
PAM Vendor Comparison 2026: US vs EU — Architecture, Security, and Price

13 min read
VaultPAM Team
Security Engineering

Enterprise PAM evaluation in Europe in 2026 is not the same decision it was in 2022. The EU NIS2 Directive has been in force since January 2023; Poland's national transposition (UKSC) entered into force in April 2026, with a compliance deadline of April 2027 for in-scope entities. GDPR enforcement is accelerating. The question is no longer just "which PAM has the best features" — it is "which PAM can I actually rely on for EU regulatory compliance, and which one keeps my data in Europe." This article compares five leading PAM platforms across four dimensions that matter most for European enterprise buyers: architecture, EU security posture, pricing model, and fit for RDP-heavy infrastructure.

The Five Vendors

Shortlisting PAM vendors in 2026 means navigating a market that spans US cloud-native startups, EU-regulated incumbents, and a new wave of EU-founded challengers built specifically for the NIS2 era. Here is where each of the five vendors in this comparison sits.

US-based Vendor A is a US-headquartered cloud-native PAM platform that built its reputation on SSH and Kubernetes access management. It has since expanded to Windows Desktop (RDP) and database access. Its pricing model is usage-based — Monthly Active Users plus protected resources — which makes it attractive for engineering-heavy organisations with predictable infrastructure. It does not publish EU-specific data residency guarantees on its public website.

US-based Vendor B is a US-headquartered multi-protocol PAM platform with broad coverage: databases (PostgreSQL, MySQL, MSSQL, MongoDB), servers (SSH, RDP), Kubernetes, and cloud services in a single proxy model. It was acquired by a major legacy PAM vendor in early 2026. Pricing is contact-sales only across all tiers. EU data residency is not documented publicly.

EU-based Vendor C is a French publicly-listed company with dual BSI and ANSSI certification — the only vendor in this comparison holding both German and French national security certifications. It targets multi-protocol PAM with both on-premises and cloud deployment options, and has a strong go-to-market presence in France and Germany, including procurement via French government framework agreements. Pricing is contact-sales.

EU-based Vendor D is a Polish company headquartered in Warsaw, Series A funded in 2025. It focuses on agentless PAM with RDP session recording and has positioned itself explicitly around NIS2 compliance. As a Warsaw-headquartered company, it shares the same jurisdiction as VaultPAM. Pricing is contact-sales.

EU-based Vendor E is a Finnish publicly-listed company (Nordic stock exchange) that takes a certificate-based, no-vault approach to PAM: ephemeral certificates replace stored credentials entirely, so there is no privileged credential vault to protect. It is SSH-primary with RDP support added. It is the only vendor in this comparison with online purchasing available at published tier prices.


How Each PAM Handles Your Traffic

Architecture is not an implementation detail — it determines what your audit trail looks like, whether an agent needs to be installed on every target server, and whether session recordings will satisfy a regulator who asks to see them.

| Dimension | VaultPAM | US-based Vendor A | US-based Vendor B | EU-based Vendor C | EU-based Vendor D | EU-based Vendor E |
|---|---|---|---|---|---|---|
| Deployment model | Cloud-native SaaS (GCP europe-central2) | Cloud-native SaaS (multi-region) | Cloud-native SaaS (multi-region) | On-prem + cloud hybrid | Cloud-native SaaS | Cloud-native SaaS |
| Protocol handling | Agentless — no agent on target server | Agent required on Windows targets (Windows Desktop Service); agentless for SSH/K8s | Agentless proxy for all protocols | Agent-based (on-prem) and agentless (cloud) | Agentless | Agentless |
| RDP approach | Native RDP proxy — full protocol-level recording, no jump host | RDP via Windows Desktop Service; smart card auth; screenshot-based recording documented | RDP proxy via agent; session recording included | RDP proxy; on-prem gateway or cloud relay | Native RDP proxy; session recording included | RDP supported via proxy; SSH-primary architecture |
| Credential model | Vault (AES-256-GCM, Vault Transit) + JIT time-bounded sessions | Certificate-based ephemeral (no stored credentials for SSH/K8s); vault used for Windows passwords | Vault — secrets stored and rotated; zero standing access | Vault — secrets stored and rotated | Vault + JIT | Certificate-based (no vault) |
| Session recording | Yes — stored in GCP europe-central2; BLAKE3 hash chain; WORM storage | Yes — recordings stored in vendor cloud; region not documented publicly | Yes — recordings stored in vendor cloud; region not documented publicly | Yes — on-prem storage option available; cloud region not documented publicly | Yes — region not documented publicly | Not documented publicly for RDP |

What the Architecture Differences Actually Mean

The credential model choice has compliance consequences that are easy to miss in a feature comparison.

Certificate-only (no vault) PAM eliminates the risk of stored credential compromise — there are no stored credentials to steal. EU-based Vendor E's architecture is genuinely innovative in this respect. However, it also means there is no credential access audit trail for some regulatory frameworks. If an auditor asks "who had access to the Windows Administrator password on this server between March 1 and March 31," the answer in a certificate-only model is a certificate issuance log — not a credential vault access log. Some regulators and audit frameworks accept this; others expect a traditional vault access audit trail. Know which your auditors expect before selecting this model.
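To make the difference concrete, here is the auditor's question above ("who had access to the Windows Administrator password on this server between March 1 and March 31") answered from both log shapes. This is an added example, not code from the page or from any vendor in the comparison; the two log formats, all field names and every record are constructed for illustration, and the time-window overlap rule is this example's own choice. The certificate branch also shows the point the paragraph makes: issuance evidence tells you who could connect, not who did.

```python
"""Answering an auditor's "who had access?" question from two audit-log shapes.

Added example, not code from any vendor in the comparison. In a vault model
the evidence is a credential checkout log; in a certificate-only model it is
a certificate issuance log. Both log formats, all field names and all records
below are constructed for illustration.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessWindow:
    user: str
    target: str
    account: str       # OS account / certificate principal the window grants
    start: datetime
    end: datetime
    evidence: str      # which log record supports the claim


def parse_ts(value: str) -> datetime:
    """ISO-8601 UTC timestamps with a trailing Z (constructed log convention)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def windows_from_vault_log(lines):
    """Vault model: a credential checkout is an explicit access window."""
    out = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event") != "credential_checkout":
            continue  # rotations and other events are not access windows
        out.append(AccessWindow(rec["user"], rec["target"], rec["account"],
                                parse_ts(rec["checkout_at"]), parse_ts(rec["checkin_at"]),
                                f"vault checkout {rec['id']}"))
    return out


def windows_from_cert_log(lines):
    """Certificate model: a certificate's validity period is the access window.

    Issuance proves the user could connect during the window, not that they
    did; actual use has to come from session logs or recordings.
    """
    out = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event") != "certificate_issued":
            continue
        out.append(AccessWindow(rec["user"], rec["target"], rec["principal"],
                                parse_ts(rec["not_before"]), parse_ts(rec["not_after"]),
                                f"certificate serial {rec['serial']}"))
    return out


def who_had_access(windows, target, account, period_start, period_end):
    """Users whose window overlaps [period_start, period_end).

    A window that straddles a boundary (issued on Feb 28, valid into Mar 1)
    counts: the user held access inside the audited period.
    """
    hits = [w for w in windows
            if w.target == target and w.account == account
            and w.start < period_end and w.end > period_start]
    return sorted({w.user for w in hits})


# Constructed sample logs (one JSON record per line).
VAULT_LOG = [
    '{"event":"credential_checkout","id":"v1","user":"alice","target":"win-db-01","account":"Administrator","checkout_at":"2026-03-10T08:00:00Z","checkin_at":"2026-03-10T09:00:00Z"}',
    '{"event":"credential_checkout","id":"v2","user":"bob","target":"win-db-02","account":"Administrator","checkout_at":"2026-03-12T08:00:00Z","checkin_at":"2026-03-12T08:30:00Z"}',
    '{"event":"credential_checkout","id":"v3","user":"carol","target":"win-db-01","account":"Administrator","checkout_at":"2026-02-20T10:00:00Z","checkin_at":"2026-02-20T11:00:00Z"}',
    '{"event":"credential_rotated","id":"v4","target":"win-db-01","account":"Administrator","at":"2026-03-10T09:01:00Z"}',
]
CERT_LOG = [
    '{"event":"certificate_issued","serial":"c1","user":"dave","target":"win-db-01","principal":"Administrator","not_before":"2026-02-28T22:00:00Z","not_after":"2026-03-01T06:00:00Z"}',
    '{"event":"certificate_issued","serial":"c2","user":"erin","target":"win-db-01","principal":"Administrator","not_before":"2026-03-31T23:30:00Z","not_after":"2026-04-01T07:30:00Z"}',
    '{"event":"certificate_issued","serial":"c3","user":"frank","target":"win-db-01","principal":"Administrator","not_before":"2026-04-02T08:00:00Z","not_after":"2026-04-02T16:00:00Z"}',
    '{"event":"certificate_issued","serial":"c4","user":"grace","target":"win-db-01","principal":"backup-operator","not_before":"2026-03-15T08:00:00Z","not_after":"2026-03-15T16:00:00Z"}',
]

MARCH_START = datetime(2026, 3, 1, tzinfo=timezone.utc)
APRIL_START = datetime(2026, 4, 1, tzinfo=timezone.utc)


def audit_answer():
    """The same auditor question asked of both models."""
    vault = who_had_access(windows_from_vault_log(VAULT_LOG),
                           "win-db-01", "Administrator", MARCH_START, APRIL_START)
    cert = who_had_access(windows_from_cert_log(CERT_LOG),
                          "win-db-01", "Administrator", MARCH_START, APRIL_START)
    return {"vault_model": vault, "certificate_model": cert}


if __name__ == "__main__":
    print(audit_answer())
```

Both answers are lists of users, but they are answers to slightly different questions: the vault list is who checked the password out, the certificate list is who held a certificate valid for that principal during the period. Whether the second is acceptable evidence is exactly the question to settle with your auditors beforehand.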

Screenshot-based versus protocol-level RDP recording is a distinction that matters for NIS2 Article 21. Screenshot-based recording captures what a user saw but does not capture the underlying RDP command and control stream. Protocol-level recording captures the full session: keystrokes, clipboard transfers, file transfers, and display output at the protocol layer. The difference becomes significant when an incident response team needs to reconstruct exactly what happened in a privileged session — a screenshot sequence may not be sufficient. VaultPAM, EU-based Vendor C, and EU-based Vendor D all document protocol-level or equivalent recording; US-based Vendor A documents screenshot-based recording for Windows Desktop sessions specifically.

Agentless versus agent-based affects deployment overhead at scale. For organisations with hundreds of Windows servers, deploying and maintaining an agent on each target adds operational cost. Agentless models (VaultPAM, EU-based Vendor D, US-based Vendor B) connect through a central proxy without touching the target server's software stack.
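The architecture table lists a hash chain over recordings in WORM storage for VaultPAM, and the paragraph on incident reconstruction assumes the recording an investigator replays is the one that was captured. The following is an added example of what that tamper-evidence property means mechanically; it is not VaultPAM's or any other vendor's code. The chunk layout, the field names and the use of hashlib.blake2b from the standard library as a stand-in for BLAKE3 are this example's own assumptions.

```python
"""Tamper-evident hash chain over session-recording chunks.

Added example, not code from VaultPAM or any vendor in the comparison. The
chunk layout, field names and hashlib.blake2b (a standard-library stand-in
for BLAKE3, which is not in the standard library) are assumptions.
"""
import hashlib
from dataclasses import dataclass

GENESIS = b"\x00" * 32  # constructed: "previous hash" of the first entry


@dataclass(frozen=True)
class ChainedChunk:
    seq: int           # position of the chunk in the recording
    payload: bytes     # recorded protocol data for that interval (constructed)
    prev_hash: bytes   # entry_hash of the previous chunk (GENESIS for seq 0)
    entry_hash: bytes  # digest over seq, prev_hash and payload


def entry_digest(seq: int, prev_hash: bytes, payload: bytes) -> bytes:
    """Digest binding a chunk to its position and to the chunk before it."""
    h = hashlib.blake2b(digest_size=32)  # stand-in for BLAKE3 (assumption)
    h.update(seq.to_bytes(8, "big"))
    h.update(prev_hash)
    h.update(len(payload).to_bytes(8, "big"))  # length prefix: no boundary ambiguity
    h.update(payload)
    return h.digest()


def build_chain(chunks: list[bytes]) -> list[ChainedChunk]:
    """Chain recording chunks in write order; returns the ordered entries."""
    chain: list[ChainedChunk] = []
    prev = GENESIS
    for seq, payload in enumerate(chunks):
        digest = entry_digest(seq, prev, payload)
        chain.append(ChainedChunk(seq, payload, prev, digest))
        prev = digest
    return chain


def chain_head(chain: list[ChainedChunk]) -> bytes:
    """The value to anchor outside the recording store (e.g. in WORM storage).

    Without an externally held head, an attacker who can rewrite the store
    could modify a chunk and simply recompute every later hash.
    """
    return chain[-1].entry_hash if chain else GENESIS


def verify_chain(chain: list[ChainedChunk], expected_head: bytes) -> tuple[bool, str]:
    """Walk the chain from GENESIS and report the first inconsistency.

    Detects modified chunks, deleted or reordered chunks (sequence or link
    breaks) and truncation or wholesale replacement (head mismatch).
    """
    prev = GENESIS
    for position, entry in enumerate(chain):
        if entry.seq != position:
            return False, f"sequence gap at position {position}: found seq {entry.seq}"
        if entry.prev_hash != prev:
            return False, f"broken link at seq {entry.seq}"
        if entry_digest(entry.seq, entry.prev_hash, entry.payload) != entry.entry_hash:
            return False, f"chunk modified at seq {entry.seq}"
        prev = entry.entry_hash
    if prev != expected_head:
        return False, "head mismatch: chain truncated or rewritten"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: four chunks of a short RDP session.
    sample = [b"logon", b"cmd: whoami", b"cmd: hostname", b"logoff"]
    recording = build_chain(sample)
    print(verify_chain(recording, chain_head(recording)))
```

The design point is the split between the chain and its head: the chain lets a verifier localise which chunk was altered, deleted or reordered, while the head, held somewhere the recording store cannot overwrite, is what catches a wholesale rewrite in which every later hash was recomputed. That is the role WORM storage plays in the table.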


Data Sovereignty, Certifications, and NIS2 Compliance Depth

EU security posture is increasingly a procurement gate — not a nice-to-have. For organisations subject to NIS2, GDPR, or sector-specific regulations (DORA, UKSC, Polish cybersecurity act), the vendor's jurisdiction and certification posture determine whether the tool is even on the shortlist.

| Dimension | VaultPAM | US-based Vendor A | US-based Vendor B | EU-based Vendor C | EU-based Vendor D | EU-based Vendor E |
|---|---|---|---|---|---|---|
| HQ jurisdiction | EU (Poland) | US | US | EU (France) | EU (Poland) | EU (Finland) |
| Data residency | GCP europe-central2 (Warsaw, Poland) | Not documented publicly | Not documented publicly | On-prem option; cloud region not documented publicly | Not documented publicly | Not documented publicly |
| Third-country transfer risk | None (EU company, EU data) | US CLOUD Act applies | US CLOUD Act applies | None (EU company) | None (EU company) | None (EU company) |
| Security certifications | SOC 2 Type II readiness; ISO 27001 readiness | SOC 2 Type II (documented publicly) | SOC 2 Type II (documented publicly) | BSI + ANSSI dual-certified | Not documented publicly | Not documented publicly |
| NIS2 compliance documentation | Published Article 21 control mapping | Not documented publicly | NIS2 content published (blog post level) | Not documented publicly | NIS2 focus documented; Article 21 mapping not publicly confirmed | Not documented publicly |

The CLOUD Act Problem for EU Buyers

US-headquartered companies — regardless of where they host their data — are subject to the US Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018. Under the CLOUD Act, a US company can be compelled by a US government order to disclose data it holds or controls, even when that data is stored in an EU data centre.

This is not a theoretical risk. For NIS2-scoped entities in critical infrastructure sectors (energy, transport, healthcare, financial infrastructure), procurement of cloud services from US-HQ vendors now routinely includes a legal review of CLOUD Act exposure. For organisations that have completed this review and accepted the risk, US-based vendors remain viable. For organisations where the legal or compliance team has flagged CLOUD Act as a procurement gate, only EU-HQ vendors pass.

EU-based Vendors C, D, and E are incorporated in EU member states and do not have direct CLOUD Act exposure as companies. VaultPAM is also EU-incorporated (Poland), but its cloud infrastructure runs on GCP europe-central2, a region operated by Google LLC, a US company. Whether the CLOUD Act could reach VaultPAM customer data via a request directed at Google is a legal question; procurement teams in critical infrastructure sectors should seek counsel. In practice, standard cloud data processing agreements and EU data protection frameworks provide significant procedural protections against such requests, and Google publishes a Government Requests Transparency Report documenting how often it challenges them.

BSI and ANSSI Certification

EU-based Vendor C is the only vendor in this comparison with BSI (Bundesamt für Sicherheit in der Informationstechnik, Germany) and ANSSI (Agence nationale de la sécurité des systèmes d'information, France) dual certification. For procurement into German federal government infrastructure, critical national infrastructure in France, or any organisation that has a contractual requirement for BSI or ANSSI certification, EU-based Vendor C is the only option in this comparison that qualifies. No other vendor reviewed here has achieved this certification level.

NIS2 Article 21 Documentation

NIS2 Article 21 requires organisations to implement "appropriate and proportionate technical and organisational measures" including privileged access controls, multi-factor authentication, and session recording. Auditors increasingly ask vendors to provide a control mapping that shows how their product implements each Article 21 sub-requirement.

VaultPAM publishes an Article 21 control mapping as part of its product documentation. US-based Vendor B has published NIS2 content at the blog/marketing level. The remaining vendors in this comparison do not publicly document an Article 21 control mapping as of May 2026.


What You Actually Pay

Enterprise PAM pricing is almost universally opaque. The table below reflects what each vendor publicly documents.

| Vendor | Pricing model | Public pricing | Free tier |
|---|---|---|---|
| VaultPAM | Per managed target + users; monthly or annual | Yes — Starter €399/mo, Business €699/mo, Enterprise from €2,500/mo | 14-day free trial (Starter tier, no credit card required) |
| US-based Vendor A | Usage-based (MAU + protected resources) | Requires sales conversation; no public numbers | Community Edition (companies under 100 employees / $10M revenue) |
| US-based Vendor B | Contact sales; Essentials / Enterprise / GovCloud tiers | No public per-seat or per-resource pricing | Not documented publicly |
| EU-based Vendor C | Contact sales; French government framework pricing available | No public numbers | Not documented publicly |
| EU-based Vendor D | Contact sales | No public numbers | Not documented publicly |
| EU-based Vendor E | Scalable tiers with online purchasing | Yes — public tier pricing available on website | Free tier available |

VaultPAM and EU-based Vendor E are the only two vendors in this comparison that publish pricing on their public website and offer a path to start without a sales conversation. Every other vendor in this comparison requires procurement engagement before any pricing information is available.

The Real Cost Is Not the Licence Fee

List price is the least informative number in a PAM evaluation. The total cost of ownership depends on:

  • Agent deployment and maintenance costs — for agent-based architectures, the ongoing cost of deploying, updating, and troubleshooting agents across all target servers is real operational overhead. For a 500-server environment, this can exceed the licence cost in staff time over a three-year contract.
  • Session storage costs — session recordings at full fidelity generate significant storage volume. Vendors that include storage in the licence (VaultPAM Starter includes 50 GB) are easier to budget for than those that charge separately for recording storage.
  • AD/LDAP integration effort — nearly all PAM platforms require integration with Active Directory for user identity. The integration complexity varies significantly between vendors, and poor integration design creates ongoing helpdesk burden.
  • Support SLA costs — the difference between business-hours email support and 24/7 phone support is often a separate line item or tier upgrade. For PAM platforms protecting critical infrastructure, the support SLA is not optional.

The Right Tool for Your Situation

No single PAM platform is the right answer for every European enterprise. The architecture choices, jurisdiction, certification posture, and pricing model all create natural fits for specific buyer profiles.

Polish NIS2-scoped entity — particularly in critical infrastructure or essential services regulated under the Polish UKSC transposition. You need a hard EU data residency guarantee (not a contractual option that defaults elsewhere), a published Article 21 control mapping, RDP session recording with tamper-evident chain of custody, and support available in a compatible timezone. VaultPAM (Warsaw-headquartered, GCP europe-central2 data residency, Article 21 mapping published) and EU-based Vendor D (also Warsaw-headquartered, NIS2 focus) are the two vendors in this comparison that meet this profile. VaultPAM publishes pricing and offers a free trial; EU-based Vendor D requires a sales conversation.

French or German critical infrastructure with BSI or ANSSI contractual requirement. This narrows the field to one option: EU-based Vendor C. It is the only vendor in this comparison with dual BSI and ANSSI certification. If your procurement contract or sector regulator requires this certification level, no other vendor in this comparison qualifies. The trade-off is contact-sales-only pricing and a more complex on-prem deployment model.

Cloud-native technology company with SSH and Kubernetes as the primary access surface. If your infrastructure is Linux-heavy, Kubernetes-first, and hosted on a major cloud provider, US-based Vendor A's core product is genuinely strong. Its SSH and Kubernetes access management is more mature than its Windows/RDP stack. Accept the CLOUD Act risk if your legal team has cleared it, accept the usage-based pricing model, and verify the EU data residency position in writing before signing.

Security team that wants to eliminate stored credentials entirely — certificate-only PAM. If your security architecture rationale is "we do not want a credential vault because vaults are targets," EU-based Vendor E's certificate-based model is the only option in this comparison that matches this philosophy. It is SSH-primary, so verify RDP recording capability specifically before procurement. It is also the only EU vendor in this comparison with both public pricing and online purchasing — the fastest path to a proof of concept.



VaultPAM is built for European enterprises with RDP-heavy infrastructure and NIS2 obligations. Publicly documented pricing, a 14-day free trial, and GCP europe-central2 data residency — no standard contractual clauses required for EU data processing.
