Independent Reference · Cloud Storage

EU Software Sovereignty Index

Not just "is it in the EU?" — the question that actually matters: who can legally compel access to your data? We scored 7 European cloud-storage providers on ultimate ownership, parent-company jurisdiction, where your data physically sits, and whether the provider can read it at all.

Last updated 2026-06-11 · v0.2 · sources cited per provider · CC BY 4.0

Key findings

Brussels now scores cloud sovereignty too

On June 3, 2026 the European Commission unveiled its first comprehensive tech-sovereignty package. The centerpiece, a proposed Cloud and AI Development Act, introduces four trust tiers for cloud services used by public authorities, graded on ownership, control, supply-chain dependencies, data processing and infrastructure location. Providers that fail the sovereignty criteria would be barred from sensitive government contracts, and €2 billion is earmarked for open-source development (TechPolicy.Press, EU Commission).

Those are close to the dimensions this index has scored since day one: jurisdiction, ownership, data residency, encryption, transparency. The difference is scope. The Commission grades providers for government procurement; we grade them for your files.

The ranking

Click a column header to sort.

# Provider Score CLOUD Act Jurisdiction Data residency Encryption (default)
1 Proton Drive 94 Low Switzerland (EFTA, EU adequacy) Switzerland + Germany (company-wide also Norway). No US/non-EFTA location. Proton owns its own hardware. E2E by default
2 Nextcloud 88 Low (when EU-hosted/on-prem; rises if hosted on US-owned cloud) Germany (EU) Self-hosted: data resides wherever the operator installs it. Can be fully on-prem or on EU infrastructure (Hetzner/OVH). No first-party cloud holding user files. E2E opt-in
3 Internxt 86 Low (Medium for US object-storage region) Spain (EU) Primarily European: Internxt names OVHcloud (France, EU-owned) as its infrastructure partner and states files are 'stored across multiple European cloud data centers' (provider statement, checked 2026-06-11). A US Object-Storage region (us-central-1) exists for the separate S3-compatible product, not consumer Drive. E2E by default
4 Tresorit 80 Low Switzerland (HQ Zurich; founded 2011 in Hungary) Default Ireland (EU); Swiss customers default to Switzerland. Business/Enterprise can select ~12 regions incl. US (East/West) — opt-in, not default. E2E by default
5 kDrive (Infomaniak) 71 Low Switzerland (EFTA, EU adequacy) Switzerland only — Infomaniak's own data centers (Geneva + Winterthur/Zurich). No non-EU/EFTA option. E2E opt-in
6 Jottacloud 63 Low Norway (EEA, not EU) Norway only — own server center near Stavanger. No non-EEA option. Provider holds keys
7 pCloud 53 Medium-High Switzerland (HQ Baar; operations in Bulgaria, EU) User chooses at signup: EU (Luxembourg) OR US (Dallas, Texas). The US region is a real, selectable option placing data under US jurisdiction. Provider holds keys

How we score

Each provider scored 0-100 across 5 transparent, equally-weighted dimensions (0-20 each). CLOUD Act exposure is a derived headline rating, not part of the score.

Jurisdiction
Country of incorporation AND controlling ownership. EU member = 20; EEA/EFTA with EU adequacy (CH/NO) = ~17-18; any non-EU/EEA controlling owner reduces.
Data residency
Where data physically sits. EU/EEA-only with no non-EU option = 20; non-EU option available (even opt-in) reduces; user-determined (self-host) scored on realistic EU hosting.
Encryption
Can the provider read your files? End-to-end zero-knowledge by default = 20; opt-in/add-on only = ~5-12; provider-held keys with no option = ~3.
Ownership
Independence and absence of non-EU control. Foundation/state-EU/bootstrapped independent = ~18-20; EU VC-backed = ~16-17; unverified or historical non-EU investors reduce.
Transparency
Open source + independent third-party audit = ~18-20; closed but certified/audited = ~10-12; closed with no public audit = ~7-8.

Compiled from primary sources where possible (company security/legal pages, registries, official press releases). 'unverified' items are flagged per provider. This is an informational assessment, not legal advice. Corrections welcome.

Provider profiles

#1

Proton Drive

94/100 CLOUD Act: Low
Incorporation
Switzerland (EFTA, EU adequacy)
Ultimate ownership
Controlled by the non-profit Proton Foundation (Swiss, takeover-protected) since 2024; remainder held by employees, FONGIT and users. Early US VC (CRV) fully exited 2021. No current VC/PE, no non-EU control.
Data residency
Switzerland + Germany (company-wide also Norway). No US/non-EFTA location. Proton owns its own hardware.
Encryption
End-to-end, zero-knowledge by default. Files encrypted client-side (OpenPGP/ECC); user holds keys; Proton cannot read contents or filenames.
Open source
Client apps open source + independently audited

Caveats / confidence (high): Exact cap-table splits not public; whether Drive data specifically replicates to Norway is unverified.

Sources: [1] · [2] · [3]

#2

Nextcloud

88/100 CLOUD Act: Low (when EU-hosted/on-prem; rises if hosted on US-owned cloud)
Incorporation
Germany (EU)
Ultimate ownership
Independent, bootstrapped, founder/employee-owned (Nextcloud GmbH, HRB 227086). No venture capital, no parent/holding company, no non-EU ownership.
Data residency
Self-hosted: data resides wherever the operator installs it. Can be fully on-prem or on EU infrastructure (Hetzner/OVH). No first-party cloud holding user files.
Encryption
Server-side encryption (admin-held keys) and optional end-to-end (user-held keys) — both opt-in. The self-hoster, not Nextcloud GmbH, controls keys.
Open source
Yes (fully open source)

Caveats / confidence (high): Exposure is deployment-dependent: hosting on AWS/Azure/GCP reintroduces US reach. Exact shareholder split paywalled (registry).

Sources: [1] · [2] · [3]

#3

Internxt

86/100 CLOUD Act: Low (Medium for US object-storage region)
Incorporation
Spain (EU)
Ultimate ownership
Founder-controlled (Fran Villalba Segarra); ~$8.5M raised from EU/EEA-adjacent investors (Angels Capital ES, Prosegur Tech ES, Andorra Telecom). No controlling US investor identified. €1.4M Spanish CDTI/EU-supported grant.
Data residency
Primarily European: Internxt names OVHcloud (France, EU-owned) as its infrastructure partner and states files are 'stored across multiple European cloud data centers' (provider statement, checked 2026-06-11). A US Object-Storage region (us-central-1) exists for the separate S3-compatible product, not consumer Drive.
Encryption
End-to-end, zero-knowledge by default; user-held mnemonic key; open source; independently audited by Securitum (2024/2025), no severe findings.
Open source
Yes (github.com/internxt) + audited

Caveats / confidence (medium-high): Consumer-Drive EU residency is provider-stated (OVHcloud partnership confirmed on Internxt's data-center page 2026-06-11), not independently audited. The us-central-1 region belongs to the separate Object Storage product. E2E mitigates either way (ciphertext only).

Sources: [1] · [2] · [3]

#4

Tresorit

80/100 CLOUD Act: Low
Incorporation
Switzerland (HQ Zurich; founded 2011 in Hungary)
Ultimate ownership
Majority-owned by Swiss Post (Swisspost) since July 2021 — Swiss Post is wholly owned by the Swiss Confederation (state-owned). Operates as an independent subsidiary.
Data residency
Default Ireland (EU); Swiss customers default to Switzerland. Business/Enterprise can select ~12 regions incl. US (East/West) — opt-in, not default.
Encryption
End-to-end, zero-knowledge by default. Client-side keys (RSA-4096 + AES-256); Tresorit cannot access contents or keys.
Open source
Closed source; ISO 27001 / SOC 2 / HIPAA certified

Caveats / confidence (high): Exact Swiss Post stake undisclosed ('majority'). Underlying host reported as Microsoft Azure but unverified from primary source. US residency option lowers residency score despite EU default.

Sources: [1] · [2] · [3]

#5

kDrive (Infomaniak)

71/100 CLOUD Act: Low
Incorporation
Switzerland (EFTA, EU adequacy)
Ultimate ownership
Independent, Swiss-controlled (Infomaniak Network SA, Geneva). No VC/PE, no public listing, no parent. Majority of shares moving into a public-interest foundation from 2026. No non-EU ownership.
Data residency
Switzerland only — Infomaniak's own data centers (Geneva + Winterthur/Zurich). No non-EU/EFTA option.
Encryption
Encryption at rest (AES, provider-held keys) + TLS — NOT zero-knowledge by default. Optional opt-in 'Vault' provides user-held-key E2E for selected files.
Open source
Closed source; runs own infrastructure

Caveats / confidence (medium-high): Default is provider-key (non-Vault files readable to Infomaniak under Swiss legal process). Exact second data-center city and 2026 foundation share split unverified.

Sources: [1] · [2] · [3]

#6

Jottacloud

63/100 CLOUD Act: Low
Incorporation
Norway (EEA, not EU)
Ultimate ownership
As of March 2025, a 50/50 JV between Hawk Infinity and Telenor Amp (merger with Telenor Software Lab). Telenor ASA is ~54% Norwegian-state-owned. No non-EEA ownership.
Data residency
Norway only — own server center near Stavanger. No non-EEA option.
Encryption
Encryption at rest (AES-256, provider-held keys) + TLS 1.3. NO zero-knowledge / client-key option ('Jottacloud does not support creating your own private encryption keys').
Open source
Closed source

Caveats / confidence (high): Provider can access plaintext under Norwegian legal process (no ZK option). Merger closing presumed but not confirmed; Telenor's exact state-ownership % medium-confidence. Norway = EEA, not EU (outside CJEU jurisdiction).

Sources: [1] · [2] · [3]

#7

pCloud

53/100 CLOUD Act: Medium-High
Incorporation
Switzerland (HQ Baar; operations in Bulgaria, EU)
Ultimate ownership
Founder-led, independent (Tunio Zafer, Anton Titov); single ~$3M round in 2015. Cross-checked against Crunchbase, PitchBook and Dealroom on 2026-06-11: no acquisition and no parent company identified. Swiss registry cap table not publicly confirmed.
Data residency
User chooses at signup: EU (Luxembourg) OR US (Dallas, Texas). The US region is a real, selectable option placing data under US jurisdiction.
Encryption
Server-side AES-256 at rest by default with provider-held keys (NOT zero-knowledge). Zero-knowledge only via paid 'pCloud Crypto' add-on, per-folder, opt-in.
Open source
Closed source; ISO 27001 / GDPR

Caveats / confidence (medium-high): Default non-ZK + selectable US (Dallas) region = highest exposure of the cluster. Exposure drops to Low only for files in the paid Crypto folder on the EU region. Independence cross-checked via three funding databases (2026-06-11); Swiss registry confirmation still outstanding.

Sources: [1] · [2] · [3]

Want the full hands-on reviews behind these scores? Read our European Google Drive alternatives and Dropbox alternatives guides. Spotted an error? This index is maintained — corrections welcome.