Get out of the US cloud: Sovereign SaaS offers at overview + recommendations for action

The need for digital sovereignty for European companies

Digital transformation is progressing relentlessly, and cloud computing, especially Software-as-a-Service (SaaS), has become an indispensable tool for businesses of all sizes. It enables flexibility, scalability, and access to innovative technologies. At the same time, this development has led to a significant dependence on a few, mostly US-based, cloud providers.

Suitable for:

• Why the US Cloud Act is a problem and risk for Europe and the rest of the world: a law with far -reaching consequences

Problem statement: Growing dependence on US cloud providers

The European cloud market is clearly dominated by the major US hyperscalers: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). These providers control a large share of the global market. Even leading European providers like SAP and Deutsche Telekom achieve only small market shares in Europe by comparison. This concentration carries an inherent risk: a large portion of the global, and especially the European, cloud infrastructure is potentially subject to US jurisdiction. Consequently, awareness of the risks associated with this dependency is growing in European companies and increasingly in public administrations as well. Concerns regarding data protection, data security, and the loss of control over critical data and processes are coming to the fore. The question of digital sovereignty is becoming a strategic imperative.

Relevance of data sovereignty and GDPR compliance

At the heart of European concerns lies the General Data Protection Regulation (GDPR). Since 2018, it has formed the strict legal framework for the protection of personal data in the European Union and regulates in detail its processing and transfer, particularly to countries outside the EU. For European companies, GDPR compliance is not only a legal obligation but also a crucial factor in maintaining the trust of customers and business partners. In parallel, the concept of digital sovereignty is gaining importance. It describes Europe's ambition to regain or maintain control over its own data, technologies, and digital infrastructures. This is not only a matter of data protection but also an industrial policy objective aimed at strengthening the European economy and competitiveness in a globalized digital world. For companies, this means the need to rethink cloud strategies and proactively seek solutions that are both legally compliant and trustworthy, ensuring their operational capability.

Suitable for:

• AI integration of an independent and cross-data source-wide AI platform for all company matters

Objectives and structure of the report

This report is aimed at European business and IT decision-makers facing the challenge of developing a future-proof and risk-aware cloud strategy. Its goal is to provide a sound basis for decision-making by:

• Analyzes the specific risks that arise for European companies from the use of US-based SaaS services, particularly with regard to the conflict between GDPR and US laws such as the CLOUD Act and FISA 702.
• Defines what is meant by “sovereign SaaS offerings” in the European context and what criteria they must meet.
• This is a market overview of European SaaS providers that position themselves as sovereign alternatives, categorized by application areas.
• It compares important alternatives in key categories with regard to features, pricing, and, most importantly, the implementation of data sovereignty and GDPR compliance.
• Specialized solutions for sensitive sectors such as public administration, healthcare and finance were highlighted.
• Presents relevant EU initiatives (such as Gaia-X) and certifications (such as EUCS, BSI C5) that promote cloud sovereignty.
• It draws a conclusion and derives recommendations for the strategic direction of companies.

Risk analysis: US cloud services and the challenges for European companies

The use of cloud services, particularly SaaS offerings, from providers based in the United States presents European companies with significant legal and operational challenges. These arise primarily from the fundamental conflict between strict European data protection regulations and far-reaching US surveillance and data access laws.

The core conflict: GDPR vs. US surveillance laws

The General Data Protection Regulation (GDPR) forms the foundation of European data protection. It establishes high standards for the processing of personal data of EU citizens. Articles 44 et seq. of the GDPR, which regulate the transfer of such data to third countries (countries outside the EU/EEA), are particularly relevant for cloud usage. Such a transfer is only permissible if the third country provides an “adequate level of protection” (as determined by an adequacy decision of the EU Commission) or if “appropriate safeguards” (such as standard contractual clauses or binding corporate rules) are in place and enforceable rights and effective legal remedies are available to data subjects. Furthermore, Article 48 of the GDPR explicitly prohibits the transfer of data to authorities of a third country based on their decisions or judgments, unless an international agreement, such as a mutual legal assistance treaty, exists. Several US laws, which grant US authorities extensive access rights to data, even if it is stored outside the USA, contradict this European standard of protection

• The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act): This law, passed in 2018, empowers US law enforcement agencies and intelligence services to demand that US communications and technology companies hand over data under their control—regardless of where in the world that data is stored. This explicitly includes data located in data centers within the European Union. The CLOUD Act thus undermines the territoriality principle of data protection and directly contradicts the requirements of the GDPR, particularly Article 48. It was enacted, in part, as a response to a protracted legal dispute between Microsoft and the US government over access to emails stored on servers in Ireland, and it modernized older access regulations from the post-September 11, 2001 era, such as the Patriot Act. While the CLOUD Act provides mechanisms for a provider to challenge a disclosure order if it violates the law of another state (such as the GDPR), the practical effectiveness of these mechanisms, particularly with regard to national security orders, is highly controversial and offers no reliable guarantee for European companies. Providers are thus caught in a dilemma: if they comply with a CLOUD Act order without an EU legal basis, they risk massive GDPR fines; if they refuse disclosure citing the GDPR, they face sanctions under US law.
• FISA Section 702 (Foreign Intelligence Surveillance Act): This provision, part of the FISA Amendments Act of 2008, allows US intelligence agencies such as the NSA to conduct targeted surveillance of the electronic communications of non-US persons located outside the US. The surveillance is carried out to obtain “foreign intelligence information.” FISA 702 obliges US providers of electronic communication services (ECSPs), which include many large cloud and SaaS providers, to cooperate with the authorities. The scope of potentially collected data is very broad and can include not only metadata but also the content of communications, even those of uninvolved third parties who merely mention a target individual. The surveillance programs under FISA 702 (such as PRISM and Upstream) were a central point of criticism in the Schrems II ruling of the European Court of Justice (see below). Criticism is also leveled at the lack of effective legal remedies for affected EU citizens and the potential for mass surveillance, even though US authorities deny this.
• Executive Order 12333 and others: In addition to the CLOUD Act and FISA 702, other legal bases exist, such as Executive Order 12333, which grant US intelligence agencies extensive powers to conduct surveillance abroad, often without judicial oversight or specific legal restrictions on non-US persons.

This fundamental legal conflict creates a situation in which the use of cloud services from US providers poses inherent risks for European companies.

Specific risks for European companies

The legal conflict described poses tangible risks for European companies that use US-based SaaS services:

• Data breaches & fines: Disclosing personal data to US authorities under the CLOUD Act or FISA 702, without a valid legal basis under EU law (e.g., a mutual legal assistance treaty), constitutes a clear violation of the GDPR, particularly Article 48. This can lead to substantial fines of up to 4% of global annual turnover, as well as civil claims for damages from data subjects. The mere use of a US cloud service can be considered potentially non-compliant with the GDPR if the provider cannot guarantee that it will not disclose data in violation of the GDPR.
• Loss of data sovereignty and control: Contractual assurances from US providers that data is stored only in EU data centers do not offer effective protection against US access under the CLOUD Act or FISA. US laws can override these assurances and even technical safeguards. Even data encryption is not a panacea if the US provider controls the encryption keys, as they could be compelled to disclose them. Similarly, access control mechanisms can be circumvented and audit logs can be viewed without the data owner's knowledge, violating the transparency requirements of the GDPR. European companies thus effectively lose control over who accesses their data and under what circumstances.
• Industrial espionage and loss of trade secrets: The potential outflow of sensitive company data poses a particularly serious risk. This includes intellectual property, research and development data, prototypes, strategic plans, financial data, and confidential customer data and communications. The concern that US authorities could use their access rights for economic purposes (industrial espionage) is a major driver for European companies to seek alternatives or implement additional protective measures. The loss of such information can lead to significant financial losses, reputational damage, and the loss of competitive advantages.
• Legal uncertainty and loss of trust: The unresolved conflict between European data protection law and US access rights creates significant legal uncertainty for companies using US services. This uncertainty complicates long-term planning and compliance efforts. Furthermore, the continued use of services where data protection cannot be guaranteed can severely undermine the trust of customers, employees, and business partners.
• Geopolitical risks: Laws like the CLOUD Act are viewed in the context of global trends toward increased state surveillance and a potential fragmentation of the internet (“Splinternet”). Comparisons are drawn to similar laws in other countries, such as China’s National Intelligence Law. Furthermore, excessive dependence on technology providers from a single non-European region poses strategic risks to Europe’s digital autonomy and resilience.

The risks of using US cloud services extend far beyond potential GDPR penalties. They include the loss of critical business data, reputational damage, and the threat to competitiveness due to the potential misuse of access rights for industrial espionage. These often difficult-to-quantify, but potentially existential, "collateral" risks are easily underestimated when focusing solely on GDPR compliance.

The Schrems II ruling and the Data Privacy Framework (DPF)

The legal uncertainty surrounding transatlantic data transfers was significantly exacerbated by the European Court of Justice's (ECJ) Schrems II ruling in July 2020. The ECJ declared the then-applicable EU-US Privacy Shield agreement invalid. The reasoning: US surveillance laws, particularly FISA 702 and related programs, permit infringements on the fundamental rights of EU citizens (data protection, privacy) that are not limited to what is strictly necessary and do not offer equivalent protection to that afforded in the EU. Furthermore, there is a lack of effective legal remedies for affected individuals in the US against such surveillance measures. While the ruling confirmed the general validity of Standard Contractual Clauses (SCCs) as an alternative instrument for data transfers, the ECJ clarified that data exporters cannot rely blindly on SCCs. As part of a case-by-case assessment (Transfer Impact Assessment – ​​TIA), it must be examined whether the law and practices in the destination country (here, the USA) guarantee a level of protection that is “essentially equivalent” to that in the EU. If this is not the case due to surveillance laws – as the CJEU suggested for the USA – additional measures (supplementary measures) must be taken (e.g., strong encryption where the recipient has no access to the keys) to ensure protection. If even this is not possible, the data transfer must be suspended. The CLOUD Act was seen in this context as a factor that further undermines the argument for an equivalent level of protection. In response to the legal uncertainty created by Schrems II and to put data flows between the EU and the USA on a more solid footing, the EU Commission and the US government agreed on the EU-US Data Privacy Framework (DPF). This entered into force in July 2023 through a new adequacy decision by the EU Commission. The Data Protection Framework (DPF) is intended to address the concerns raised by the European Court of Justice (ECJ) in the Schrems II ruling by providing additional safeguards on the US side: US intelligence agencies' access to EU citizens' data is to be limited to what is necessary and proportionate, and a new, two-tiered legal remedy mechanism (including the Data Protection Review Court – DPRC) has been established for EU citizens. Companies in the US can obtain DPF certification, and data transfers from the EU to these certified companies are then considered permissible without the need for additional instruments such as Standard Contractual Clauses (SCCs) or other measures. However, significant doubts and risks remain regarding the stability and effectiveness of the DPF

• Fundamental US laws remain in effect: The CLOUD Act and FISA 702 were not amended by the DPF. The fundamental powers of US authorities to access data continue to exist.
• Doubts about the European Court of Justice's (ECJ) scrutiny: Many data protection experts and activists doubt that the safeguards provided for in the Data Protection Fund (DPF) and the new legal remedy mechanism would withstand renewed scrutiny by the ECJ. In particular, the independence and enforcement power of the Data Protection Regulatory Commission (DPRC) are being questioned.
• Continuous monitoring is required: Pursuant to Article 45(4) of the GDPR, the European Commission is obligated to continuously monitor developments in the USA and to regularly review their adequacy. The first review took place in summer 2024. Recent developments, such as the extension and potential expansion of FISA 702, could again jeopardize the basis of the DPF.
• Risk for companies: Companies that rely solely on the DPF are taking a significant risk. Should the European Court of Justice also declare the DPF invalid in the future (a “Schrems III” scenario), data transfers based on it would become illegal again overnight. Companies that then lack a “Plan B” (e.g., switching to an EU provider or implementing effective additional measures) cannot expect leniency.

The core conflict between US law on broad data access and the EU fundamental right to data protection thus remains even under the DPF. The US laws that cause the problem remain in force. The DPF represents more of a political and potentially temporary stopgap than a final legal solution. The fundamental problem of potentially GDPR-violating access by US authorities to the data of European citizens and companies has not been resolved.

Definition and criteria: What does “sovereign SaaS” mean?

Given the risks described, European companies are increasingly seeking alternatives that offer them greater control, security, and legal compliance. In this context, the terms “sovereign cloud” or “sovereign SaaS” are frequently used. But what exactly do these terms mean, and what criteria must an offering meet to be considered sovereign in the European context?

Key elements of sovereignty in the cloud context

Digital sovereignty in the cloud environment is a multifaceted concept that goes beyond the mere technical provision of services. It can be understood through several core elements:

• Data sovereignty: This is the central principle. It states that data is subject to the laws and regulations of the jurisdiction in which it is located or was collected. For Europe, this primarily means the full application of EU data protection law (especially the GDPR) and protection against access by authorities from third countries based on extraterritorial laws such as the US CLOUD Act. The customer retains full control over who may access their data and under what conditions.
• Data residency and data localization:
  • Data residency means that customer data (including metadata and backups) is guaranteed to be stored and processed within a defined geographical region, typically the EU or the EEA. This is a necessary condition for data sovereignty in the EU context, but not sufficient in itself if the provider is subject to non-European laws.
  • Data localization is a stricter requirement that stipulates that data may not leave the borders of a specific country. Such laws are rare within the EU, but may be relevant for specific national regulations or sectors.
• Operational sovereignty: This element refers to control over the operation of the cloud infrastructure and the services running on it. Key aspects include:
  • Operation by EU personnel and EU legal entities: It must be ensured that personnel with physical or logical access to the cloud environment and customer data are based in the EU and subject to EU law. Access from outside the EU must be prevented or strictly controlled through technical and organizational measures.
  • EU corporate headquarters and structure: The cloud provider itself, or at least the legal entity responsible for operations in the EU, should have its headquarters in an EU/EEA member state and thus be primarily subject to European law. It is also crucial that there are no dependencies on parent companies or subsidiaries in third countries (especially the USA) that could force compliance with their laws (such as the CLOUD Act or FISA).
  • Transparency and auditability: Customers need transparency regarding operational processes, subcontractors, and implemented security measures. The ability to independently review and audit access and processes is a key characteristic of operational sovereignty.
• Technological sovereignty: This refers to the ability to understand, control, validate, and ideally also (further) develop the underlying key technologies. Aspects of this include:
  • Use of open standards and open-source software: Open standards and open-source software promote interoperability between different providers and solutions, increase transparency (since the code is auditable), reduce the risk of vendor lock-in, and facilitate security audits. They often form the basis for European technology stacks such as the Sovereign Cloud Stack (SCS).
  • Interoperability and portability: The ability to easily migrate data and applications between different cloud providers or back to one's own infrastructure (on-premise) is a sign of independence and flexibility.
  • Control over the technology stack: In the long term, technological sovereignty aims to reduce dependence on proprietary hardware and software components from non-European sources and to build up European expertise.

Suitable for:

• Independent AI platforms as a strategic alternative for European companies

Demarcation and misunderstandings

The term “sovereign cloud” is not legally protected and is often used by various providers as a marketing tool, with the underlying concepts and measures varying considerably. It is therefore crucial for companies to carefully examine what a provider means by sovereignty and what specific guarantees they offer. A common misconception is that storing data in a data center within the EU is sufficient to guarantee sovereignty. This is not the case. As explained in Section II, the US CLOUD Act allows access to data belonging to US companies regardless of where it is stored. Data residency in the EU therefore does not protect against US access if the provider itself or its parent company is US-based or otherwise subject to US jurisdiction. Another misconception is that sovereign cloud offerings inevitably entail functional limitations or a slower pace of innovation compared to global hyperscalers. While this may be true in some cases, as local providers often lack the same economies of scale and research budgets, the primary goal of sovereign solutions is not restriction, but rather combining the advantages of cloud computing (flexibility, scalability) with the requirements of control, security, and compliance. Many European providers rely on open technologies to enable innovation and adaptability.

Criteria for sovereign SaaS providers from an EU perspective

Based on the core elements of sovereignty, concrete criteria can be derived by which European companies can evaluate SaaS providers:

• Data Protection & Compliance: The provider must demonstrably comply with the requirements of the GDPR. This should be documented by a data processing agreement (DPA) in accordance with Article 28 GDPR and appropriate technical and organizational measures (TOMs). Compliance with other relevant EU and national regulations (e.g., for specific sectors) must also be ensured.
• Data location & processing: It must be contractually guaranteed that all customer data, including metadata, configuration data and backups, are stored and processed exclusively within the EU or the EEA.
• Operation & Access Control: The operation of the services and access to customer data must be carried out by personnel based in the EU and belonging to an EU legal entity. Strict technical and organizational measures must be implemented to prevent unauthorized access, particularly from outside the EU.
• Corporate Structure & Jurisdiction: The provider should have its headquarters and principal legal control within the EU/EEA. There must be no corporate affiliations or branches in third countries (especially the USA) that would place the provider under their jurisdiction and potentially compel the disclosure of data (e.g., through the CLOUD Act or FISA).
• Transparency: The provider should be transparent about its operational processes, the use of subcontractors, the locations of data processing, and the implemented security measures. The possibility of auditing by the customer or independent third parties should be provided.
• Technology & Interoperability: The preferred use of open standards (e.g. APIs) and/or open source software facilitates integration, testing and potential switching to other providers (avoiding vendor lock-in).
• Certifications & Attestations: Recognized certifications and attestations can serve as proof of compliance with security and compliance standards and build trust. Particularly relevant are ISO 27001, BSI C5 (in Germany), and, in the future, EUCS.

It is becoming clear that digital sovereignty in the SaaS context is a multidimensional concept. It's not just about where data is stored, but also about who processes it and how, which laws the provider is subject to, and which technological foundations are used. Companies must therefore consider which dimensions of sovereignty are most important to them when selecting a provider and how well the provider meets these specific requirements. Simply having data residency within the EU is often insufficient to effectively mitigate risks, particularly those posed by US laws. At the same time, companies often face a dilemma: the desire for maximum sovereignty and control must be balanced against potential disadvantages in terms of functionality, speed of innovation, or costs, which can arise with some European or strictly sovereign providers compared to global hyperscalers. Many European providers view the use of open-source software as a strategic approach to ensuring transparency, trust, and adaptability, even if they may not be at the forefront of every new technological development.

Benefit from Xpert.Digital's extensive, fivefold expertise in a comprehensive service package | R&D, XR, PR & Digital Visibility Optimization - Image: Xpert.Digital

Xpert.Digital has in-depth knowledge of various industries. This allows us to develop tailor-made strategies that are tailored precisely to the requirements and challenges of your specific market segment. By continually analyzing market trends and following industry developments, we can act with foresight and offer innovative solutions. Through the combination of experience and knowledge, we generate added value and give our customers a decisive competitive advantage.

More about it here:

• Use the 5x expertise of Xpert.Digital in one package - starting at just €500/month

Market overview: Sovereign SaaS alternatives from the EU

The European Software-as-a-Service (SaaS) market offers a growing number of providers positioning themselves as alternatives to the dominant US players. Many of them place a special focus on data protection, GDPR compliance, and digital sovereignty to meet the specific needs of European businesses and organizations.

Criteria for selecting providers

The following overview focuses on SaaS providers that meet the following criteria:

• Origin: The company's headquarters are located in a member state of the European Union (EU), the European Economic Area (EEA) or Switzerland (CH), as Switzerland has an adequacy decision from the EU Commission and is often closely integrated into the European Economic Area.
• Positioning: The provider explicitly positions itself as a sovereign or data protection-compliant alternative or exhibits essential characteristics of digital sovereignty (e.g., exclusive hosting in the EU/EEA, demonstrable GDPR compliance, no subjection to US laws such as the CLOUD Act/FISA, use of open source).
• Relevance: The provider was mentioned in the underlying research sources or is known as a relevant alternative in its category.

For better clarity, the providers are grouped according to common SaaS categories.

Categorized overview of European SaaS providers

The following table provides an overview of selected European SaaS providers, organized by functional area. It serves as a starting point for a more detailed evaluation.

Overview of European SaaS providers by category

Overview of European SaaS providers by category – Image: Xpert.Digital

(Note: This table is a selection and is not exhaustive. The information is based on available sources and is subject to change. Independent verification by the company is essential.)

The overview of European SaaS providers showcases a wide range of solutions, categorized by type. In the collaboration and office sector, providers like Nextcloud Hub from Germany offer an open-source platform for files, communication, groupware, and office applications. This platform can be self-hosted or hosted by a provider and prioritizes data sovereignty. Open-Xchange App Suite, also from Germany, provides a comprehensive solution for email, groupware, drive, and documents, particularly for providers and businesses, and complies with ISO 27001 standards. ONLYOFFICE from Latvia delivers an office suite with collaboration features and a workspace (including CRM and email). It is both cloud- and on-premises-compatible and GDPR-compliant. Collabora Online, based on LibreOffice, is frequently integrated with platforms like Nextcloud. TeamDrive, also from Germany, focuses on highly secure cloud storage with end-to-end encryption and a zero-knowledge principle. Conceptboard, also from Germany, offers an online whiteboard for visual collaboration using EU servers and without US involvement. CryptPad from France combines open source and end-to-end encrypted collaboration. Stackfield from Germany provides a GDPR-compliant platform for chat, tasks, and video.

In the CRM & Sales sector, Zeeg from Germany stands out with its GDPR-compliant appointment scheduling, while CentralStationCRM offers a simple CRM solution for SMEs. SAP CRM, as part of the SAP suite, is geared towards enterprises. For cloud storage solutions, providers like pCloud from Switzerland feature optional end-to-end encryption and lifetime plans. Tresorit combines high security, zero-knowledge access, and compliance for Europe. Proton Drive, also from Switzerland, offers encrypted file hosting. German providers like IONOS HiDrive and international options like Infomaniak kDrive complete the range of offerings.

For video conferencing, OpenTalk from Germany, with its particular focus on security and GDPR compliance, and the open-source solution Jitsi Meet are worth highlighting. eyeson from Austria offers cloud-based video meetings, while Univid from Sweden concentrates on webinars. In web analytics, Matomo offers an open-source option with full data control, Plausible Analytics emphasizes ease of use and data privacy, etracker from Germany avoids cookies, and Piwik PRO is aimed at businesses.

Marketing automation is covered by providers like Brevo (formerly Sendinblue) with servers in Germany/EU and Evalanche, which focuses on B2B and is ISO certified. Personio is a leader in HR software, offering a comprehensive platform for SMEs, complemented by solutions like HRworks and Rexx Systems, which offer both cloud and on-premises models. OpenProject is a German open-source project management solution, while Zenkit stands out with its flexible workspaces. Secure email providers like Tutanota and Proton Mail prioritize data protection and end-to-end encryption. Single sign-on is provided by Bare.ID, based in Germany, with GDPR-compliant security. For survey tools, LamaPoll and LimeSurvey impress with their customizability and German server standards. QuestionPro, in its EU version, completes the list with extensive features and GDPR compliance.

This overview highlights the remarkable diversity and specialization within the European SaaS market. Particularly in areas where data protection and security have traditionally played a major role – such as collaboration, secure communication, cloud storage, and web analytics – a wide range of alternatives exists. Many of these providers are small or medium-sized enterprises (SMEs) or specialized niche players from various European countries. They often place a strong emphasis on GDPR compliance and the specific needs of the European market, which is reflected in features such as EU hosting, German-language support, or specific compliance certifications.

The strategic importance of open-source software for many European providers is also striking. Particularly in the areas of collaboration (Nextcloud, CryptPad), office applications (ONLYOFFICE, Collabora), project management (OpenProject), web analytics (Matomo), and video conferencing (Jitsi, OpenTalk), open-source technologies often form the basis. This is more than just a technical detail; it's a conscious decision that promotes transparency (through accessible code), adaptability, auditability, and the avoidance of vendor lock-in. These aspects are key building blocks for digital sovereignty and enable European providers to offer trustworthy and flexible solutions without necessarily having access to the enormous development budgets of global hyperscalers. This gives customers greater control and insight into the technology they use.

Comparison of selected EU alternatives

Following the general market overview, a more detailed comparison of selected, representative European SaaS alternatives in key categories now follows. The focus is on core functions, pricing models, unique selling points, and in particular the implementation of data sovereignty and GDPR compliance.

Methodology of comparison

The selection of providers for the detailed comparison is based on their relevance and frequency of mention in the underlying sources, as well as their positioning as direct European alternatives to well-known US services. The comparison relies on information from the specific provider snippets and other relevant data points from the general snippets. The criteria include:

• Core functions: What does the software do at its core?
• Pricing model: What is the pricing structure (subscription, freemium, lifetime, on-premise)?
• Data location/hosting: Where is the data hosted (EU/DE guaranteed)? Are there self-hosting options?
• Encryption: Which encryption methods are used (especially end-to-end, zero-knowledge)?
• Certifications/Compliance: What relevant certificates (ISO 27001, BSI C5 etc.) and compliance commitments (GDPR) exist?
• Strengths/weaknesses regarding sovereignty: Special features or limitations regarding data control, transparency and independence.

Detailed comparison by category

Detailed comparison of important EU SaaS alternatives

Detailed comparison of important EU SaaS alternatives – Image: Xpert.Digital

A detailed comparison of key EU SaaS alternatives reveals that Nextcloud Hub, as a modular platform, offers features such as file synchronization and sharing, video conferencing, groupware, and office integration, while Open-Xchange App Suite, as an integrated suite, focuses on email, calendar, contacts, and storage. Nextcloud Hub allows for complete control through self-hosting and offers optional end-to-end encryption, but has higher IT requirements for self-hosting. Open-Xchange stands out with its ISO certification and EU-compliant data protection, but is cloud-dependent on the provider. In the CRM sector, Zeeg scores points with its clear GDPR compliance and hosting in Germany, while CentralStationCRM impresses with its simplicity and focus on SMEs. Both providers offer freemium models and guarantee GDPR-compliant data locations. In the cloud storage sector, pCloud offers advantages in terms of flexibility with lifetime plans and EU storage options; however, end-to-end encryption is optional and comes at a cost. Tresorit, on the other hand, scores points with consistent zero-knowledge encryption and high compliance, but is more expensive. ONLYOFFICE and Collabora Online offer comprehensive office alternatives with a strong EU focus and open-source options, with ONLYOFFICE shining through its Microsoft compatibility and collaboration features. Collabora Online is tightly integrated with platforms like Nextcloud and is therefore less focused on standalone functionality. In the area of ​​video conferencing, OpenTalk stands out with features such as webinars, polls, and a clear GDPR focus, while Jitsi Meet, as a free open-source solution, offers maximum self-control and simplicity. Both solutions offer on-premises options and strong data protection features, with OpenTalk distinguished by its BSI IT security seal.

A detailed comparison underscores that there is rarely a single "best" European alternative. The choice depends heavily on the specific requirements and priorities of the company. Clear trade-offs emerge, for example, between maximum security and price (pCloud vs. Tresorit) or between comprehensive control through self-hosting and the convenience of a managed SaaS solution (Nextcloud vs. OX App Suite Cloud). Companies must weigh which aspect—feature range, ease of use, cost, or the degree of sovereignty and security—is most important to them.

A key characteristic of many European providers is the flexibility of their operating models. Solutions like Nextcloud, ONLYOFFICE, OpenTalk, and Jitsi offer both cloud-based (SaaS) and on-premises or self-hosted options. This gives companies the ability to determine their own level of control and sovereignty. They can opt for the convenience of a SaaS solution from a trusted European provider or choose maximum control over data and infrastructure by operating it in their own data center. This choice directly addresses the core need for control that drives the sovereignty debate.

Integration of an independent and cross-data source-wide AI platform for all company matters-Image: Xpert.digital

Ki-Gamechanger: The most flexible AI platform-tailor-made solutions that reduce costs, improve their decisions and increase efficiency

Independent AI platform: Integrates all relevant company data sources

• This AI platform interacts with all specific data sources
  • From SAP, Microsoft, Jira, Confluence, Salesforce, Zoom, Dropbox and many other data management systems
• Fast AI integration: tailor-made AI solutions for companies in hours or days instead of months
• Flexible infrastructure: cloud-based or hosting in your own data center (Germany, Europe, free choice of location)

• Highest data security: Use in law firms is the safe evidence
• Use across a wide variety of company data sources
• Choice of your own or various AI models (DE, EU, USA, CN)

Challenges that our AI platform solves

• A lack of accuracy of conventional AI solutions
• Data protection and secure management of sensitive data
• High costs and complexity of individual AI development
• Lack of qualified AI
• Integration of AI into existing IT systems

More about it here:

• AI integration of an independent and cross-data source-wide AI platform for all company matters

Specialized solutions: Sovereign SaaS for sensitive sectors

While the SaaS solutions discussed so far are often applicable across industries, there are sectors with particularly high demands on security, compliance, and digital sovereignty. These include, in particular, public administration, healthcare, and the financial sector. Specialized offerings and regulatory frameworks are developing in these areas, promoting or even mandating the use of sovereign cloud solutions.

Public administration

The public sector in Germany and Europe has an inherent interest in digital sovereignty to ensure control over citizens' data and critical government processes. The requirements often go beyond standard GDPR compliance and include specific security standards such as the BSI IT Baseline Protection or the BSI C5 criteria catalog. Interoperability between different authorities and levels of government, as well as a preference for open-source software to avoid dependencies, are also important aspects.

Several initiatives aim to create a sovereign cloud infrastructure for administration:

• German Administrative Cloud Strategy (DVS): This strategy, driven by the IT Planning Council and FITKO, aims to establish a federal, secure, interoperable, and sovereign cloud ecosystem for the federal government, states, and municipalities. It relies on open standards, a multi-cloud approach, and the integration of public IT service providers (such as Dataport, AKDB, and IT.NRW), which play a central role and enjoy a high level of trust. In the future, external, DVC-compliant providers will also be able to be integrated. A key element is the Cloud Service Portal (CSP) as a marketplace for standardized and certified cloud services.
• Federal Cloud / Federal IT Operations Platform: The ITZBund already operates cloud platforms (SaaS, PaaS) for federal authorities, which are to be consolidated in 2025 and meet high requirements for security and data protection.
• Center for Digital Sovereignty (ZenDiS): This institution specifically promotes the use of open source software in public administration and supports projects such as OpenDesk, an open source alternative to Microsoft 365, which is specifically developed for the public sector.
• Gaia-X and Sovereign Cloud Stack (SCS): These European initiatives provide important technical foundations and standards for building sovereign cloud infrastructures, which DVS also intends to utilize. SCS, an open-source stack based on OpenStack and Kubernetes, is already being used by several German providers (e.g., plusserver).

Concrete, sovereign SaaS offerings for public administration come from both public IT service providers (e.g., Conceptboard by IT.NRW, dDataBox by Dataport) and specialized commercial providers, who often hold BSI C5 certifications and are available via marketplaces such as govdigital (e.g., plusserver, STACKIT, IONOS, OVHcloud). Open-source solutions like Nextcloud or OpenDesk also play an important role.

Suitable for:

• Dependent on the US cloud? Germany's battle for the cloud: How they plan to compete with AWS (Amazon) and Azure (Microsoft)

Healthcare

The healthcare sector processes extremely sensitive personal data (health data as defined in Article 9 of the GDPR), which is subject to special protection. In addition to the GDPR and medical confidentiality, specific national laws apply, such as the Patient Data Protection Act (PDSG) and, more recently, the Digital Healthcare Act (DigiG). Security, availability, and confidentiality are of paramount importance in this context.

A key driver for the use of sovereign cloud solutions in the German healthcare system is the Digital Act (DigiG), which came into force in March 2024. While the new Section 393 of the German Social Code, Book V (SGB V) explicitly permits the processing of social and health data using cloud computing, it attaches very strict conditions to this:

• Data processing only in the EU/EEA/CH or adequacy decision country: The processing of data may only take place domestically, in an EU/EEA state, Switzerland or a third country with an adequacy decision by the EU Commission.
• BSI C5 certification becomes mandatory: From July 1, 2024, cloud service providers that process social or health data on behalf of healthcare providers (doctors, hospitals, health insurance funds, etc.) must be able to present a valid BSI C5 certification. Until June 30, 2025, a Type 1 certification (adequacy of controls) is sufficient; from July 1, 2025, a Type 2 certification (proof of effectiveness over a period of time) is mandatory.
• This also applies to SaaS providers: This obligation applies not only to infrastructure (IaaS) or platform (PaaS) providers, but also explicitly to Software-as-a-Service (SaaS) providers whose applications are used in the cloud (e.g. hospital information systems (HIS), practice management systems (PMS), appointment booking systems, DiGAs).
• Implementation of customer controls: The using institution (clinic, practice, etc.) must in turn implement the end-user controls mentioned in the audit report of the cloud provider.

This regulation significantly tightens the requirements for cloud services in the healthcare sector, effectively making the BSI C5 certification a prerequisite for providers in this market. Cloud providers such as Open Telekom Cloud, AWS (Frankfurt region), Azure, GCP, and German providers like plusserver, STACKIT, and IONOS already hold C5 certifications for their infrastructures. Now, the SaaS solutions for healthcare built upon these infrastructures (HIS, practice management systems, electronic patient record components, etc.) must also provide this certification. Examples of companies active in the healthcare cloud environment and/or seeking relevant certifications include Gini, Doctolib, and Kite Consult. According to Gematik, the electronic patient record itself is hosted on servers in Germany and the EU in compliance with the GDPR.

Finance

The financial sector (banks, insurance companies, financial service providers) is also highly regulated and processes extremely sensitive data. Strict regulatory requirements apply here, imposed by the German Federal Financial Supervisory Authority (BaFin) (e.g., BAIT, KAIT, VAIT, ZAIT), as well as increasingly harmonized European regulations. High standards for IT security, risk management, resilience, and auditability are standard practice.

Key regulatory drivers for the deployment of secure and sovereign cloud solutions include:

• NIS2 Directive: Banks and financial market infrastructures generally fall under the categories of “essential” or “important” entities according to NIS2. They must therefore meet stricter requirements regarding risk management, supply chain security (including cloud providers), incident reporting, and management accountability.
• DORA (Digital Operational Resilience Act): This EU regulation specifically aims to strengthen digital operational resilience in the financial sector. It sets out detailed requirements for the management of ICT risks, the reporting of serious ICT-related incidents, digital resilience testing, and, in particular, the management of risks by third-party ICT service providers, including cloud providers. DORA requires, among other things, clear contractual agreements with cloud providers and audit rights.

Cloud providers seeking to serve financial institutions must demonstrate their ability to meet these regulatory requirements. This is often achieved through certifications such as BSI C5 or ISO 27001, specific contractual assurances, and transparent disclosure of their security architecture and processes. Providers like plusserver, T-Systems, Microsoft with its EU Data Boundary, and AWS with its European Sovereign Cloud are specifically positioning themselves for this regulated market.

In addition, there are specialized SaaS providers offering compliance solutions for the financial sector, such as for anti-money laundering (AML), Know Your Customer (KYC), sanctions list screening, fraud detection, and market abuse monitoring. Examples of providers with a European presence include ACTICO (Germany), Pelican AI (UK?), Sopra Financial Technology (Germany/France), Otris (Germany), and ViClarity (Ireland/US?).

In these highly sensitive sectors, it is becoming clear that the decision to use sovereign cloud solutions is no longer solely a matter of risk minimization, but is increasingly driven by legal requirements and stringent compliance obligations. The need to demonstrate certifications such as BSI C5 shifts the basis for decision-making from a voluntary risk assessment to a mandatory prerequisite for market participation.

This presents SaaS providers with new challenges. While previously the infrastructure provider (IaaS/PaaS) often held the relevant certifications, regulations such as Section 393 of the German Social Code, Book V (SGB V) now explicitly require SaaS providers to also provide corresponding documentation, such as the BSI C5 certification. The costs and effort involved in obtaining and maintaining such certifications are considerable and could pose a significant obstacle, particularly for smaller, innovative SaaS companies, potentially leading to market consolidation in these regulated sectors.

Suitable for:

• US policy inspires EU tech companies? Data sovereignty of US dominance: The future of the cloud in Europe

Promoting sovereignty: EU initiatives and certifications

To strengthen Europe's digital sovereignty and create a trustworthy framework for cloud computing, various initiatives and certification standards have been launched at the European and national levels. These aim to promote interoperability, harmonize security standards, and increase trust in cloud services.

Gaia-X: Vision of a federated European data infrastructure

Gaia-X is one of the most prominent European initiatives for strengthening digital sovereignty. Launched in 2019 by Germany and France, it now involves numerous partners from business, science, and politics in many European countries.

• Objectives: The core objective of Gaia-X is to create a secure, federated, and interoperable data infrastructure based on European values ​​such as data protection (GDPR), transparency, trust, and self-determination. It aims to increase Europe's digital independence from non-European providers, enable innovation through secure data exchange, and strengthen the competitiveness of European companies.
• Architecture and Approach: It is important to understand that Gaia-X itself is not a cloud provider, nor is it building its own “European super-cloud.” Instead, Gaia-X defines a set of rules, common standards, and architectural elements for a decentralized ecosystem of networked, interoperable data spaces and cloud infrastructure services. It is based on principles such as openness, transparency, modularity, and the use of open standards and open-source software. The Gaia-X Association for Data and Cloud (AISBL) is developing specifications, rules, policies, and a framework for verifying compliance (Gaia-X Compliance), which is to be implemented through so-called Gaia-X Digital Clearing Houses (GXDCH).
• Components and projects: Within the Gaia-X framework, concrete building blocks and projects are emerging. The Sovereign Cloud Stack (SCS) is an important example: a standardized, open-source-based technology stack (based on OpenStack, Kubernetes, etc.) for building Gaia-X-compliant, sovereign cloud infrastructures (IaaS/PaaS). It is intended to serve as the technical foundation for interoperable and sovereign cloud offerings, including the German Administrative Cloud.
• Use Cases: To demonstrate the benefits of Gaia-X, concrete data spaces and applications are being developed in various domains. Examples can be found in Industry 4.0 (e.g., Catena-X for the automotive industry), mobility, energy, finance, public administration, and especially in healthcare. Projects such as TEAM-X, Health-X dataLOFT, and GAIA-Med aim to enable the secure and sovereign exchange of health data for improved care and research.
• Challenges: Despite its ambitious goals, Gaia-X also faces challenges and criticism. These include the complexity of the project, slow progress in practical implementation, sometimes unclear definitions, and the fear that the initiative could be dominated by established global hyperscalers. It has also been criticized that the focus was too heavily on the infrastructure layer (IaaS/PaaS) for too long, neglecting the application layer (SaaS).

EUCS: European Cybersecurity Certification Scheme for Cloud Services

The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is a certification framework developed by the European Cybersecurity Agency (ENISA) under the EU Cybersecurity Act (CSA).

• Purpose: The main objective is to harmonize cybersecurity requirements and certifications for cloud services (IaaS, PaaS, SaaS) across the EU. It aims to create a unified standard to overcome fragmentation caused by different national certification schemes (such as SecNumCloud in France or C5 in Germany) and to strengthen the digital single market. For cloud users, EUCS is intended to create greater transparency and trust by demonstrating that certified services meet specific security standards.
• Assurance Levels: The scheme defines three (or in earlier drafts four) security levels ('Basic', 'Substantial', 'High', and possibly 'High+') that reflect different levels of risk and attacker capabilities. With increasing levels, the requirements for implemented security measures (e.g., network, storage, encryption security, penetration tests) and the rigor of evaluation by accredited Conformity Assessment Bodies (CABs) also increase.
• Voluntary vs. mandatory: EUCS certification is generally voluntary. However, the Cybersecurity Act and the NIS2 Directive allow EU member states to mandate the use of certified ICT services for certain sectors, particularly for critical infrastructure (KRITIS). It is therefore likely that EUCS will become a de facto mandatory requirement or a key criterion in tenders, at least in regulated sectors.
• Sovereignty debate: A central and controversial point in the development of the EUCS was the question of specific sovereignty requirements, particularly for the highest security level ('High' or 'High+'). Earlier drafts stipulated that data localization within the EU was mandatory for this level, and that the provider had to have its headquarters and global center in an EU member state to ensure protection against non-European laws (such as the CLOUD Act). However, these requirements were apparently removed or weakened in later drafts (as of 2024). This drew sharp criticism from European cloud providers (especially SMEs), industry associations, and data protection advocates, who fear that it weakens Europe's digital sovereignty, cements dependence on non-European hyperscalers, and exposes the data of European citizens and businesses to increased risk. The debate on the final design of these requirements continues.

BSI C5: German standard for cloud security

The Cloud Computing Compliance Criteria Catalogue (C5) of the German Federal Office for Information Security (BSI) is an established catalog of criteria that defines specific minimum requirements for the information security of cloud services.

• Purpose and content: C5 is designed to guide cloud customers in selecting secure providers and to establish a foundation for their risk management. It is based on internationally recognized standards such as ISO/IEC 27001, but supplements these with cloud-specific requirements and places particular emphasis on transparency through so-called environmental parameters. These parameters provide information on aspects such as data location, jurisdiction, certifications, and disclosure obligations to government agencies, which should help customers better assess risks (e.g., from industrial espionage or data breaches). The catalog comprises 17 subject areas, including information security organization, personnel security, asset management, cryptography, identity and access management, incident management, and physical security.
• Audit Certificate (Type 1 & Type 2): Compliance with the C5 criteria is demonstrated by an audit certificate issued by an independent, qualified auditor. There are two types of audit certificates: Type 1 certifies the adequacy of the design and implementation of the security controls as of a specific date. Type 2 additionally confirms the operational effectiveness of these controls over a defined audit period (usually 6 to 12 months). The Type 2 audit certificate is considered more comprehensive and will be required for follow-up audits and in the healthcare sector from July 2025.
• Relevance: C5 has become a de facto standard for secure cloud computing in Germany, particularly for public administration and highly regulated sectors such as healthcare and finance. As previously mentioned, C5 certification will become legally mandatory for cloud services in healthcare through the Digital Infrastructure Act (DigiG) starting in July 2024/2025. Many German and European, as well as international, cloud providers (for their EU regions) have C5 certifications for their services.

Other relevant standards

In addition to the aforementioned initiatives and certifications, established international standards also play an important role:

• ISO/IEC 27001: The globally recognized standard for Information Security Management Systems (ISMS). It defines a systematic approach to managing sensitive business information to ensure its confidentiality, integrity, and availability. ISO 27001 certification is often a prerequisite for cloud providers and serves as a foundation for more specific standards such as C5.
• ISO/IEC 27017: This standard provides a code of practice with specific control measures for information security in cloud environments, supplementing ISO/IEC 27002.
• ISO/IEC 27018: Focuses on the protection of personally identifiable information (PII) in public clouds acting as data processors. It contains guidelines closely aligned with European data protection principles and can serve as a supplement to C5, which does not primarily cover data protection.

These various initiatives and standards should not necessarily be seen as competitors, but rather as complementary. Gaia-X provides the vision and rules for a sovereign ecosystem, EUCS aims to harmonize certification across the EU, and national standards such as BSI C5 already offer concrete, established requirements and testing mechanisms. The challenge will be to meaningfully integrate these approaches and create a coherent framework that meets Europe's sovereignty aspirations while also being practical for providers and users. However, the current debate surrounding the sovereignty requirements in EUCS demonstrates that further political and technical work is still required.

It is important for companies to understand that certifications such as BSI C5 or ISO 27001 are valuable anchors of trust, creating transparency and facilitating the demonstration of security efforts. However, they are not panaceas and do not replace the customer's own risk assessment and due diligence. For example, a C5 certification for a US provider does not change its subjection to the CLOUD Act. Shared responsibility for the security of cloud usage remains between provider and customer, and companies must always verify whether the provider's measures are sufficient for their specific requirements and risks.

Suitable for:

• Data Management Systems in Transition: Strategies for Business Success in the Age of AI

Strategic advantages of switching to EU SaaS providers

The analysis of the risks associated with using US-based cloud services and the examination of the growing market for sovereign European SaaS alternatives allow for a clear conclusion: For European companies, addressing their cloud strategy from the perspective of digital sovereignty is not only advisable, but increasingly a strategic necessity.

Summary of results

The key findings of this report can be summarized as follows:

• Persistent risks with US providers: Using SaaS services from companies subject to US jurisdiction poses significant and ongoing risks for European companies. The fundamental conflict between the EU GDPR and US laws such as the CLOUD Act and FISA 702 leads to potential data breaches, high fines, loss of data control, and the risk of industrial espionage. Even the current EU-US Data Privacy Framework (DPF) does not resolve this fundamental conflict, and its long-term stability is uncertain (see Section II).
• Sovereignty as a multidimensional concept: “Sovereign SaaS” in the European context means more than just storing data in EU data centers. It includes compliance with European law (especially GDPR), protection against non-European access, operation by EU entities and personnel, and ideally, technological openness and interoperability to avoid dependencies (see Section III).
• Growing market for EU alternatives: A diverse and growing market of SaaS providers exists, headquartered and operating in the EU/EEA/CH. These providers offer solutions in numerous categories, often with a strong focus on data protection, security, and local needs. Many strategically rely on open source to maximize transparency and control (see Sections IV and V).
• Regulatory pressure in sensitive sectors: In areas such as public administration, healthcare and the financial sector, the use of demonstrably secure and sovereign cloud solutions (often with BSI C5 certification or comparable evidence) is increasingly becoming mandatory through legislation (e.g. DigiG, DORA, NIS2) and strategic requirements (e.g. DVS) (see Section VI).
• Framework conditions through initiatives and standards: European initiatives such as Gaia-X and certifications such as the planned EUCS, as well as established national standards such as BSI C5, create important framework conditions, promote interoperability and are intended to strengthen trust in sovereign cloud offerings (see section VII).

Strategic advantages of EU SaaS alternatives

Switching to or primarily choosing European SaaS providers that meet sovereignty criteria offers companies strategic advantages beyond mere risk minimization:

• Improved compliance and legal certainty: Using providers that are exclusively subject to EU law and guarantee that data is processed within the EU significantly reduces the risk of GDPR violations and conflicts with non-European laws. This creates a more stable and predictable legal basis for data processing.
• Increased data control and security: European providers with a focus on sovereignty often offer a higher level of control over your own data. This can be achieved through self-hosting options, consistent end-to-end encryption (zero-knowledge), transparent operating processes, and the exclusion of access by third-country authorities.
• Strengthened digital sovereignty: Choosing European providers reduces strategic dependencies on non-European technology companies. It supports the development of a resilient digital ecosystem in Europe and strengthens the local digital economy.
• Local Support & Cultural Proximity: European providers can often offer more accessible and understandable customer service in the local language and time zone. They frequently have a deeper understanding of the specific requirements and customs of the European market, which can facilitate cooperation and contract negotiations.
• Building trust: The use of demonstrably data protection-compliant and sovereign solutions signals a strong commitment to data protection and security to customers, partners, and employees. This can become a significant advantage in terms of trust and competitiveness.

Recommendations for European companies

To leverage the benefits of sovereign SaaS solutions and manage the risks of cloud adoption, European companies should consider the following steps:

• Conduct an individual risk analysis: Critically evaluate the SaaS services you are currently using (especially US-based ones). Analyze the type of data processed (sensitivity, personal data), the applicable regulatory requirements (GDPR, industry-specific regulations), and the potential impact of unauthorized data access or service outages on your business.
• Define sovereignty requirements: Determine the level of data sovereignty, operational control, and technological independence that is necessary and desirable for your organization. Not every application requires the same level of sovereignty. Prioritize based on risk and strategic importance.
• Systematically evaluate the market for EU alternatives: Use market overviews (such as the one in this report) and your own research to identify potential European SaaS providers that meet your functional and sovereignty-related requirements. Consider provider size, specialization, references, and future viability.
• Thorough due diligence is essential when selecting a provider: Don't rely on marketing claims. Critically examine the provider's information regarding data locations (including backups and metadata), operating personnel, company structure (ownership, registered office), subcontractors used, encryption technologies (especially end-to-end/zero-knowledge encryption), and security measures. Request data processing agreements (DPAs), technical and organizational measures (TOMs), and relevant certificates or attestations (e.g., ISO 27001, BSI C5) and review them carefully.
• Develop a migration strategy and exit plan: Carefully plan any potential migration. Consider costs, the technical effort required for data migration, necessary interface adjustments, and change management for your employees. Ensure interoperability and define a clear exit strategy to facilitate a future provider switch or data reversibility.
• Consider Open Source as an option: Evaluate whether open-source-based SaaS solutions, either as a managed service from an EU provider or self-hosted, represent a suitable alternative to achieve maximum transparency, adaptability and control.
• Monitor the regulatory landscape: Stay informed about developments in transatlantic data traffic (DPF verification), European certification standards (EUCS), and relevant laws (NIS2, DORA, industry-specific regulations), as these can significantly influence your cloud strategy.

The decision for or against the use of specific cloud services, particularly regarding US providers versus European alternatives, is far more than a technical or purely compliance-related question. It is a strategic decision with long-term implications for legal certainty, data security, control over critical business processes, and ultimately, the resilience and competitiveness of the company in the global digital arena. The analyzed risks of dependence on non-European providers are substantial and are exacerbated rather than mitigated by the current geopolitical and legal situation.

At the same time, switching to European alternatives is not a given. Companies must carefully weigh whether the advantages in terms of compliance and control outweigh the potential disadvantages regarding functionality, speed of innovation, or migration effort. A thorough analysis of their own needs, a realistic assessment of the available alternatives, and careful transition planning are crucial for success. However, the European market increasingly offers viable and trustworthy options that allow companies to leverage the benefits of the cloud without compromising their digital sovereignty.

☑️ SME support in strategy, consulting, planning and implementation

☑️ Creation or realignment of the AI ​​strategy

☑️ Pioneer Business Development

Konrad Wolfenstein

I would be happy to serve as your personal advisor.

You can contact me by filling out the contact form below or simply call me on +49 7348 4088 965 (Munich) .

I'm looking forward to our joint project.

Xpert.Digital is a hub for industry with a focus on digitalization, mechanical engineering, logistics/intralogistics and photovoltaics.

With our 360° business development solution, we support well-known companies from new business to after sales.

Market intelligence, smarketing, marketing automation, content development, PR, mail campaigns, personalized social media and lead nurturing are part of our digital tools.

You can find out more at: www.xpert.digital - www.xpert.solar - www.xpert.plus