The phrase "EU-built" used to be a footnote in hosting panel marketing materials. In 2026, it has become a line item in compliance audits, board-level risk reviews, and DPA correspondence. EU hosting companies that spent the past decade evaluating panels on feature count and monthly price are now adding a third column to that spreadsheet: vendor jurisdiction.
This is not a sentiment shift. It is the direct consequence of three overlapping regulatory developments — NIS2, the ongoing Schrems litigation, and the US CLOUD Act — arriving in the same window. This article breaks down each one, explains how they interact with your choice of hosting panel vendor, and provides a practical framework for thinking through the compliance calculus before your next audit rather than during it.
A note on scope: this article frames a compliance question, not a vendor judgment. Every operator's situation is different. The goal is to give you the right questions, not a predetermined answer.
The three regulatory shifts hitting hosting providers in 2026
Three distinct but intersecting regulatory pressures have converged on EU hosting operators in the 2024-2026 window. Understanding each one separately, and then how they interact, is the prerequisite for any meaningful vendor evaluation.
These four dates are not isolated policy events. They form a compounding compliance stack. DORA tightened ICT third-party oversight for financial sector operators. GDPR enforcement reached a sustained plateau of roughly 1.2 billion EUR in annual fines, making enforcement no longer theoretical. Schrems III introduced legal uncertainty over the EU-US Data Privacy Framework. NIS2 brings all of it together under a single supply-chain audit obligation with June 2026 as the hard deadline for in-scope entities.
NIS2 in plain language: what hosting providers actually have to do
The Network and Information Security Directive 2 (NIS2) replaces the original NIS Directive and significantly expands both scope and enforcement teeth. For hosting operators specifically, the most important change is classification: hosting providers, data centers, CDN operators, DNS providers, and managed service providers are explicitly listed as "essential entities" in the digital infrastructure tier.
What that classification means in practice:
- Supply chain security assessment — NIS2 Article 21 requires essential entities to assess and manage security risks in supply chains, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers. Your hosting panel vendor is, under this definition, a supplier. Vendor jurisdiction is an explicit input to that assessment.
- 24-hour incident notification — Significant incidents must be reported to national competent authorities within 24 hours of detection. Incidents that affect the confidentiality, integrity, or availability of your customer data through a vendor's software could trigger this clock.
- Board-level accountability — Management bodies of essential entities are personally liable for compliance failures. This is no longer a question for the IT department alone.
- Fines up to 10M EUR or 2% of global turnover — Whichever is higher. These are the NIS2 maximum penalties, not theoretical ceilings that regulators ignore.
- Member state variance — NIS2 sets minimum requirements. Individual member states have implemented varying national frameworks, which means operators with customers or infrastructure across multiple EU countries may face layered obligations.
The June 2026 audit deadline is the convergence point. If you are running an EU hosting operation and have not yet mapped your vendor supply chain against NIS2 requirements, that mapping is overdue.
The Schrems III question: why 2026 may invalidate DPF
In February 2024, Max Schrems received approval to participate in cases challenging EU-US data transfers on behalf of noyb. Two cases connected to Meta were already working toward CJEU review, and the broader legal pattern has precedent: Schrems I invalidated Safe Harbor in 2015, Schrems II invalidated Privacy Shield in 2020, and the EU-US Data Privacy Framework (DPF) — which replaced Privacy Shield — was adopted in July 2023 on terms that many data protection advocates consider structurally similar to its predecessors.
The risk to hosting operators is specific: if the CJEU invalidates DPF in a Schrems III ruling, any data transfer mechanism that relies solely on DPF becomes legally void. Operators who transferred customer data to US-headquartered vendors under DPF-only terms would face the same emergency situation that followed Schrems II — urgent need to either implement Standard Contractual Clauses (SCCs), complete Transfer Impact Assessments (TIAs), or suspend transfers entirely.
The important word here is "relies solely." The recommended safeguard posture, consistent with EDPB guidance post-Schrems II, is layered: SCCs as the legal mechanism, TIAs as the factual underpinning, and — where operationally feasible — architectural choices that reduce or eliminate third-country data flows entirely.
For hosting companies, the cleanest architectural answer to Schrems III risk is the one that requires no emergency response: choosing software that generates no third-country data flows in the first place. That is not always possible, but for the hosting panel layer specifically — the software through which all customer data passes — it is worth asking the question before the ruling lands.
The US CLOUD Act: extra-territorial reach EU operators cannot opt out of
The Clarifying Lawful Overseas Use of Data Act (US CLOUD Act, 2018) allows US authorities to demand data from companies that are headquartered in, incorporated in, or otherwise subject to US jurisdiction — regardless of where the data physically resides. A US-headquartered software company with servers in Frankfurt is still subject to US CLOUD Act demands for data those servers hold.
This creates a structural legal tension for EU hosting operators that is distinct from GDPR compliance. The issue is not whether the vendor is following GDPR. The issue is that a US-headquartered vendor operating in your EU infrastructure stack has a legal obligation — under US law — to comply with US government data demands, and that obligation does not have an EU override mechanism.
GDPR Article 48 explicitly states that judgments and decisions by third-country authorities requiring personal data transfers shall only be recognised or enforceable if based on an international agreement. No such EU-US agreement currently covers CLOUD Act demands comprehensively. This means a US-headquartered panel vendor receiving a CLOUD Act demand for data on your EU customers faces a genuine conflict-of-laws situation — and EU operators whose infrastructure runs that vendor's software are one step removed from that conflict but not outside it.
Under NIS2's supply chain assessment requirement, vendor jurisdiction is now explicitly on the audit table. The CLOUD Act exposure of a US-headquartered vendor is a factual input to that assessment. Not a reason to automatically disqualify a vendor — but a documented item that auditors will expect you to have evaluated.
How NIS2 makes your vendor's jurisdiction your problem
This is the connection that changes the compliance calculus: NIS2 supply chain provisions mean that your vendor's regulatory exposure becomes your documented risk item. You are the NIS2 essential entity. Your vendor is your supplier. The audit asks what you know about your supplier's jurisdiction, and what you did with that knowledge.
The diagram above illustrates why vendor jurisdiction is not an abstract legal concern. It sits in your supply chain between you and your customers. NIS2 Article 21 requires you to document it. Your data protection officer and board are accountable for the assessment. The question is not whether you are comfortable with a particular vendor's practices — it is whether you have a documented answer when the auditor asks.
The 7-question audit checklist for any panel vendor
Whether you are evaluating your current panel vendor before a NIS2 audit, assessing a potential cPanel alternative, or reviewing a migration decision, these seven questions produce the factual inputs your compliance team needs. They are written as questions you ask of the vendor — and questions your auditor will ask of you.
If you answer No to any of these, NIS2 audit time is when you explain why -- not the time to find out.
- Is the vendor's primary jurisdiction outside the US CLOUD Act scope? This determines whether US authorities can lawfully compel the vendor to disclose your customers' data.
- Does the vendor commit in writing to a "no third-country data transfer" architecture? Verbal assurances are not Article 28-compliant. Look for a published processor agreement.
- Is the panel source code reviewable for telemetry behavior? Closed-source panels cannot be independently audited for undisclosed data outflows. NIS2 supply chain assessment assumes you have evaluated this.
- Does the vendor publish a GDPR Article 28 processor agreement template? If your panel vendor processes personal data on your behalf, Article 28 requires a signed contract. "We are a software vendor" is not an exemption if the software actively phones home.
- Does the panel operate without mandatory cloud or SaaS dependency? License validation servers, telemetry endpoints, update channels -- each one is a potential cross-border data flow that needs to be mapped and assessed.
- Can the operator self-host all panel data inside the EU? This is distinct from question 5. Even if the panel does not require SaaS, some vendors tie features (monitoring, backups, DNS) to vendor-controlled infrastructure.
- Does the vendor have a documented incident-response SLA that matches NIS2's 24-hour notification requirement? If a security incident occurs in the panel software, your 24-hour clock starts at detection. Does your vendor have an obligation to notify you -- and within what timeframe?
Where your panel vendor actually lives
Before evaluating any panel against the checklist above, it helps to establish the factual baseline: where is each vendor's primary jurisdiction, and what does that mean for CLOUD Act exposure? The table below reflects publicly available information on vendor headquarters and corporate structure as of 2026.
| Panel | Vendor / HQ | CLOUD Act Exposure |
|---|---|---|
| cPanel / WHM | US (Houston, TX -- WebPros) | Direct |
| Plesk | US-led, WebPros International | Direct |
| Virtualmin | US (Virtualmin Inc) | Direct |
| DirectAdmin | Netherlands (EU -- DirectAdmin BV) | None |
| HestiaCP | Open-source, no central commercial entity | None |
| CyberPanel | Mixed / GitHub community | Limited |
| aaPanel | China (aapanel.com / BT Panel) | Different framework (PIPL, MLPS) |
| CWP | Georgia, Tbilisi (LINANTO LLC) | Non-EU, non-US |
| RunCloud | Singapore (SaaS) | Third-country transfer required |
| Coolify | Hungary (EU developer) | None |
| EasyPanel | Brazil (community) | Non-EU, non-US |
| Panelica | Turkiye (GDPR-aligned KVKK framework) | None |
Two caveats are worth stating explicitly. First, CLOUD Act exposure is a function of vendor corporate structure, not server location. A US-headquartered vendor hosting EU data on Frankfurt servers is still subject to CLOUD Act jurisdiction for that data. Second, "None" in the CLOUD Act column does not mean a vendor is automatically compliant with GDPR or NIS2 -- it means that particular legal vector is not present. Compliance is a multi-factor question, and jurisdiction is one factor.
On Panelica specifically: Turkiye is not an EU member state and does not currently hold an EU adequacy decision for data transfers. However, Turkiye operates under the KVKK (Personal Data Protection Law), which is structurally modeled on GDPR. More importantly for EU hosting operators, Panelica is a fully self-hosted panel -- no vendor SaaS dependency, no mandatory telemetry to vendor infrastructure, and all data remains on the operator's EU-located servers. The data stays where the operator puts it.
What "EU-aligned" actually requires from a hosting panel
Jurisdiction is necessary but not sufficient. A panel vendor could be headquartered in France and still create compliance problems through architectural decisions that route customer data through external systems. "EU-aligned" as a meaningful compliance posture requires evaluating the technical architecture alongside the legal domicile.
The architectural requirements that matter for NIS2 and GDPR compliance:
- No mandatory vendor telemetry -- Panel activity, customer data, and usage patterns should not be transmitted to vendor-controlled infrastructure unless the operator explicitly opts in. This is both a GDPR Article 5(1)(c) data minimisation requirement and a NIS2 supply chain risk factor.
- Fully self-hosted operation -- The panel should run entirely within the operator's infrastructure. License validation that requires periodic vendor server contact creates a dependency and a potential data flow that needs to be mapped and assessed under NIS2.
- Source visibility for telemetry audit -- Operators conducting NIS2 supply chain assessments need to be able to verify vendor claims about data flows. A panel whose source code is not reviewable requires you to take the vendor's word for it. For compliance purposes, that is a weaker position than independent verification.
- Kernel-level tenant isolation -- For hosting companies running multi-tenant infrastructure, per-customer isolation at the OS level (cgroups, namespaces, PHP-FPM pools, Unix UID separation) is a data protection measure that maps directly to GDPR's security of processing requirement under Article 32. One customer's data should be technically incapable of reaching another customer's files, not just policy-prohibited from doing so.
- Article 28 processor agreement availability -- If the panel vendor processes any personal data on the operator's behalf -- even through license validation or error reporting -- an Article 28 processor agreement is legally required. Vendors who have not prepared this document have not completed the GDPR compliance baseline for commercial software.
Panelica's architecture addresses several of these by design: self-hosted only, no SaaS dependency, zero mandatory vendor telemetry, kernel-level per-user isolation, and Go source code visible for audit. This does not mean Panelica solves every compliance question -- your data protection officer still needs to complete the Article 28 documentation and TIA for your specific context -- but the architecture does not create the problems that the checklist above is designed to catch.
The migration calculus: when to plan a panel switch ahead of the next regulatory shock
Panel migrations are disruptive. Any honest assessment has to start there. Moving DNS, email, databases, SSL certificates, and PHP configurations for hundreds of customer domains takes planning, testing, and downtime coordination. The question is not whether migration is easy -- it is whether the compliance risk of staying on a jurisdiction-exposed platform is larger than the operational cost of switching.
The timing argument for planning ahead: regulatory shocks create emergency migration scenarios, and emergency migrations are significantly more expensive and risky than planned ones. Schrems II, when it invalidated Privacy Shield in 2020, forced thousands of operators into emergency data transfer reviews with no clear timeline. A Schrems III ruling invalidating DPF -- if it comes -- would replay that scenario for operators who had not built in the architectural buffer.
The practical migration planning calculus involves three variables: the compliance exposure of your current vendor (from the 7-question audit above), the operational cost of migration (number of domains, customer count, service complexity), and the regulatory timeline pressure (NIS2 June 2026 audit obligation, DPF legal risk window). For operators whose current panel vendor creates a documented NIS2 supply chain risk item and whose customer base is in the range where migration is manageable, the time to plan is before the next regulatory event, not during it.
If you are evaluating a switch, migration from cPanel and Plesk to Panelica preserves MySQL password hashes, imports DNS zones, email accounts, and SSL certificates, and handles the database schema differences between platforms. The import pipeline supports cPanel, Plesk, DirectAdmin, CyberPanel, HestiaCP, and CWP. A detailed walkthrough of the cPanel migration path is available at panelica.com/blog/migrating-from-cpanel-to-panelica-step-by-step and the Plesk migration guide is at panelica.com/blog/migrating-from-plesk-to-panelica-step-by-step-walkthrough.
Why this is not a vendor-blame article: every operator's situation is different
US-headquartered vendors are not bad actors. cPanel and Plesk are mature, feature-rich platforms that have powered the hosting industry for decades. The CLOUD Act is a US law -- it exists because the US government decided it should, and US companies are obligated to comply with it. That is a fact about US corporate law, not a moral judgment about any vendor's intentions.
Similarly, not every EU hosting operator faces the same NIS2 risk profile. A small hosting company with fewer than 50 employees and 10M EUR annual revenue may fall below the NIS2 essential entity threshold for their member state's implementation. A hosting company processing sensitive data categories under GDPR faces a different risk surface than one hosting only static business websites. An operator whose customers are exclusively in one member state faces different NIS2 implementation variance than one serving customers across eight countries.
The point of the regulatory framework analysis in this article is not that all EU hosting companies must switch panels immediately. It is that the vendor jurisdiction question now belongs in the compliance conversation, and operators who have not had that conversation are behind the documentation curve for a June 2026 audit deadline.
For some operators, the right answer after completing the 7-question audit may be: their current vendor creates a documented risk item, they have accepted it with specific mitigating controls, and here is the written record of that assessment. That is a defensible compliance posture. Having no documented evaluation is not.
Choosing a cPanel alternative with compliance in the priority stack
The market for a capable cPanel alternative is larger and more mature than it was even two years ago. EU hosting companies that spent 2023 and 2024 evaluating alternatives primarily on feature completeness, price, and migration complexity now have a fourth dimension to assess: regulatory alignment.
The vendor jurisdiction table above gives you the factual baseline. The 7-question audit gives you the compliance test. The architectural requirements section gives you the technical criteria. Put together, they define what "EU-aligned" actually means as a requirement -- not a marketing label.
For hosting companies evaluating Panelica as a cPanel alternative in this context: the platform ships with multi-tenant isolation at the kernel level as a standard feature on every plan, not a premium add-on. Per-user cgroup resource limits, Linux namespace separation, SSH chroot jails, dedicated PHP-FPM pools per user per PHP version, and Unix UID isolation are all active by default. This is specifically relevant for EU hosting companies whose GDPR Article 32 obligations include technical measures to prevent unauthorized access to customer data. The 14-day free trial requires no credit card and gives you full platform access to evaluate the architecture directly. Details at panelica.com/compare/cpanel and the broader panel comparison at panelica.com/compare.
Whether the right cPanel alternative for your operation is Panelica, DirectAdmin, HestiaCP, or something else depends on your specific infrastructure, customer base, and compliance context. What has changed in 2026 is that vendor jurisdiction is now a documented input to that decision -- and the regulators will expect the documentation.
If you are evaluating alternatives to US-built panels specifically for the reasons covered in this article, the complete cPanel alternatives comparison, the Plesk alternatives guide, and the aaPanel vs Panelica jurisdiction analysis cover the adjacent landscape from different angles. The free panel comparison is worth reading if budget is a constraint alongside compliance. And for the security context that makes the regulatory timing urgent, the cPanel 30-day security storm analysis and the CVE-2026-41940 architecture lesson are relevant background.
Regulatory references in this article are verified as of 2026-05-24 from European Commission digital strategy publications, GDPR enforcement statistics, and public Schrems case filings. This article frames a compliance question, not a vendor judgment. Operators should consult their data protection officer and legal counsel for binding compliance advice.