I kind of share the opinion of the FSF Europe that it is less important where software comes from compared to whether it’s libre, but for cloud hardware I really hope that we manage to create competitive European offerings. Maybe we’re lucky and this European initiative will produce more than five Fraunhofer institutes and a gift to SAP.
I would say there’s even less chance nowadays to generate a fully private set of European alternatives to American cloud offerings.
Europes bureaucratization and the growth of the size of states has increased the last 10 years. I have less and less hope that we’re able to set the right free market conditions for real competition to happen.
That doesn’t mean that won’t be alternatives to American offerings, but most probably will come from somewhere else (Singapore, China, Taiwan…)
> set the right free market conditions for real competition to happen
Just as a curiosity, what exactly are those "right free market conditions" and where have those been successfully implemented before? Because I think most of us (Europeans) are desperately trying to avoid replicating the American experiment, so if that's the "right free market conditions" I think we're trying to avoid those on purpose.
But maybe you're thinking of some other place, then I'm eager ears to hear what worked elsewhere :)
"You can't do X" is a much different experience from "you can do X, but you need to spend a year and thousands of man-hours of paperwork applying for permission to do it".
In China, if the five-year plan prioritizes something, businesses will be up and running in months. In France, if the French parliament enacts a law prioritizing something, businesses still have to fight individual departments or local governments that have their own ideas about how they should regulate it.
I can't believe we're talking about China in the context of a Cloud sovereignty issue and this is even a question.
Having worked for these Cloud providers China has consistently used bureaucracy to exfiltrate Cloud technologies and to tip the scales of effectiveness of offerings through levers with China Telecom/Unicom. Analyzing the backbone, you could see it in real time.
China basically offsets its bureaucracy by doing the one thing Europe has not done so far in this space: overtly hurt foreign competitors. It doesn't matter how superior your offerings are if the end customers end up throttled creating a less desirable experience than the less-featured, stable domestic competitor.
Unfortunately - the elephant in the room is China got to where it was by being overtly adversarial with the US from the jump after 2010 which translated to a number of anti-competitive measures. The EU's in a spot because it's mostly responding to Trump and a poorly written US law. The US and EU are weird friends in that we could both exfiltrate each other's tech, patents, and industrial assets and move on with business but that's not actually what either side actually wants.
China weaponizing bureaucracy towards foreign companies isn’t really relevant though.
AFAIK domestic companies operating in China don’t have to endure anywhere near the amount of red tape that EU companies typically do when operating in the EU.
I wonder is the GP is referring to the CLOUD Act, as it is true that US companies cannot be compliant with both the GDPR and the CLOUD Act, but it doesn't weaken the case for European tech sovereignty.
Sounds like a broad blanket statement, have any specifics about this?
GDPR and cybersecurity laws are designed to be compatible, not mutually exclusive, but I'm sure there are edge-cases. Still, what exact situation did you find yourself in here in order to believe they're mutually exclusive?
All US companies selling to European customers have to comply with GDPR. European companies selling only to non-European customers don’t have to comply with GDPR. It’s all about who your users are. Not where your company is registered.
I think what OP means is that a US company cannot simultaneously comply with the CLOUD act and the GDPR. That case has also been made by some courts in the EU, that US law and practice are incompatible with the requirements of the GDPR. US companies who claim to process data in accordance with the GDPR seem to be deceiving their customers. Maybe I'm wrong but it seems to me that companies in the EU who rely on US services, corporations in the US, and even governments themselves keep quit about this unpleasant truth. It means that Microsoft Windows violates the GDPR, Google violates it, every US social network violates it, etc.
Of course, as someone else mentioned, that is not an argument against EU sovereignty but rather one of its motors.
> European companies selling only to non-European customers don’t have to comply with GDPR.
Usually they do. European company processing personal data of non-EU customers falls with article 3(1) "This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."
Of course if they do not process any personal data then it wouldn't apply but that's pretty unlikely (and if that was the case the EU customers data wouldn't fall within GDPR either).
> Europes bureaucratization and the growth of the size of states has increased the last 10 years.
None of these things matter. They're trivially set aside. All that matters is how many insane threats the US Gov keeps making. Hopefully as many as possible. This is what creates demand, and from demand, everything else follows automatically.
Like, how can you not see this based on recent events? I'm willing to bet a house that in Feb 2026 there will be much more relative movement from US to EU clouds than in Feb 2015. Despite all of that "increased bureaucracy".
Ok, but it's not like nothing was done after Draghi report - EU formed at least 5 committees and commissioned multiple think-tanks to develop reports about possible development of the pathway to the programme that will work on bureaucracy and overregulation.
We already have excellent cloud providers in Europe. But most importantly, most businesses using the cloud would be better off with simple on-prem solutions. So much cheaper to operate and control.
Until you factor in the salaries of the new employees you have to hire now, the cost of that hiring process, the compliance and security implications of operating servers on your premises, the ongoing maintenance of the software and operating systems, the new infrastructure to maintain, including but not limited to backup power supply and overall redundancy, the need to manage the lifecycle of the new hard- and software, the documentation for all of this… I could go on for a while.
It's not like these cloud solutions are just solving laziness.
A lot of this could be standardized and packaged into a product, a modern take on the 'server appliance.' Unpack some gear, plug it together according to a nice diagram, connect to a management console that feels familiar to anyone who's deployed to the cloud.
Listened to a story about a fairly large company that switched to cloud and then back to on-premise. When they went cloud they quickly found out that they needed employees to manage the cloud infrastructure. The employee costs were similar for both setup.
Compliance and security testing does not go away just because you use cloud. The steps and questions will be different, but regulations like NIS and GDPR have extensive requirements regardless if you implement it yourself or buy it from an external supplier.
I would also not recommend to go with a single cloud solution with no backup solution and overall redundancy, unless a $5 voucher is good enough compensation for the service being down a whole day. The general recommendation after the latest waves of outages was for cloud users to use multiple cloud providers and multiple backup solution. It is just like how on-premise solutions need off-premise backups.
> Compliance and security testing does not go away just because you use cloud. The steps and questions will be different, but regulations like NIS and GDPR have extensive requirements regardless if you implement it yourself or buy it from an external supplier.
That’s a bit disingenuous. If I don’t operate a physical server rack, I also do not need to take care of physical access control, fire suppression policies, camera monitoring, key handling, and a wide range of other measures I would be otherwise obliged to take care of under GDPR. You can absolutely outsource classes of problems. What’s true is that that doesn’t lift the responsibility from you to check your cloud provider fulfils these obligations, but that’s very different from having to fulfil them yourself.
Go through a security review. It not as simple as just saying "we outsource that so we have no idea what they do or how they manage the data". It is disingenuous to claim that people can just outsource the whole problem and not care.
This would be part of the responsibility of the cloud managers, which need to be hired, paid and trained, on top of the cost of paying the cloud providers. There is no free lunch.
I am responsible for security reviews. I never claimed it was that simple, nor that there was free lunch. I said it is easier to outsource it than to handle it yourself to an equal level of what a cloud provider is able to do, from a legal and operational perspective.
Easier is a very subjective measurement. Lets compare two solutions with different hires. One hire system administrators that rent space in a serverhall. The other hire cloud managers that rent space in the cloud.
What can we definitive say about the difference be in salaries, training, and team size? Can we say anything specific about legal and operational perspective?
Sorry but I think it is indeed much easier to have a cloud provider take care of those things. That's partly how we came to the situation we are in: a lot of people outsourced this type of work to Microsoft or AWS, because it was easier.
I get what you are saying, that responsibility is still yours for making the correct choices, and to know what the cloud providers are doing. In the real world though hardly anybody cares, even though we have threats like the CLOUD act in place. So, yeah, people should care but ultimately they often don't.
Yes, it is true that no one ever got fired for buying IBM. It is also very common that people just use an AI for reviews and then deal with the fallout if anyone actually calls them on the bluff. Paying fines, if anyone do care, are just part of doing business.
However in the same way, it doesn't then matter much if you are using the cloud or not. The work needing to copy the output of an AI to fill in the forms takes similar amount of time.
First off, servers on someone else's premises are by definition not on-prem; and second, it still leaves you with a lot of the maintenance, management, and documentation overhead that comes with operating infrastructure equipment.
I'm not sure it will convince the "haters" nor they'll get it, but I'll keep it close to share with some people that are confused but open enough to understand the nuance.
Exactly. People used to think that aws is somehow convenient(partially true) and much cheaper which it absolutely isn't. Hooking on anything trendy and pretending it solve all the issues is tech illness.
For example micro services. You do not need infrastructure heavy software paradigms for large majority of use cases but it was just blindly accepted as new standart which we are now, again, moving away.
Right, but have you tried recruiting someone recently who is capable of running a pair of local servers (including organizing redundant power feeds), upgrading the OS on them with no downtime, and arranging for off-site backups of the enterpris's data?
These used to be the skills of a generalist sysadmin for a small-site with on-prem services.
Those skills are no longer available on the market. Students in the local apprenticeship program have one class about hardware, and they don't even touch it, just talk about it.
Offer just half of the typical AWS cloud bill and you'll magically have lots of candidates! But greed often doesn't let companies pay any more than "market rate" even if it means paying twice that to AWS or a vendor instead.
Just hired a 45yo who excels and loves and thrives doing this stuff. Proxmox, local storage, local backups + offsite backups. 1Pb of data, colocation costs are 5k/month. Guess AWS costs for similar
No, most wouldn’t. Too much risk and overhead for most companies to do so… most companies should and do just focus on the business value they add, rather than the underlying physical infra
They are not European. They are French, or Swiss, or Scandinavian, each of those countries who may sooner or later not align anymore with your strategic interests. Countries should only trust themselves for sensitive stuff.
> Please provide a list, no sarcasm. And please don’t put Hetzner on it, as it is not a cloud provider.
In what way are they not a "cloud" provider? Because their managed services portfolio isn't as wide as AWS or Azure? What about Scaleway's services then?
The implied question was what OP's idea of "the cloud" is, where they draw the line between "cloud" and server host. It's possible they simply aren't familiar with the Iaas/PaaS terminology.
I posted a link to what most cloud-native developers understand to be "cloud" a few times already. If IaaS is the only offering on the table, it's not cloud.
In my book a cloud provider is a provider where you can spin up VMs at scale, offers multiple geographic regions across the world, offers managed complementary services such as S3, CDN, GLB, IAM, Managed Databases, backup & restore, FaaS, container registry, managed K8s or another container orchestration platform, PoPs around the world.
Hetzner has an S3 compatible offering, a VPS offering and that's it. Their core business is renting physical servers. And I see lately they offer a load balancing service.
You know, we used to have a single tech company providing essentially an entire tech stack to its customers. Its core enterprise pricing provided a platform with impressive compute capabilities, high redundancy, global support, strong backward compatibility and the backing of a company providing consulting and an ecosystem made of a lot of other software products. That company is still alive and well, although that product is probably less appealing now to new customers.
I'm talking about IBM mainframes.
Eventually, as the Internet (networking) and open source technologies (like Git and Linux) become more and more widespread, people realized they could build their services by combining products from different vendors (not to mention FOSS). I'm talking about the 1990s-2000s.
Now, after 20-30 years, we're thinking that the same company must provide the entire tech stack or lose relevancy as a provider.
To be clear, AWS and mainframes are pretty different from a technical standpoint, but I do wonder if we're kinda repeating the same cycle over and over. Asking the same company to provide everything and then build stuff with different products, to then find a new company which can provide everything and so on.
It's one thing to say that a lot of AWS/Azure/Google users take advantage of many managed services.
But saying something is not a cloud provider because they don't provide a specific SaaS is kinda weird, especially if you read the NIST definition of cloud computing or when you consider that not every AWS user is using more than a handful of services (does that make AWS a cloud provider only for more "advanced" users?).
Sure, smaller cloud providers don't usually have all those services, but this doesn't mean they are not cloud providers. They cannot attract users who are more familiar with specific managed services, but they can probably satisfy the needs of other users who are more than happy with a smaller feature set.
Also, limiting yourself to a smaller portion of AWS/Azure/GCP services can facilitate migrations to other cloud platforms (think AWS -> Azure or viceversa), because you're less tied to specific proprietary tooling.
> because they don't provide a specific SaaS is kinda weird
I think for most business stakeholders it's not about the number of services but rather the coverage of business-critical needs. When you have access to Azure Entra, you know that you can cover 90%+ of your auth needs with that service. If you have access to AWS S3, you know that your various storage needs would be possible to cover with that. If a managed Postgres is available, you know that most of the IT systems you run would be able to take advantage of that. You look at Azure their IAM/audit/observability offerings and it's the same.
When you look at Hetzner as a business stakeholder, all you see are bare servers and and one object storage service that you are not sure of how battle-tested it is. And then you start thinking: "okay, I will need to run k8s or some other workload orchestration approach, my IT systems need Postgres/MySQL/SQL Server etc, I need auth, I need audit, I will need to build, operate, maintain all of that in-house". I am not saying that this is a wrong path for everyone, but Hetzner essentially leaves you no choice. And many business stakeholders who have been operating their own own-prem infra or colocated or rented IaaS plus a large dev team for decades and have since switched to one of the hyperscalers and reduced their dev/IT headcount - may not want to go back to the old model.
> limiting yourself to a smaller portion of AWS/Azure/GCP services can facilitate migrations to other cloud platforms.
Yes, which is why you insist (where possible/reasonable) on Postgres-compatible DBMS offerings, IdP solutions based on OIDC, observability on OpenTelemetry.
> Sure, smaller cloud providers don't usually have all those services, but this doesn't mean they are not cloud providers
Yes, it could mean that they are not cloud providers.
> but they can probably satisfy the needs of other users who are more than happy with a smaller feature set
Please see the linked article. This is essentially "users who are happy to build some of the furniture themselves".
I agree that there is a difference between "wood" and "furniture".
Although maybe a more apt comparison is IKEA vs another furniture store.
With IKEA you have a relatively basic "style". You'd be hard to pressed a 1800 style table, for example, but if you are a student or someone who just wants to live in a new place, it's a pretty solid store to go. However, they give you the pieces (not just basic wood, already pre-made pieces) and you have to put them together.
Other furnitures have a lot more choices in terms of styles and they allow you to just buy stuff without any DIY needed.
Different offerings in the same space (no one in IKEA is asking you to cut wood and make your own chair legs or whatever), both valid.
Furniture metaphores aside, what I'm saying is that there is a subset of users which is completely fine with those services, which are still provided in a self-service, pay-per-use way without the need to have admin rights over the entire platform. That's a cloud provider. A more limited one, sure, but it can still be a cloud provider.
And when it comes to business stakeholders, coverage is important, but so are other concerns, including the ability to move out when needed (which still requires some sensible technical choice, because if you go "all in" you're complicating your exit strategy), or even concerns like the ones mentioned in the OP.
Obviously, each company has its own risk aversion and its own decision making process, and so far market share heavily favors the Big Three even outside of the US, but this doesn't mean alternative options should be dismissed as "not cloud providers" just because they don't provide all those services.
I have used Hetzner off and on for years, nice products and services.
I don’t care what provider you use, if your business or app use case needs any sort of reliability have a plan for reinstalling code and data on alternate providers quickly as possible.
There are horror stories of people and companies being cut off because of pressure from the US government, or having one of the Google/Microsoft/Amazon tech giants cancelling accounts.
Really, in today’s world, why totally rely on anyone?
EDIT: it seems prudent to maintain a cloud account in Europe, US, and Asia and have a plan for moving application code and data around if required. Outside the US I have mostly only used Hetzner, but Alibaba has impressive looking services.
Sure they might not have all the same offerings but they are really easy to abstract upon and personally I feel like hetzner is seriously one of the best cloud providers.
Hetzner is absolutely 10x more competitive than AWS. It's actually hard to match the competitiveness of hetzner with their scale actually. I seriously can't understate this enough but AWS being competitive is really somewhat of a mass delusion or maybe the fact that Companies don't know other alternatives exist but I genuinely find it absolutely strange.
Also, just go ahead and try hetzner and see their competitiveness out for yourself. Seriously, one of the best (netcup another german hosting is really great too and they can be even cheaper at times and its something I personally use and can vouch for both netcup/hetzner)
Without a viable MS Office/Google Docs alternative it's all rather performative. If those get blocked the entire bureaucratic machine stops dead. Hell block just excel and entire countries might actually collapse.
I have seen transitions from MS suite at universities and I don't think what you are saying is true.
First assumption is that there are no alternatives so you can't replace Excel as a software. Obvious ones for Excel - LibreOffice, Collabora, OnlyOffice or Grist (which i highly recommend). The paradoxical problem is there is no clear THE ONE so organizations get into decision paralysis and never move anywhere.
The other assumption is that even if there were alternatives people will not adopt them. In reality this is rarely issue. Turns out users/employees/students actually don't care much what software they have to use. They just use what is available or what they are told to use. So the reason why people use MS Office is actually because it's mandated from the top. Lawyers use it because state/gov/court communication requires it. Students use it because they need to submit thesis in MS Word. It's socially locked in.
I've been at a university which switched over the summer from MS Office to LibreOffice. The results were boring. 40k people just adopted it, no drama, some liked it more (works on linux yay), took some people few weeks to learn/adjust. People are used learning new things.
So can we stop with that story that 40 year old software which barely changed in last 20 years can't be replaced?
This whole digital sovereignty is i think extremely scary proposition for Microsoft because just as they are now mandated solution by most western world... they are one law away (all state/university communication must be with libre software) to be on the other side of their current mandate / lock in.
Well I hope you're right, the transitions I've seen proposed were mostly shot down because people refused to learn anything new and due to nebulous certification requirements that Microsoft of course has.
Speaking of OnlyOffice, I've seen it crop up more and more lately and apparently it's Latvian, so maybe that will be the one eventually. Though my experience with it has been that it's not very stable (lots of crashing around embedding video anyway) and has a smaller feature set.
That's the point though: there was never a particularly compelling reason to move so no one did. 5 years ago "what if America starts making threats?" would've been a ridiculous notion.
Proton drive is fine, their docs service is usable but could use improvement. Their secure and private file and docs sharing with other Proton users could be a great feature, if you need it.
EDIT: I just re-tried Proton docs and spreadsheets - much improved docs, and I think the spreadsheets are a new feature; looks OK but I am on mobile right now so minimal testing.
