DNS: GDPR Assessment & EU Alternatives

In the Sovereignty Scan we currently list 2 EU/EEA providers and 0 providers from the UK/Switzerland in the dns area. EU providers are directly subject to GDPR with no third-country transfer; the UK and Switzerland have adequacy decisions from the EU Commission. Each recommendation includes the hosting region, ownership chain, and a brief migration plan.

Not automatically. However, US providers are subject to the CLOUD Act and FISA 702. Government access remains legally possible, even with EU hosting. For each of the 4 US providers in this category, Schrems II requires standard contractual clauses plus a Transfer Impact Assessment. The EU-US Data Privacy Framework (DPF) simplifies the transfer but does not eliminate the CLOUD Act.

Three criteria matter: (1) the registered seat and parent company of the provider, (2) the hosting region (ideally EU/EEA), and (3) the subprocessor list. Many EU providers use US subprocessors for email delivery or hosting and are therefore still exposed to the CLOUD Act. On each vendor profile in this category you will find these three points plus a migration estimate in business days.

An ‘EU region’ of a US provider (e.g., AWS Frankfurt, Salesforce EU) is physically located in the EU but belongs to a US corporation and thus falls under US law. A genuine EU alternative has its legal seat and parent company in the EU, EU hosting, and no US subprocessors in the contract chain. Only the second option rules out the CLOUD Act.