From email servers to video conferencing tools and document collaboration platforms, Europe’s digital infrastructure is deeply entwined with American tech companies—most of all Microsoft. Microsoft 365 dominates public sector deployments across EU institutions, while Teams has become the default internal communication tool in many government agencies and hospitals. The Open Cloud Coalition (OCC) report estimates Microsoft’s overall market share at 77% for EU public sector productivity software, with even higher shares—up to 84% in collaboration tools and 90–92% in office productivity software across specific Member States.
At the EU public institution level, procurement data from Tenders Electronic Daily (TED) includes notices that often name specific vendors—typically when a supplier wins a contract, or is referenced in technical specifications or compatibility requirements. This data allowed OCC researchers to calculate an 'incidence share' by measuring how often vendors like Microsoft are mentioned compared to others. The findings show that Microsoft is cited far more frequently than any competitor, with incidence shares ranging from 72% to 91% in 2023 and rising to 89% to 100% in 2024.
This creates a paradox: while European institutions are bound by the GDPR and expected to uphold the highest standards of data protection, the cloud infrastructure they depend on is often controlled by US providers, and therefore subject to American legal frameworks—not European ones. Thanks to the EU–US Data Privacy Framework (DPF), the current transatlantic agreement, these US providers are—for now—recognised as offering an “adequate level” of protection under GDPR. This legitimises their use by European institutions in a formal legal sense.
However, the practical implications raise serious sovereignty concerns. Under laws like the US CLOUD Act, American authorities can compel providers such as Microsoft, Google, or Amazon to hand over data, even when that data is physically stored in Europe. As a result, critical European data—ranging from court proceedings to citizen records—can still be accessed or governed under foreign legal regimes.
Looking at this data and the legal framework, one can conclude that Europe’s increasing reliance on US cloud vendors directly undermines its digital sovereignty—its ability to independently control, store, and protect its own data. In essence, GDPR compliance may be preserved on paper, but true control over infrastructure and access decisions often lies in Washington or Redmond, not Brussels.
To summarize, the OCC study shows that Microsoft holds a dominant position in EU public sector IT procurement, with market shares reaching up to 90% for office productivity software and 84% for collaboration tools with the adjusted market share (here the researchers used the public data to proxy the impact of Microsoft’s and Google’s partner ecosystems).
This dominance is reinforced by procurement practices such as repeat purchasing by existing customers, compatibility requirements, and bundled software offerings, which make it increasingly difficult for institutions to switch to alternative providers. As Computer Weekly notes, this concentration raises concerns about the depth of institutional reliance on a single foreign vendor and the risks it poses to Europe’s digital autonomy and resilience.
When it comes to collaboration and conferencing software—tools designed to facilitate communication and teamwork across individuals and groups, including products like Google Meet, Google Chat, Slack, and Zoom—the market paints a similar picture, with the total market share of US companies in the EU exceeding 88%:
The OCC researchers also looked into the data that show the frequency of vendor mentions in TED, which helped them identify which providers are most commonly referenced in public procurement tenders. For the sake of providing a more comparable view, they also presented incidence shares, i.e., each vendor’s share of total mentions in the relevant geography for the years 2023 and 2024:
But how vulnerable is Europe actually? One of the examples that shows how big tech companies can assert US laws over European public institutions happened in May 2025. According to the Associated Press report, Microsoft came under scrutiny after the company blocked the email account of Karim Khan, Chief Prosecutor of the International Criminal Court (ICC), in compliance with US sanctions on the ICC over investigations of Israel imposed by the Trump administration in February.
While this ban was widely reported, Microsoft strongly denied this action, arguing that ICC moved Khan’s email to the Proton service. So far, there has been no response from the ICC.
While Microsoft denied fully suspending services, the company acknowledged compliance with U.S. legal obligations, raising serious concerns about the vulnerability of European institutions relying on infrastructure governed by non-EU laws.
This incident did not just raise eyebrows; it triggered a wave of backlash from privacy advocates, legal scholars, and policymakers across Europe. As Computer Weekly reported, the episode reignited fears over the lack of democratic oversight and control when essential services are outsourced to companies operating under foreign jurisdictions.
What’s especially troubling is not only what Microsoft did, but what it demonstrated: that a US corporation can, with the flip of a switch, deactivate a sovereign international court’s communication systems—without judicial process, transparency, or recourse.
The incident reinforces the argument that Europe cannot achieve strategic autonomy while its essential services are reliant on foreign-controlled platforms. It also casts serious doubt on the notion that cloud services from US providers—even when hosted in European data centres—can ever be truly under EU jurisdiction.
Microsoft and other US-based cloud providers often claim full compliance with the EU’s General Data Protection Regulation (GDPR). On the surface, they meet many of the formal requirements: data processing agreements, EU-based data centres, and standard contractual clauses. But a deeper look reveals a critical legal tension that calls these assurances into question.
The core issue is the extraterritorial scope of US law, particularly the Clarifying Lawful Overseas Use of Data Act—better known as the CLOUD Act. Passed in 2018, the CLOUD Act compels US tech companies to hand over data to American authorities upon request, regardless of where the data is physically stored. This means that even if European data is held in a server in Frankfurt or Paris, Microsoft, Google, or Amazon must comply if a US court order is issued.
This directly undermines key principles of the GDPR, including data minimisation, purpose limitation, and—most crucially—the right of European citizens to have their data protected from unlawful or disproportionate surveillance.
To bridge this transatlantic legal gap, the EU and US introduced the Data Privacy Framework (DPF) in July 2023, aiming to re-establish a legal mechanism for transferring personal data across the Atlantic. But history offers little reassurance.
The DPF follows two previous attempts—Safe Harbour (struck down in 2015) and Privacy Shield (annulled in 2020 by the Court of Justice of the European Union in the Schrems II case). Both were invalidated because they failed to provide adequate protection against US government surveillance. Critics argue that the DPF suffers from many of the same structural flaws, offering only superficial improvements and lacking robust enforcement mechanisms.
Prominent voices in the privacy community, including Max Schrems and the organisation NOYB, have already warned that the DPF is likely to face legal challenges and could be annulled yet again—potentially plunging EU-US data transfers into further legal uncertainty.
In practical terms, this means that data stored with US cloud providers, even if hosted in European data centres, remains vulnerable to foreign access—and may not meet the legal standard of “adequate protection” under EU law.
European data protection authorities, such as Germany’s Datenschutzkonferenz (DSK), have echoed this concern. Some German states and municipalities have already banned Microsoft 365 in schools and government offices due to unresolved compliance questions.
The studies show European institutions and public administrations continue to buy from American tech companies, overwhelmingly favouring providers like Microsoft, Google, and Amazon in procurement processes. These decisions are not just technical or financial—they are also political.
The Open Cloud Coalition report reveals the depth of this dependency, and as Computer Weekly put it, warns that Europe is “sleepwalking into deeper dependency on Microsoft cloud technologies.” OCC findings show that in nearly all EU member states, Microsoft holds a market share of almost 80% in the public sector productivity software space—often reaching over 90% in national ministries, courts, schools, and hospitals.
This systemic overreliance creates a self-reinforcing vicious cycle. Because Microsoft’s tools are ubiquitous, organisations increasingly standardise their IT systems around its ecosystem—Outlook, Teams, SharePoint, OneDrive, and Azure become default choices. This dominance enables Microsoft to reinvest heavily in feature development, integration layers, and enterprise support—funded in large part by European tax money.
Meanwhile, European software companies are crowded out—not due to a lack of technological capability or innovation, but because they lack institutional backing. Without significant public procurement contracts or visibility in public tenders, local vendors struggle to scale. This undermines the very digital autonomy the EU professes to champion.
The OCC report shows that tender design aspects such as bundling, repeat procurement, compatibility etc., significantly contributed to Microsoft’s high share and dependency, thus excluding European alternatives.
Ironically, while the EU speaks loudly about digital sovereignty, cybersecurity, and innovation through frameworks like GAIA-X and the European Data Strategy, its day-to-day procurement practices often contradict these ambitions. As a Financial Times article reports, while the European Commission publicly champions its digital sovereignty agenda, public sector procurement continues to prioritise American tech giants, making it harder for homegrown firms to gain traction. This creates a policy paradox: SMEs and European innovators are supported in word—but neglected in practice. This attitude makes European vendors being caught in a policy contradiction: encouraged to innovate, but rarely rewarded.
Without a serious shift in mindset and procurement strategy, Europe risks permanently outsourcing its digital backbone to foreign powers, leaving it vulnerable not only to legal overreach but also to strategic dependency in times of crisis.
In a market dominated by US-based platforms, Digital Samba stands out as one of the few fully European-built video conferencing solutions purposefully designed to meet the needs of modern teams, telehealth providers, educational institutions, and public sector organisations.
But it’s not just the features that set it apart—it’s the foundational principles it’s built upon.
Unlike American providers, Digital Samba guarantees full data jurisdiction within the EU. All data—whether it's video, audio, chat logs, or user metadata—is securely stored in European data centres, managed in compliance with GDPR and European data protection authorities, not influenced by foreign laws like the US CLOUD Act.
What does this mean in practice?
Digital Samba is more than just a privacy-compliant alternative. It’s proof that European innovation can deliver world-class communication infrastructure—without compromise.
And yet, platforms like Digital Samba often face an uphill battle. Despite delivering security, flexibility, and regulatory peace of mind, they are too often overlooked in favour of default choices from abroad. All the sources collectively support the view that the dominance of U.S. providers in the EU public sector reflects not just market forces, but a systemic policy failure to support European alternatives.
If the European Union is serious about achieving true digital sovereignty, it must go beyond declarations and fund the alternatives it claims to support. This means rethinking procurement processes, ending vendor lock-in, and prioritising vendors that comply not only with GDPR, but also with Europe’s long-term strategic interests.
If the EU is serious about achieving digital sovereignty, it must go beyond rhetoric and begin actively supporting privacy-first, homegrown alternatives like Digital Samba—not only through funding innovation, but also through structural change in procurement and regulation.
Even the European Commission acknowledges that building systematic challengers to the US cloud giants from scratch may no longer be realistic, given the massive investment required and the risk of diverting resources from areas where Europe is already competitive. However, the Commission emphasises that for reasons of sovereignty, Europe must maintain a viable domestic cloud industry capable of delivering secure, trusted “sovereign cloud” solutions.
To achieve this, the EU should adopt EU-wide data security policies that enable collaboration between EU and non-EU cloud providers, while preserving encryption and protected services for EU vendors. It must also introduce mandatory standards for public sector procurement, ensuring a fairer playing field where European companies like Digital Samba can compete against dominant non-EU players. At the same time, the EU should pursue the creation of a low-barrier digital transatlantic marketplace, where small and medium-sized enterprises—on both sides of the Atlantic—can benefit from reduced regulatory burdens and improved access to global tech supply chains.
Without such policy changes, Europe will continue outsourcing its digital infrastructure—and with it, its autonomy.
Sources