The necessity for a digitally Self-Dependent Europe
The examples below show how digital dependency on non-EU Digital Goods can negatively affect EU citizens and the EU public and private sectors.
First, Europe’s cloud market is highly concentrated. According to Synergy Research, Amazon, Microsoft and Google account for about 70% of the European cloud infrastructure market, while European providers hold about 15%.
A 2025 European Parliament study also points out that US firms dominate critical layers of Europe’s digital stack, including cloud, operating systems, enterprise software, identity tools and cybersecurity tools; it adds that storing data in European data centres does not by itself remove exposure to foreign laws such as the US CLOUD Act and FISA.
The US CLOUD Act can potentially be used as a magic carpet to compromise or surveil our personal data and internet activity, because it requires covered providers to preserve or disclose data within their “possession, custody, or control” regardless of whether the data is stored inside or outside the United States. The EDPB/EDPS legal assessment warns that this can create conflicts with EU data-protection law and may bypass normal EU-US mutual legal assistance routes. Thus, directly or indirectly, US institutions can access and use data from EU natural and legal persons, for any lawful or, as proven in the past (Snowden case), unlawful purpose.
The consequences are not theoretical. In Schrems II, the Court of Justice invalidated the EU-US Privacy Shield and stressed that EU personal data sent to a third country must receive protection essentially equivalent to EU law, including when public authorities may access the data. The EU Data Act also recognizes related risks by aiming to facilitate cloud switching and safeguard against unlawful third-country government access to non-personal data.
Real World Examples
Part A. Negative Impact on EU Citizens
A citizen may assume: “My hospital data is stored in Europe, so it is safe.”
No, not always.
A hospital may store patient files in an EU data centre, but the cloud provider’s parent company, admin tools, support teams, encryption-key system, logs, telemetry, or identity login may still be controlled from outside the EU. The risk is not only “where is the server?”
The real question is: who can technically and legally control the service?
Even a secure service can still be dependent
A service may pass normal cybersecurity checks and still rely on foreign-controlled DNS, CDN, cloud hosting, authentication, remote administration, security updates or software supply chains.
For a normal user this means: “The website works today, but I have no way to know whether one hidden supplier can break access tomorrow.”
A real-world example: how a software update from one vendor can disrupt daily life in the EU.
The CrowdStrike incident in July 2024 affected an estimated 8.5 million Windows devices, and Microsoft said the broad impact reflected the use of CrowdStrike by enterprises running critical services. EUROCONTROL said the CrowdStrike bug had knock-on effects on airlines and airports and contributed to major delays and disruption across Europe.
When too many critical services depend on the same foreign-controlled software layer, one bad update can become a society-wide event.
Public access to services can depend on app stores and mobile operating systems.
For example, if an EU digital identity wallet, public transport app, banking app, school app, health app or similar service depends entirely on Apple/Google mobile ecosystems, then citizens’ access to public and private services depends on rules, fees, technical conditions and store policies set mainly outside the EU. This does not mean banning those systems. It means critical public services should be assessed for dependency risk.
Part B. Potential dangers for public authorities
A city/municipality may own the data, but not the control panel
A municipality in the EU may use a foreign cloud provider for email, files, citizen portals and emergency communications. Even if the data is hosted in the EU, the login system, administrator console, support escalation, audit logs and encryption keys may depend on systems controlled elsewhere. If the account is frozen, admin access fails, or a third-country order creates a conflict, the municipality may not be able to guarantee continuity.
Even EU institutions have struggled with cloud compliance
In 2024, the European Data Protection Supervisor found that the European Commission’s use of Microsoft 365 infringed several data-protection rules, including rules on transfers outside the EU/EEA. In 2025, the EDPS said the Commission had remedied those specific infringements after additional contractual, technical and organisational measures.
If a critical institution like the EU Commission can face data leakage from non-EU platforms and needs a long legal and technical correction process to mitigate it, what would the negative consequences be for ordinary schools, hospitals and municipalities? This points to the need for a clearer Digital Goods certification signal.
Sanctions and foreign political decisions can affect digital access.
AP reported that US sanctions against ICC officials disrupted the court’s work and that ICC staff said Microsoft cancelled the chief prosecutor’s email address; Microsoft later denied suspending services to the ICC and said services were maintained.
The exact facts may be disputed, but the case shows the risk: when a public-interest institution depends heavily on foreign-controlled digital services, sanctions or foreign legal pressure can create uncertainty about continuity.
Public procurement can become locked in
A ministry, hospital group, or city may build systems around one provider’s cloud, virtualisation software, identity platform or office suite. Later, prices, licensing terms, partner programmes, or technical rules change.
In 2026, CISPE was forced to file a competition complaint against Broadcom over VMware licensing, alleging price hikes, bundling and termination of partner access that harmed European cloud providers and their customers. Broadcom disputes the allegations.
What does this show? Dependency is not only a privacy issue. It can also become a budget, continuity (again) and bargaining-power issue.
Part C. Potential negative impact for Private Companies
A European SME may not know who really touches its business secrets
A manufacturing company may use US cloud, AI tools, email, CRM, cybersecurity monitoring and remote support. Its drawings, customer lists, logs, employee accounts, telemetry and incident reports may pass through many suppliers. The company may be legally compliant, but still unable to answer: “Who can access the admin layer? Who controls the encryption keys? Which foreign laws apply? Which subcontractors are critical?”
Switching away can become too expensive to be realistic.
Once a business has built software around one cloud provider’s databases, identity tools, storage formats, APIs and monitoring systems, switching may take years. The EU Data Act’s cloud-switching provisions exist because lock-in is a real market problem.
On this issue, the ECI's aim is not to force companies to choose EU providers. It is to give them a reliable label before they become trapped.
Cybersecurity tools themselves can become critical dependencies.
For example, a company may buy a top-tier endpoint security or identity product to become safer. At the same time, if that tool has deep access to every laptop and server, then the supplier’s update process, telemetry, remote-control ability and incident-response access become part of the company’s critical infrastructure. This is a pure, possibly undesired, dependency on non-EU tech entities.
