EU-only alternative to AWS.

Amazon Web Services is the original public cloud — and the original Schrems II problem. The same EU regions that make AWS technically usable for European workloads do not change the parent jurisdiction: AWS Inc. is a Delaware corporation, AWS EMEA SARL is a Luxembourg subsidiary fully controlled by it, and the CLOUD Act applies to both. For audited workloads, regulated industries and any business that has had a customer ask "is your provider US-subpoenable?", the honest answer on AWS is yes. Below is the engineering-grade map for getting off it.

Vendor: AWS
Headquarters: Seattle, WA
Jurisdiction: United States
Legal regime: CLOUD Act, FISA 702, EO 12333

"EU region" is not sovereignty. Four questions decide it.

Data residency tells you where the bits are. Sovereignty tells you which legal system can compel access. The answer has to hold up on all four, otherwise the stack is not sovereign.

Residency

Where is the data physically stored?

Not "in the cloud": which data centre, in which country, under which jurisdiction.

Subprocessors

Who else sits in your data path?

Every vendor that touches data: the CDN, the e-mail relay, the error tracker, the analytics pipeline.

Jurisdiction

Whose laws can compel disclosure?

A vendor headquartered in the US falls under FISA 702 and the CLOUD Act, even if the bits are in Frankfurt.

Key management

Who actually holds the encryption keys?

If the cloud provider holds both the data and the keys, it can read the data, regardless of any DPA.

AWS · Azure · GCP — EU region

Fails on jurisdiction and key management.

EU bits, US parent company, US subprocessors in the default path, keys managed by the provider.

Binadit managed stack

Passes on all four.

EU-hosted on EU-headquartered infrastructure. Zero US subprocessors in the default path. Customer or EU-KMS keys. Named in your Article 28 DPA.
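
The four-question test applied to a data path, as an added example (not Binadit's code). The AWS entities follow the page; the `example-*` vendors, the abbreviated `EU_EEA` set and the pass/fail rules in `assess` are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: abbreviated EU/EEA country list, enough for the constructed data below.
EU_EEA = {"NL", "DE", "FR", "LU", "FI", "IE", "SE"}

@dataclass(frozen=True)
class Entity:
    name: str
    hq: str                          # ISO country code of the headquarters
    parent: Optional[str] = None     # controlling entity, if any
    stores_in: Optional[str] = None  # country where it stores data (None: stores nothing)

def chain(name, reg):
    """Walk from an entity up to its ultimate parent; stops on cycles."""
    out, seen = [], set()
    while name and name not in seen:
        seen.add(name)
        out.append(reg[name])
        name = reg[name].parent
    return out

def eu_controlled(name, reg):
    """True only if every entity in the ownership chain is EU/EEA-headquartered."""
    return all(e.hq in EU_EEA for e in chain(name, reg))

def assess(primary, subprocessors, key_custodian, reg):
    """Return the sorted list of questions a data path fails (assumed rules)."""
    path = [primary, *subprocessors]
    failed = set()
    if any(reg[n].stores_in not in (EU_EEA | {None}) for n in path):
        failed.add("residency")
    if not all(eu_controlled(n, reg) for n in subprocessors):
        failed.add("subprocessors")
    if not eu_controlled(primary, reg):
        failed.add("jurisdiction")
    # "customer" means customer-held keys; otherwise the custodian must be
    # EU-controlled and must not be the provider that also holds the data.
    if key_custodian != "customer" and (
            key_custodian == primary or not eu_controlled(key_custodian, reg)):
        failed.add("key management")
    return sorted(failed)

# Constructed registry: the AWS entities follow the page, the rest are placeholders.
REGISTRY = {e.name: e for e in [
    Entity("AWS Inc.", "US"),
    Entity("AWS EMEA SARL", "LU", parent="AWS Inc.", stores_in="DE"),
    Entity("example-eu-host", "NL", stores_in="NL"),
    Entity("example-eu-cdn", "DE", stores_in="DE"),
    Entity("example-us-tracker", "US", stores_in="IE"),
]}
```

Calling `assess("AWS EMEA SARL", [], "AWS EMEA SARL", REGISTRY)` reports the jurisdiction and key-management failures even though every byte is stored in the EU, because the ownership chain ends at a US parent.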

Why teams leave AWS

The drivers we hear in scoping calls are consistent: a procurement gate that now demands "no third-country data processor" (NIS2, DORA, public sector), a customer audit (typically B2B enterprise or healthcare) that flagged the AWS relationship, escalating egress and bandwidth costs that look worse every quarter, or a leadership-level concern after the 2024–2025 round of EU-US transfer mechanism uncertainty. The technical lift to leave AWS is rarely the blocker it appears to be. The real friction is choreography: zero-downtime database migrations, DNS cutover, observability continuity. That is where a managed-infrastructure partner saves months.

AWS services and their EU-only equivalents

A migration is not "swap one box for another". The mapping below is what we run for customers leaving AWS on Schrems II grounds: full EU jurisdiction, no US parent in the data path.

| AWS service | EU-only alternative | Engineering note |
| --- | --- | --- |
| EC2 (compute) | Hetzner Cloud, OVH Public Cloud, IONOS Compute, Scaleway Instances, Leaseweb VMs | Per-vCPU and per-GB pricing on EU providers is dramatically lower; bare-metal options exist on Hetzner and OVH for reserved workloads. |
| S3 (object storage) | OVH Object Storage, Wasabi EU, Bunny Storage, self-hosted Ceph or MinIO on EU compute | S3-compatible APIs are universal; most application code is a single endpoint change. No egress fees on most EU providers. |
| RDS / Aurora (managed DB) | OVH Managed Databases, Scaleway Managed PostgreSQL, Aiven (FI), or self-managed PostgreSQL/MySQL with replication on EU compute | Streaming replication enables zero-downtime cutover. Managed EU PostgreSQL pricing is typically 30–50% lower than equivalent RDS. |
| CloudFront (CDN) | Bunny.net, KeyCDN | Bunny.net offers comparable POP density in EU and Middle East; cheaper per-GB; no US-default edge. |
| Route 53 (DNS) | Hetzner DNS, Bunny DNS, deSEC (DE non-profit) | For zone-only management, Hetzner DNS is free with hosting; deSEC is privacy-first and DNSSEC-by-default. |
| Lambda (serverless) | Scaleway Serverless Functions, Cloudflare Workers (note: US parent), or self-hosted OpenFaaS / Knative on EU Kubernetes | For sovereign deployments, self-hosted Knative on EU compute is the cleanest. Most Lambda workloads fit a small Kubernetes cluster. |
| SES (email) | Self-hosted Postfix on EU infra, Mailpace (NL), Tuta business, Brevo (FR) | For transactional volume under 1M/month, a properly-configured Postfix relay is operationally simpler and cheaper than SES. |
| SQS / SNS | Self-hosted RabbitMQ, NATS, or Redis Streams on EU compute | Managed message brokers are rare in the EU sovereign space. Self-managed is the standard pattern; we operate it for clients. |
| EKS (managed Kubernetes) | Scaleway Kapsule, OVH Managed Kubernetes, IONOS Managed K8s, or self-managed K3s/Talos on Hetzner | Managed K8s on EU providers has feature parity for 95% of workloads. We typically run Talos Linux on Hetzner bare metal for high-trust workloads. |
| CloudWatch / X-Ray | Self-hosted Prometheus + Grafana + Loki + Tempo on EU compute, or Grafana Cloud EU region | The OpenTelemetry standard makes the migration trivial; the operational gain is consolidated dashboards and zero per-metric pricing. |
| IAM | HashiCorp Vault on EU infra, plus per-platform IAM equivalents | No 1:1 replacement; cross-platform identity is rebuilt with Vault, OIDC providers (Keycloak), and per-tool roles. |
| WAF / Shield | Bunny.net WAF, ModSecurity / Coraza on EU edge, OVH Anti-DDoS | OVH includes large-scale anti-DDoS at no extra cost on most plans; Bunny WAF is rule-based and competitive. |
| KMS | HashiCorp Vault Transit on EU infra, GCP-style EU-KMS providers, or HSM-backed keys | For HYOK scenarios, on-premises HSM with cloud-side BYOK is the standard sovereign pattern. |
| Secrets Manager / SSM Parameter Store | HashiCorp Vault, Bitwarden Secrets Manager (US-headquartered — flag), Infisical (self-hosted) | Vault on EU infra is the production-grade answer. We deploy and operate it. |

How we migrate off AWS

A typical mid-market migration runs in three phases. The figures below assume a team of 6-10 engineers and a moderately complex application stack.

Weeks 1–2

Audit & dependency map

Inventory every AWS service in use, every IAM role, every Lambda, every cross-service call. Tag personal data flows. Output: a remediation plan with risk-ranked findings and an effort estimate per service.

Weeks 3–6

Soft dependencies & egress prep

Replace CloudFront, Route 53, SES and CloudWatch first — zero application code changes for most. Move S3 buckets behind S3-compatible EU storage with dual-write during cutover. Pre-stage replicas of RDS in EU.

Weeks 6–14

Core compute & DB cutover

Blue-green compute migration with DNS-level traffic shift. Streaming-replication database cutover during a low-traffic window. EKS workloads moved to managed EU K8s or self-managed Talos. Decommission AWS account once verified.
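
The dual-write step from the weeks 3–6 phase, as an added example that is not from the original page: `MemoryStore` is a constructed in-memory stand-in for an S3-compatible bucket, and reads are switched to the new store only once every object in the old store has a SHA-256 match in the new one.

```python
import hashlib

class MemoryStore:
    """Constructed stand-in for an S3-compatible bucket (hypothetical, in-memory)."""
    def __init__(self):
        self.objects = {}
    def put(self, key, body):
        self.objects[key] = body
    def get(self, key):
        return self.objects.get(key)

class DualWriteStore:
    """Writes go to both stores; reads stay on the old store until cutover."""
    def __init__(self, old, new):
        self.old, self.new, self.cut_over = old, new, False
    def put(self, key, body):
        self.old.put(key, body)   # old store stays authoritative until cutover
        self.new.put(key, body)
    def get(self, key):
        return (self.new if self.cut_over else self.old).get(key)

def sha256(body):
    return hashlib.sha256(body).hexdigest()

def backfill(old, new):
    """Copy objects that predate dual-write; never overwrite a dual-written object."""
    missing = set(old.objects) - set(new.objects)
    for key in missing:
        new.put(key, old.get(key))
    return len(missing)

def parity_gaps(old, new):
    """Keys that are absent from the new store or whose digest differs."""
    return sorted(k for k, body in old.objects.items()
                  if new.get(k) is None or sha256(new.get(k)) != sha256(body))

def cutover(store):
    """Switch reads to the new store only when parity is proven."""
    gaps = parity_gaps(store.old, store.new)
    if gaps:
        raise RuntimeError(f"refusing cutover, {len(gaps)} object(s) differ: {gaps}")
    store.cut_over = True
    return store

def demo():
    old, new = MemoryStore(), MemoryStore()
    old.put("invoices/1.pdf", b"legacy object")   # written before dual-write began
    store = DualWriteStore(old, new)
    store.put("invoices/2.pdf", b"dual-written")
    before = parity_gaps(old, new)                # ['invoices/1.pdf']
    copied = backfill(old, new)
    cutover(store)
    return before, copied, store.get("invoices/1.pdf")
```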

5-year TCO modelling on workloads we have actually migrated: typically 30–55% cheaper on EU sovereign infrastructure for predictable workloads, neutral to slightly higher for highly bursty workloads that benefit from sub-second autoscaling. Egress savings alone are often the difference between a positive and negative ROI.

Frequently asked questions

Does using an AWS EU region (Frankfurt, Ireland, Stockholm) solve the Schrems II problem?

No. The data residency is in the EU but Amazon Web Services Inc. is the controller of the infrastructure under US law. The CLOUD Act allows US authorities to compel disclosure of data held by US-controlled entities anywhere in the world. The EDPB has explicitly flagged this as a Schrems II issue. AWS EMEA SARL is a Luxembourg subsidiary fully owned by AWS Inc.; that ownership chain is what the analysis turns on.

How long does an AWS exit take in practice?

For a mid-market application (10–50 EC2 instances, a couple of RDS databases, S3, CloudFront, SES) with a 6–10 person engineering team and competent operational support: 10–16 weeks elapsed time. With a managed-infrastructure partner driving the choreography (which is most of the actual work), 6–10 weeks.

What about AWS GovCloud or AWS Sovereign Cloud Europe?

AWS GovCloud is for US federal workloads and is not relevant to EU buyers. AWS European Sovereign Cloud (announced 2023, in build-out) is operated by EU-headquartered AWS staff in EU regions, but the parent legal entity remains Amazon Web Services Inc. Whether it is "sovereign enough" depends on your specific compliance regime; for many Schrems II analyses it is not sufficient because the parent jurisdiction is unchanged.

Will we lose features by leaving AWS?

Specific managed services (DynamoDB single-digit-ms, Aurora Serverless v2, Bedrock model access, SageMaker training on H100s) have no clean EU sovereign equivalents. For 90% of mid-market workloads — web applications, APIs, e-commerce, B2B SaaS, analytics on warehouses — the EU sovereign stack covers it. We tell you upfront if your workload sits in the 10% category.

Can we keep some AWS services and migrate the rest?

Yes — a hybrid is sometimes the right answer. The discipline is to keep AWS only for clearly non-personal workloads, and document the boundary in your DPA. We have run hybrids where AWS handles ML training (no personal data, batch-only) and the EU sovereign stack handles all customer-facing infrastructure.

What does a managed exit cost?

Project-based pricing, scoped after the audit. Typical mid-market AWS exit: €25–80k for the project, plus the ongoing managed-infrastructure retainer for the new EU stack. The first-year savings on AWS spend usually exceed the project cost.

Plan your exit from AWS.

A 30-minute call. We map your stack against EU-only alternatives, estimate the migration effort and tell you whether it is the right choice.