European critical dependencies
TLDR; Multiple countries in Europe are critically dependent on services provided by Microsoft. Querying mail-servers teaches that in some countries, over 70% of all public services rely on this American provider. Europe needs to build its own infrastructure, and open source is the most robust solution.
What we tried…
Insight 1: Every self-respecting municipality has a website and online services.
Insight 2: DNS records show us how mail is being sent for a domain.
Using these two simple concepts (which in the end weren’t always that simple, but that’s a different rabbit hole), we started a small project collecting the municipal website of as much local governments in Europe as we could collect. For that domain name, we then looked for the MX-servers (mail exchange-servers, that are responsible for sending mail). Next we started mapping those MX-servers into a few categories. First off, we gave the two biggest global players its own place on the stage. For the other servers, we grouped them per continent and for Europe made a distinction between EU-servers and non-EU servers (as this is relevant for GDPR). In a final step, we tried to visualize these records in such a way that they were easily inspectable. The result is this map.
If you’re interested in further examining the method used, or looking into the CSV files containing the MX-records for a specific country, you can find these in the git repository.
What we discovered…
Europe has been promoting interoperability and open standards for decades. They have also been encouraging the use of local services and products. For e-mail for example there is a gigantic difference between the priorities countries choose. Yet, in practice a lot of cities and governmental services got persuaded to use zero-hassle, zero-insight solutions like the ones Microsoft and Google seem to offer.
This means that many public services rely on Microsoft for their daily operations – going from document storage to automation and integration with the office tools. For this research, we’re focusing on e-mail. Especially in Scandinavia and the Benelux, Microsoft has established a strong prevalence. Purely based on the MX-records, we learn that 72% of Belgian municipalities run Microsoft mail servers and 60% of the Dutch municipalities. For Scandinavia, it’s 64% in Norway and 57% in Sweden. In Finland, it’s a whopping 77% if the cities that are being served by Microsoft.
At the same time, countries like Germany – known for its strong hacker culture and cybersecurity awareness – land at mearly 4% running Microsoft. In Hungary too, they land on hardly 3% and in Bulgaria they are surpassed by Google, together only having 4% of the mail-share.
Lessons from the political climate
Dutch municipalities raise concerns of dependency
In research conducted by Binnenlands Bestuur, published on February 13, 2025, we can read growing concerns among Dutch municipalities about their deep reliance on Microsoft’s products. Nearly every municipality uses Microsoft’s software for daily operations, from Office 365 to Azure, making a switch both expensive and technically challenging. This dependency has raised alarms over vendor lock-in, potential price hikes, and the risks posed by U.S. legislation—such as the Cloud Act—which could force Microsoft to share European data with American authorities. While many local governments wish for a robust European alternative, none currently exists, prompting calls for a strategic approach to boost digital autonomy rather than an abrupt break with Big Tech.
International Criminal Court acknowledges critical dependency
A Guardian article, published on January 20, 2025, reports on escalating tensions around international legal actions and sanctions. The piece explains that the International Criminal Court (ICC) is preparing for significant repercussions as it faces potential swift U.S. sanctions from President Trump. These sanctions are a response to recent Israeli arrest warrants issued against individuals involved in alleged war crimes. The situation has raised alarm over the ICC’s ability to operate independently, with critics arguing that political and economic pressures—especially from the U.S.—could undermine its judicial authority. In this volatile climate, legal experts warn that the unfolding events could set a dangerous precedent for international justice and the enforcement of accountability for alleged crimes.
Unpredictable pricing
Once a country is locked in to a closed system, vendors can easily raise prices at random, as transition cost is often even higher. This for example happened in Finland, where over 75% of the municipalities already depend on MS services. From a Pirha regional government meeting in November of ’24, we learn prices would go up with roughly 25% in 2025, compared to 2024.
Despite the Finnish government already changing policy in 2023, aiming to prioritize European services, it appears that in 2024 still a big majority of the public services are running the MS suite. Proving exactly how vendor lock-in can stronghold our whole infrastructure.
In Sweden too, experts have expressed their concerns about dependency on US based technology for their critical infrastructure. “The protection mechanisms that would ensure that European data do not end up in the hands of US authorities are effectively dismantled,” Heath said. He believes that Sweden must take control of its own infrastructure and not lean on the American one.
Norway is likewise uneasy about heavy reliance on U.S. cloud providers. A recent commentary noted that Norwegian public institutions are completely at the mercy of Microsoft’s cloud services today. It warns American cloud services might even become illegal in Norway if the EU–US data deal falters, raising doubts about the legality of using Microsoft, Google, etc. The author argues Norway faces a crossroads: become more dependent on a “crumbling American democracy” or dare to pursue new paths. This reflects growing concern in Norway over digital sovereignty and security, urging investment in European or domestic alternatives to give authorities better control of their data.
Not only municipalities, also public services
In Denmark, the Data Protection Authority took action over public sector use of Google services. In 2022 it banned Helsingør Municipality from using Google Chromebooks and Workspace in schools due to GDPR violations, judging that the data transfer risks were too high. Some 50 municipalities were ordered to fix their Google Workspace use to comply with the law. The ban was later suspended while Google and authorities work on remedies, allowing Helsingør and others to temporarily continue using Google Workspace. This controversy underscores Danish concerns about data sovereignty, security risks, and vendor lock-in, prompting consideration of alternative solutions or stricter agreements to protect citizen data.
The schizophrenia needed to solve the issues, is clearly documented in the Google story. While Google achieved to set clear guidelines for using Google Classroom, these don’t apply when using other Google products like Google Maps, Youtube or Google Search. Three year later, it seems clear that Google hasn’t succeeded in setting a clear framework, this article by Sivon from 2025 teaches us.
This critical dependency also creates situations like in Belgium, where 100% of the police force uses Microsoft for their mail service, and 57% of the fire departments run Microsoft or Google. Similar figures can be for Belgian hospitals. If Microsoft would become unavailable in Belgium, this would cause a critical chaos and cost lives.
Prioritize local economies
While Europe has a strong policy when it comes to prioritizing local economy in the context of an interoperable Europe, policy makers all around seem to be susceptible to prefer the trodden paths of MS and Google.
Obviously, companies like Microsoft also feel the heat and are scrambling to procure nice infographics and promises, they even throw in some AI candy… but in the end, they still remain a US company. So they are susceptible to US law – which can affect both our privacy and our dependence: “U.S. laws such as the CLOUD Act continue to grant the U.S. government the authority to access this data,” warned the analyst. The question therefore is whether European governments can actually restrict this kind of access. “Can a single US disposition override these obligations,” the expert wonders. “In this case, residence does not necessarily mean control.”
And while president Trump with its Department of Governmental Efficiency (DOGE) is currently pushing the boundaries of the legal frameworks quite openly, the Snowden revelations have taught us that the US services have been monitoring EU citizens for over a decade through these international companies.
Are we willing to hand over our data and operations to a country that could pull the plug with the flick of a presidential finger?
Futureproofing our digital society
While it’s an important step to run applications from within Europe, it’s also important to realize that international relationships change. Furthermore, on the IT-market – a very international and competitive market – it’s not uncommon for companies to be bought up by bigger partners. What once was a local company, can quickly turn into a branch of a huge multinational. If this happens, both data and know-how often exchange hands and become part of a foreign entity, possibly no longer aligned with the priorities initially outlined when collaborations started.
By staying in control of the software used in your government, you eliminate the need to trust a company. In the Open Source ecosystem, there is already a long tradition of safeguarding knowledge and code to be accessible to all.
Sharing code between municipalities and governments, is also a very pragmatic way of cutting costs – allowing different partners to also tweak applications to tailor to local needs. Through the use of a strong open source license (e.g. GPL), you also protect other companies from profiting off your investment without contributing back for the betterment of the community.
Let me quote Johan Linåker in this article on the website of the French government:
The surveyed countries exhibit diverse policies, emphasizing interoperability, digital sovereignty, transparency, and cost efficiency. While cost efficiency interoperability and transparency were commonly referred to, much less attention was paid to digital sovereignty and even less to cyber security and sustainability aspects related to FOSS. The latter is rather surprising but can potentially be explained by the relatively recent uprise of these topics in public debates. We hope and strongly recommend that these topics be considered explicitly in upcoming policies.
Local talent
Europe has some of the greatest minds in the field of cybersecurity and IT. Given the job-market is ever-expanding in the US and merely on life support in Europe, it is obvious that our biggest talents cross the pond to fully harvest their potential. Now is the time to invest in our local talent, to safeguard our companies from being bought up by US investors.
Hacker communities and FOSS movements have been bringing the message for decades. Europe must decide whether to remain dependent on foreign tech giants or to invest in its own future. We have the expertise, the resources, and the legal frameworks to support a shift toward European digital sovereignty. What we need now is action from policymakers and pressure from the public to ensure that the infrastructure of tomorrow serves European interests, not those of a foreign power.
And now…
The longer we wait, the harder it will be to break free. The reliance on a single vendor is not just a matter of cost but of sovereignty, security, and resilience. If European governments do not act now, they risk facing an even greater crisis when pricing becomes unsustainable, when services are withdrawn, or when geopolitical tensions escalate. The alternative is clear: build European infrastructure, promote open standards, and foster a thriving FOSS ecosystem that guarantees long-term independence.
Are you a local or national politician? Don’t quietly make deals with the established companies because it’s the easiest deal and they have the best marketeers.
Are you an engaged citizen? Reach out to your local municipality or government and question their choices.
Further reading
Please add other articles in the comments!
#DigitalSovereignty #FOSS
