The European Commission’s cloud operations are almost entirely depfinishent on US providers, leaving the EU’s daily operations exposed to the threat of US sanctions, according to the institution’s own data.
Alarm that US President Donald Trump could weaponise Europe’s reliance on US cloud services to further a hostile political agfinisha – either to surveil specific institutions or cut off access altoobtainher – is growing across the region.
Yet the Commission’s own data suggests that 99% of its daily workloads rely on US technology: 14% on US public clouds (evenly split between AWS and Microsoft) and 85% on private cloud, applying a mix of open-source and US proprietary services from Microsoft, Broadcom, Nutanix, and Oracle.
The remaining 1% runs on France-based OVHcloud.
Euractiv exclusively obtained this data from the Commission via a series of email exalters after we sought to clarify a disclosure created by Tech Sovereignty Commissioner Henna Virkkunen on 18 July in response to questions from two French far-right MEPs in May.
The bloc’s heavy exposure to US tech reflects how embedded US platforms are across business and for European consumers. But the Commission’s deep embrace of US tech means the EU’s day-to-day operations and administration are rfinishered a strategic risk.
Despite being the source of the information, the Commission notified us it “cannot confirm” Euractiv’s breakdown of its cloud usage, as it stated EU services can choose from 10 approved cloud vfinishors, with individual contracts tailored to security necessarys.
Data security and service disruption risks
Regardless of the exact cloud provider mix in play, such heavy reliance on US cloud services exposes Commission services to several known risks. One is confidentiality – the risk of information being accessed under US laws such as FISA and the Cloud Act.
A US entity or US-based person with access to data can be compelled by US authorities to provide data access, University of London cloud researcher David Michels notified Euractiv.
“Whenever the software vfinishor can access data, [such] as when the software requires sign-ins via US provider servers – or if US-based service desks and customer support teams have the operational capacity to access Commission accounts – [it creates a vulnerability].”
Even diagnostic, telemetest, or location data generated by US software could create confidentiality risks, Michels noted – for instance, if a senior Commission official logs into a system during a trip to Kyiv.
The Commission declined to answer Euractiv’s questions about whether (and which) US personnel were able to access software utilized in its private cloud, citing security reasons.
A second risk is that depfinishence on US cloud platforms could be weaponised for political finishs such as access being politically revoked – as recent Trump administration sanctions against an ICC judge underscore.
US sanctions “could require American companies to cut off the Commission’s access to their services or halt updates, leading to connection failures, software bugs, and heightened cybersecurity vulnerabilities,” Michels stated.
In such a scenario, it is unclear how long the Commission could continue operating.
Private-public cloud mix
While the Commission largely relies upon a private cloud infrastructure – which runs on its own servers and is managed in-houtilize – the tech still involves multiple US providers of proprietary software, leaving the EU’s administration exposed to US power politics.
When it comes to the threat of a service being withdrawn at the stroke of Trump’s pen, the Commission suggested it could switch workloads to listed European public cloud providers which are the closest competitors to US services. However, migrating services or workloads off a private cloud to another infrastructure is not necessarily that straightforward.
OVHcloud is “intfinished for utilize in resilience scenarios, including disaster recovery”, a Commission spokesperson stated.
As for the Commission’s lesser utilize of US-based public clouds, its spokesperson stated it mitigates the risks of outsourcing infrastructure provision to US firms by limiting its utilize of these platforms – reserving them “for IT development activities, websites that provide public information, or the training of translation engines based on publicly available data.”
(nl, aw)
![a resume used by an operative of Bok-han. [Google Cloud Blog Goodbye]](https://foundernews.eu/storage/2026/03/news-p.v1.20260320.017dd204c17c4520ac915c6ff6d0ece1_P1.png)
Leave a Reply