Pick a provider whose company — not just its servers — sits under EU jurisdiction, ideally zero-knowledge and open-source. Export your files, verify the copy, then bulk-move via CLI or WebDAV. You trade some integration convenience for real jurisdiction and no lock-in.
That's the answer. Everything below is me — a founder who builds one of these things — telling you the parts the marketing pages leave out, including the bits where the good EU option isn't us.
Why people are actually walking away in 2026
Three things shifted at the same moment, and they stacked on top of each other.
First, the law. The US CLOUD Act has been in force since 2018. It lets US authorities compel any US-incorporated company to produce data it controls — anywhere on earth, even where local law says no. Putting a datacentre in Frankfurt does not solve this. Jurisdiction follows the company, not the concrete. An AWS eu-central-1 region operated by a US company is not, on its own, out of reach of a US court. And if you want this from someone with no incentive to spin it: in June 2025, Microsoft's France legal chief told the French Senate he could not guarantee French data would never be handed to US authorities. That is the honest definition of "sovereign," straight from the people selling it.
Second, the old escape hatch is closing. Schrems II killed Privacy Shield. The EU-US Data Privacy Framework that replaced it in 2023 is already back in court — the General Court dismissed the Latombe challenge on 3 September 2025, an appeal followed on 31 October 2025, and a Schrems III is being assembled. Most data-protection lawyers I talk to expect the framework to fall in two to four years. If your compliance story leans on it, you're renting time and the rent is due soon.
Third, momentum. France is moving large parts of its public sector off Microsoft — the national Gendarmerie and the city of Lyon among them. All 27 EU states signed a digital-sovereignty declaration in November 2025. The Commission presented its Tech Sovereignty Package on 27 May 2026. Gartner pegs worldwide sovereign-cloud spend at roughly $80 billion in 2026 — up about 36% year on year — with Europe growing fastest at roughly 83%. And then there's the quieter reason nobody puts on a slide: people don't want their documents and photos becoming training fuel for somebody's model. "Buy European" stopped being a bumper sticker and turned into a procurement line item.
The trap nobody warns you about: sovereignty washing
Here's where I'll plant a flag. In 2026 the bigger risk isn't picking the wrong honest provider. It's picking a dishonest "sovereign" one.
The hyperscalers can read a balance sheet. They know where the money is flowing, so they've shipped things that sound sovereign. AWS European Sovereign Cloud went live on 15 January 2026 in Brandenburg — German parent entity, EU-resident-only operations, roughly a 15% price premium, about 90 services against 240-plus in the normal regions, three availability zones at launch. Microsoft followed in February 2026 with M365 Local and Foundry Local, an EU Data Boundary and a European board. These are real engineering. Some of them genuinely cut your exposure.
But the category has a name now, and it's not a kind one: sovereignty washing. When the Commission blessed S3NS — a joint venture built on Google technology — as "sovereign," CISPE secretary general Francisco Mingorance called it "an own goal that institutionalises sovereignty washing." The Register, Network World and others tracked the fight through spring 2026. Who wins that particular row almost doesn't matter, because the underlying fact doesn't move: no law has repealed the CLOUD Act. A US provider with EU servers, an EU JV, or EU staff is still, when it counts, compellable.
So forget the marketing copy. The test is one question: if a US court issued an order tomorrow, could anyone be forced to comply? If the parent company answers to US law, the answer is yes — premium pricing or not. And to be clear, the enemy here is the category lie, the one the EU itself is now fighting. It is not Proton. It is not Tresorit. It is not the honest EU players. Those are the good guys.
What you actually give up
I'm not going to pretend this is free. Leaving costs you things, and you should know what.
You lose deep integration. Google Docs co-editing in the same tab as your files. iMessage and Photos continuity if your whole life lives inside Apple. The Office buttons wired straight into OneDrive. Some of that has solid equivalents elsewhere. Some of it you'll genuinely miss for a few weeks.
You lose the cheapest small tiers. iCloud at €0.99/month for 50 GB is tough to beat if your files aren't sensitive and you just want a camera-roll backup. Honest privacy-first storage rarely wins at the very bottom of the price ladder. The economics are simply different down there.
And — speaking only for us — you may be early. Beebeeb's web app is live and the CLI works today. Our mobile and desktop apps are still coming soon, and one-click cloud import is coming soon too. If a polished phone app on day one is non-negotiable, a more mature option fits you better right now. I'd rather say that here than have you discover it after you've signed up.
What you get back
Jurisdiction that actually means something. If the operating company sits under EU law — say a Dutch company storing in Falkenstein, Germany — there's no CLOUD Act lever for anyone to pull. The protection is structural, not a promise: with no US-incorporated entity anywhere in the chain, there's no company a US court can compel — you don't have to trust a provider to resist a subpoena, because the subpoena has nowhere to land.
Zero-knowledge, if you pick a provider that offers it. Your files get encrypted on your device before they ever leave it. The provider holds ciphertext it cannot read. No key escrow. No scanning. No "trust us." And with open-source clients you can verify the claim instead of believing a brand page — which is the entire bet behind how our encryption works: verify, don't trust. For the record, our independent audit is planned, not finished. I won't call us "audited" until it actually is.
And this last one is new and badly underrated: no lock-in, now written into law. The EU Data Act became fully applicable on 12 September 2025. From 12 January 2027, egress and switching fees are banned outright, and you get a mandatory cloud-switching right, a two-month termination window, and a portability obligation. NIS2 — its national-transposition deadline was 17 October 2024, with enforcement now ramping across the bloc — pushes cryptographic agility and post-quantum readiness. DORA (in force since January 2025) forces exit procedures for regulated firms. For the first time, the regulatory wind is at the back of anyone trying to leave instead of in their face.
How to actually move
Here's the sequence I'd follow myself.
1. Export before you cancel anything
Pull a full copy first. Google Takeout for Drive. Dropbox's account export. iCloud's "Download a copy of your data." OneDrive's bulk download. Get the data onto a disk you control before you so much as look at the subscription button. Never delete the source until the new copy is verified.
2. Verify the copy
This is the step everyone skips and everyone later regrets. Do not trust a green checkmark. Check that file counts and total size match. Open a handful of large files and confirm they actually open. If you're comfortable in a terminal, hash a sample on both sides and compare. A migration that quietly drops 200 files is worse than no migration, because you won't notice until you need one of them.
3. Bulk-move with a real tool
Dragging 400 GB through a browser tab is misery and you will resent it by gigabyte 30. Use a proper transfer path instead. A command-line tool — for us that's bb push, bb pull, bb sync — moves whole directories and scripts your backups without a browser anywhere in sight. A WebDAV mount makes the new cloud appear as an ordinary drive, so rsync, Finder or any file manager copies straight into it. For a one-off bulk load, both beat the web UI every single time.
4. Run both in parallel, then cut over
Keep the old account read-only for a month while the new one becomes muscle memory. Then export once more, verify once more, and only then hit delete. Cancelling is the last step, never the first.
A concrete one. A small accountancy practice I spoke to had about 600 GB of client files on OneDrive and a GDPR problem they weren't thrilled about — US processor, US jurisdiction. They Takeout-exported, let the count verification run overnight, rsync-ed into a WebDAV-mounted EU drive in a single afternoon, ran both systems side by side for three weeks, then cut over. No browser-upload marathon. No lost files. The hard part was making the decision. The move itself was a quiet Tuesday.
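The verification in step 2, as an added example (not Beebeeb's tooling and not code from this post): it compares the export directory with the migrated copy, for instance a WebDAV mount, by file count, total bytes and SHA-256. The function names and report keys are assumptions made for this example.

```python
import hashlib
import os
import random
import sys


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(root):
    """Map each relative file path under root to its size in bytes."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            sizes[os.path.relpath(full, root)] = os.path.getsize(full)
    return sizes


def verify_copy(src, dst, sample=None, seed=0):
    """Compare export (src) with migrated copy (dst); sample=N hashes N files."""
    a, b = inventory(src), inventory(dst)
    common = sorted(a.keys() & b.keys())
    report = {
        "src_files": len(a), "dst_files": len(b),
        "src_bytes": sum(a.values()), "dst_bytes": sum(b.values()),
        "missing": sorted(a.keys() - b.keys()),   # in the export, not in the copy
        "extra": sorted(b.keys() - a.keys()),     # in the copy, not in the export
        "size_mismatch": [p for p in common if a[p] != b[p]],
    }
    candidates = [p for p in common if a[p] == b[p]]
    if sample is not None and sample < len(candidates):
        candidates = random.Random(seed).sample(candidates, sample)
    report["hash_mismatch"] = sorted(
        p for p in candidates
        if sha256_file(os.path.join(src, p)) != sha256_file(os.path.join(dst, p)))
    report["ok"] = not (report["missing"] or report["size_mismatch"]
                        or report["hash_mismatch"])
    return report


if __name__ == "__main__":
    print(verify_copy(sys.argv[1], sys.argv[2]))
```

Pass `sample=N` to hash a reproducible random subset when hashing every file over a network mount would take too long; counts, sizes and missing files are always checked in full.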
The realistic EU and encrypted options, compared
I'll be straight about the whole field, including where rivals beat us. Our side of it lives on the pricing page.
Proton Drive is genuinely good, full stop. End-to-end encrypted and zero-knowledge by default, open-source apps, encryption independently audited with published findings, a real 5 GB free tier carrying that same encryption. If you want a published audit today plus a mature phone app — or one bill that also covers VPN, Mail and Pass — Proton is a strong pick. The honest caveat is jurisdiction: it's Swiss, and it's publicly relocating infrastructure out of Switzerland in 2026 over a new surveillance law, so "Swiss privacy" isn't the clean line it used to be. More in our Beebeeb vs Proton Drive breakdown and the Proton alternative page.
Tresorit is the enterprise pick. Genuine zero-knowledge across files and metadata, EU regions you can select, deep HIPAA / ISO 27001 / TISAX compliance, polished desktop sync, a track record going back to 2011. The free Basic plan is 3 GB across two devices. It's closed source — you trust certificates rather than reading code — and there's no official CLI or WebDAV. If you run a regulated team that needs documented compliance right now, Tresorit earns its keep. The full picture is in Beebeeb vs Tresorit.
Beebeeb — that's us. Zero-knowledge by default, AES-256-GCM client-side encryption, with login protected by OPAQUE and an Argon2id key-stretch at 256 MiB. We hold ciphertext we cannot read. Operated by Initlabs B.V. in the Netherlands, stored in Falkenstein, Germany, outside the CLOUD Act. Open-source clients and encryption core; the server is private. Free 5 GB with the same encryption as the paid tiers, Basic at €10.99/month for 1 TB, scaling to 99 TB self-serve with a custom quote beyond. We will never write "unlimited," because that word is a lie and you'll find the ceiling at the worst possible moment. Our edges: jurisdiction, openness, the CLI and WebDAV, and being one focused storage product rather than a tab inside a suite. Our honest gaps: mobile and desktop apps coming soon, import coming soon, audit planned.
The hyperscalers — Google Drive, Dropbox, iCloud, OneDrive — are still the convenience kings, and I won't pretend otherwise. Most aren't zero-knowledge (iCloud's Advanced Data Protection is end-to-end but opt-in, off by default). All ultimately answer to US jurisdiction. All are closed. That's the trade sitting in front of you.
Who should pick what
Live entirely inside Apple, files aren't sensitive, want it invisible? iCloud, and that's a perfectly fine answer. Need a published audit and a mature mobile app this week, plus a VPN/Mail bundle? Proton. Run a regulated team that needs documented HIPAA/ISO compliance today? Tresorit. Want EU/German jurisdiction with no Swiss question mark, open source you can actually verify, a real CLI and WebDAV, room to scale — and you can live with the mobile apps landing soon? That's the gap we built Beebeeb to fill.
Pick the honest one that fits how you actually work. Just don't pick the one that only sounds sovereign.