Abstract
When the United States sanctioned officials at the International Criminal Court in 2025, access to cloud services, email, payment systems, and software licences was cut within hours. The infrastructure that failed them is the same infrastructure European public institutions run on every day. This report maps that exposure across eight technological layers, from identity management to artificial intelligence, and finds that for six of the eight, production-ready European alternatives exist today. It documents what breaks first under pressure, what can be switched and at what speed, and what requires years of preparation. Three disruption scenarios, four migration case studies with published cost data, and a prioritisation matrix give any European public organisation the tools to determine where it stands and what to do next. The report also identifies six European-level policy levers requiring no new legislation, and four decisions (with their institutional owners, blockers, and progress signals) that would change the structural conditions for every organisation simultaneously. First edition, March 2026. 137 pages. CC BY 4.0.
Changelog v1.0 → v1.1
European Digital Dependencies: Diagnosis and Priorities for Public Sector Decision-Makers
Version 1.1 is a rigorous revision of v1.0 published on Zenodo (DOI 10.5281/zenodo.19358628). The strategic conclusion of the report and its argumentative architecture remain unchanged. The revision involved systematic fact-checking against primary sources (EUR-Lex, Federal Register, Bundestag, Conseil d’État, Cour des comptes, corporate communications), integration of external feedback, and methodological consolidation. The accompanying summary note and cover letter transmitted with v1.1 are aligned with this revised version.
Structural revisions
Annex F Asterès figure. The €264 billion annual figure mentioned in v1.0 has been corrected: it represents purchases by European enterprises (private sector) from American cloud and software providers, not European public sector expenditure. The primary source is now correctly cited (Asterès study commissioned by Cigref and Numeum, April 2025). The structure of Annex F has been recalibrated to distinguish aggregated public expenditure from broader European economic exposure indicators.
Annex C - Criterion 1 on extraterritorial exposure. Version 1.0 primarily addressed the CLOUD Act as the vector of American legal exposure. Version 1.1 names and sources distinctly the four relevant instruments (CLOUD Act, FISA Section 702, Executive Orders under IEEPA, Foreign-Produced Direct Product Rule), with consolidated primary references. This revision strengthens the operational test proposed to public sector procurement officers and clarifies the scope of the strict posture toward any material American nexus.
Annex D UK post-Brexit rule. Systematic application of the “UK participation = non-EU flag” rule in the European alternatives table, with corresponding adjustments to affected entries (Bitdefender, Collabora, Element/Matrix). Addition of 3DS OUTSCALE among SecNumCloud-qualified IaaS providers. Revision of the European managed inference entry to reflect existing market offerings.
Section 6.3 removed and lightly integrated into 6.4. Reorganisation to remove a documentary redundancy identified during review.
Section 1.6 - recalibration of false equivalence objections. The three main objections (AI innovation speed, defence dependency, migration costs) have been reformulated with responses calibrated to what the report can demonstrate, with an explicit distinction between legitimate objections and their use as justifications for inaction.
Factual corrections
Microsoft / German federal administration: €481.4 million for fiscal year 2025 (source: response to written inquiry by Rebecca Lenhard MdB, Bundestag).
IAB Europe: €118.9 billion for the European digital advertising market in 2024.
ICC sanctions: dates clarified (Khan in February 2025, other judges and officials over the course of 2025).
Visa bans of 23 December 2025: only Breton linked to DSA enforcement; other cases addressed as distinct.
Roland Busch quote (Siemens, FT March 2026): reformulated to avoid overstating his position.
Section 3.3: removal of the paragraph on China’s semiconductor trajectory (10-year predictive claims not properly supportable).
Inteca: Poland. Stormshield: subsidiary of Airbus Defence and Space. Pleias and LightOn: distinct entities.
Claims removed or corrected: EV foreign subsidies instrument, TikTok DMA interim measure, Microsoft DMA non-compliance, EuroHPC supercomputer count, ICC migration timeline.
How to cite
Roux, N. (2026). European Digital Dependencies: A Diagnostic for Public Sector Decision-Makers. Independent policy report.
Zenodo DOI: https://doi.org/10.5281/zenodo.20076157