Independent Reference · Cloud Storage EU Software Sovereignty Index
Not just "is it in the EU?" — the question that actually matters:
who can legally compel access to your data?
We scored 7 European cloud-storage providers on ultimate ownership,
parent-company jurisdiction, where your data physically sits, and whether the
provider can read it at all.
Last updated 2026-06-11 · v0.2 · sources cited per provider · CC BY 4.0
Key findings
- pCloud scores lowest (53). A "Swiss" brand, but it lets you pick a US (Dallas) data region and its default storage is not zero-knowledge — real US CLOUD Act exposure.
- Tresorit is owned by the Swiss state. Swiss Post (wholly owned by the Swiss Confederation) holds a majority stake since 2021.
- Jottacloud is now ~50% Telenor (itself ~54% Norwegian-state-owned) and offers no zero-knowledge option at all.
- Internxt is open-source, audited and end-to-end. Its consumer Drive runs on EU-owned OVHcloud infrastructure (verified 2026-06-11); a US region exists only for its separate object-storage product.
- Proton Drive tops the list (94): foundation-controlled, Swiss/German servers, zero-knowledge by default.
Brussels now scores cloud sovereignty too
On June 3, 2026 the European Commission unveiled its first comprehensive tech-sovereignty package. The centerpiece, a proposed Cloud and AI Development Act, introduces four trust tiers for cloud services used by public authorities, graded on ownership, control, supply-chain dependencies, data processing and infrastructure location. Providers that fail the sovereignty criteria would be barred from sensitive government contracts, and €2 billion is earmarked for open-source development (TechPolicy.Press, EU Commission).
Those are close to the dimensions this index has scored since day one: jurisdiction, ownership, data residency, encryption, transparency. The difference is scope. The Commission grades providers for government procurement; we grade them for your files.
The ranking
Click a column header to sort.
How we score
Each provider scored 0-100 across 5 transparent, equally-weighted dimensions (0-20 each). CLOUD Act exposure is a derived headline rating, not part of the score.
- Jurisdiction
- Country of incorporation AND controlling ownership. EU member = 20; EEA/EFTA with EU adequacy (CH/NO) = ~17-18; any non-EU/EEA controlling owner reduces.
- Data residency
- Where data physically sits. EU/EEA-only with no non-EU option = 20; non-EU option available (even opt-in) reduces; user-determined (self-host) scored on realistic EU hosting.
- Encryption
- Can the provider read your files? End-to-end zero-knowledge by default = 20; opt-in/add-on only = ~5-12; provider-held keys with no option = ~3.
- Ownership
- Independence and absence of non-EU control. Foundation/state-EU/bootstrapped independent = ~18-20; EU VC-backed = ~16-17; unverified or historical non-EU investors reduce.
- Transparency
- Open source + independent third-party audit = ~18-20; closed but certified/audited = ~10-12; closed with no public audit = ~7-8.
Compiled from primary sources where possible (company security/legal pages, registries, official press releases). 'unverified' items are flagged per provider. This is an informational assessment, not legal advice. Corrections welcome.
Provider profiles
#1 Proton Drive
94/100 CLOUD Act: Low - Incorporation
- Switzerland (EFTA, EU adequacy)
- Ultimate ownership
- Controlled by the non-profit Proton Foundation (Swiss, takeover-protected) since 2024; remainder held by employees, FONGIT and users. Early US VC (CRV) fully exited 2021. No current VC/PE, no non-EU control.
- Data residency
- Switzerland + Germany (company-wide also Norway). No US/non-EFTA location. Proton owns its own hardware.
- Encryption
- End-to-end, zero-knowledge by default. Files encrypted client-side (OpenPGP/ECC); user holds keys; Proton cannot read contents or filenames.
- Open source
- Client apps open source + independently audited
#2 Nextcloud
88/100 CLOUD Act: Low (when EU-hosted/on-prem; rises if hosted on US-owned cloud) - Incorporation
- Germany (EU)
- Ultimate ownership
- Independent, bootstrapped, founder/employee-owned (Nextcloud GmbH, HRB 227086). No venture capital, no parent/holding company, no non-EU ownership.
- Data residency
- Self-hosted: data resides wherever the operator installs it. Can be fully on-prem or on EU infrastructure (Hetzner/OVH). No first-party cloud holding user files.
- Encryption
- Server-side encryption (admin-held keys) and optional end-to-end (user-held keys) — both opt-in. The self-hoster, not Nextcloud GmbH, controls keys.
- Open source
- Yes (fully open source)
#3 Internxt
86/100 CLOUD Act: Low (Medium for US object-storage region) - Incorporation
- Spain (EU)
- Ultimate ownership
- Founder-controlled (Fran Villalba Segarra); ~$8.5M raised from EU/EEA-adjacent investors (Angels Capital ES, Prosegur Tech ES, Andorra Telecom). No controlling US investor identified. €1.4M Spanish CDTI/EU-supported grant.
- Data residency
- Primarily European: Internxt names OVHcloud (France, EU-owned) as its infrastructure partner and states files are 'stored across multiple European cloud data centers' (provider statement, checked 2026-06-11). A US Object-Storage region (us-central-1) exists for the separate S3-compatible product, not consumer Drive.
- Encryption
- End-to-end, zero-knowledge by default; user-held mnemonic key; open source; independently audited by Securitum (2024/2025), no severe findings.
- Open source
- Yes (github.com/internxt) + audited
#4 Tresorit
80/100 CLOUD Act: Low - Incorporation
- Switzerland (HQ Zurich; founded 2011 in Hungary)
- Ultimate ownership
- Majority-owned by Swiss Post (Swisspost) since July 2021 — Swiss Post is wholly owned by the Swiss Confederation (state-owned). Operates as an independent subsidiary.
- Data residency
- Default Ireland (EU); Swiss customers default to Switzerland. Business/Enterprise can select ~12 regions incl. US (East/West) — opt-in, not default.
- Encryption
- End-to-end, zero-knowledge by default. Client-side keys (RSA-4096 + AES-256); Tresorit cannot access contents or keys.
- Open source
- Closed source; ISO 27001 / SOC 2 / HIPAA certified
#5 kDrive (Infomaniak)
71/100 CLOUD Act: Low - Incorporation
- Switzerland (EFTA, EU adequacy)
- Ultimate ownership
- Independent, Swiss-controlled (Infomaniak Network SA, Geneva). No VC/PE, no public listing, no parent. Majority of shares moving into a public-interest foundation from 2026. No non-EU ownership.
- Data residency
- Switzerland only — Infomaniak's own data centers (Geneva + Winterthur/Zurich). No non-EU/EFTA option.
- Encryption
- Encryption at rest (AES, provider-held keys) + TLS — NOT zero-knowledge by default. Optional opt-in 'Vault' provides user-held-key E2E for selected files.
- Open source
- Closed source; runs own infrastructure
#6 Jottacloud
63/100 CLOUD Act: Low - Incorporation
- Norway (EEA, not EU)
- Ultimate ownership
- As of March 2025, a 50/50 JV between Hawk Infinity and Telenor Amp (merger with Telenor Software Lab). Telenor ASA is ~54% Norwegian-state-owned. No non-EEA ownership.
- Data residency
- Norway only — own server center near Stavanger. No non-EEA option.
- Encryption
- Encryption at rest (AES-256, provider-held keys) + TLS 1.3. NO zero-knowledge / client-key option ('Jottacloud does not support creating your own private encryption keys').
- Open source
- Closed source
#7 pCloud
53/100 CLOUD Act: Medium-High - Incorporation
- Switzerland (HQ Baar; operations in Bulgaria, EU)
- Ultimate ownership
- Founder-led, independent (Tunio Zafer, Anton Titov); single ~$3M round in 2015. Cross-checked against Crunchbase, PitchBook and Dealroom on 2026-06-11: no acquisition and no parent company identified. Swiss registry cap table not publicly confirmed.
- Data residency
- User chooses at signup: EU (Luxembourg) OR US (Dallas, Texas). The US region is a real, selectable option placing data under US jurisdiction.
- Encryption
- Server-side AES-256 at rest by default with provider-held keys (NOT zero-knowledge). Zero-knowledge only via paid 'pCloud Crypto' add-on, per-folder, opt-in.
- Open source
- Closed source; ISO 27001 / GDPR