If you run a European small business and you’re using Zapier or Make to move customer data between apps, you’ve probably had a quiet moment where you wondered whether the audit would go well. The honest answer in 2026 is: probably less well than it would have a year ago.
Three regulations are converging this year, and they each tighten the screw on cloud-hosted workflow tools.
- GDPR has been in force since 2018, but the Schrems II ruling in 2020 made transferring personal data to US-based cloud services much harder to justify. AWS, Google Cloud, and Microsoft Azure are still subject to US law including the Cloud Act, even when their data centers are physically in the EU.
- The EU AI Act became fully applicable in 2026. It adds obligations around transparency, logging, and risk classification for any system that uses AI, including the AI features baked into modern workflow tools.
- NIS2 is the security directive that EU member states had to transpose into national law by late 2024. By 2026 most enforcement is live. It requires documented security controls for “essential and important entities,” a category that quietly catches more SMEs than people expect.
Each one on its own is manageable. Together, they make a strong case for getting your automation stack out of US-hosted SaaS and onto European infrastructure you control. The cleanest way to do that for most small businesses is a self-hosted n8n instance on a Hetzner VPS, costing roughly $5 to $20 per month.
This post walks through why each regulation matters, what cloud workflow tools struggle with, and what a defensible n8n setup looks like.
The fine ceilings are set out in Article 83 of the GDPR and Article 34 of the NIS2 directive. In practice most fines for SMEs are far smaller, but the reputational damage and the cost of remediation usually exceed the fine itself.
The Schrems II problem isn’t theoretical
When you push customer data through Zapier or Make, that data passes through US-controlled infrastructure. Both companies are headquartered in the United States, so they fall under US law, including the Cloud Act, which can compel them to hand data over to US authorities on request, regardless of where the data physically sits.
Data residency in the EU is not the same as data sovereignty. A US-owned cloud provider running servers in Frankfurt still has to obey US subpoenas. Schrems II was the Court of Justice of the European Union saying clearly: this gap matters, and standard contractual clauses are not enough to close it on their own.
For a US-hosted workflow tool to be defensibly GDPR-compliant for an EU SME today, it needs:
- A documented Data Processing Agreement
- Standard Contractual Clauses with supplementary technical measures (encryption with EU-held keys)
- A demonstrable assessment of the “essentially equivalent” protection level
Some tools do this well. Most small businesses don’t have the appetite to read the legal architecture and decide whether their specific use case is covered. Self-hosting on EU infrastructure removes the question from the table entirely.
Transparency and logging on any AI step
If your workflow tool calls OpenAI or Anthropic for a classification, summary, or draft, you’re using AI under the EU AI Act’s definition. Most use cases (writing follow-ups, classifying invoices, drafting replies) fall under “limited risk” or “minimal risk” tiers, which means the obligations are bounded but not zero.
Specifically, you need to be able to:
- Document which AI features are used and for what purpose
- Log AI inputs and outputs in a way that supports audit
- Disclose to users when they’re interacting with an AI-generated output (e.g., a chatbot reply)
- Assess whether your specific application slips into a higher-risk tier (HR decisions, credit scoring, education)
Self-hosted n8n makes this much easier than a cloud workflow tool. You control the logs. You control retention. You can include the AI Act audit trail in your existing GDPR records of processing activities. Cloud tools sometimes provide audit logs, sometimes don’t, and almost never let you set retention policies that match your legal team’s preferences.
Security obligations that surprise smaller companies
NIS2 expanded the set of “essential and important entities” significantly compared to the original NIS directive. The categories now include digital infrastructure, ICT service management, public administration, postal and courier services, waste management, food production and distribution, manufacturing, digital services, and research.
If your business falls into one of those categories and you have more than 50 employees or €10M in turnover, NIS2 applies. Many small B2B service companies that thought they were too small turn out to be in scope.
What NIS2 requires that’s relevant to workflow automation:
- Documented incident response. When an automation fails or leaks data, who is notified, in what timeframe, with what evidence?
- Access controls and logging for systems that process customer or operational data.
- Supply chain security. Your workflow tool counts as part of your supply chain. If it’s a US SaaS, you need documentation of their security posture.
- Recoverability. Backups, disaster recovery plans, and the ability to demonstrate them.
The supply chain piece is the one that hits hardest. If your workflow tool is Zapier, you inherit Zapier’s risk profile. With self-hosted n8n on infrastructure you control, the supply chain is shorter and the documentation is simpler.
The n8n configuration I deploy for EU clients
Here is the stack I deploy for European clients who care about all three regulations:
| Component | Choice | Why |
|---|---|---|
| Hosting provider | Hetzner (Germany or Finland) | European-owned, GDPR-native, no Cloud Act exposure |
| Server | CX22 or CPX21 VPS | $5-$10/mo, plenty for small business workload |
| n8n license | Community Edition (self-hosted) | Free, full feature set for SMEs, source-available |
| Database | PostgreSQL on the same VPS or Hetzner managed DB | Encrypted at rest, EU-resident, your control |
| Backup | Hetzner Storage Box, daily snapshots | EU-resident, encrypted, NIS2-friendly recovery story |
| Reverse proxy | Caddy with Let's Encrypt | HTTPS by default, easy access logging |
| AI calls | Mistral (France) or self-hosted Llama for sensitive flows | Keeps the AI Act audit trail in EU jurisdiction |
This setup gives you data residency (everything is in the EU), data sovereignty (no US parent company can compel access), full audit logs (you control retention), and disaster recovery (daily backups you can restore in minutes). Total cost for a small business: $5 to $20 per month, plus an hour or two of administrative work each month.
Important nuance: "self-hosted on EU infrastructure" doesn't make you GDPR-compliant by itself. It removes one big category of risk (extraterritorial data transfer). You still need the rest: lawful basis, purpose limitation, retention policies, data subject rights, breach notification, and records of processing activities. n8n makes the technical side easy. The legal documentation is its own work.
How to actually deploy this
The full Docker setup walkthrough lives in the dedicated guide, How to Self-Host n8n with Docker. Short version:
- Spin up a Hetzner CX22 in Nuremberg or Helsinki.
- Install Docker and Docker Compose.
- Drop in the n8n + PostgreSQL compose file.
- Point a subdomain at the VPS, let Caddy handle TLS.
- Configure daily backups to Hetzner Storage Box.
- Document the setup in your records of processing activities.
The whole sequence takes about an hour for someone comfortable with the Linux command line, and a half-day if you’re learning as you go.
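As an added example that is not taken from the guide or from n8n's own documentation, here is a docker-compose.yml matching the table above (n8n, PostgreSQL and Caddy on one VPS) with the Caddyfile inlined. The hostname n8n.example.eu, the database password and the encryption key are placeholders, and the EXECUTIONS_DATA settings mark where the AI-step audit trail and its retention period live; the Storage Box backup step is not covered here.

```yaml
services:
  postgres:
    image: postgres:16
    restart: unless-stopped
    environment:
      POSTGRES_DB: n8n
      POSTGRES_USER: n8n
      POSTGRES_PASSWORD: CHANGE_ME_DB_PASSWORD   # placeholder, generate a real one
    volumes:
      - postgres_data:/var/lib/postgresql/data  # stays on the EU VPS disk
  n8n:
    image: docker.n8n.io/n8nio/n8n
    restart: unless-stopped
    depends_on: [postgres]
    environment:
      DB_TYPE: postgresdb
      DB_POSTGRESDB_HOST: postgres
      DB_POSTGRESDB_DATABASE: n8n
      DB_POSTGRESDB_USER: n8n
      DB_POSTGRESDB_PASSWORD: CHANGE_ME_DB_PASSWORD
      N8N_ENCRYPTION_KEY: CHANGE_ME_LONG_RANDOM_KEY  # encrypts stored credentials; include it in backups
      N8N_HOST: n8n.example.eu                       # placeholder hostname
      N8N_PROTOCOL: https
      WEBHOOK_URL: https://n8n.example.eu/
      # Execution data is the audit trail for AI steps: keep it, prune on a documented schedule
      EXECUTIONS_DATA_SAVE_ON_SUCCESS: "all"
      EXECUTIONS_DATA_PRUNE: "true"
      EXECUTIONS_DATA_MAX_AGE: "2160"                # hours (90 days); match your retention policy
    volumes:
      - n8n_data:/home/node/.n8n
  caddy:
    image: caddy:2
    restart: unless-stopped
    ports: ["80:80", "443:443"]
    configs:
      - source: caddyfile
        target: /etc/caddy/Caddyfile
    volumes:
      - caddy_data:/data   # Let's Encrypt certificates persist here
configs:
  caddyfile:   # inline content needs Compose v2.23.1+; 'log' sends the access log to stderr (docker compose logs caddy)
    content: |
      n8n.example.eu {
        reverse_proxy n8n:5678
        log
      }
volumes:
  postgres_data:
  n8n_data:
  caddy_data:
```

Bring it up with `docker compose up -d` after the subdomain's DNS record points at the VPS; Caddy obtains the certificate on first request.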
If you want a setup that matches the table above without learning the ops side, I do this as part of my engagement scope. Roughly $1,500 to $3,000 covers the deploy, the documentation pack (RoPA, DPA, basic NIS2 controls), and a 30-day handover. Maintenance from there is $200 to $500 per month depending on workflow volume.
The cases where I’d recommend cloud instead
I’m not a self-hosting evangelist. There are situations where the cloud option is fine:
- You don’t process personal data. If your automations only touch business logic (internal notifications, public website data, generic API plumbing), GDPR isn’t really in scope. Use whatever tool is easiest.
- You’re under 5 employees and the workflow is one-off. The legal documentation overhead might exceed the value of a properly compliant setup. A cloud tool with a signed DPA and minimal personal data is often the pragmatic choice until the business grows.
- Your data is already in a US-hosted CRM. If your customer data already lives in HubSpot or Salesforce (both US-headquartered), self-hosting your workflow tool only solves part of the problem. You’d need a wider compliance review.
The decision pivots on three questions: do you process personal data of EU residents, are you in a NIS2-relevant sector, and do you want the legal narrative to stay simple? If two of those answers are yes, self-hosted n8n on EU infrastructure is the path of least resistance.
How I scope GDPR-aware engagements
The “compliance-flavored” engagement looks like a normal automation build plus three add-ons: a GDPR records of processing activities entry for each workflow, a DPA template for any third-party services the workflow calls, and a basic NIS2 controls document covering access, logging, backup, and incident response.
If that sounds like overkill for your business, it probably is. If it sounds about right, send me an email and we’ll spend a call figuring out which workflows justify the extra documentation and which don’t.
Related reading: n8n Pricing covers what self-hosting actually costs in 2026, How to Self-Host n8n with Docker covers the technical setup, and Workflow Automation Tools explains where n8n fits relative to Zapier and Make for non-EU workloads.