Why We Build Sovereign Cloud Infrastructure with Incus

European businesses face a strategic decision that goes far beyond choosing a hosting provider. Every time an organization places its data and applications on a third-party cloud or SaaS platform, it accepts a dependency: on someone else’s jurisdiction, on opaque pricing models, on a vendor’s roadmap it cannot influence and on that vendor’s ability or willingness to access, monetize, or hand over your data. This applies to US hyperscalers like AWS, Azure and Google Cloud, but equally to Chinese providers like Alibaba Cloud, Russian platforms like Yandex Cloud, or even European SaaS vendors that lock you into proprietary ecosystems. At Innoframe, we chose a different path. We build private cloud infrastructure on Incus, the open source Linux container platform, deployed exclusively on European hosting providers. This article explains why.

The Problem with the Default Choice

The default for most SMEs today is to move everything to AWS, Azure, or Google Cloud. It’s the path of least resistance. The marketing is persuasive, the onboarding is smooth, and the initial costs seem reasonable.

But the hidden costs accumulate quickly. Data transfer fees that weren’t in the original estimate. Reserved instance commitments that lock you into capacity you may not need. API call charges that scale unpredictably with usage. And underneath all of it, a fundamental dependency on a provider whose priorities are shaped by a market, a regulatory environment, and a legal jurisdiction that are not yours.

For European businesses, this carries specific risks. The US CLOUD Act grants American authorities the ability to compel US-based cloud providers to hand over data stored anywhere in the world, regardless of local data protection laws. GDPR compliance on a US hyperscaler is not impossible, but it requires constant vigilance and legal scaffolding that many SMEs are not equipped to maintain. And as geopolitical tensions reshape trade and technology relationships, the assumption that US cloud services will always be freely available to European businesses on favorable terms is no longer guaranteed.

What Sovereign Cloud Actually Means

Sovereignty in cloud computing is not just about where your data physically sits. It means control: over the software stack, over the provider relationship, over the ability to move your workloads if circumstances change.

A sovereign cloud approach, the way we practice it at Innoframe, rests on three pillars.

European infrastructure. Your servers run in European data centers, operated by European providers, subject to European law. We work with providers like Hetzner, Netcup, and Scaleway, companies with strong track records, transparent pricing, and no exposure to extraterritorial data access claims.

Open source software. Every layer of the stack, from the operating system to the container runtime to the applications, uses open source software. No proprietary lock-in, no licensing surprises, no vendor holding the keys to your own infrastructure. If we disappear tomorrow, another competent Linux administrator can pick up exactly where we left off. That’s not a weakness in our business model; it’s a promise to our clients.

Operational independence. You can inspect, modify, migrate, or replace any component at any time. Your infrastructure is not entangled with a proprietary ecosystem that makes leaving expensive or technically impractical.

Why Incus

Incus is a system container and virtual machine manager, forked from Canonical’s LXD after Canonical moved LXD from a community-governed open source project into a proprietary product under its corporate umbrella. The community responded by forking LXD into Incus under the Linux Containers project, preserving the open governance model.

That origin story matters. It demonstrates exactly the kind of vendor risk that a sovereign approach is designed to avoid. One company’s strategic decision could have left thousands of deployments dependent on proprietary software overnight. The community fork ensured continuity and independence. It’s a textbook example of why open source governance matters.

But we don’t use Incus for ideological reasons alone. We use it because, after more than 25 years of building and operating Linux infrastructure, it is the best tool for the job.

System containers that behave like servers. Incus system containers run a full init system, which means they look and feel like dedicated servers. You can SSH into them, run systemd services, install packages, configure firewalls. Each container is a complete, isolated Linux environment. For an SME that needs a mail server, a file sharing platform, a CRM, and a web server, each of these runs in its own container with its own resources, its own security boundary, and its own lifecycle, all on a single physical host.

Efficiency without complexity. Unlike virtual machines, Incus containers share the host kernel, which means near-zero overhead. You get the isolation benefits of separate environments without paying the performance tax of full hardware virtualization. A server that might run three or four virtual machines can comfortably host fifteen or twenty Incus containers, each running production workloads.

No Kubernetes, no Docker, no unnecessary abstraction. The container orchestration world has become enormously complex. Kubernetes is a powerful system designed for organizations running hundreds or thousands of microservices across global infrastructure. For an SME running ten to twenty well-defined services, it is a sledgehammer where a scalpel will do. Docker adds a layer of abstraction that, in our experience, creates more operational complexity than it solves for long-lived infrastructure services. Incus gives us containerization without the baggage: clean, manageable, and transparent.

VM support when you need it. For workloads that genuinely require a full virtual machine, such as a Windows Server instance, Incus handles that too. The same management interface, the same networking model, the same backup and migration tooling. One platform for everything.

Live migration and zero-downtime maintenance. Containers can be moved between physical hosts without interruption. Hardware maintenance, host OS upgrades, or capacity rebalancing happen transparently, without your users noticing a thing.

Our Stack in Practice

We don’t just recommend this approach; we run it ourselves, and we run it for our clients. Our production stack is built on proven, well-understood components:

- Debian as the base operating system, chosen for its stability, security track record, and independence from any single corporate sponsor.
- Incus for container and VM management.
- Btrfs or ZFS for storage, providing snapshots, compression, and data integrity verification.
- Nginx as the reverse proxy and web server.
- nftables for host-level firewalling.
- CrowdSec for collaborative, real-time threat detection, including web application firewall capabilities.
- acme.sh for automated TLS certificate management via Let’s Encrypt.
- Kopia for encrypted, deduplicated backups to European object storage.
- PowerDNS for authoritative DNS.
- Postfix and Dovecot for email, fully self-hosted.

Every component is open source. Every component can be replaced independently. Every component is well-documented and supported by an active community. There are no black boxes.

What This Looks Like for an SME

A typical Innoframe deployment for a small or medium-sized business might include the following, all running on a single dedicated server or a small cluster:

- A file sharing and collaboration platform (OpenCloud or Nextcloud) with office document editing via Collabora Online.
- A self-hosted email environment with spam filtering, antivirus scanning, and webmail.
- An ERP system (ERPNext) for business operations.
- A company website on WordPress, behind a caching reverse proxy.
- A VPN endpoint (WireGuard) for secure remote access.
- Monitoring and alerting for all services.

Each service runs in its own Incus container. Each container has defined resource limits, its own firewall rules, and its own backup schedule. Containers are isolated from each other: a vulnerability in one service cannot directly compromise another.

The entire environment is managed through standard Linux administration tools. There is no proprietary control panel, no web GUI that hides what’s happening underneath. Everything is scriptable, auditable, and reproducible.
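One way to audit the per-container limits and isolation described above is to check each instance's merged configuration. This is an added example, not Innoframe's own tooling; the instance names and JSON are constructed, and the input shape (`name`, `type`, `expanded_config`, as printed by `incus list --format json`) is an assumption.

```python
import json

# Constructed sample, shaped like `incus list --format json` output (assumption:
# each entry carries "name", "type" and the profile-merged "expanded_config").
SAMPLE = json.loads("""
[
  {"name": "mail", "type": "container",
   "expanded_config": {"limits.cpu": "2", "limits.memory": "4GiB",
                       "security.idmap.isolated": "true"}},
  {"name": "erp", "type": "container",
   "expanded_config": {"limits.memory": "8GiB", "security.privileged": "true"}},
  {"name": "winsrv", "type": "virtual-machine",
   "expanded_config": {"limits.cpu": "4", "limits.memory": "16GiB"}},
  {"name": "web", "type": "container", "expanded_config": {}}
]
""")

def is_true(value):
    # Incus stores booleans as strings in instance config.
    return str(value).lower() == "true"

def audit_instance(inst):
    """Return findings for one instance; an empty list means it passes."""
    cfg = inst.get("expanded_config") or {}
    findings = [f"{key} unset" for key in ("limits.cpu", "limits.memory")
                if not cfg.get(key)]
    # The uid/gid mapping checks apply to containers only: they share the host
    # kernel, while a VM runs its own kernel.
    if inst.get("type") == "container":
        if is_true(cfg.get("security.privileged", "false")):
            findings.append("privileged: container root is host root")
        elif not is_true(cfg.get("security.idmap.isolated", "false")):
            findings.append("uid/gid map shared with other containers")
    return findings

def audit(instances):
    """Map instance name to findings, omitting instances that pass."""
    report = {}
    for inst in instances:
        findings = audit_instance(inst)
        if findings:
            report[inst["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

On a real host, the output of `incus list --format json` can be passed to `audit()` in place of `SAMPLE`.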

The Cost Argument

Public cloud pricing is designed to look attractive at small scale and become expensive at production scale. A modest setup on AWS or Azure (a few virtual machines, some storage, a managed database, outbound data transfer) quickly reaches €500 to €1,000 per month or more.

The equivalent workload on a dedicated European server with Incus containers typically costs a fraction of that. A capable dedicated server from Hetzner or Netcup, sufficient to run fifteen or twenty production containers, starts at €50 to €100 per month. Add backup storage, DNS hosting, and monitoring, and you’re looking at a total infrastructure cost that’s dramatically lower than the public cloud equivalent.

The trade-off is expertise. Someone needs to build, secure, and maintain this infrastructure. That’s where Innoframe comes in. But even with professional management fees included, the total cost of ownership is typically well below what an equivalent public cloud deployment would cost, with better performance, more control, and full data sovereignty as additional benefits.

When This Approach Isn’t the Right Fit

We believe in being transparent about limitations. A private cloud with Incus is not the right solution for every scenario.

If your workload is highly variable with extreme peaks and valleys, the elastic scaling of a public cloud may genuinely be more cost-effective. If you need a global CDN with edge locations on every continent, that’s what hyperscalers are built for. If you’re a startup that needs to move fast and doesn’t yet know what your infrastructure requirements will look like in six months, managed services can buy you time.

But for the vast majority of European SMEs, businesses with stable, well-understood workloads, regulatory obligations around data handling, and a preference for predictable costs, a sovereign private cloud is not just viable; it’s the smarter choice.

Getting Started

If you’re considering this approach for your organization, the first step is an honest assessment of your current infrastructure: what you’re running, where it lives, what it costs, and what risks it carries. We offer a strategic advisory service that maps your current landscape and designs a migration path that makes technical and financial sense.

The transition doesn’t have to happen overnight. Most of our engagements begin with migrating one or two non-critical services to prove the concept, then expanding from there as confidence grows.

Your infrastructure should work for your business, not for someone else’s shareholders. That’s the principle behind everything we build at Innoframe.