7 Best European Password Managers (2026): GDPR-Tested
Seven EU-hosted password managers tested over three months. Passkeys, zero-knowledge, no CLOUD Act. From €0 free, €22/year paid. Verified May 2026.
A password manager holds the keys to your bank, your inbox, and whatever else you log into. Pick the wrong one and a breach exposes everything at once. Pick a US-hosted one and the FBI can compel access without telling you it happened.
The 2022 LastPass breach is the obvious reference point. Encrypted vaults for roughly 25 million users were lifted. The exact wording from LastPass at the time still reads like a hostage note: backups containing customer vault data had been copied. Two years later, password reuse from those vaults was still feeding credential-stuffing attacks.
This guide covers seven password managers based in the EU or Switzerland. None of them sit under US jurisdiction. Prices, encryption details, and feature support were rechecked on 2026-05-28.
Quick rankings
| Rank | Manager | Best For | Price |
|---|---|---|---|
| 1 | Proton Pass | Privacy maximalists | Free / €24/yr |
| 2 | NordPass | Balance of features | €22/yr |
| 3 | pCloud Pass | pCloud users | €29/yr |
| 4 | Padloc | Open source fans | Free / €35/yr |
| 5 | Passbolt | Teams & self-hosters | Free / €49/yr |
| 6 | Hypervault | Business compliance | €36/yr |
| 7 | heylogin | Passwordless future | €60/yr |
Full feature comparison
| Feature | Proton Pass | NordPass | pCloud Pass | Padloc | Passbolt | Hypervault | heylogin |
|---|---|---|---|---|---|---|---|
| Autofill | Yes | Yes | Yes | Paid | Yes | Yes | Yes |
| Passkey support | Yes | Yes | No | No | No | No | No |
| Email aliases | Yes (unlimited) | No | No | No | No | No | No |
| Breach scanner | No | Yes | No | No | No | No | No |
| Password generator | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| 2FA storage | Yes | Yes | No | Yes | Yes | Yes | No |
| Secure sharing | Yes | Yes | No | Yes | Yes (PGP) | Yes | No |
| Browser extension | Yes | Yes | Yes | Paid | Yes | Yes | Yes |
| Mobile apps | Yes | Yes | Yes | Yes | No | Yes | Yes |
| Self-hosting | No | No | No | Yes | Yes | No | No |
| Team features | Paid | Paid | No | Paid | Yes | Yes | Yes |
| Admin console | No | Paid | No | No | Yes | Yes | Yes |
| Audit logs | No | Paid | No | No | Yes | Yes | No |
| Open source | Yes | No | No | Yes | Yes | No | Partial |
Three tools dominate three different lanes. Proton Pass leads on privacy features (aliases, passkeys). NordPass leads on consumer polish (breach scanner, smoother UX). Passbolt leads on team security (PGP, self-hosting, audit logs). The others are situational.
Security and GDPR comparison
| Security | Proton Pass | NordPass | pCloud Pass | Padloc | Passbolt | Hypervault | heylogin |
|---|---|---|---|---|---|---|---|
| HQ | Switzerland | Lithuania | Switzerland | Germany | Luxembourg | Belgium | Germany |
| Encryption | AES-256 + Argon2 | XChaCha20 | AES-256 | AES-256 | OpenPGP | AES-256 | Device-based |
| Zero-knowledge | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Data location | Switzerland | EU | Switzerland | Germany/EU | Self-host/EU | Belgium/EU | Germany |
| CLOUD Act risk | None | None | None | None | None | None | None |
| Independent audit | Yes (2023) | Yes (Cure53) | No | Partial | Yes | No | No |
| DPA available | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| SOC 2 | No | No | No | No | No | Yes | No |
| GDPR Article 28 | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Every tool here is zero-knowledge. The provider cannot read your vault, even if compelled. What changes between them is the legal envelope around that vault. All seven sit under EU or Swiss law. None are reachable through US National Security Letters or the CLOUD Act.
For regulated industries (finance, healthcare, government), the choice narrows. Hypervault offers SOC 2 attestation. Passbolt offers self-hosting, which removes the vendor from the threat model entirely.
Pricing
| Plan | Proton Pass | NordPass | pCloud Pass | Padloc | Passbolt | Hypervault | heylogin |
|---|---|---|---|---|---|---|---|
| Free tier | Unlimited | 1 device | No | 50 items | Self-host | 14-day trial | Limited |
| Personal/year | €24 | €22 | €29 | €35 | €49 (cloud) | €36 | €60 |
| Family/year | €48 (6 users) | €44 (6 users) | — | — | — | — | — |
| Business/user/mo | €8 | €4 | — | — | €3 | €3 | €5 |
Proton Pass has the only genuinely useful free tier (unlimited passwords, unlimited devices, ten aliases). NordPass at €22 per year is the cheapest paid option. For teams, Passbolt and Hypervault at €3 per user per month undercut 1Password Business by half.
Passkeys
Passkeys replace passwords with a device-stored cryptographic keypair. There is nothing to phish, nothing to leak in a breach. The FIDO Alliance standard is supported by Apple, Google, and Microsoft, and adoption inside large consumer apps moved quickly through 2024 and 2025.
Two of the seven managers here support passkeys today: Proton Pass and NordPass. Both sync passkeys across devices with end-to-end encryption. Padloc and Passbolt have it on their roadmaps. The others have not committed publicly.
If passkey support matters to you, the shortlist is two.
1. Proton Pass
Proton Pass launched in 2023 as the password manager half of the Proton ecosystem. Same Swiss jurisdiction as ProtonMail, same zero-knowledge architecture, same set of independent audits behind it.
The most distinctive feature is hide-my-email aliases. Every site gets a unique forwarding address. When (not if) a site you signed up for leaks its user list, you can tell from your inbox which one did, and you can disable the alias in one click. I currently run 47 aliases through Proton Pass. Three have already received spam from sites I never gave my real email to. Those three are blocked now. The cost was nothing.
Browser extension occasionally fails to autofill on sites with unusual login flows, particularly ones that swap the password field in via JavaScript after page load. Mobile apps are competent but a step behind NordPass on polish.
Free tier is genuinely usable. Paid is €24 per year and adds unlimited aliases plus advanced sharing.
2. NordPass
Built by the same team behind NordVPN. The marketing is louder than I like. The product itself is the smoothest password manager in this list.
NordPass uses XChaCha20 instead of the standard AES-256. Both are secure. XChaCha20 is newer and arguably more resistant to certain side-channel attacks, but in practice the difference is theoretical. What you actually feel is the interface. The autofill works. The breach scanner pings you when one of your passwords shows up on a known leak list. The desktop and mobile apps agree with each other.
Not open source, which is the one real concern. NordPass has commissioned audits from Cure53, and those reports are public. That is the substitute for source access, and how much weight you give it depends on your trust model.
€22 per year for paid, with frequent sales below €15. The free tier is intentionally crippled at one device, which makes it a trial more than a free product.
3. pCloud Pass
pCloud Pass exists because pCloud wants to own the whole privacy bundle. Storage plus passwords plus encryption, all in one Swiss account. If you already pay pCloud for storage, the integration is the selling point.
As a standalone product, it gets harder to justify. €29 per year buys you fewer features than NordPass at €22 or Proton Pass at €24. There is no free tier to take it for a spin. Passkeys are not supported. The browser extension works but is plain.
I would recommend pCloud Pass only if you are already inside the pCloud ecosystem and you value account consolidation over features.
4. Padloc
Padloc is a small German project that has been around since 2015 and never grew the way Proton did. Everything is open source under AGPLv3. The encryption module is readable on GitHub in an afternoon. You can self-host the server if you want to remove Padloc entirely from the picture.
The team is small. Feature development is slow. There is no autofill in the free tier. The interface is functional in the way self-hosted open-source software often is: clearly written by people who use it, not redesigned every six months by a marketing department.
If you care about auditability above polish, this is the choice. €35 per year for the paid plan, free for fifty items.
5. Passbolt
Passbolt is not a consumer product. It is a team credential manager built around OpenPGP. Every user has a keypair. Shared credentials are encrypted to specific recipients, one by one, the way email encryption was originally meant to work. Cryptographers nod at this design.
Setup is real work. You administer a server (or pay for the cloud tier). Onboarding new team members involves generating and exchanging keys. There is no mobile app, only a web interface. None of this is incidental. It is the cost of doing cryptography correctly.
If you run a software team sharing AWS root credentials, production database passwords, or API keys, the model matches the problem. If you want a password manager for your spouse and your mother-in-law, this is not it.
Free self-hosted. €49 per year for cloud hosting with business features.
6. Hypervault
Hypervault is the answer when procurement asks whether the tool has SOC 2 and a signed DPA on company letterhead. It does. The interface is enterprise software, which is a way of saying competent and dull.
For personal use, this is overkill. For European companies with actual compliance officers, vendor security questionnaires, and ISO 27001 audits to satisfy, the checkbox coverage is the point. Admin console, audit logs, custom role permissions, SAML SSO. The features map to what a CISO needs to sign off, not what an individual wants on Monday morning.
€36 per year for personal. Business pricing scales with seats.
7. heylogin
heylogin removes the master password entirely. Your phone becomes the credential. Face ID or fingerprint unlocks the vault. There is nothing to remember and nothing to phish.
This is genuinely a different model. The philosophical question is whether your phone is more secure than a memorized master password. Phones can be stolen. Batteries die. Recovery flows for “I no longer have my phone” are the load-bearing piece, and they introduce friction at the worst possible moment, which is when you’re already locked out.
€60 per year. The pricing assumes you are an early adopter who values the design and is comfortable paying for it.
Bitwarden, briefly
Bitwarden comes up in every conversation about open-source password managers. It deserves to. The product is excellent, the free tier is genuinely usable, the codebase is auditable.
It is also headquartered in California, which means it sits inside US jurisdiction. National Security Letters and CLOUD Act requests apply. For some readers that is irrelevant. For anyone reading this guide specifically, it is the reason Bitwarden is not on the list.
If US jurisdiction is not a factor for you, Bitwarden is probably the best overall password manager available. The article above is for people who have decided it is a factor.
Decision matrix
| Priority | Choose |
|---|---|
| Privacy absolutist, already using Proton | Proton Pass |
| Best consumer experience | NordPass |
| Open source or nothing | Padloc |
| Team/developer credentials | Passbolt |
| Corporate compliance requirements | Hypervault |
| Passwordless believer | heylogin |
| Already in pCloud ecosystem | pCloud Pass |
What I actually use
For personal logins, Proton Pass. The aliases pay for themselves in spam reduction within a month, and I already trust Proton with my email, so adding a second product on the same account is a small step.
For shared infrastructure credentials with collaborators, Passbolt. The PGP-per-recipient model matches how production access should be granted: explicitly, recipient by recipient, with a key trail.
That setup is not universal advice. It is what works given my workflow. If you don’t need email aliases and don’t share credentials with a team, NordPass is the simpler, slightly more polished option, and it will save you €2 a year.
What it isn’t worth doing is staying on a US-hosted manager because switching feels like a hassle. The migration takes one evening.
Migrating from 1Password, LastPass, or Bitwarden
The process is the same across the seven tools above.
Export from your current manager
- 1Password: File → Export → CSV
- LastPass: Account Options → Advanced → Export
- Bitwarden: Tools → Export Vault → CSV
- Chrome: Settings → Passwords → Export
Import to your new manager
All seven accept the standard CSV format. The mapping of columns is usually automatic. Allow ten minutes including review.
Run both for two weeks
Don’t delete the old manager immediately. Keep both installed. If a login fails in the new one, falling back is cheap. After two weeks of normal use, you will have caught any gaps.
Rotate critical passwords
The migration is also the right moment to change passwords for accounts where reuse or staleness matters: banking, email, primary cloud accounts. The new manager’s generator handles this in one click per site.
A reasonable strategy is to migrate everything in one go but only rotate the top twenty most-used credentials. The rest can be rotated as you log in to them over the following months.
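One way to choose which credentials to rotate first from the exported CSV, as an added example that is not part of the original article: it ranks entries by reuse, critical-account status and length, and never outputs a password. The column names, the `CRITICAL_HOSTS` set, the scoring weights and the sample rows are assumptions; real export headers differ per manager.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample export. The column names are an assumption: real exports
# differ per manager, so map the fields to your file's header first.
SAMPLE_EXPORT = '''name,url,username,password
Bank,https://bank.example/login,alice,Tr0ub4dor&3
Mail,https://mail.example,alice@mail.example,Tr0ub4dor&3
Forum,https://forum.example,alice,hunter2
Cloud,https://cloud.example,alice,"c0rrect,horse"
Shop,https://shop.example,alice,hunter2
News,https://news.example,alice,Xq9!vLp2#Rt7mZ
'''

# Hypothetical hosts for the banking, email and primary cloud accounts.
CRITICAL_HOSTS = {"bank.example", "mail.example", "cloud.example"}


def rotation_plan(csv_text, critical_hosts=CRITICAL_HOSTS, min_length=12, top=20):
    """Rank entries to rotate first. The result never contains a password."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Index rows by password to detect reuse (held in memory only).
    rows_by_password = defaultdict(list)
    for row in rows:
        rows_by_password[row["password"]].append(row)

    plan = []
    for row in rows:
        score, reasons = 0, []
        shared = [r["name"] for r in rows_by_password[row["password"]] if r is not row]
        if shared:
            score += 2
            reasons.append("reused with " + ", ".join(shared))
        if (urlparse(row["url"]).hostname or "") in critical_hosts:
            score += 2
            reasons.append("critical account")
        if len(row["password"]) < min_length:
            score += 1
            reasons.append("shorter than %d characters" % min_length)
        if score:
            plan.append((score, row["name"], reasons))
    # Stable sort: highest score first, file order among ties.
    plan.sort(key=lambda item: -item[0])
    return plan[:top]


if __name__ == "__main__":
    for score, name, reasons in rotation_plan(SAMPLE_EXPORT):
        print(score, name, "; ".join(reasons))
```

The export file is plaintext, so keep it out of synced folders and delete it once the import has been verified.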
FAQ
Can I migrate from 1Password or LastPass to an EU password manager?
Yes. All seven tools on this list accept CSV imports from 1Password, LastPass, Bitwarden, and Chrome. The migration steps above take roughly ten minutes per source.
Is Proton Pass really free?
Yes. Unlimited passwords, unlimited devices, and ten email aliases on the free tier. No credit card needed. The paid tier (€24 per year) adds unlimited aliases and advanced sharing.
Are EU password managers as secure as Bitwarden or 1Password?
Yes. The encryption schemes (AES-256, XChaCha20, OpenPGP) are at parity with what US providers use. The difference is jurisdiction. EU and Swiss providers cannot be served National Security Letters or CLOUD Act demands.
Which European password manager supports passkeys?
Proton Pass and NordPass. Both sync passkeys end-to-end encrypted across devices. The other five do not currently support them.
Which European password manager is best for teams?
Passbolt for developer teams sharing infrastructure credentials (PGP per recipient, self-hosting available). Hypervault for corporate compliance (SOC 2, audit logs, SAML SSO). NordPass for general business use at €4 per user per month.
What happens if the company goes bankrupt?
For open-source options (Proton Pass, Padloc, Passbolt) you can self-host or export. For closed-source options, export your vault as CSV periodically. Every tool here supports CSV export.
Is the free tier enough?
Proton Pass: yes, for most users. NordPass: no, limited to one device. Padloc: marginal, capped at fifty items. Others: no.
Try them
🇨🇭Proton Pass: best free tier, best for Proton users
🇱🇹NordPass: best overall UX
🇩🇪Padloc: best open source
🇱🇺Passbolt: best for teams
🇧🇪Hypervault: best for compliance
🇩🇪heylogin: most forward-thinking approach
Pricing verified 2026-05-28. Last substantive update: May 2026.
Affiliate Disclosure
Some links in this article are affiliate links. If you sign up through our link, we earn a small commission at no extra cost to you. This helps keep EU Picks running.