
aaPanel vs Panelica: China-Origin Code and the EU Hosting Decision

May 24, 2026


The question EU hosting operators are actually asking in 2026

If you run a hosting business in Europe — or manage infrastructure for clients subject to GDPR — you are not simply shopping for a panel with good benchmarks and a reasonable price. You are asking a different set of questions: Where was this software built? What does it call home? Can I demonstrate to an auditor that the tools processing my customers' data meet the accountability standard in Article 5(2)?

aaPanel has grown to a 3.6 million-install base globally. It is free, capable, and ships with a large one-click app library. For operators in Southeast Asia, Latin America, and general-purpose hosting contexts, it is a reasonable choice. But for EU operators specifically, its origin story introduces due-diligence questions that do not exist with other panels. This article addresses those questions objectively — with verified facts and zero speculation about vendor intent.

If you are also evaluating the broader market, our panel comparison overview and the cPanel alternatives roundup cover the full landscape. This post focuses specifically on the aaPanel-Panelica axis and why it matters for compliance-aware operators.

Where aaPanel comes from: btpanel, BT.cn, and the international fork

aaPanel is the international English-language distribution of BT panel — the Chinese-branded hosting panel known domestically as Baota. The parent product is operated by the Guangdong BT Cloud Computing Co. Ltd. and maintains its primary install base, documentation, and community forum at bt.cn. aaPanel was created as an English-language rebranding targeting non-Chinese markets, hosted at aapanel.com.

This is not a secret. The vendor makes no effort to conceal the relationship. The Chinese documentation is far more extensive than the English equivalent, and the majority of community troubleshooting content is written in Mandarin. The core codebase is shared between the two distributions.

What this means practically: the software you install on a Frankfurt or Dublin server originates from a Chinese company, was primarily designed for a Chinese regulatory environment, and is maintained by a team whose compliance obligations are governed by PRC law rather than EU law.

That is a factual observation. It is also the starting point for the compliance analysis that follows.

What "EU-built" actually means for a hosting panel

A panel is not just software sitting idle on your server. It reads filesystem paths. It stores database credentials. It handles SSL private keys. For panels with telemetry or update-check features, it initiates outbound connections. For panels with billing integrations, it may touch customer contact data.

The question is not whether the panel has a vulnerability — that framing is inflammatory and unverifiable. The question EU operators should ask is: can I document the complete data flow of this software to satisfy an Article 28 audit? That is a documentation problem as much as a technical one.

The following diagram shows the relevant distinction:

[Diagram: outbound data flow in two scenarios.
aaPanel scenario: EU customer server (Frankfurt) -> telemetry / update checks -> telemetry endpoint, destination unclear (CN ?), undocumented.
Panelica scenario: EU customer server (Frankfurt), self-contained; all data stays on your server, no outbound.]

EU customer site data stays within the self-hosted boundary. No third-party telemetry endpoint is called. aaPanel: the outbound destination for update checks and telemetry is not independently documented in English.

The diagram above is not an accusation. It maps what is and is not documented. For a GDPR Article 28 compliance assessment, "destination unclear" is itself a gap — regardless of what the actual behavior is.

How the two panels are built differently

Beyond the origin question, the two panels have genuinely different technical architectures. Understanding that difference helps operators make an informed evaluation.

aaPanel (Free + Pro tiers)
  • Origin: China (BT panel / BT.cn)
  • Backend language: Python
  • Isolation: PHP-FPM pools + Unix permissions
  • No cgroups v2 or Linux namespaces
  • Multi-user / Docker: Pro-only
  • Code partially obfuscated
  • Telemetry: limited English documentation
  • Multiple RCE CVEs disclosed 2023-2024

Panelica (Free Starter + Pro tiers)
  • Origin: EU / Turkiye, GDPR-aligned design
  • Backend language: Go 1.24
  • 5-layer kernel isolation (default, all tiers)
  • cgroups v2 + namespaces + SSH chroot
  • Multi-user / Docker: all tiers
  • Code reviewable (Go source, not obfuscated)
  • No outbound telemetry; all data on your server
  • Zero public CVEs 2024-2025

The Go versus Python distinction is worth noting from an operational standpoint. Go compiles to a single static binary with a low memory footprint. Python panels typically run as interpreted services with more runtime surface area and external library dependencies. This matters for security patching cadence and attack surface management.

The GDPR Article 5(2) and Article 28 documentation problem

Two GDPR articles are directly relevant when an EU operator chooses hosting panel software:

Article 5(2) — Accountability principle. The data controller (your hosting business) must be able to demonstrate compliance with data protection principles. This is not passive compliance — it requires active documentation of how personal data is processed and by what tools.

Article 28 — Processor obligations. When a third-party tool processes personal data on behalf of a controller, it becomes a data processor. The relationship must be governed by a data processing agreement with specific contractual safeguards.

A hosting panel is in a structurally ambiguous position. It does not directly process customer personal data in the way a CRM does. But it manages the server infrastructure where that data lives. It can read files, initiate network connections, and execute code. Whether a DPA is strictly required depends on your specific use case and your legal counsel's interpretation.

What is not ambiguous is this: if an auditor asks you to demonstrate that the panel software running on your EU servers has no undocumented outbound data flows, you need to be able to answer that question. For Panelica, that answer is straightforward — the software is self-contained, makes no third-party calls during normal operation, and the source code is available for review. For aaPanel, the answer requires deeper investigation. The English-language documentation on telemetry behavior is limited, and the code obfuscation makes independent auditing harder.

This is not a characterization of aaPanel's intent. It is a documentation gap. And for compliance-due-diligence purposes, a documentation gap is itself a finding.
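
One way to turn "where does this panel connect" into audit evidence, as an added example that is not code from either vendor: it reads a `/proc/net/tcp` snapshot and reports established client-side connections whose destination is not on your documented list. The sample snapshot is constructed, and `192.0.2.0/24` is a placeholder for whatever destinations your vendor actually documents.

```python
import ipaddress
import socket
import struct

# Constructed sample in /proc/net/tcp layout; all addresses are documentation ranges.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0A00000A:01BB 0A7100CB:C350 01 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0A00000A:D431 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000     0        0 1003
   3: 0A00000A:D432 076433C6:01BB 01 00000000:00000000 00:00000000 00000000     0        0 1004
"""

def decode(endpoint):
    """'0A0200C0:01BB' -> ('192.0.2.10', 443). The kernel prints the IPv4
    address in host byte order, so this assumes a little-endian host."""
    addr_hex, port_hex = endpoint.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16))), int(port_hex, 16)

def undocumented_outbound(proc_net_tcp, documented_cidrs):
    """Return established client-side connections to undocumented remotes."""
    rows = [line.split() for line in proc_net_tcp.splitlines()[1:] if line.strip()]
    listening = {decode(r[1])[1] for r in rows if r[3] == "0A"}  # 0A = LISTEN
    allowed = [ipaddress.ip_network(c) for c in documented_cidrs]
    findings = []
    for r in rows:
        (_, local_port), (remote_ip, remote_port) = decode(r[1]), decode(r[2])
        if r[3] != "01" or local_port in listening:  # 01 = ESTABLISHED
            continue  # not established, or a client connected to one of our services
        addr = ipaddress.ip_address(remote_ip)
        if addr.is_loopback or any(addr in net for net in allowed):
            continue
        findings.append({"remote": f"{remote_ip}:{remote_port}", "uid": int(r[7])})
    return findings

if __name__ == "__main__":
    # 192.0.2.0/24 stands in for the destinations your vendor documents.
    for finding in undocumented_outbound(SAMPLE_PROC_NET_TCP, ["192.0.2.0/24"]):
        print("undocumented outbound flow:", finding)
```

On a live server, pass the contents of `/proc/net/tcp` instead of the sample; matching the socket inode in the last column against the `socket:[inode]` links under `/proc/<pid>/fd` attributes each flow to a specific process.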

What is free in aaPanel versus what is free in Panelica

One of aaPanel's strongest selling points is its free tier. Before accepting that framing at face value, it is worth understanding what the free tier actually includes — because for most hosting operators, the free version of aaPanel is functionally incomplete.

| Feature | aaPanel Free | aaPanel Pro | Panelica Pro |
|---|---|---|---|
| Multi-user / multi-tenant | No | Yes | Yes (full) |
| Docker management | No | Yes | Yes (160+ templates) |
| Traffic analytics | No | Yes | Yes |
| Resource monitoring | No | Yes | Yes (Prometheus + Grafana) |
| File protection | No | Yes | Yes |
| 5-layer kernel isolation | No | No (FPM only) | Yes (default, all tiers) |
| AI co-pilot | N/A | N/A | Yes (OpsAI, all tiers) |
| Native mobile apps | N/A | N/A | Yes (iOS + Android) |
| Migration pipeline (cross-panel) | Limited | Limited | 7-step (aaPanel as source) |

aaPanel Pro is priced at $15 per month per the vendor's pricing page as of May 2026, with promotional lifetime options available. That pricing is reasonable in isolation. But the baseline assumption — aaPanel is free, so it wins on cost — does not hold for operators who need multi-tenant functionality, Docker, or meaningful monitoring. Those operators are paying $15/month for a panel that starts from a compliance-uncertain origin. Panelica Pro, by comparison, is $9.99/month and includes all of those features without paywalls.

The Pro paywall: why aaPanel's free tier may not be free enough for hosting

Let us be concrete about what aaPanel's Free tier cannot do:

You cannot create separate user accounts for separate clients. You cannot deploy Docker containers through the panel. You cannot see resource usage per domain. You cannot set per-user file access restrictions. These are not edge cases — they are table-stakes features for anyone running more than one client on a server.

The result is that aaPanel Free is functionally a single-operator development panel. The moment you add a second client, you are either running Pro, or you are running without any meaningful access control. That is not a free product — it is a loss leader for the Pro subscription.

Panelica takes a different position. Multi-tenant management, Docker, monitoring, and isolation are included in every paid tier from day one. The free Starter tier limits domain count to one domain, not feature depth. This distinction matters for small hosting resellers who need real isolation before they have fifty clients.

Why kernel isolation matters for multi-tenant hosting

The gap between "PHP-FPM isolation" and "5-layer kernel isolation" is not marketing language. It maps to specific, auditable kernel-level protections.

[Diagram: isolation layers per panel.
Panelica (5-layer isolation stack): user process (web request); PHP-FPM pool (per-user, per-version); Unix permissions (UID/GID isolation); SSH chroot jail (per-user filesystem); Linux namespaces (PID + mount isolation); cgroups v2 (CPU / memory / IO / PID limits).
aaPanel (2 layers only): PHP-FPM pool; Unix permissions; SSH chroot: N/A; namespaces: N/A; cgroups v2: N/A.]

Panelica enforces five layers of isolation by default. aaPanel relies on two — the same minimum any standard LAMP server provides out of the box. cgroups v2 prevents one tenant from starving another of CPU, memory, or disk I/O.

In practical terms, the cgroups and namespace layers prevent one tenant's process from escaping into another tenant's filesystem or consuming the full server's CPU in a burst. PHP-FPM pools and Unix permissions provide a good baseline, but they do not prevent a compromised process from attempting to exhaust system resources or read files it should not access via symlink attacks and timing-based side channels.

For a single-tenant VPS, these extra layers are less critical — you are the only user. But for any multi-tenant shared hosting scenario, the additional kernel-level controls are the difference between an incident that affects one account and one that cascades across the server.
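
The cgroup and namespace layers described above can be checked per process rather than taken from a feature list. The following added example (not code from either panel) audits one tenant process for cgroup v2 limits and for PID and mount namespaces separate from the host; the cgroup paths and sample values are constructed.

```python
import os

LIMIT_FILES = ("memory.max", "pids.max", "cpu.max")  # cgroup v2 interface files

def cgroup_v2_path(proc_cgroup_text):
    """Return the unified-hierarchy path from /proc/<pid>/cgroup ('0::/path')."""
    for line in proc_cgroup_text.splitlines():
        hierarchy, controllers, path = line.split(":", 2)
        if hierarchy == "0" and controllers == "":
            return path
    return None

def audit_isolation(proc_cgroup_text, limits, tenant_ns, host_ns):
    """List isolation gaps for one tenant process; an empty list means none found."""
    findings = []
    if cgroup_v2_path(proc_cgroup_text) in (None, "/"):
        findings.append("not in a dedicated cgroup v2 group")
    for name in LIMIT_FILES:
        # 'max' (or 'max 100000' for cpu.max) means no limit is set
        if (limits.get(name) or "max").split()[0] == "max":
            findings.append(f"{name} is unlimited")
    for ns in ("pid", "mnt"):
        if tenant_ns.get(ns) == host_ns.get(ns):
            findings.append(f"{ns} namespace shared with host")
    return findings

def collect(pid):
    """Gather live inputs for audit_isolation (Linux, cgroup2 at /sys/fs/cgroup)."""
    with open(f"/proc/{pid}/cgroup") as fh:
        text = fh.read()
    base = "/sys/fs/cgroup" + (cgroup_v2_path(text) or "/")
    limits = {}
    for name in LIMIT_FILES:
        try:
            with open(os.path.join(base, name)) as fh:
                limits[name] = fh.read().strip()
        except OSError:
            limits[name] = "max"  # file absent, e.g. in the root cgroup
    ns = {n: os.readlink(f"/proc/{pid}/ns/{n}") for n in ("pid", "mnt")}
    host = {n: os.readlink(f"/proc/1/ns/{n}") for n in ("pid", "mnt")}
    return text, limits, ns, host

# Constructed samples: a fully isolated tenant vs. a PHP-FPM pool worker only.
HOST_NS = {"pid": "pid:[4026531836]", "mnt": "mnt:[4026531841]"}
ISOLATED = ("0::/tenants/alice\n", {"memory.max": "536870912", "pids.max": "256",
            "cpu.max": "50000 100000"}, {"pid": "pid:[4026532501]", "mnt": "mnt:[4026532499]"}, HOST_NS)
FPM_ONLY = ("0::/system.slice/php-fpm.service\n", {"memory.max": "max", "pids.max": "max",
            "cpu.max": "max 100000"}, dict(HOST_NS), HOST_NS)
```

Run `audit_isolation(*collect(pid))` as root against a tenant's PHP-FPM worker PID; reading `/proc/1/ns` requires root.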

See our free panel comparison for a broader analysis of how aaPanel, HestiaCP, and CyberPanel handle multi-tenant security relative to one another.

The 2023-2024 aaPanel CVE history and what it implies architecturally

aaPanel had multiple Remote Code Execution vulnerabilities disclosed publicly between 2023 and 2024. This is not a unique situation — most mature panels have CVEs in their history. cPanel has an extensive CVE record. The question is not whether vulnerabilities exist, but what the pattern of vulnerability classes reveals about underlying architecture.

The aaPanel RCEs from that period fell predominantly into categories consistent with insufficient input validation, path traversal, and privilege escalation through web-exposed administrative functions. These classes of vulnerability are more common in panels that rely heavily on web-based process execution and Python string interpolation for OS commands — a pattern that Python panels have historically been more susceptible to than compiled-language alternatives.

Panelica has zero public CVEs in the 2024-2025 window. This is partly a function of being newer and less heavily targeted. It is also a function of the Go runtime providing stronger memory safety guarantees and the panel's architecture minimizing the web-to-OS command execution surface. The cPanel 2026 security analysis and our free panel security comparison cover this architectural pattern in more depth.

The lesson is straightforward: panels built before modern kernel isolation primitives were mature tend to rely more heavily on application-layer controls. Application-layer controls are bypassed by RCE. Kernel-level controls are not.
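
The vulnerability class named above, string interpolation into OS commands, shown beside its hardened form. This is an added, hypothetical example and not code from aaPanel or Panelica; the function names and the `site=` command are invented for illustration, and the input is constructed.

```python
import re
import subprocess

# Conservative hostname pattern: lowercase labels and dots, no shell metacharacters.
DOMAIN_RE = re.compile(r"(?=.{1,253}\Z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def run_interpolated(domain):
    """Vulnerable pattern: the value is pasted into a string that /bin/sh parses."""
    cmd = f"echo site={domain}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.splitlines()

def run_argv(domain):
    """Safer pattern: an argument vector; no shell ever interprets the value."""
    argv = ["echo", f"site={domain}"]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout.splitlines()

def checked_domain(domain):
    """Allowlist validation at the web boundary, applied before any OS call."""
    if not DOMAIN_RE.fullmatch(domain):
        raise ValueError(f"rejected domain: {domain!r}")
    return domain

# Constructed input: a form field carrying a shell command separator.
HOSTILE = "example.com; echo INJECTED"

if __name__ == "__main__":
    print(run_interpolated(HOSTILE))  # the shell splits it into two commands
    print(run_argv(HOSTILE))          # one literal argument, nothing extra runs
    try:
        checked_domain(HOSTILE)
    except ValueError as exc:
        print(exc)
```

The argument vector removes the shell from the path and the allowlist rejects the value before it reaches any command; a reviewer auditing a panel codebase can search for `shell=True` and `os.system` calls fed by request parameters.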

Migration: how to move from aaPanel to Panelica today

If you have an existing aaPanel setup and are evaluating a move, the practical barrier is lower than most operators expect. Panelica's migration pipeline includes aaPanel as a recognized source panel. The 7-step process handles user account creation, domain provisioning, file transfer via rsync, database import with MySQL password hash preservation, email account migration, SSL re-issuance, and post-migration verification. You do not need to manually reconstruct sites.

The detailed walkthrough for comparable migrations is covered in our cPanel migration guide — the pipeline steps are analogous for aaPanel sources. The key practical consideration is ensuring the source server remains accessible over SSH during the transfer window, typically 20-60 minutes depending on database and file volume.

When aaPanel still fits and when it does not

A fair comparison acknowledges where aaPanel genuinely works well:

aaPanel fits when: You are running a single-operator development or personal server with no multi-tenant requirements. You are in a region where GDPR compliance is not a legal obligation. You primarily need the 400+ one-click app library for quick deployments. Your team already has Mandarin-language capability to access the more comprehensive Chinese documentation and community.

aaPanel does not fit when: You are an EU hosting provider with GDPR Article 28 documentation obligations. You need multi-tenant isolation for paying clients on the Free tier. You need Docker management without a Pro subscription. You need kernel-level isolation to satisfy security audit requirements. You are a compliance-driven operator who needs to answer "where does this panel connect" with a documented, auditable answer.

The use-case split is not a value judgment. It is geography and scale. aaPanel built its 3.6 million install base in markets where its current architecture is an entirely reasonable fit. The EU compliance question is a structural one that would require architectural changes to resolve — not a configuration setting.

Choosing a cPanel alternative when EU compliance is non-negotiable

For EU operators who have been evaluating cPanel alternatives for pricing reasons — cPanel's per-account licensing model has made shared hosting economics increasingly difficult since 2019 — aaPanel often appears on shortlists because of its zero-dollar entry point. But the total cost of ownership analysis changes when you factor in the Pro tier requirement for production hosting scenarios, and the compliance analysis changes entirely when GDPR accountability is a hard requirement.

Panelica is a cPanel alternative designed specifically for the operator who needs the full feature set — multi-tenant isolation, Docker, monitoring, native SSL — without the per-account pricing model and without the compliance uncertainty that comes with a panel originating outside the EU regulatory jurisdiction. It is not the only cPanel alternative worth considering; our cPanel vs Panelica comparison and the full panel comparison matrix cover the broader field. But for EU operators who have disqualified aaPanel on compliance grounds, the evaluation path is clear.

The 14-day free trial requires no credit card and covers the full feature set. If you are currently running aaPanel and want to test migration before committing, that is the lowest-friction evaluation path available.

Verification note: aaPanel pricing and Pro feature gating verified 2026-05-24 from aapanel.com/new/pricing.html and aapanel.com/new/pro.html. Origin context (btpanel / BT.cn relationship) is publicly documented. CVE history references are based on publicly disclosed reports through May 2026. This article is a compliance and architectural comparison — vendor business practices are not characterized.