, usually CDN/DNS first.
Soft swap (CDN, DNS, R2)
Provision Bunny pull zones for the same hostnames. Test with a staging hostname. Cut DNS over with low TTL pre-stage. R2 → Bunny Storage migration via parallel-write. WAF rules ported manually to Bunny WAF.
Hard pieces (Workers, Tunnel, Access)
Worker code reviewed and either ported to Bunny Edge Scripting, rewritten as origin-side middleware, or self-hosted on Knative. Tunnel replaced with Netbird or self-managed Wireguard. Access replaced with Pomerium or Authelia. Pages workloads moved to GitLab Pages or self-hosted.
Cloudflare-to-Bunny migrations almost always reduce monthly spend by 40–70% at typical mid-market volumes. The exceptions are Workers-heavy stacks (where the equivalent self-hosted infrastructure has higher fixed cost) and high-traffic Pages stacks (where Cloudflare's aggressive free tier is hard to match).
Domande frequenti
Cloudflare has EU-only data plans now — does that solve it?
Cloudflare's "Data Localization Suite" can keep EU traffic on EU edges and EU keys, which addresses residency. It does not address jurisdiction: Cloudflare Inc. remains a US corporation subject to the CLOUD Act. For most Schrems II analyses, the data-localization product is an improvement but not full sovereignty.
Will switching CDN affect performance for European visitors?
For European users specifically, Bunny.net often performs equal or better than Cloudflare because their EU POP density is higher per-traffic. Real-world tests on e-commerce migrations have shown TTFB improvements of 10–30ms for EU-specific traffic. For global users (US, APAC), Cloudflare's POP count is larger.
How do we handle Cloudflare Workers replacement?
Three patterns depending on the Worker: (1) trivial request rewrites move to Bunny Edge Scripting unchanged, (2) Workers that talk to KV / Durable Objects need a re-architect — typically the logic moves to the origin and uses Redis or Postgres, (3) Workers acting as API endpoints become small Knative services on EU infrastructure.
Is Bunny.net a real Schrems II–safe alternative?
Bunny.net is BunnyWay d.o.o., headquartered in Ljubljana, Slovenia (EU member). The legal entity is fully under EU jurisdiction. Their published subprocessor list is short and EU-focused. For Schrems II, the analysis collapses to "no third-country transfer" which is materially easier than Cloudflare's data-localization story.
What about Fastly or Akamai?
Both US-headquartered. Fastly is San Francisco; Akamai is Cambridge, MA. Same CLOUD Act analysis as Cloudflare. They are not Schrems II–easier than Cloudflare; they are different US providers with different feature sets.
How long does a Cloudflare migration take?
For a typical workload (CDN, DNS, basic WAF, no Workers): 1–2 weeks elapsed. For a Workers-heavy or Tunnel-dependent setup: 4–8 weeks. We can run the whole thing as a managed migration if you want it done without burning your team's capacity.
Pianifica la tua uscita da Cloudflare.
Chiamata di scoping di 30 minuti. Mappiamo il tuo stack rispetto alle alternative solo UE, stimiamo lo sforzo di migrazione e ti diciamo se è la scelta giusta.