EU-hosted vs EU-owned: how to think about risk
A tool hosted in the EU isn't the same as a tool owned by an EU company. Here's why the distinction matters and how to assess your real risk.
TL;DR
Hosting location and corporate ownership are two different risk vectors. EU hosting helps with data residency, but EU ownership addresses jurisdiction risk. Most teams need to consider both.
Key Takeaways
- EU-hosted means servers are physically in the EU — but the company may still be subject to non-EU law.
- EU-owned means the parent company is incorporated in an EU/EEA country and subject to EU jurisdiction.
- The CLOUD Act can compel US-owned companies to hand over data from EU servers.
- For sensitive data (customer records, HR, financial), EU ownership reduces your jurisdictional risk.
- A practical approach: map your tools into a 2x2 matrix of hosted/not-hosted and owned/not-owned.
The confusion is understandable
When vendors say "your data is in the EU," most buyers assume that settles the sovereignty question. But hosting location and corporate jurisdiction are separate risk vectors, and conflating them creates blind spots.
What "EU-hosted" actually means
EU-hosted means the servers processing and storing your data are physically located within the European Union (or EEA). This is good for:
- GDPR data transfer rules — data at rest never leaves the EU/EEA, so no Standard Contractual Clauses are needed for the storage layer
- Latency — faster access for EU-based teams
- Regulatory optics — easier to demonstrate residency in audits
What "EU-owned" actually means
EU-owned means the ultimate parent company is incorporated in an EU/EEA member state. This matters because:
- The company is primarily subject to EU law, not US or Chinese law
- No foreign government can compel data access through extraterritorial legislation like the CLOUD Act
- Corporate governance follows EU standards
The 2x2 matrix
| | EU-hosted | Not EU-hosted |
|---|---|---|
| EU-owned | Best case: full sovereignty alignment | Data residency gap, but jurisdiction is clean |
| Not EU-owned | Common setup: residency is OK, jurisdiction is not | Maximum risk for EU data protection |
Most large US SaaS companies fall into the bottom-left quadrant: they offer EU hosting but remain subject to US jurisdiction. This is the scenario that creates the most confusion.
Practical recommendations
- For regulated industries (finance, health, public sector): strongly prefer EU-owned tools for systems that handle personal or classified data.
- For general business use: EU-hosted with a strong data processing agreement (DPA) may be acceptable for lower-risk systems (project management, design tools).
- For everyone: at minimum, know which quadrant each of your critical tools sits in. Don't assume "EU servers" means full protection.
Frequently Asked Questions
Can a US company truly guarantee EU data stays in the EU?
Is EU-owned always better than EU-hosted?
What about UK companies post-Brexit?