Across the EU economy, the “platform layer” has become as fundamental as electricity: cloud hosting, identity management, workplace collaboration, payments, customer data platforms, cybersecurity tooling, and now AI model access. Much of that layer is provided by US-headquartered firms. The result is a multi-dimensional exposure: concentration risk, legal jurisdiction risk, policy and geopolitical risk, and switching cost risk.
A key supply chain question for all buyers and suppliers in the EU is how far they are locked into dependencies whose effects could crystallise should EU/US trade tensions worsen. What would 150% tariffs do to your business? How would you cope if Visa and Mastercard stopped processing EU transactions? If you think this latter point is fanciful, it happened to Russia after it invaded Ukraine. This is a key driver behind the digital euro project: to ensure there is an EU alternative to Visa/Mastercard.
Has your business assessed similar critical areas of potential weakness, and could they be mitigated through supplier reviews?
Where dependency is most acute
Cloud infrastructure and platform services (IaaS/PaaS)
For many organisations, hyperscale clouds are now the default for hosting, data platforms, analytics, and AI workloads. The European cloud market has grown rapidly, but European providers’ share has not kept pace. Synergy Research reports European providers’ share fell sharply from 2017 to 2022 and has held at roughly 15% since, while the main beneficiaries of growth have been Amazon, Microsoft and Google. That matters because cloud is the foundation that other dependencies stack on top of.
Productivity and collaboration suite
Email, calendaring, file collaboration, document creation, video meetings, and workplace identity management sit at the centre of daily operations. Even where EU organisations use European hosting partners, the underlying software ecosystem can remain US-controlled.
Customer, commerce and marketing platforms
CRMs, marketing automation, ad tech, e-commerce tooling, and app ecosystems can lock firms into proprietary data models and integrations, raising switching costs and creating commercial dependency.
Financial services ICT concentration
Banks, insurers, and market infrastructure entities increasingly outsource critical functions to a small number of ICT providers. The EU has explicitly flagged systemic and concentration risk here, moving towards direct oversight of “critical” ICT third-party providers under DORA.
AI and “model access” dependency
A newer layer is dependency on model providers, AI developer platforms, and GPU-backed cloud services. The risk profile is similar to cloud: concentration, pricing power, and potential policy constraints. Even when EU firms build applications locally, they may remain dependent on US platforms for training, inference, or proprietary model updates.
Why it matters: four exposure channels
A) Jurisdiction and lawful access risk
A recurring concern is that a provider’s corporate nexus can matter as much as where data is stored. The US CLOUD Act clarifies that US authorities can compel certain US service providers to produce data within their “possession, custody, or control”, including data stored outside the US, subject to legal process and avenues for challenge.
For EU firms, this creates a tension between:
- data protection and confidentiality obligations, and
- the legal obligations and control structures of a non-EU headquartered supplier.
This does not mean “all EU cloud use is unlawful”. It means the risk needs to be assessed as part of governance, procurement, and incident planning rather than treated as a purely technical hosting decision.
B) Transatlantic data transfer fragility
EU-US personal data transfers have been repeatedly contested in court, creating an unstable compliance landscape.
- In Schrems II (16 July 2020), the Court of Justice of the EU invalidated the Privacy Shield adequacy decision.
- The EU later adopted the EU-US Data Privacy Framework adequacy decision (10 July 2023).
- In September 2025, the EU General Court upheld the 2023 framework in Latombe v Commission (T-553/23), though the debate about appeals and durability continues.
For businesses, the practical point is operational risk. If a transfer mechanism becomes constrained, firms may face re-engineering costs, contract renegotiations, and potential enforcement exposure at speed.
C) Concentration and outage risk
When a small number of providers underpin large slices of national and sectoral activity, outages are no longer an “IT issue”. They become a macroeconomic and public safety concern. This is one reason EU financial regulators are now empowered to directly oversee certain critical ICT providers under DORA.
D) Commercial lock-in and switching costs
Lock-in is rarely created by one contract clause. It is created by cumulative design choices: proprietary APIs, native security tooling, data egress patterns, skills and certifications, and application architectures optimised around one environment.
This is precisely why the EU Data Act includes provisions intended to make switching cloud and data processing services easier and to reduce obstacles to portability. The Commission explicitly frames this as enabling switching between cloud providers.
What the EU is doing: regulation plus industrial policy
Data portability and switching
The Data Act aims to facilitate switching and reduce barriers in cloud and data processing services, including an approach that phases out certain switching charges over time.
Market power constraints on gatekeeper platforms
The Digital Markets Act (DMA) imposes obligations on designated “gatekeepers” to reduce unfair self-preferencing and improve contestability, with compliance deadlines following designation decisions. This targets structural platform power and dependency dynamics in core platform services.
Cybersecurity baseline and supply chain risk
- NIS2 expands cybersecurity risk management and incident reporting obligations across critical sectors.
- The EU is also evolving its cybersecurity certification architecture, including discussion around cloud service certification (EUCS), although this has been politically complex and slow-moving.
Financial sector resilience and concentration oversight
DORA creates an EU-wide oversight framework for “critical ICT third-party providers”, explicitly addressing concentration risk from reliance on a limited number of providers.
Industrial policy for European cloud and edge capability
The Commission launched the European Alliance for Industrial Data, Edge and Cloud to help shape secure and interoperable cloud-edge services and coordinate roadmaps and procurement approaches. Separately, the Commission approved an IPCEI on Next Generation Cloud Infrastructure and Services, with participating Member States providing up to €1.2 billion in public funding expected to unlock additional private investment.
The “sovereign cloud” market response
A notable recent development is the hyperscalers’ push for “sovereign cloud” offers designed to reassure European customers. For example, Reuters reported that AWS has launched a European Sovereign Cloud concept, with governance and operational separation designed to respond to European data sovereignty concerns, alongside significant planned investment in Germany. These initiatives may reduce some operational and compliance risks for European customers, but they do not change the fact that AWS is ultimately an American company, subject to US legal and corporate control.
Sector lens: what “dependency” looks like in practice
Manufacturing and industrials
The dependency is increasingly about industrial data platforms, digital twins, predictive maintenance, and supply chain visibility. These workloads often sit on hyperscale cloud platforms due to their ability to scale infrastructure resources on demand and integrate data processing and analytics tools at scale.
The risk goes beyond hosting: it is whether the factory’s data model, integration stack, and analytics environment become effectively non-portable.
Finance
Banks and insurers face a double exposure: operational resilience (outage and cyber) and regulatory scrutiny. DORA’s oversight regime reflects the view that concentration in ICT providers can create systemic risk.
Tech and scale-ups
Start-ups and SMEs optimise for speed and global reach, which often means defaulting to the dominant platforms. The trade-off is that unit economics, compliance posture, and negotiating leverage can become tied to a single vendor’s roadmap and pricing.
What EU firms can do now: a realistic resilience playbook
This is the part that matters to operators and procurement teams: actions that reduce exposure without fantasy.
Map platform dependencies like you map financial risk
Create a dependency inventory that covers core workloads, identity, key SaaS, payment rails, customer acquisition channels, and AI model access. Include who controls keys, who can access logs, and where critical data flows cross borders.
Contract for exit, not just service
Insist on:
- clear data export formats and timelines,
- assistance obligations for transition,
- transparency on sub-processors and locations,
- measurable resilience requirements and incident cooperation.
Architect for portability where it matters most
Not every workload needs to be portable. Prioritise:
- crown-jewel data and regulated workloads,
- workloads with high operational criticality,
- systems where the marginal cost of portability is low early and very high later.
Use multi-provider strategies selectively
Multi-cloud for everything is expensive and complex. Instead:
- use multi-region and strong recovery designs,
- avoid single points of identity failure,
- consider “dual sourcing” only for the most critical services.
Exploit the regulatory tailwinds
If you are renegotiating cloud or SaaS contracts, align requirements with:
- Data Act switching/portability direction,
- NIS2 risk management obligations,
- and, for financial entities, DORA expectations.
Evaluate sovereign and EU-based options with a hard-nosed lens
“Sovereign cloud” can reduce some governance concerns but does not automatically eliminate all jurisdiction and dependency risks. Treat it as a design choice with explicit threat modelling, not a marketing label. For EU providers, evaluate maturity, scalability, ecosystem tooling, and contractual guarantees, not only geography.
The strategic conclusion
EU exposure to US digital platforms is a strategic issue. The economic upside of global platforms is real: scale, innovation velocity, and integrated tooling. But the risk profile has changed because digital platforms have become critical infrastructure for entire sectors.
The emerging EU approach is pragmatic: reduce switching barriers (Data Act), constrain gatekeeper behaviour (DMA), raise resilience baselines (NIS2), directly supervise systemic ICT concentration in finance (DORA), and invest in European cloud-edge capability (Alliance, IPCEI).
For EU firms, the winning strategy is governed optionality: knowing where you are dependent, where you can switch, and what it would cost and take to do so under stress.
Background Reading and Additional Sources:
Synergy Research Group, European cloud providers’ local market share https://www.srgresearch.com/articles/european-cloud-providers-local-market-share-now-holds-steady-at-15
European Commission, European Alliance for Industrial Data, Edge and Cloud https://digital-strategy.ec.europa.eu/en/policies/cloud-alliance
European Commission, Cloud computing policy page https://digital-strategy.ec.europa.eu/en/policies/cloud-computing
European Commission, Data Act policy page https://digital-strategy.ec.europa.eu/en/policies/data-act
EIOPA, DORA overview and oversight framework https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en
Reuters, EU designates critical ICT third-party providers for finance under DORA (Nov 2025) https://www.reuters.com/sustainability/boards-policy-regulation/amazon-google-named-by-eu-among-critical-tech-providers-finance-industry-2025-11-18
ESMA, ESAs designate critical ICT third-party providers (Nov 2025) https://www.esma.europa.eu/press-news/esma-news/european-supervisory-authorities-designate-critical-ict-third-party-providers
CJEU press release, Schrems II (16 July 2020) https://curia.europa.eu/site/upload/docs/application/pdf/2020-07/cp200091en.pdf
EUR-Lex, Commission Implementing Decision (EU) 2023/1795 on EU-US Data Privacy Framework https://eur-lex.europa.eu/eli/dec_impl/2023/1795/oj/eng
