
Moving away from the US cloud: Find European alternatives to Google and Microsoft

Europe imports the majority of its digital infrastructure. Email, cloud, AI – in most cases, they run on the servers of US corporations, under US jurisdiction and on the corporations' terms. Due to a lack of awareness and visibility of digitally sovereign alternatives, the recourse to big tech often seems unavoidable for public authorities, private individuals and companies.

Changing geopolitical circumstances and rising costs are prompting a necessary rethink. But how do you recognise whether a European alternative really delivers what it promises? What is the best way to go about switching? And how do labels and catalogues help you?


96 % digital imports: How dependent German companies really are on US tech

In most cases, anyone who sends an email, saves a document in the cloud or starts a video conference uses Microsoft 365, Google Workspace or a similar service, that is, infrastructure from US corporations. This is convenient – and at the same time a digital policy problem that has preoccupied Europe for years.

As part of the "Digital Sovereignty" study in 2025, the German association Bitkom asked over 600 companies from all sectors in Germany with 20 or more employees how dependent they are on digital imports. According to the study, 96 % of the companies surveyed source digital services and technologies from abroad. 90 % of them consider themselves to be "heavily" or "somewhat" dependent on foreign partners.

60 % of the companies surveyed expect Germany to become increasingly dependent on imports. At 87 %, the USA is one of the most important regions of origin for German companies.

Google and Microsoft for companies: US CLOUD Act, GDPR and the data protection risk

Email is the most widely used digital communication medium. At the same time, it is the least scrutinised when it comes to digital sovereignty. Yet the starting point for Google, Microsoft 365 and the like is clear: the mailboxes of most Europeans run on US infrastructure and are located on US servers. They are subject to US law and are financed in part through data analysis.

US authorities are allowed to access data stored by US companies via the CLOUD Act, even if the server location is in Europe. For European companies and authorities, this means that the location of the data centre alone is not enough. It depends on the ownership structure, the jurisdiction and the actual control structure.

This is where the danger of dependence on digital imports becomes apparent. And this is precisely the core problem of many supposedly European alternatives that are advertised by Microsoft and Amazon Web Services (AWS), for example.

Real European alternatives instead of sovereignty-washing

It is important to take a closer look, because supposedly sovereign solutions run on European servers but belong to US corporations or are dependent on their infrastructure. The so-called European Sovereign Cloud from AWS is the product of a US corporation. The German company SAP works with Microsoft, Amazon and Google for its cloud services. The Delos Cloud – a subsidiary of SAP – is based on Microsoft 365 and Microsoft Azure and is therefore dependent on US companies for its infrastructure.

The brand names or corporate structures of these solutions suggest European data security or sovereignty. However, this does not protect European users from US law if the parent company is based in the US or the infrastructure of US corporations is used. On the other hand, choosing a German email provider or cloud service with servers and its own infrastructure exclusively in Germany structurally excludes access by US authorities.

NIS-2, GDPR, CLOUD Act: Why the choice of provider becomes a compliance issue

The question of whose servers and infrastructure your company communication runs on, and who has access in case of doubt, is not a theoretical one. Whether the concern is the German NIS-2 Directive Implementation Act (NIS-2-UmsuCG), geopolitical risks or cyber attacks: virtually all companies and organisations process personal data that needs to be protected from access. The choice of provider is therefore a compliance and security issue with practical implications.

Digital sovereignty has been a buzzword in Brussels for years. This is not about symbolism or protectionism, but about tangible issues of legal security, data control and critical infrastructure. Decisions on digital sovereignty are increasingly having political and economic consequences for more and more organisations. For example, companies that have to demonstrate GDPR compliance are affected, or authorities that need to secure their communication infrastructure in accordance with NIS-2. They all need offers that they can choose from without compromising on control and trust.

Parent company, cloud infrastructure, server location: 3 questions to ask before switching software

Email, cloud storage, video conferencing and collaboration tools are part of everyday digital life. If you are evaluating a digital tool as an option or as a European alternative, three key questions can help:

1. Where is the parent company legally based?

A location in Germany or the EU says little if the company is part of a US corporation. The decisive factor is the question of the control structure: who ultimately decides on data access, who is obliged to provide information to authorities in case of doubt?

2. Where is the data located – and on whose infrastructure?

The decisive factor is not the server location, but on whose infrastructure and under whose jurisdiction the service runs. For example, US law ultimately applies to capacity rented from US companies such as AWS, Microsoft Azure or Google Cloud.

3. Is there verifiable evidence?

A provider's own statements on legal security are not independent confirmation. Look for certificates and labels that are based on an external audit.

Tech Sovereignty Catalogue: Europe's verified list for digital sovereignty

The Tech Sovereignty Catalogue helps organisations and individuals to identify genuine European alternatives to Google, Microsoft and Amazon. It brings together European technology providers who can prove that they are genuine alternatives. What's behind it, why it's more than just a directory and how the listing process works:

What is the Tech Sovereignty Catalogue?

The Tech Sovereignty Catalogue is a European initiative that has been making trustworthy digital solutions from the EU and EFTA visible since the end of 2025. It is not a classic industry directory, but rather sees itself as a political instrument: the catalogue is a showcase for European technology sovereignty and is intended to connect decision-makers in companies, public authorities and politics with concrete alternatives to Google, Microsoft 365 and other big tech products.

The catalogue is backed by a high-ranking advisory board from research, civil society and digital policy. The catalogue is based on seven core principles:

  • Sovereignty & Security
  • De-Proprietarisation & Interoperability
  • Sustainability
  • Data as a Common Good
  • Decentralised Sovereign Infrastructure
  • Inclusive Governance
  • Strong Democracy

Those who want to be included in the catalogue must show that they actually fulfil these principles.

How the admission process works

The path to the Tech Sovereignty Catalogue follows a clearly structured, multi-stage process. It is deliberately more demanding than a classic listing process:

1. Submission

European technology providers apply via a form on the catalogue website. Basic requirement: The provider must be headquartered in the EU or an EFTA country.

2. Eligibility check

The submitted solution is checked for market maturity, European origin and actual control over the technology. Those who do not pass here do not enter the procedure.

3. Expert evaluation

Independent experts evaluate the submitted solution based on the catalogue criteria. This involves not only technical features, but also the business model, data protection architecture and actual independence from non-European providers.

4. Decision

If the result is positive, the solution is added to the catalogue and made publicly visible.

What inclusion in the Tech Sovereignty Catalogue means for mailbox

For mailbox, inclusion in the Tech Sovereignty Catalogue is an external confirmation of the principles we live by:

  • Company headquarters and parent company in the EU: We are a German-owned company founded in Germany.
  • Our servers are located exclusively in German data centres.
  • We do not pass on any data to third parties, we are ad-free, we do not use data-driven tracking and our service is GDPR-compliant.
  • At mailbox, sovereignty, information security and data protection are externally audited and confirmed: ISO 27001 and BSI C5 certificate, BSI IT Security label and BSI Gold status for email security, Software Hosted and Made in Germany seal of approval, holder of the Cybersecurity Made in Europe label and part of the Tech Sovereignty Catalogue.

This is not a matter of course in a market where European services are regularly taken over by US corporations.

What we particularly like about the Tech Sovereignty Catalogue is that it sees sovereignty as a European project. The catalogue brings together providers that are linked by common values and a common legal framework. After all, digital self-determination is the result of conscious decisions – for infrastructure that can be trusted, for providers that can be held accountable and for an ecosystem that is committed to democratic principles.

Switching to European providers: 3 steps to digital independence

The Tech Sovereignty Catalogue makes it easier for organisations and private individuals to find truly sovereign European solutions, and thus to take an important step towards digital sovereignty.

Digital sovereignty is not a one-off project, but an ongoing decision. Take these three concrete steps on the path to your digital self-determination:

1. Determine the current status

Which digital services do you use every day? Where is the data stored? Who owns the provider? Even if the findings can be sobering: An honest inventory is the first step.

2. Identify software made in Europe

Use the Tech Sovereignty Catalogue as a starting point. On the website you will find verified European providers in categories such as cybersecurity, cloud, platform services, data and AI: techsov-catalogue.eu

3. Migrate according to priorities

A complete change of digital infrastructure in a short space of time is unrealistic. It makes more sense to prioritise according to sensitivity: Which services process particularly sensitive data? That's where it's worth switching first.