- Replatforming to managed databases (RDS, Azure SQL) reduces migration downtime to 2-6 hours compared to 4-8 hours for basic rehosting while inheriting SOC 2 and ISO 27001 certifications from cloud providers.
- Refactoring legacy applications to cloud-native architectures costs €50,000-€200,000 and takes 6-18 months but enables zero-downtime deployments using strangler fig patterns and passes ISO 27001 audits through immutable infrastructure.
- Hybrid migrations spanning 12-24 months increase infrastructure costs 40-60% during parallel operation phases but reduce risk by validating cloud operations on non-production environments before migrating business-critical systems.
Why This List Matters
European SMBs with 50 to 500 employees typically run 5 to 15 business-critical applications built between 2005 and 2015. These legacy systems were designed for on-premise deployment or early cloud infrastructure (pre-containerization, pre-compliance frameworks). Today, these same applications block vendor security reviews, cause production reliability issues, and create compliance gaps that procurement teams reject.
Migration pressure comes from three sources:
Vendor security reviews stalling deals. Enterprise buyers now require ISO 27001 or SOC 2 certification before signing contracts. Legacy on-premise infrastructure cannot demonstrate the audit trails, encryption standards, and disaster recovery documentation these reviews demand. According to Gartner's 2025 research on public cloud migration strategies, organizations cite security and compliance as primary drivers for cloud adoption.
Rising infrastructure costs without scalability. On-premise datacenters or ad-hoc cloud deployments prevent horizontal scaling, geographic expansion, and cost optimization. Teams spend 20+ hours per month on manual patching, backup management, and incident response instead of product development.
Regulatory compliance requirements. GDPR Article 32 mandates encryption and access controls. NIS2 expands cybersecurity requirements to supply chains.
1. Rehosting (Lift and Shift)
Best for: SMBs with datacenter contracts expiring within 60 days or facing urgent compliance audit deadlines requiring cloud infrastructure.
What it is: Rehosting moves applications to cloud infrastructure with zero code changes. Virtual machines or physical servers migrate directly to AWS EC2, Azure VMs, or GCP Compute Engine with identical operating systems, middleware, and application stacks. According to Gartner's 2025 cloud migration analysis, rehosting remains the most common initial strategy for European SMBs moving regulated workloads.
Why it ranks here: Rehosting ranks first because it delivers the fastest migration path when time constraints override optimization benefits. If your compliance audit is scheduled in 45 days or your colocation contract terminates in 8 weeks, rehosting is your only viable option. However, this speed comes at a cost. You inherit all existing architectural limitations and typically see 20 to 40 percent higher monthly infrastructure costs versus on-premise setups.
Implementation Reality
Timeline: 4 to 8 weeks from planning to cutover for a single mid-sized application (200GB database, 3 to 5 application servers).
Team effort: 120 to 200 hours total (infrastructure setup, data migration testing, cutover execution).
Ongoing maintenance: Identical to current on-premise burden. No reduction in patching, monitoring, or scaling effort.
Clear Limitations
- Compliance gap: Rehosting alone does NOT achieve ISO 27001 or SOC 2 compliance. You must configure encrypted storage (AWS EBS encryption, Azure disk encryption), access logging (CloudTrail, Azure Monitor), and network isolation (VPCs, security groups) separately.
- No architectural improvement: Monolithic applications remain monolithic. Scaling limitations and single points of failure transfer to cloud infrastructure unchanged.
- Higher costs without efficiency gains: Cloud infrastructure costs 20 to 40 percent more than on-premise for equivalent compute, but you gain no auto-scaling or managed service benefits.
GDPR consideration: Under GDPR Article 32, you must select EU-West (Ireland), EU-Central (Frankfurt), or EU-North (Stockholm) regions for applications processing EU personal data. Cross-region replication to non-EU regions violates data residency requirements.
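A post-cutover check for the gaps listed above (unencrypted storage, missing access logging, weak network isolation, non-EU regions), as an added example that is not part of the original article. The inventory format, the resource names, the AWS region codes mapped to the three named locations, and the choice of ports 22 and 3389 as management ports are assumptions made for this sketch.

```python
import ipaddress

# AWS region codes assumed for the three locations the article names:
# Ireland, Frankfurt, Stockholm.
EU_REGIONS = {"eu-west-1", "eu-central-1", "eu-north-1"}
ADMIN_PORTS = {22, 3389}  # SSH and RDP; assumed management ports

# Constructed inventory in a simplified, hypothetical export format
# (not the raw output of any cloud provider API).
INVENTORY = {
    "volumes": [
        {"id": "vol-app-01", "region": "eu-central-1", "encrypted": True},
        {"id": "vol-db-01", "region": "eu-central-1", "encrypted": False},
        {"id": "vol-dr-01", "region": "us-east-1", "encrypted": True},
    ],
    "security_groups": [
        {"id": "sg-web", "region": "eu-central-1",
         "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
        {"id": "sg-admin", "region": "eu-central-1",
         "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
                     {"cidr": "10.20.0.0/16", "from_port": 3389, "to_port": 3389}]},
    ],
    "trails": [{"id": "trail-main", "region": "eu-central-1", "logging": False}],
}


def world_open(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposes_admin_port(rule):
    """True when the rule's port range includes a management port.
    A rule without ports is treated as 'all ports'."""
    lo, hi = rule.get("from_port"), rule.get("to_port")
    if lo is None or hi is None:
        return True
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def audit(inventory):
    """Return sorted (resource_id, finding) pairs for the post-rehost checks."""
    findings = set()
    for kind in ("volumes", "security_groups", "trails"):
        for res in inventory.get(kind, []):
            if res["region"] not in EU_REGIONS:
                findings.add((res["id"], "outside-eu-region"))
    for vol in inventory.get("volumes", []):
        if not vol.get("encrypted", False):
            findings.add((vol["id"], "unencrypted-volume"))
    for sg in inventory.get("security_groups", []):
        for rule in sg.get("ingress", []):
            if world_open(rule["cidr"]) and exposes_admin_port(rule):
                findings.add((sg["id"], "admin-port-open-to-internet"))
    if not any(t.get("logging") for t in inventory.get("trails", [])):
        findings.add(("account", "no-active-access-logging"))
    return sorted(findings)


if __name__ == "__main__":
    for resource_id, finding in audit(INVENTORY):
        print(f"{resource_id}: {finding}")
```

An empty result from `audit` means only that these four checks passed on the exported inventory; it is not evidence of ISO 27001 or SOC 2 compliance.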
Downtime expectation: Plan for 4 to 8 hours of scheduled downtime during final cutover (DNS changes, database synchronization).
2. Replatforming (Lift, Tinker, and Shift)
Best for: SMBs with 50-250 employees running standard database workloads (PostgreSQL, MySQL, SQL Server) where manual scaling and backup procedures cause reliability issues or block vendor security reviews.
What it is: Replatforming migrates applications to cloud infrastructure with targeted component replacements. You move application code with minimal changes but swap self-hosted infrastructure for cloud-managed services: RDS for databases, S3 for file storage, ElastiCache for Redis. No application architecture redesign required.
Why it ranks here: Replatforming delivers faster time-to-value than refactoring (6-12 weeks vs 6-18 months) while providing compliance capabilities lift-and-shift cannot achieve. Managed databases inherit cloud provider certifications (SOC 2, ISO 27001) and provide built-in audit logging, automated backups, and encryption at rest. According to Gartner, platform services are the fastest-growing cloud adoption category for European SMBs prioritizing compliance over infrastructure control.
Implementation Reality
Timeline: 6-12 weeks for single application migration (includes database migration testing and cutover validation)
Team effort: 120-200 hours split between cloud engineers (infrastructure configuration, managed service setup) and application developers (connection string updates, testing)
Ongoing maintenance: 8-12 hours per month (monitoring review, security patching handled by cloud provider reduces operational burden by 60-70% vs self-hosted databases)
Clear Limitations
- Managed service constraints: RDS does not support all PostgreSQL extensions or MySQL plugins. Proprietary database features may require code changes or eliminate replatforming as a viable strategy.
- Vendor lock-in risk: Managed services use provider-specific APIs and configurations. Migrating from AWS RDS to Azure SQL Database requires re-engineering, not simple cutover.
- Cost premium without optimization: Managed services cost 40-60% more than equivalent self-hosted infrastructure. Without rightsizing (selecting appropriate instance types) and reserved instance purchasing, replatforming increases monthly costs without operational savings.
- Limited architectural flexibility: Replatforming does not solve horizontal scaling issues or stateful application constraints. Applications requiring microservices decomposition need refactoring instead.
When it stops being the right choice: If the application uses proprietary databases (Oracle RAC, IBM Db2 with custom extensions) or tightly coupled file system dependencies that managed services cannot replicate, replatforming fails the technical feasibility assessment. Refactoring or retaining becomes necessary.
Choose This Option If:
3. Repurchasing (Move to SaaS)
Repurchasing replaces legacy custom applications with commercial SaaS products, eliminating infrastructure management entirely but requiring business process changes and data migration.
Best for: Organizations running commodity business functions (CRM, HR, accounting) where custom builds no longer justify maintenance costs and SaaS alternatives provide ISO 27001 or SOC 2 certification.
What it is:
- Replace custom-built applications with commercial SaaS platforms (Salesforce for CRM, Workday for HR, NetSuite for ERP)
- Migrate data from legacy system to vendor-hosted platform
- Retire custom application code and on-premise infrastructure
Why it ranks here: Repurchasing ranks third because it removes infrastructure burden but introduces vendor dependency and process constraints. Unlike rehosting or replatforming, this strategy eliminates technical debt permanently but sacrifices customization control.
Implementation Reality
Timeline: 30 to 90 days for data migration, user training, and parallel operation before cutover.
Team effort: 150 to 300 hours (data export/transform, API integration, user acceptance testing).
Ongoing maintenance: Zero infrastructure management. SaaS vendor handles patching, scaling, and disaster recovery.
Clear Limitations
- Vendor lock-in: Data portability varies. Some platforms use proprietary export formats that complicate future migrations.
- Process constraints: SaaS products enforce standardized workflows. Highly customized business processes require adaptation or workarounds.
- Compliance transfer risk: Vendor must provide GDPR Data Processing Agreements (DPAs) and maintain EU data residency. According to Gartner's research on public cloud migration, organizations must verify vendor certifications match regulatory requirements before migration.
Choose this option if:
- Application serves fewer than 50 users and provides commodity functionality available in mature SaaS products
- Custom application maintenance consumes more than 20 hours per month of engineering time
- Business is willing to adapt processes to SaaS vendor's standardized workflows rather than maintaining custom code
4. Refactoring/Re-architecting
Refactoring rebuilds applications using cloud-native architectures (containers, microservices, serverless). It provides the highest compliance and scalability benefits but requires the longest migration timeline and the highest cost.
Best for: Applications where performance/scalability issues block revenue growth or legacy security architecture prevents passing vendor audits.
What it is:
Decompose monolithic applications into microservices, containerize using Docker/Kubernetes, implement serverless components (AWS Lambda, Azure Functions) for event-driven workloads, replace synchronous calls with asynchronous messaging (SQS, EventBridge, Service Bus).
Why it ranks here:
Refactoring delivers maximum long-term value but requires 6-18 month timelines and mature DevOps capabilities most SMBs lack. Lower-ranked strategies (rehosting, replatforming) provide faster compliance gains. According to Forrester's Application Modernization and Multicloud Managed Services Wave, client references preferred a single supplier across modernization and operations on a four-to-one basis, indicating most organizations lack internal capacity for cloud-native architecture transitions.
Implementation Reality
Timeline: 6-18 months (architecture redesign, microservices decomposition, testing)
Team effort: 2,000-5,000 engineering hours depending on application complexity
Ongoing maintenance: Containerized applications require mature DevOps practices including CI/CD pipelines, observability (logs/metrics/traces), and incident response. Expect 40-60 hours/month ongoing maintenance for production Kubernetes clusters.
Compliance implications:
Containerized applications simplify ISO 27001 compliance through infrastructure-as-code (IaC). Immutable infrastructure prevents configuration drift, allowing auditors to verify deployed configurations match approved baselines. Kubernetes security requires pod security policies, network policies, and RBAC (role-based access control) to meet ISO 27001 access control requirements. Container registry scanning (AWS ECR, Azure ACR, Google Artifact Registry) provides vulnerability tracking required for vendor security reviews.
NIST Application Container Security Guide (SP 800-190) and CIS Kubernetes Benchmarks define security baselines for containerized workloads. According to Gartner's cloud migration research, organizations adopting cloud-native architectures report 40-60% reduction in deployment lead times but face 12-24 month learning curves for teams without prior container experience.
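One way to run the baseline check described above (deployed configuration compared against the approved one), as an added example that is not part of the original article. The manifest, registry name and image tags are constructed, and stripping runtime fields by key name at every depth is a simplification assumed for this sketch.

```python
import copy

# Metadata the cluster fills in at runtime; stripped before comparison.
# Matching by key name at any depth is a simplification for this example.
SERVER_MANAGED = {"status", "resourceVersion", "uid", "creationTimestamp",
                  "generation", "managedFields"}
ABSENT = "<absent>"  # marker for a key or list item present on one side only


def normalize(obj):
    """Recursively drop server-managed keys so only declared config remains."""
    if isinstance(obj, dict):
        return {k: normalize(v) for k, v in obj.items() if k not in SERVER_MANAGED}
    if isinstance(obj, list):
        return [normalize(v) for v in obj]
    return obj


def diff(approved, deployed, path=""):
    """Return (path, approved_value, deployed_value) for every difference."""
    if isinstance(approved, dict) and isinstance(deployed, dict):
        out = []
        for key in sorted(set(approved) | set(deployed)):
            out += diff(approved.get(key, ABSENT), deployed.get(key, ABSENT),
                        f"{path}/{key}")
        return out
    if isinstance(approved, list) and isinstance(deployed, list):
        out = []
        for i in range(max(len(approved), len(deployed))):
            a = approved[i] if i < len(approved) else ABSENT
            d = deployed[i] if i < len(deployed) else ABSENT
            out += diff(a, d, f"{path}/{i}")
        return out
    return [] if approved == deployed else [(path, approved, deployed)]


def drift_report(approved, deployed):
    """Compare the approved manifest with the live object, ignoring runtime fields."""
    return diff(normalize(approved), normalize(deployed))


# Constructed approved baseline, as the IaC repository would declare it.
APPROVED = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "billing", "namespace": "prod"},
    "spec": {"replicas": 3, "template": {"spec": {"containers": [
        {"name": "billing",
         "image": "registry.example.internal/billing:1.4.2",
         "securityContext": {"runAsNonRoot": True, "privileged": False}},
    ]}}},
}

# Constructed live object: runtime fields added, plus two out-of-band changes.
DEPLOYED = copy.deepcopy(APPROVED)
DEPLOYED["metadata"].update({"resourceVersion": "88121", "uid": "constructed-uid"})
DEPLOYED["status"] = {"readyReplicas": 3}
_c = DEPLOYED["spec"]["template"]["spec"]["containers"][0]
_c["image"] = "registry.example.internal/billing:1.4.2-hotfix"
_c["securityContext"]["privileged"] = True

if __name__ == "__main__":
    for path, want, got in drift_report(APPROVED, DEPLOYED):
        print(f"DRIFT {path}: approved={want!r} deployed={got!r}")
```

Each reported path is a change that bypassed the approved baseline, which is the evidence an auditor asks for when verifying change management.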
Cutover approach: Strangler fig pattern enables zero-downtime migration by routing traffic incrementally to new architecture.
Clear Limitations
- Requires 6-18 months minimum, unsuitable for urgent compliance deadlines
- Development cost ranges €50,000-€200,000 for mid-sized applications
- Container orchestration (EKS, AKS, GKE) adds €150-€500/month base infrastructure cost plus per-pod costs
- Operational risk if team lacks Kubernetes/microservices production experience
- Refactoring without mature DevOps practices creates post-launch performance and security issues
When it stops being the right choice: If the application has stable load patterns, no horizontal scaling requirements, and less than 5 years of remaining business lifespan, the refactoring cost exceeds its value.
5. Retire (Decommission Redundant Applications)
Retiring decommissions applications no longer providing business value. This is the fastest path to reducing infrastructure costs and compliance scope.
Best for: SMBs with 15+ legacy applications where 20-30% are redundant, unused, or replaced by newer systems.
What it is: Identify applications with fewer than 10 active users per month or functionality duplicated by newer systems. Archive historical data for compliance retention requirements. Shut down infrastructure and decommission supporting services.
Why it ranks here: Retirement eliminates migration complexity entirely but requires careful verification of regulatory data retention rules. Applications subject to GDPR Article 32 – Security of Processing or financial regulations cannot be deleted without documented retention procedures. Shadow IT applications, deprecated products, and redundant development environments are typical retirement candidates.
Implementation Reality
Timeline: 2-4 weeks per application (dependency verification, data archival, decommissioning)
Team effort: 20-40 hours per application (inventory dependencies, export data, update documentation)
Ongoing maintenance: Zero (application no longer exists)
Clear Limitations
- Cannot retire applications with regulatory data retention requirements without archival procedures
- Requires thorough dependency analysis (API integrations, data feeds, authentication systems)
- GDPR Article 17 (Right to Erasure) mandates documented deletion procedures for personal data
Choose this option if:
- Application has fewer than 10 active users per month
- Functionality is fully replaced by newer systems or SaaS products
- Retiring reduces ISO/IEC 27001:2022 audit scope by eliminating systems requiring security controls
6. Retain (Postpone Migration)
Retaining keeps applications on existing infrastructure when migration risks exceed benefits. This is a valid strategy for stable legacy systems with unclear cloud ROI.
Best for: Stable applications nearing end of life (fewer than 5 years remaining business lifespan) where migration cost exceeds three times annual infrastructure cost.
What it is:
Retention means explicitly deciding NOT to migrate specific applications. You document the decision rationale for audit purposes and maintain existing infrastructure with improved security controls. This is not procrastination. It is a conscious strategic choice based on risk/benefit analysis.
Why it ranks here:
Retention ranks lower because it does not reduce operational burden or improve compliance posture. However, it avoids migration costs and prevents unnecessary disruption to stable systems. Gartner's cloud migration research recognizes retention as a legitimate strategy when business justification for migration is weak.
Implementation Reality
- Timeline: Immediate decision, no migration work required
- Team effort: 20-40 hours documenting retention rationale and implementing compensating controls
- Ongoing maintenance: Unchanged from current state (patching, backup, monitoring continue as-is)
Clear Limitations
- Retained on-premise applications still require compliance controls (encryption, access logging, patching, backup) to meet ISO 27001 requirements
- Hybrid cloud environments complicate audits because you maintain two security control frameworks (on-premise plus cloud)
- Vendor review risk increases as some enterprise buyers reject vendors with ANY on-premise infrastructure (cloud-only procurement policies)
- Stranded capacity costs occur when you cannot decommission datacenters due to one or two retained applications
Risk mitigation for retained applications:
- Implement compensating controls: VPN access, MFA, encrypted backups to cloud storage
- Document retention decision with business justification for auditors
- Schedule annual retention review to re-evaluate cloud migration business case
Choose this option if:
- Application has fewer than 5 years remaining business lifespan AND migration cost exceeds €30,000
- Application is stable with fewer than 5 production incidents per year
- Migration complexity (proprietary dependencies, undocumented architecture) creates unacceptable failure risk
- You are retaining a maximum of 2-3 applications (retaining the entire portfolio delays inevitable migration and increases future technical debt)
7. Hybrid Migration (Gradual Multi-Phase Approach)
Best for: Organizations with 10+ applications lacking cloud operational experience who need to validate capabilities before migrating business-critical systems.
What it is: Hybrid migration sequences applications across 12-24 months using multiple strategies per phase. Non-production environments migrate first (rehosting), followed by internal tools (replatforming), then customer-facing systems (selective refactoring). Organizations maintain parallel on-premise and cloud infrastructure during transition, building operational maturity incrementally.
Why it ranks here: This strategy ranks last because it requires the longest timeline and highest total cost (dual infrastructure during transition). However, it provides the lowest migration risk for organizations without production cloud experience. According to Gartner's 2025 cloud migration research, phased approaches reduce migration failure rates by validating compliance controls and operational processes before migrating revenue-generating systems.
Implementation Reality
Timeline: 12-24 months across four phases (non-production → internal tools → customer-facing → decommissioning)
Team effort: 400-800 hours total (50-100 hours per application plus cross-phase infrastructure setup)
Ongoing maintenance: Dual security controls required during hybrid period (on-premise + cloud frameworks)
Clear Limitations
- Peak infrastructure costs occur months 6-18 when running parallel environments (40-60% cost increase vs on-premise baseline)
- ISO 27001 audits assess both environments until decommissioning is complete, increasing audit scope and cost
- Hybrid networking complexity (VPNs, firewalls, routing) creates operational burden until on-premise shutdown
- Team knowledge transfer takes 9-12 months minimum, delaying full cloud-native capability
Choose this option if:
- Your organization manages more than 10 business-critical applications requiring migration
- Internal team has never operated production cloud infrastructure and failure risk is unacceptable
- Business continuity requirements prevent extended downtime windows (2+ hours) for simultaneous migration
When Lower-Ranked Options Are Better
Rehosting (#1) stops being optimal when applications require horizontal scaling. If customer growth patterns are unpredictable or seasonal traffic spikes exceed 3x baseline load, refactoring (#4) to containerized architectures provides auto-scaling capabilities that lift-and-shift VMs cannot match. Example: A fintech SaaS platform experiencing 400% traffic growth during quarter-end processing periods needs Kubernetes-based scaling, not larger EC2 instances.
Replatforming (#2) becomes insufficient when vendor security reviews require immutable infrastructure. According to Gartner's analysis of cloud migration strategies, enterprises increasingly mandate infrastructure-as-code deployments to prevent configuration drift. If procurement teams reject manual database configurations, refactoring (#4) with IaC and container registries satisfies ISO/IEC 27001:2022 change management controls that replatforming alone cannot demonstrate.
Repurchasing (#3) fails when SaaS vendors lack EU data residency options. If the application processes personal data under GDPR Article 32 and the available SaaS products store data in US-only regions, retaining (#6) on-premise infrastructure with enhanced security controls becomes the compliant choice until EU-hosted alternatives emerge.
Hybrid migration (#7) introduces unnecessary complexity for single-application migrations. If the organization operates only one business-critical system and the internal team has cloud operational experience, direct refactoring (#4) or replatforming (#2) completes the migration faster than multi-phase approaches designed for portfolio-scale transitions.
Real-World Decision Scenarios
Scenario 1: Fintech Platform (Payment Processing)
Profile:
- Company size: 85 employees
- Revenue: €12M annually
- Target market: EU B2B payments
- Current state: On-premise PostgreSQL database, monolithic Java application, no disaster recovery
- Growth stage: Series A funded, targeting enterprise customers
Recommendation: Replatforming (Strategy #2)
Rationale: Enterprise procurement teams require SOC 2 certification and documented disaster recovery procedures. Migrating to AWS RDS PostgreSQL with automated backups and multi-AZ deployment provides immediate compliance benefits without rewriting application code. According to Gartner's cloud migration research, replatforming delivers 40% faster time-to-compliance compared to refactoring while maintaining application stability. Migration timeline: 8-12 weeks with 4-hour planned downtime.
Expected outcome: Pass SOC 2 audit within 6 months, unblock €2M pipeline stalled at vendor security reviews.
Scenario 2: Healthcare SaaS (Patient Records Management)
Profile:
- Company size: 120 employees
- Revenue: €8M annually
- Target market: EU medical clinics (Ireland, Netherlands, Germany)
- Current state: Containerized microservices on self-managed Kubernetes, frequent performance issues
- Growth stage: Scaling to 500+ clinic customers
Recommendation: Refactoring to managed Kubernetes (Strategy #4)
Rationale: Self-managed Kubernetes lacks the production-grade security controls required for medical data (GDPR Article 32 mandates encrypted storage, access logging, audit trails). Migrating to AWS EKS or Azure AKS implements CIS Kubernetes Security Benchmarks through a managed control plane, automated patching, and integrated logging (CloudTrail/Azure Monitor).