Alternativa apenas UE a Alibaba Cloud.
Alibaba Cloud (Aliyun) is the largest cloud provider in Asia and the third-largest globally. Alibaba Group Holding Limited is incorporated in the Cayman Islands but operationally and effectively controlled from China. The PRC National Intelligence Law (2017) Article 7 obliges Chinese organisations to "support, assist and cooperate with state intelligence work" — which is the Chinese equivalent of the US CLOUD Act and arguably broader. The Frankfurt and London regions of Alibaba Cloud are EU-located but PRC-controlled. For EU buyers needing Schrems II–style sovereignty, Alibaba Cloud raises a third-country exposure that is legally even less defensible than US providers.
"Região UE" não é soberania. Quatro perguntas decidem.
Residência de dados diz onde os bits ficam. Soberania diz qual sistema jurídico pode forçar o acesso. A resposta tem de valer nos quatro pontos — caso contrário a stack não é soberana.
Onde os dados estão fisicamente armazenados?
Não "na nuvem" — qual datacenter, em qual país, sob qual jurisdição.
Quem mais está no seu caminho de dados?
Cada fornecedor que toca os dados: o CDN, o relay de e-mail, o rastreador de erros, o pipeline de analytics.
Quais leis podem forçar a divulgação?
Um fornecedor com sede nos EUA está sujeito ao FISA 702 e ao CLOUD Act — mesmo quando os dados estão em Frankfurt.
Quem detém realmente as chaves de cifragem?
Se o provedor de nuvem tem tanto os dados quanto as chaves, ele pode lê-los — independentemente de qualquer DPA.
Falha em jurisdição e custódia de chaves.
Bits na UE, casa-mãe nos EUA, subprocessadores americanos no caminho predefinido, chaves geridas pelo fornecedor.
Passa nos quatro.
Hospedado na UE em infraestrutura com sede europeia. Zero subprocessadores americanos no caminho padrão. Chaves do cliente ou de KMS europeu. Nomeados no seu DPA Artigo 28.
Porque é que as equipas estão a sair Alibaba Cloud
Alibaba Cloud usage in EU mid-market is concentrated in specific patterns: cross-border e-commerce serving Chinese consumers, EU subsidiaries of Chinese parent companies, or companies that adopted Aliyun for genuinely China-specific compute and now find the EU side under regulatory pressure. The triggers we see for migration: EU customers (B2B) refusing data processing through Aliyun, NIS2 essential-entity classification flagging PRC providers as supply-chain risk, or board-level concern after the 2024 EU regulatory tightening on Chinese cloud and AI providers. The EU sovereign stack handles the EU-side workloads cleanly; China-specific workloads remain on a documented hybrid where appropriate.
Alibaba Cloud serviços e os seus equivalentes apenas na UE
Uma migração não é "trocar uma caixa por outra". O mapeamento abaixo é o que executamos para clientes que saem de Alibaba Cloud por motivos Schrems II — plena jurisdição UE, sem casa-mãe US no caminho dos dados.
| Alibaba Cloud serviço | Alternativa apenas UE | Nota de engenharia |
|---|---|---|
| Elastic Compute Service (ECS) | Hetzner Cloud, OVH Public Cloud, Scaleway Instances, IONOS | Standard VM migration. Image rebuild from CentOS/Aliyun Linux to Rocky/Alma/Debian. Most application stacks transfer without changes. |
| Object Storage Service (OSS) | OVH Object Storage, Wasabi EU, Bunny Storage, MinIO self-hosted | OSS supports S3-compatible API; the migration is endpoint config plus data sync. |
| ApsaraDB RDS | OVH Managed Databases, Aiven (FI), Scaleway Managed DB, self-managed PostgreSQL/MySQL | RDS uses MySQL/PostgreSQL/SQL Server underneath; migration via logical replication or dump/restore depending on size. |
| Container Service for Kubernetes (ACK) | Scaleway Kapsule, OVH Managed K8s, Talos on Hetzner | ACK is upstream Kubernetes with Aliyun-specific addons; standard nginx-ingress and cert-manager replace ACK-specific equivalents. |
| Function Compute (FaaS) | OpenFaaS, Knative on EU K8s, Scaleway Serverless Functions | Function migration is mechanical; runtime models port cleanly. |
| Server Load Balancer (SLB) | Hetzner Cloud LB, OVH Load Balancer, HAProxy self-managed | Standard L4/L7 load balancing on all EU options. |
| Anti-DDoS Pro | OVH Anti-DDoS (included), Bunny.net DDoS, NaWas (NL DDoS scrubbing) | OVH and NaWas (operated by SIDN, NL) have credible large-scale DDoS scrubbing under EU jurisdiction. |
| Web Application Firewall | Bunny WAF, ModSecurity / Coraza, F5 NGINX Plus | Rule sets transfer; OWASP Top 10 coverage is standard everywhere. |
| CDN | Bunny.net, KeyCDN | For EU-only delivery, Bunny is the standard target; for serving Chinese mainland traffic, Aliyun CDN remains the practical choice for that specific traffic. |
| Alibaba Cloud DNS | Hetzner DNS, Bunny DNS, deSEC | Standard zone migration. |
| Tablestore (NoSQL) | ScyllaDB self-hosted, Cassandra on EU compute, PostgreSQL with appropriate indexing | For wide-column workloads, ScyllaDB is the modern open-source pattern. |
| PolarDB | PostgreSQL or MySQL on EU managed services, or self-managed | PolarDB is MySQL/PostgreSQL-compatible; logical replication handles the migration. |
Como migramos de Alibaba Cloud
Uma migração típica de mid-market decorre em três fases. Os números abaixo assumem uma equipa de engenharia de 6 a 10 pessoas e uma stack de aplicação moderadamente complexa.
Audit + traffic-region split
Inventory Aliyun services and classify by traffic region: serving Chinese mainland users (may stay on Aliyun, document exposure for EU data), serving EU users (priority migration to sovereign EU stack). Output: phased plan with explicit boundary.
EU-facing workloads cutover
EU traffic gradually shifted to the EU sovereign stack. Database replicas pre-staged. Storage sync. Edge migrations to Bunny.net.
Decommission EU side of Aliyun
Final cutover of EU workloads. Aliyun account scoped down to China-mainland-only workloads if those remain. EU customer DPAs updated to reflect new processor list.
Aliyun-to-EU cost comparison varies more than US migrations. For pure compute, EU sovereign stack is competitive or cheaper. For Aliyun-specific managed services (PolarDB at scale, Tablestore), the migration may not be cost-driven but compliance-driven. The strongest case is regulatory: GDPR penalties for inadequate Schrems II–style safeguards on PRC providers can dwarf any infrastructure cost difference.
Perguntas frequentes
What is the legal regime that makes Alibaba Cloud problematic for EU data?
Three primary instruments: the PRC Cybersecurity Law (2017) requires storage of certain data within China and grants government access; the Data Security Law (2021) extends data-handling obligations and allows extraterritorial application; Article 7 of the National Intelligence Law (2017) compels cooperation with state intelligence work. The combined effect is that PRC-controlled entities are required to provide access to data on government request. For GDPR purposes, this is a third-country transfer with high regulatory exposure.
But Alibaba Cloud International is registered in Singapore — does that change things?
Marginally. Alibaba Cloud Singapore is a subsidiary of Alibaba Group Holding Limited (Cayman Islands) which is operationally controlled from Hangzhou. The same parent jurisdiction analysis that affects US subsidiaries applies here, with the additional consideration that PRC laws have explicit extraterritorial provisions.
We need to serve customers in mainland China — how does that work?
A documented hybrid: Aliyun (or another PRC provider) for China-mainland-served traffic, EU sovereign stack for EU-served traffic, with a strict boundary on personal data. The boundary is documented in the DPA and reviewed quarterly. Many of our cross-border e-commerce clients run exactly this pattern.
Are there sovereign EU alternatives for the China-specific services?
For services that exist specifically because of China-side traffic patterns (PolarDB-X for cross-region active-active in PRC, Aliyun CDN for mainland delivery), there are no EU sovereign equivalents because the use case is China-specific. For everything else (compute, storage, basic managed databases), the EU sovereign stack covers it cleanly.
How long does an Alibaba Cloud exit take?
For typical EU-side workloads (compute, RDS, OSS, ACK): 8–14 weeks elapsed time. For mixed cross-border workloads where the China side stays: 6–10 weeks for the EU-side migration only. The hybrid model often takes longer to design than execute.
What about Huawei Cloud or Tencent Cloud?
Same legal analysis as Alibaba Cloud. All three are PRC-controlled entities subject to the same combination of Cybersecurity Law, Data Security Law and National Intelligence Law obligations. From a Schrems II perspective, the analysis is materially identical.
Planeie a sua saída de Alibaba Cloud.
Chamada de scoping de 30 minutos. Mapeamos a sua stack contra alternativas apenas UE, estimamos o esforço de migração e dizemos-lhe se é a decisão certa.