
A deep dive into Cloud Infrastructure provider security

Cloud technology has become a fundamental pillar of the modern IT landscape. At its core, the concept revolves around software solutions no longer running locally on a user's device but instead operating on powerful servers hosted in data centers. These data centers are often distributed across the globe, interconnected via networks, and collectively form what we call the cloud infrastructure. Depending on the provider, the underlying operating model can vary: while some companies run their own servers or data centers, others rely on external cloud infrastructure providers that offer standardized computing resources.

But performance and pricing aren’t the only factors to consider when selecting the right cloud provider. Not all clouds are created equal. Significant differences exist between EU-based and non-EU providers, especially when it comes to information security. For instance, the U.S. CLOUD Act introduces legal uncertainties for American providers, while data protection laws in countries like China and Australia can also present unique challenges.

This article explores these differences and offers a side-by-side comparison of six leading cloud infrastructure providers, with a particular emphasis on security considerations for companies operating within the EU.

What exactly is cloud infrastructure?

Cloud infrastructure includes all the technical and organizational components that IT subcontractors provide – such as servers, networks, and firewalls. Many companies hire cloud infrastructure providers (Infrastructure-as-a-Service) as subcontractors to make their IT resources more flexible and scalable, without having to operate their own hardware.

Take Stackfield as an example: As a growing SaaS provider, the company continuously requires more powerful servers to handle increasing data traffic. Rather than investing in costly physical hardware, the company can contract a cloud infrastructure provider that supplies computing power, storage, and network resources through its data center.
These data centers are extensive facilities that, depending on the provider, may be operated in various locations worldwide. In Stackfield’s case, their data centers are located exclusively in Germany. The physical infrastructure is handled by a contracted subcontractor that ensures reliable and redundant power supply, cooling, and maintenance of the hardware.

Which services do cloud infrastructure providers typically offer?

Cloud providers typically offer a variety of services, ranging from basic data storage to advanced computing capabilities. The lines between physical infrastructure and digital services are becoming increasingly blurred. Many providers now go beyond just offering technical resources and are integrating tailored software solutions into their offerings. For businesses that outsource their IT to subcontractors, the following services are particularly relevant:

  • Infrastructure-as-a-Service (IaaS): Virtual machines, storage, and networking resources that businesses can use flexibly without having to maintain physical servers.
  • Platform-as-a-Service (PaaS): Development environments that allow companies to deploy and manage software without maintaining their own servers.
  • Software-as-a-Service (SaaS): Cloud-based applications such as email platforms, office tools, or project management systems like Stackfield.
  • Backup and Disaster Recovery Services: Automated data backups and recovery solutions to minimize downtime and data loss in the event of a failure.
  • Managed Security Services: Protection against cyber threats through tools like firewalls, encryption, and continuous threat monitoring.

When subcontracting cloud services, it is crucial to ensure that the provider’s offerings align with the company’s data protection and information security policies as well as with the legal requirements of the country in which the business operates.

What are the differences between EU and non-EU providers?

International cloud infrastructure providers are often subject to national laws that allow foreign governments to access corporate data. One of the most critical examples is the U.S. CLOUD Act, which compels American companies to cooperate with U.S. authorities – even if their data is stored in data centers located within the EU.

This U.S. law applies even when U.S. companies are hired as subcontractors by an EU company. In other words, the U.S. government may legally demand access to sensitive data belonging to EU companies.

Similar regulations exist in other countries as well:

  • China: Chinese companies are legally obligated to hand over data upon government request – including data from EU entities. China's cybersecurity laws allow for extensive state control and surveillance.
  • Russia: Companies must store data on Russian citizens within the country, and local authorities are granted broad access rights.
  • Australia: The 'Telecommunications and Other Legislation Amendment (TOLA) Act' permits the government to access encrypted data and requires companies to assist in decrypting it if necessary.
  • India: With the introduction of the 'Digital Personal Data Protection (DPDP) Act' in 2023, India now has its first comprehensive data protection law. However, the government still reserves the right to access sensitive data under certain conditions.
  • Japan: While Japanese data protection regulations are considered stringent, authorities may still access sensitive information under specific legal circumstances.
  • Israel: Despite maintaining high security standards, the Israeli government retains the authority to access data, particularly in matters of national security.

The European Commission conducts what are known as adequacy decisions to evaluate whether a third country – meaning a country outside the European Economic Area (EEA) – offers a level of data protection comparable to that of the EU. If the Commission determines that a country’s safeguards are sufficient, it issues an adequacy decision. This allows personal data to be transferred to that country without requiring additional safeguards.

As of May 2025, countries with active adequacy decisions include Israel and Japan, as well as 13 other states such as Canada, Argentina, and South Korea.

The United States presents a unique case in the context of EU adequacy decisions. The EU-U.S. Data Privacy Framework is an agreement intended to enable lawful data transfers between the EU and the U.S. Based on this framework, the European Commission has issued an adequacy decision for the U.S. However, due to the CLOUD Act and political unpredictability – especially under the administration of Donald Trump – data security cannot be fully guaranteed.

By contrast, EU-based cloud providers are governed by the General Data Protection Regulation (GDPR), offering significantly greater legal clarity and security. They must adhere to strict privacy standards, and access to data by third parties is heavily restricted under European law.

Why is it more secure for EU companies to work with EU-based subcontractors?

Storing data with EU-based cloud providers significantly reduces the risk of unauthorized access by non-EU governments. Companies benefit from a clear and reliable legal framework, avoiding the uncertainties and economic risks often associated with international data transfers. This way, information security remains firmly under European jurisdiction.

Moreover, many European cloud infrastructure providers adhere to transparent and verifiable security standards. They are subject to regular audits and must continuously adapt their systems to meet the stringent requirements of the General Data Protection Regulation (GDPR). Beyond legal and technical advantages, partnering with EU subproviders also delivers economic benefits: businesses help strengthen local service providers, foster European digital sovereignty, and reduce dependency on non-European tech giants.

A comparison of six cloud infrastructure providers

IONOS 🇩🇪

IONOS is a German cloud infrastructure provider that places a strong emphasis on GDPR compliance and rigorous security standards. All customer data is stored exclusively within Europe, providing a high level of legal certainty.

Amazon Web Services (AWS) 🇺🇸

As the global market leader in cloud infrastructure, AWS offers powerful and scalable services. However, as a U.S.-based company, it falls under the scope of the CLOUD Act. Even with European data centers, there remains a risk that U.S. authorities could gain access to stored data.

Google Cloud 🇺🇸

Like AWS, Google Cloud is also governed by the CLOUD Act. While the company has made significant investments in encryption and security technologies, the underlying legal uncertainties associated with U.S. jurisdiction still pose potential risks for EU companies.

OVHcloud 🇫🇷

OVHcloud is a French provider known for its strong commitment to information sovereignty. Governed by European data protection laws, the company operates multiple data centers throughout Europe.

Microsoft Azure 🇺🇸

Despite offering European-based data centers and implementing various compliance initiatives, Microsoft – as a U.S. company – is ultimately subject to the CLOUD Act. This means that legal access to sensitive data by U.S. authorities remains a possibility, even when data is hosted within the EU.

Alibaba Cloud 🇨🇳

As part of the Alibaba Group, Alibaba Cloud is subject to China's cybersecurity regulations, which allow government agencies broad access to corporate data. For EU organizations, this introduces significant data protection concerns and potential compliance risks.

Tips: Want to know which cloud provider is hosting a particular website? Tools like Hosting Checker can help you identify the hosting service behind any domain in just a few seconds.

Also, if you’re unsure whether the project management software your company uses is truly secure, be sure to check out our article on end-to-end encryption and data protection in SaaS tools.

Conclusion: True data security is only achievable with EU-based subcontractors

The analysis makes one thing clear: EU-based providers are the safest choice for European companies. While international providers offer similar services, they are ultimately subject to foreign laws, which can pose serious risks to data security. In contrast, European cloud infrastructure providers not only ensure legal compliance under the GDPR – they also promote digital sovereignty and reduce dependence on non-European vendors.

At Stackfield, for example, only subcontractors based within Europe are used – for both data processing and data storage. The company carefully assesses the corporate structures of potential subcontractors to ensure that the CLOUD Act is not applicable under any circumstances. This guarantees that no data access or control by non-EU third countries is possible.

What’s more, this strict security model is reinforced by genuine end-to-end encryption, which guarantees that even Stackfield employees cannot access customer data. As a result, Stackfield meets the highest standards of information security and compliance.

Christopher Diesing
About the Author:
Christopher Diesing is the COO of Stackfield. He loves all kinds of marketing, product design as well as photography.