European Alternatives to Let's Encrypt (ISRG)
Let's Encrypt is a free, automated certificate authority run by ISRG, a US nonprofit. While the service is excellent and open, it is subject to US law โ including the CLOUD Act and court-ordered certificate revocation โ and cannot issue certificates to US-sanctioned entities.
Why switch from Let's Encrypt?
- ISRG is a US entity subject to the CLOUD Act โ US courts can compel certificate revocation for any domain
- Let's Encrypt cannot issue certificates to organisations on the US sanctions list, creating a geopolitical dependency
- EU eIDAS 2.0 requires Qualified Web Authentication Certificates (QWACs) from EU-based Qualified Trust Service Providers
- Diversifying away from a single US-based CA reduces concentration risk for European web infrastructure
Best European Alternatives to Let's Encrypt
Actalis
๐ฎ๐น Italy, Ponte San PietroEurope's leading ACME certificate authority โ free unlimited DV certificates, part of Aruba S.p.A. (Italy's largest hosting provider)
- Free unlimited DV certificates via ACME protocol โ 90-day validity, same workflow as Let's Encrypt
- Full ACME support: works with certbot, acme.sh, and all standard ACME clients
- eIDAS Qualified Trust Service Provider โ also offers OV, EV, QWAC, and code signing certificates
Buypass
๐ณ๐ด Norway, OsloNorwegian certificate authority with ACME support โ transitioning from GoSSL to GoTLS with free and paid tiers
- GoTLS service: free DV certificates via ACME protocol with volume-based paid tiers for wildcard and high-volume use
- Trusted in all major browser root stores โ established CA since 2001
- Norwegian company (EEA member) โ subject to GDPR, outside US CLOUD Act jurisdiction
D-Trust
๐ฉ๐ช Germany, BerlinGerman government-backed CA โ subsidiary of Bundesdruckerei (Federal Printing Office), the sovereign choice for EU PKI
- Owned by Bundesdruckerei GmbH (German Federal Printing Office) โ maximum sovereignty and trust
- eIDAS Qualified Trust Service Provider since 2016 โ DV, OV, EV, and QWAC certificates
- QWAC-PSD2 certificates for financial services under the EU Payment Services Directive
HARICA
๐ฌ๐ท Greece, AthensGreek academic CA expanding into commercial services โ eIDAS-qualified, trusted in all major browsers
- The only Greek Root CA trusted in all major browser root stores (Adobe, Apple, Google, Microsoft, Mozilla)
- eIDAS Qualified Trust Service Provider โ DV, OV, EV, QWAC, and QWAC-PSD2 certificates
- Free certificates for academic and research institutions via the GEANT TCS programme
How They Compare to Let's Encrypt
| Product | Country | Open Source | Free Tier | Founded |
|---|---|---|---|---|
| Let's Encrypt | US | No | Varies | โ |
| Actalis | ๐ฎ๐น Italy | No | Yes | 2002 |
| Buypass | ๐ณ๐ด Norway | No | Yes | 2001 |
| D-Trust | ๐ฉ๐ช Germany | No | No | 2016 |
| HARICA | ๐ฌ๐ท Greece | No | No | 2011 |
Frequently Asked Questions
What is the best European alternative to Let's Encrypt?
Actalis (Italy) is the closest equivalent โ free, unlimited DV certificates via ACME with 90-day validity. It's part of Aruba S.p.A., Italy's largest hosting provider, and is an eIDAS Qualified Trust Service Provider.
Can I use certbot with European CAs?
Yes โ Actalis and Buypass both support the ACME protocol. You can use certbot, acme.sh, or any standard ACME client. Switching typically just requires changing the ACME directory URL in your configuration.
Is Let's Encrypt actually a security risk?
Let's Encrypt is technically excellent and transparent. The concern is jurisdictional, not technical: as a US entity, it is legally obligated to comply with US court orders including certificate revocation. For most users this is low risk, but for organisations in regulated sectors or pursuing EU digital sovereignty, an EU-based CA removes this dependency.
What are QWACs under eIDAS 2.0?
Qualified Web Authentication Certificates (QWACs) are a new certificate type under the EU's revised eIDAS regulation. They must be issued by EU-based Qualified Trust Service Providers and will be recognised by browsers. Actalis, D-Trust, and HARICA are all eIDAS-qualified and can issue QWACs.
Migration guide coming soon
We're building a step-by-step guide for migrating from Let's Encrypt (ISRG) to European alternatives. Sign up to be notified when it's ready.
Back to homepage