EU-only alternative to AWS.

Amazon Web Services is the original public cloud — and the original Schrems II problem. The same EU regions that make AWS technically usable for European workloads do not change the parent jurisdiction: AWS Inc. is a Delaware corporation, AWS EMEA SARL is a Luxembourg subsidiary fully controlled by it, and the CLOUD Act applies to both. For audited workloads, regulated industries and any business that has had a customer ask "is your provider US-subpoenable?", the honest answer on AWS is yes. Below is the engineering-grade map for getting off it.

Provider: AWS
Headquarters: Seattle, WA
Jurisdiction: United States
Legal regime: CLOUD Act, FISA 702, EO 12333

"EU region" is not sovereignty. Four questions decide.

Data residency tells you where the bits live. Sovereignty tells you which legal system can compel access. The answer has to hold on all four points; otherwise the stack is not sovereign.

Residency

Where is the data physically stored?

Not "in the cloud": which datacenter, in which country, under which jurisdiction.

Subprocessors

Who else is in your data path?

Every vendor that touches the data: the CDN, the email relay, the error tracker, the analytics pipeline.

Jurisdiction

Which laws can compel disclosure?

A US-headquartered provider is subject to FISA 702 and the CLOUD Act, even when the data sits in Frankfurt.

Key custody

Who actually holds the encryption keys?

If the cloud provider holds both the data and the keys, it can read them, regardless of any DPA.

AWS · Azure · GCP — EU region

Fails on jurisdiction and key custody.

Bits in the EU, parent company in the US, American subprocessors in the default path, keys managed by the provider.

Binadit-managed stack

Passes all four.

Hosted in the EU on European-headquartered infrastructure. Zero American subprocessors in the default path. Keys held by the customer or in a European KMS. Named in your Article 28 DPA.

Why teams are leaving AWS

The drivers we hear in scoping calls are consistent: a procurement gate that now demands "no third-country data processor" (NIS2, DORA, public sector), a customer audit (typically B2B enterprise or healthcare) that flagged the AWS relationship, escalating egress and bandwidth costs that look worse every quarter, or a leadership-level concern after the 2024–2025 round of EU-US transfer mechanism uncertainty. The technical lift to leave AWS is rarely the blocker it appears to be. The real friction is choreography: zero-downtime database migrations, DNS cutover, observability continuity. That is where a managed-infrastructure partner saves months.

AWS services and their EU-only equivalents

A migration is not "swapping one box for another". The mapping below is what we run for clients leaving AWS for Schrems II reasons: full EU jurisdiction, no US parent in the data path.

| AWS service | EU-only alternative | Engineering note |
| --- | --- | --- |
| EC2 (compute) | Hetzner Cloud, OVH Public Cloud, IONOS Compute, Scaleway Instances, Leaseweb VMs | Per-vCPU and per-GB pricing on EU providers is dramatically lower; bare-metal options exist on Hetzner and OVH for reserved workloads. |
| S3 (object storage) | OVH Object Storage, Wasabi EU, Bunny Storage, self-hosted Ceph or MinIO on EU compute | S3-compatible APIs are universal; most application code is a single endpoint change. No egress fees on most EU providers. |
| RDS / Aurora (managed DB) | OVH Managed Databases, Scaleway Managed PostgreSQL, Aiven (FI), or self-managed PostgreSQL/MySQL with replication on EU compute | Streaming replication enables zero-downtime cutover. Managed EU PostgreSQL pricing is typically 30–50% lower than equivalent RDS. |
| CloudFront (CDN) | Bunny.net, KeyCDN | Bunny.net offers comparable POP density in EU and Middle East; cheaper per-GB; no US-default edge. |
| Route 53 (DNS) | Hetzner DNS, Bunny DNS, deSEC (DE non-profit) | For zone-only management, Hetzner DNS is free with hosting; deSEC is privacy-first and DNSSEC-by-default. |
| Lambda (serverless) | Scaleway Serverless Functions, Cloudflare Workers (note: US parent), or self-hosted OpenFaaS / Knative on EU Kubernetes | For sovereign deployments, self-hosted Knative on EU compute is the cleanest. Most Lambda workloads fit a small Kubernetes cluster. |
| SES (email) | Self-hosted Postfix on EU infra, Mailpace (NL), Tuta business, Brevo (FR) | For transactional volume under 1M/month, a properly-configured Postfix relay is operationally simpler and cheaper than SES. |
| SQS / SNS | Self-hosted RabbitMQ, NATS, or Redis Streams on EU compute | Managed message brokers are rare in the EU sovereign space. Self-managed is the standard pattern; we operate it for clients. |
| EKS (managed Kubernetes) | Scaleway Kapsule, OVH Managed Kubernetes, IONOS Managed K8s, or self-managed K3s/Talos on Hetzner | Managed K8s on EU providers has feature parity for 95% of workloads. We typically run Talos Linux on Hetzner bare metal for high-trust workloads. |
| CloudWatch / X-Ray | Self-hosted Prometheus + Grafana + Loki + Tempo on EU compute, or Grafana Cloud EU region | The OpenTelemetry standard makes the migration trivial; the operational gain is consolidated dashboards and zero per-metric pricing. |
| IAM | HashiCorp Vault on EU infra, plus per-platform IAM equivalents | No 1:1 replacement; cross-platform identity is rebuilt with Vault, OIDC providers (Keycloak), and per-tool roles. |
| WAF / Shield | Bunny.net WAF, ModSecurity / Coraza on EU edge, OVH Anti-DDoS | OVH includes large-scale anti-DDoS at no extra cost on most plans; Bunny WAF is rule-based and competitive. |
| KMS | HashiCorp Vault Transit on EU infra, GCP-style EU-KMS providers, or HSM-backed keys | For HYOK scenarios, on-premises HSM with cloud-side BYOK is the standard sovereign pattern. |
| Secrets Manager / SSM Parameter Store | HashiCorp Vault, Bitwarden Secrets Manager (US-headquartered — flag), Infisical (self-hosted) | Vault on EU infra is the production-grade answer. We deploy and operate it. |

How we migrate from AWS

A typical mid-market migration runs in three phases. The figures below assume an engineering team of 6 to 10 people and a moderately complex application stack.

Weeks 1–2

Audit & dependency map

Inventory every AWS service in use, every IAM role, every Lambda, every cross-service call. Tag personal data flows. Output: a remediation plan with risk-ranked findings and an effort estimate per service.

Weeks 3–6

Soft dependencies & egress prep

Replace CloudFront, Route 53, SES and CloudWatch first — zero application code changes for most. Move S3 buckets behind S3-compatible EU storage with dual-write during cutover. Pre-stage replicas of RDS in EU.

Weeks 6–14

Core compute & DB cutover

Blue-green compute migration with DNS-level traffic shift. Streaming-replication database cutover during a low-traffic window. EKS workloads moved to managed EU K8s or self-managed Talos. Decommission AWS account once verified.
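
An added example, not Binadit's tooling or code from the original page: one way to start the weeks 1–2 inventory is to fold CloudTrail records into a per-service map of callers and regions, then bucket each service into the phase the plan above assigns it. The sample records, account ID, role names and the PHASE mapping are constructed assumptions; `eventSource`, `awsRegion` and `userIdentity.arn` are standard CloudTrail record fields.

```python
import json
from collections import defaultdict

# Assumed mapping (eventSource -> phase), following the three phases above.
PHASE = {
    "cloudfront.amazonaws.com": "weeks 3-6", "route53.amazonaws.com": "weeks 3-6",
    "ses.amazonaws.com": "weeks 3-6", "s3.amazonaws.com": "weeks 3-6",
    "monitoring.amazonaws.com": "weeks 3-6",  # CloudWatch
    "rds.amazonaws.com": "weeks 6-14",  # replicas pre-staged earlier, cutover here
    "ec2.amazonaws.com": "weeks 6-14", "eks.amazonaws.com": "weeks 6-14",
}

ROLE = "arn:aws:sts::111122223333:assumed-role/"  # constructed account ID
# Constructed CloudTrail-style records, one JSON object per line (not real logs).
SAMPLE = "\n".join(json.dumps(r) for r in [
    {"eventSource": "s3.amazonaws.com", "awsRegion": "eu-central-1",
     "userIdentity": {"arn": ROLE + "checkout-api/i-01"}},
    {"eventSource": "ses.amazonaws.com", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": ROLE + "checkout-api/i-01"}},
    {"eventSource": "rds.amazonaws.com", "awsRegion": "eu-central-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy"}},
    {"eventSource": "dynamodb.amazonaws.com", "awsRegion": "us-east-1",
     "userIdentity": {"arn": ROLE + "report-job/run-7"}},
    {"eventSource": "s3.amazonaws.com", "awsRegion": "eu-central-1",
     "userIdentity": {"arn": ROLE + "report-job/run-7"}},
])

def principal(identity):
    """Role or user name from a userIdentity ARN (segment after the first '/')."""
    parts = identity.get("arn", "unknown").split("/")
    return parts[1] if len(parts) > 1 else parts[0]

def build_inventory(text):
    """Per service: which principals call it, from which regions, how often."""
    inv = defaultdict(lambda: {"principals": set(), "regions": set(), "calls": 0})
    for line in filter(str.strip, text.splitlines()):
        ev = json.loads(line)
        entry = inv[ev["eventSource"]]
        entry["principals"].add(principal(ev.get("userIdentity", {})))
        entry["regions"].add(ev.get("awsRegion", "unknown"))
        entry["calls"] += 1
    return dict(inv)

def plan(inv):
    """Group services by phase; anything unmapped is surfaced for manual review."""
    phases = defaultdict(list)
    for source in sorted(inv):
        phases[PHASE.get(source, "needs review")].append(source)
    return dict(phases)

def outside_eu(inv):
    """Services seen in at least one non-EU region (a residency question)."""
    return sorted(s for s, e in inv.items()
                  if any(not r.startswith("eu-") for r in e["regions"]))
```

Global services such as CloudFront and Route 53 record their events in us-east-1, so a non-EU hit for those is expected rather than a residency finding.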

5-year TCO modelling on workloads we have actually migrated: typically 30–55% cheaper on EU sovereign infrastructure for predictable workloads, neutral to slightly higher for highly bursty workloads that benefit from sub-second autoscaling. Egress savings alone are often the difference between a positive and negative ROI.

Frequently asked questions

Does using an AWS EU region (Frankfurt, Ireland, Stockholm) solve the Schrems II problem?

No. The data residency is in the EU but Amazon Web Services Inc. is the controller of the infrastructure under US law. The CLOUD Act allows US authorities to compel disclosure of data held by US-controlled entities anywhere in the world. The EDPB has explicitly flagged this as a Schrems II issue. AWS EMEA SARL is a Luxembourg subsidiary fully owned by AWS Inc.; that ownership chain is what the analysis turns on.

How long does an AWS exit take in practice?

For a mid-market application (10–50 EC2 instances, a couple of RDS databases, S3, CloudFront, SES) with a 6–10 person engineering team and competent operational support: 10–16 weeks elapsed time. With a managed-infrastructure partner driving the choreography (which is most of the actual work), 6–10 weeks.

What about AWS GovCloud or AWS Sovereign Cloud Europe?

AWS GovCloud is for US federal workloads and is not relevant to EU buyers. AWS European Sovereign Cloud (announced 2023, in build-out) is operated by EU-headquartered AWS staff in EU regions, but the parent legal entity remains Amazon Web Services Inc. Whether it is "sovereign enough" depends on your specific compliance regime; for many Schrems II analyses it is not sufficient because the parent jurisdiction is unchanged.

Will we lose features by leaving AWS?

Specific managed services (DynamoDB single-digit-ms, Aurora Serverless v2, Bedrock model access, SageMaker training on H100s) have no clean EU sovereign equivalents. For 90% of mid-market workloads — web applications, APIs, e-commerce, B2B SaaS, analytics on warehouses — the EU sovereign stack covers it. We tell you upfront if your workload sits in the 10% category.

Can we keep some AWS services and migrate the rest?

Yes — a hybrid is sometimes the right answer. The discipline is to keep AWS only for clearly non-personal workloads, and document the boundary in your DPA. We have run hybrids where AWS handles ML training (no personal data, batch-only) and the EU sovereign stack handles all customer-facing infrastructure.

What does a managed exit cost?

Project-based pricing, scoped after the audit. Typical mid-market AWS exit: €25–80k for the project, plus the ongoing managed-infrastructure retainer for the new EU stack. The first-year savings on AWS spend usually exceed the project cost.

Plan your AWS exit.

30-minute scoping call. We map your stack against EU-only alternatives, estimate the migration effort and tell you whether it is the right decision.