Map of Europe showing mail dependency on Microsoft

European critical dependencies

TL;DR: Multiple countries in Europe are critically dependent on services provided by Microsoft. Querying mail servers shows that in some countries, over 70% of all public services rely on this American provider. Europe needs to build its own infrastructure, and open source is the most robust solution.

What we tried…

Insight 1: Every self-respecting municipality has a website and online services.
Insight 2: DNS records show us how mail is being sent for a domain.

Using these two simple concepts (which in the end weren’t always that simple, but that’s a different rabbit hole), we started a small project collecting the municipal websites of as many local governments in Europe as we could find. For each domain name, we then looked up the MX servers (mail exchange servers, which are responsible for sending mail). Next, we mapped those MX servers into a few categories. First off, we gave the two biggest global players their own place on the stage. The other servers we grouped per continent, and for Europe we made a distinction between EU servers and non-EU servers (as this is relevant for GDPR). In a final step, we tried to visualize these records in such a way that they are easily inspectable. The result is this map.

If you’re interested in further examining the method used, or looking into the CSV files containing the MX-records for a specific country, you can find these in the git repository.
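A minimal version of the classification step described above, as an added example (not the project's own code from the git repository): it reads MX answers in `dig +noall +answer` layout and labels each domain by its best-preference MX target. The suffix table, the category names and the `.example` records are assumptions constructed for this illustration; the per-continent and EU/non-EU split is left out because it needs IP geolocation.

```python
from collections import Counter, defaultdict

# MX target suffix -> category. The suffixes are the MX hostnames published
# by the hosted Microsoft 365 and Google Workspace mail services; the
# category names are this example's own (assumption).
PROVIDER_SUFFIXES = {
    "mail.protection.outlook.com": "microsoft",
    "aspmx.l.google.com": "google",
    "googlemail.com": "google",
    "smtp.google.com": "google",
}

# Constructed sample records (not real municipalities).
SAMPLE = """\
stad-a.example. 3600 IN MX 0  stad-a-example.mail.protection.outlook.com.
stad-b.example. 3600 IN MX 1  aspmx.l.google.com.
stad-b.example. 3600 IN MX 5  alt1.aspmx.l.google.com.
stad-c.example. 3600 IN MX 10 mx1.stad-c.example.
stad-c.example. 3600 IN MX 20 stad-c-example.mail.protection.outlook.com.
stad-d.example. 3600 IN MX 0  .
stad-e.example. 3600 IN MX 10 Stad-E-Example.Mail.Protection.Outlook.COM.
"""


def parse_mx_line(line):
    """Parse 'name TTL IN MX pref target' into (domain, pref, target)."""
    fields = line.split()
    if len(fields) != 6 or fields[2].upper() != "IN" or fields[3].upper() != "MX":
        return None
    # DNS names are case-insensitive; drop the trailing root dot.
    return fields[0].rstrip(".").lower(), int(fields[4]), fields[5].rstrip(".").lower()


def classify_target(target):
    """Label one MX hostname; match on whole DNS labels, not substrings."""
    if target == "":
        return "no-mail"  # null MX ("0 ."): the domain accepts no mail
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if target == suffix or target.endswith("." + suffix):
            return provider
    return "other"


def classify_domains(text):
    """Label each domain by its best-preference (lowest number) MX."""
    by_domain = defaultdict(list)
    for line in text.splitlines():
        record = parse_mx_line(line)
        if record:
            domain, pref, target = record
            by_domain[domain].append((pref, target))
    labels = {}
    for domain, records in by_domain.items():
        best = min(pref for pref, _ in records)
        categories = {classify_target(t) for p, t in records if p == best}
        # A backup MX at a lower priority (stad-c) does not change the label.
        labels[domain] = categories.pop() if len(categories) == 1 else "mixed"
    return labels


def provider_share(text):
    """Percentage of domains per category, rounded to whole percent."""
    labels = classify_domains(text)
    counts = Counter(labels.values())
    return {cat: round(100 * n / len(labels)) for cat, n in counts.items()}


if __name__ == "__main__":
    for domain, label in sorted(classify_domains(SAMPLE).items()):
        print(f"{domain:18} {label}")
    print(provider_share(SAMPLE))
```

A domain whose primary MX is its own gateway is labelled `other` here even when a hosted service sits behind it, so shares computed this way are a lower bound.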

What we discovered…

Europe has been promoting interoperability and open standards for decades. It has also been encouraging the use of local services and products. For e-mail, for example, there is a gigantic difference between the priorities countries choose. Yet in practice, a lot of cities and governmental services were persuaded to use zero-hassle, zero-insight solutions like the ones Microsoft and Google seem to offer.

This means that many public services rely on Microsoft for their daily operations – going from document storage to automation and integration with the office tools. For this research, we’re focusing on e-mail. Especially in Scandinavia and the Benelux, Microsoft has established a strong prevalence. Purely based on the MX records, we learn that 72% of Belgian municipalities and 60% of Dutch municipalities run Microsoft mail servers. For Scandinavia, it’s 64% in Norway and 57% in Sweden. In Finland, a whopping 77% of the cities are being served by Microsoft.

At the same time, countries like Germany – known for its strong hacker culture and cybersecurity awareness – land at merely 4% running Microsoft. Hungary too lands at barely 3%, and in Bulgaria Microsoft is surpassed by Google, the two together holding only 4% of the mail share.

Lessons from the political climate

Dutch municipalities raise concerns of dependency

In research conducted by Binnenlands Bestuur, published on February 13, 2025, we can read about growing concerns among Dutch municipalities about their deep reliance on Microsoft’s products. Nearly every municipality uses Microsoft’s software for daily operations, from Office 365 to Azure, making a switch both expensive and technically challenging. This dependency has raised alarms over vendor lock-in, potential price hikes, and the risks posed by U.S. legislation—such as the Cloud Act—which could force Microsoft to share European data with American authorities. While many local governments wish for a robust European alternative, none currently exists, prompting calls for a strategic approach to boost digital autonomy rather than an abrupt break with Big Tech.

International Criminal Court acknowledges critical dependency

A Guardian article, published on January 20, 2025, reports on escalating tensions around international legal actions and sanctions. The piece explains that the International Criminal Court (ICC) is preparing for significant repercussions as it faces potential swift U.S. sanctions from President Trump. These sanctions are a response to recent Israeli arrest warrants issued against individuals involved in alleged war crimes. The situation has raised alarm over the ICC’s ability to operate independently, with critics arguing that political and economic pressures—especially from the U.S.—could undermine its judicial authority. In this volatile climate, legal experts warn that the unfolding events could set a dangerous precedent for international justice and the enforcement of accountability for alleged crimes.

Unpredictable pricing

Once a country is locked in to a closed system, vendors can easily raise prices at random, as the transition cost is often even higher. This happened, for example, in Finland, where over 75% of the municipalities already depend on MS services. From a Pirha regional government meeting in November of ’24, we learn prices would go up by roughly 25% in 2025, compared to 2024.

Despite the Finnish government already changing policy in 2023, aiming to prioritize European services, it appears that in 2024 a big majority of the public services were still running the MS suite, proving exactly how vendor lock-in can keep a stranglehold on our whole infrastructure.

In Sweden too, experts have expressed their concerns about dependency on US based technology for their critical infrastructure. “The protection mechanisms that would ensure that European data do not end up in the hands of US authorities are effectively dismantled,” Heath said. He believes that Sweden must take control of its own infrastructure and not lean on the American one.

Norway is likewise uneasy about heavy reliance on U.S. cloud providers. A recent commentary noted that Norwegian public institutions are completely at the mercy of Microsoft’s cloud services today. It warns American cloud services might even become illegal in Norway if the EU–US data deal falters, raising doubts about the legality of using Microsoft, Google, etc. The author argues Norway faces a crossroads: become more dependent on a “crumbling American democracy” or dare to pursue new paths. This reflects growing concern in Norway over digital sovereignty and security, urging investment in European or domestic alternatives to give authorities better control of their data.

Not only municipalities, also public services

In Denmark, the Data Protection Authority took action over public sector use of Google services. In 2022 it banned Helsingør Municipality from using Google Chromebooks and Workspace in schools due to GDPR violations, judging that the data transfer risks were too high. Some 50 municipalities were ordered to fix their Google Workspace use to comply with the law. The ban was later suspended while Google and authorities work on remedies, allowing Helsingør and others to temporarily continue using Google Workspace. This controversy underscores Danish concerns about data sovereignty, security risks, and vendor lock-in, prompting consideration of alternative solutions or stricter agreements to protect citizen data.

The schizophrenia needed to solve the issues is clearly documented in the Google story. While Google managed to set clear guidelines for using Google Classroom, these don’t apply when using other Google products like Google Maps, YouTube or Google Search. Three years later, it seems clear that Google hasn’t succeeded in setting a clear framework, as this article by Sivon from 2025 teaches us.

Pie chart showing distribution of Mail servers in Belgian Fire Departments

This critical dependency also creates situations like in Belgium, where 100% of the police force uses Microsoft for their mail service, and 57% of the fire departments run Microsoft or Google. Similar figures can be found for Belgian hospitals. If Microsoft were to become unavailable in Belgium, this would cause critical chaos and cost lives.

Prioritize local economies

While Europe has a strong policy when it comes to prioritizing the local economy in the context of an interoperable Europe, policy makers all around seem inclined to prefer the trodden paths of MS and Google.

Obviously, companies like Microsoft also feel the heat and are scrambling to procure nice infographics and promises, they even throw in some AI candy… but in the end, they still remain a US company. So they are susceptible to US law – which can affect both our privacy and our dependence: “U.S. laws such as the CLOUD Act continue to grant the U.S. government the authority to access this data,” warned the analyst. The question therefore is whether European governments can actually restrict this kind of access. “Can a single US disposition override these obligations,” the expert wonders. “In this case, residence does not necessarily mean control.”

And while President Trump with his Department of Government Efficiency (DOGE) is currently pushing the boundaries of the legal frameworks quite openly, the Snowden revelations have taught us that the US services have been monitoring EU citizens for over a decade through these international companies.

Are we willing to hand over our data and operations to a country that could pull the plug with the flick of a presidential finger?

Futureproofing our digital society

While it’s an important step to run applications from within Europe, it’s also important to realize that international relationships change. Furthermore, on the IT market – a very international and competitive market – it’s not uncommon for companies to be bought up by bigger partners. What once was a local company can quickly turn into a branch of a huge multinational. If this happens, both data and know-how often change hands and become part of a foreign entity, possibly no longer aligned with the priorities initially outlined when collaborations started.

By staying in control of the software used in your government, you eliminate the need to trust a company. In the Open Source ecosystem, there is already a long tradition of safeguarding knowledge and code to be accessible to all.

Sharing code between municipalities and governments is also a very pragmatic way of cutting costs – allowing different partners to also tweak applications to tailor them to local needs. Through the use of a strong open source license (e.g. GPL), you also protect your investment from other companies profiting off it without contributing back for the betterment of the community.

Let me quote Johan Linåker in this article on the website of the French government:

The surveyed countries exhibit diverse policies, emphasizing interoperability, digital sovereignty, transparency, and cost efficiency. While cost efficiency, interoperability and transparency were commonly referred to, much less attention was paid to digital sovereignty and even less to cyber security and sustainability aspects related to FOSS. The latter is rather surprising but can potentially be explained by the relatively recent uprise of these topics in public debates. We hope and strongly recommend that these topics be considered explicitly in upcoming policies.

Local talent

Europe has some of the greatest minds in the field of cybersecurity and IT. Given the job-market is ever-expanding in the US and merely on life support in Europe, it is obvious that our biggest talents cross the pond to fully harvest their potential. Now is the time to invest in our local talent, to safeguard our companies from being bought up by US investors.

Hacker communities and FOSS movements have been bringing the message for decades. Europe must decide whether to remain dependent on foreign tech giants or to invest in its own future. We have the expertise, the resources, and the legal frameworks to support a shift toward European digital sovereignty. What we need now is action from policymakers and pressure from the public to ensure that the infrastructure of tomorrow serves European interests, not those of a foreign power.

And now…

The longer we wait, the harder it will be to break free. The reliance on a single vendor is not just a matter of cost but of sovereignty, security, and resilience. If European governments do not act now, they risk facing an even greater crisis when pricing becomes unsustainable, when services are withdrawn, or when geopolitical tensions escalate. The alternative is clear: build European infrastructure, promote open standards, and foster a thriving FOSS ecosystem that guarantees long-term independence.

Are you a local or national politician? Don’t quietly make deals with the established companies because it’s the easiest deal and they have the best marketeers.

Are you an engaged citizen? Reach out to your local municipality or government and question their choices.

Further reading

Please add other articles in the comments!



Comments

33 responses to “European critical dependencies”

  1. Phil Pennock

    @me You write:

    At the same time, countries like Germany – known for its strong hacker culture and cybersecurity awareness – land at merely 4% running Microsoft.

    AFAIK, in Germany, the advent of requirements to use TLS-by-default and pushes for DANE in email accelerated the existing trend to put an open source mail-server in front of an MS Exchange install. Usually Exim or Postfix in front. Not so much for hosted mail platforms but very much so for local installs of MS Exchange.

    What did you do to identify the underlying mail-platform which stores and handles the mail, as opposed to the perimeter mail-system used for routing messages in and out with more flexible security options?

    1. jurgen

      Hi, unfortunately I haven’t taken that step yet… I’m looking into a few possible approaches though… (1) check the SPF records (in the TXT of the DNS). Often also there’s a “MS=something” token in the TXT records. Also not ironclad but most certainly an indication that at some point (in the past, possibly up to present) some MS involvement was there. So I’m very aware that my analysis is very conservative. If you have any suggestions to improve the query process… please elaborate!

      1. Phil Pennock

        @me You can often get hints about which services are registered as mail origins by probing for the existence of DKIM signing key selectors in DNS. Some services use fixed selectors, others let you use freeform.

        So Google is easy, selector google and you can use dig -t txt google._domainkey.example.eu and if you get a result, odds are good they’re using hosted Google Mail.

        I’ve had cause to look into a few services providers, but before today I’d never looked at what Exchange uses.

        Self-hosted Exchange appears to be freeform, but suggests a default of s1024 and it seems likely many would use that? Found at https://www.emailarchitect.net/domainkeys/kb/dkim_exchange_2007_2010_2013.aspx

        Cloud Microsoft 365 appears to be much more freeform and harder to pin down. On the bright side, they’ve designed to allow for rotation, which puts them several steps ahead of Google, who are screwing all their customers with a chunk of tech debt here.

        1. jurgen

          Thanks, those are a few interesting insights. But all who are using DKIM, will most likely already have a tell-tale SPF record too. At least, that’s my assumption. But DKIM indeed could reveal other third party services they could be using for their spam management (which effectively means they also go through all their mail – allowing them to also become a potential target for GDPR-issues)

          1. Phil Pennock

            @me The SPF record only needs to include those hosts which route mail to other organizations. If you have an outbound mail-server which handles implementing DANE/TLS and other such things, then its IP is the only thing which needs to appear.

            So if you have an MS Exchange server on-premises, it does not need to appear in SPF. If you have various external services which can generate mail but which route through a compliance gateway, then the compliance gateway is the only thing which needs to appear in SPF.

            Thus the value of DKIM lookups, in identifying message generators. It’s fraught to DKIM sign at the edge, because a mistake in ACLs will have you DKIM-signing spam. Most systems I’ve seen have the generating system do the original signing there.

      2. Daniel

        The MS=….. TXT is only needed if you register a domain you own within M365 so you can receive or send email from EXO directly. If you use a relay in front or behind, then this may not be needed. So it is merely indicative, but not proof that Exchange is used or not used behind the scenes. Same with SPF records.

        Another indication could be provided by checking email headers for Microsoft-specific properties.

        Get in touch with me if there’s anything I could help with. If that’s a field where you are qualified, please excuse me. It’s hard to guess and I did not intend to step on any toes.

    2. Jyrgen N

      @philpennock @me While indeed a lot in Germany have Exim or Postfix as outer mail gateway, internally it is very often MS Exchange (on prem), like at my employer's. Microsoft has already announced they will at some not-so-far-in-the-future point no longer support Exchange on prem, but as a cloud service only. (1/2)

  2. Olivier Leroy

    @me it seems France is not doing that bad. I remember my local sys admin (University) saying that doing mail stuff was their core business and no one was going to touch that.

    1. jurgen

      Hey there, thanks for engaging! Yes, France is pretty good going! I think movements like #aprilorg and @Framasoft are having a very good influence there! Kudos to them and all the great communities who raise awareness in France

  3. errorbody

    @me

    Very interesting read. Thank you very much for writing this post. Just today I was listening to an episode of @DasWissen about #FOSS vs #Microsoft in municipalities. Link to episode: https://ard.social/@DasWissen/114142377910986099

    1. jurgen

      Thanks… As I use to say to my German speaking friends: Meinen Deutsch ist ein bitchen Krank. (and I assume I messed up the capitalisation in there too). I really don’t speak German. But happy there’s a movement happening here.

  4. Digital Freedom Foundation

    @me thanks for sharing my post! And thanks for all your witty and insightful messages too!

  5. […] In the case of most Dutch municipalities: Microsoft. Jurgen Gaeremyn made the map and in this article he explains more about the research and why the dependency really is a problem […]

  6. Jonny

    @me
    Microsoft was perfected 20 years ago. Go be a faggot in Europe.

    1. jurgen

      lol! I was wondering when I was going to see the first person to insult me with non-arguments.
      This isn’t about MS Office being a great tool (it might be), it’s about having a single company being able to shut down (at least) 75% of European critical infrastructure if they want to or are required to.

      For others… I’m open for discussions (and actually appreciate them). But please bring real arguments to the table. Further trolls will just be blocked.

  7. Michael

    @me When choosing a solution, provider, whatever, the first priority should be: Open Standards. If they're not operating with open standards, cross them off your list. That instantly rules out Microsoft and all their proprietary (buggy, unstable, insecure, overpriced) applications and services.

    1. jurgen

      While I agree, I disagree that their software is more buggy, unstable or insecure than open source solutions. I won’t go into pricing either, as I do agree that we should pay our developers well. I fully agree though with your stance that Open Standards are a starter. But in my opinion, they’re not even enough. You’ll also need to know – especially in cloud services – what happens under the hood. And you have to be able to move your stuff (not only the data, but also the processes/code) to a different service provider if the need occurs. Open Standards have been the default for roughly the last decade. But the legal shitstorm the LLMs have taught us, is that it’s not enough to have access to our data – it’s equally important to know what happens with that data. (typically a license agreement or EULA will tell you what they don’t do… the sneaky part is to figure out what they omitted to mention… e.g. use it as training data)

      1. Michael

        @me oh I have nothing against commercial solutions , btw. There are just almost always better options than Microsoft

        1. jurgen

          That kind of discussion actually leads nowhere – as it will be a discussion about subjective priorities. While I disagree, I think it’s important to acknowledge change aversity, legacy cost and existing integrations as a reality. Some people also prefer “legal guarantees” over “technical guarantees”. Last one I heard, was: “that interface looks so 20th century”… They prefer not having to care about servers and configuration and just want someone to yell at if things go south. Those are also things I won’t engage in discussing.

          What I will do: try to debunk myths (lower quality, unreliable, no service models, not viable, naive)

          1. Michael

            @me fair enough, agree to disagree (c:

  8. […] an interesting article from March 2025 (in English), Jurgen Gaeremyn maps European municipalities according to the servers of […]

  9. Alex

    I wrote a short read about Belgian Digital Sovereignty http://mikhailian.mova.org/node/297

    Hope you’ll like its different perspective.

    1. jurgen

      Interesting complementary view indeed… wasn’t aware we had our own cloud system. What is it based on? (oh, and do you mean the Belgian government, the Flemish government or the provinces?) Who owns the code to that platform? Is this a private company? If so… what happens when these get bought up by e.g. Microsoft? Actually having the same question about ItsMe – what if they get bought?

      1. Alex

        By Belgian cloud I mean https://www.gcloud.belgium.be/

        It’s not what you think a cloud is, but it does the job of keeping the infrastructure in Belgium.

        Mostly used by federal institutions, but open to any public institution. The platform is a partnership of several federal institutions.

        Itsme is private, but it is a thin layer around the ForgeRock Identity Platform instance run by BOSA, a federal organization.

        There was an attempt to displace Itsme recently by MyId.be, but it spectacularly failed.

        There could be others.

  10. […] a previous article, I raised concerns regarding Europe’s deep reliance on non-European IT services, particularly […]

  11. iiska

    @me Interesting and important research, however I believe Finland's reliance on MS could be even worse than 77%.

    Eg. my home town heavily relying on MS is marked using domestic service provider – maybe due to reason that their MX records pointed to the company managing the MS infra for them?

    What do you think would checking for SPF records as additional step help sorting these out? In this case retrieving TXT records for ouka.fi would include SPF for spf.protection.outlook.com.

    1. jurgen

      Absolutely underestimated numbers. These are the numbers based on MX records. There are also servers hidden behind a proxy, and local installations of Exchange servers. These are hard to find though. Working on it though … My guess is that it will be somewhere between 90% and 95%
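The TXT-record checks raised in the comments above (the `MS=` token and SPF include in the first thread, and the `spf.protection.outlook.com` include in this one), sketched as an added example that is not code from the post or from any commenter: it takes a domain's MX label plus its TXT records as `dig` prints them and reports how strong the Microsoft evidence is. The function names, verdict strings and sample records are assumptions constructed for illustration.

```python
import re

MS_SPF_INCLUDE = "spf.protection.outlook.com"   # include named in the thread
MS_TOKEN = re.compile(r"^MS=\S+$", re.IGNORECASE)  # "MS=something" token


def join_txt(rdata):
    """Concatenate the quoted chunks of one TXT record as dig prints it.

    Long records are split into several strings that must be joined
    without a separator before they are interpreted.
    """
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(chunks) if chunks else rdata.strip()


def spf_targets(txt):
    """Domains referenced by include: / redirect= in a single SPF record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return []
    targets = []
    for term in terms[1:]:
        term = term.lower().lstrip("+-~?")  # drop the SPF qualifier
        for prefix in ("include:", "redirect="):
            if term.startswith(prefix):
                targets.append(term[len(prefix):].rstrip("."))
    return targets


def microsoft_hints(txt_rdatas):
    """Collect the indicative (not conclusive) Microsoft markers."""
    hints = set()
    for rdata in txt_rdatas:
        txt = join_txt(rdata)
        # Only direct includes are seen; nested includes need more lookups.
        if MS_SPF_INCLUDE in spf_targets(txt):
            hints.add("spf-include")
        if MS_TOKEN.match(txt):
            hints.add("ms-token")
    return hints


def assess(mx_label, txt_rdatas):
    """Combine an MX-based label with TXT hints into a graded verdict."""
    hints = microsoft_hints(txt_rdatas)
    if mx_label == "microsoft":
        return "microsoft (MX)"
    if "spf-include" in hints:
        return "microsoft likely (SPF include, MX elsewhere)"
    if "ms-token" in hints:
        return "microsoft possible (domain verified at some point)"
    # No hint is not evidence of absence: an on-premises Exchange behind
    # a gateway need not appear in MX, SPF or TXT at all.
    return mx_label


# Constructed sample: (MX label, TXT records in dig layout).
SAMPLE = {
    "stad-c.example": ("other", ['"v=spf1 ip4:192.0.2.10 include:spf.protecti" '
                                 '"on.outlook.com -all"', '"MS=ms00000000"']),
    "stad-f.example": ("other", ['"v=spf1 mx -all"', '"MS=ms00000000"']),
    "stad-g.example": ("other", ['"v=spf1 include:_spf.stad-g.example ~all"']),
}

if __name__ == "__main__":
    for domain, (mx_label, txt) in SAMPLE.items():
        print(f"{domain:16} {assess(mx_label, txt)}")
```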

  12. Audun

    @me The data for Norway is faulty. Lots of non-official domains and even some that aren't cities at all (like Sandvika). Probably a whole lot missing as well, as there are 357 municipalities and 15 counties.
    You can probably clean up by deleting all entries that aren't a subdomain of kommune.no.
    Though, I guess that the Microsoft rate will be much higher with correct data.

  13. […] European critical dependencies (jurgen.gaeremyn.be) […]

  14. Raf Lefever

    IMHO, the problem with dependency on US-controlled services runs deeper.

    There is not just the matter of services and, to some extent, licenses: ever more EU organizations embrace the cloud infrastructure offering of Big Tech and though good practice dictates geographical distribution, most will distribute their solutions over just a handful of data centers inside Europe.

    This presents a risk, given the current geopolitical reality. A huge data center is a juicy target for an Iskander missile. Perhaps the hyperscale model, which works for the geographically isolated US, is not the best fit for Europe, having Russia in the backyard? Maybe we should think about a completely different model?

    We have been brainwashed into believing that scalability (elasticity) and centralization are the solution to all problems, but those are profit-aligned drivers. Given the European Reality: a linguistically and culturally diverse landscape, a relatively small area, few globally relevant businesses, an aggressive neighbor,… wouldn’t Europe be better served with a highly decentralized internet? Smaller (even tiny) data centers but tons of them, to such an extent that it would become indestructible? Europe would not just benefit strategically, we would also evolve a unique know-how and offer an alternative to the Big Tech prison.

    The technology allows it, the political will is there and so is the money. This is a once-in-a-lifetime opportunity!

    1. jurgen

      I’m personally a firm believer in the federated model, e.g. NextCloud. This way, every province could have its own server (or even every big municipality). Support and tech expertise could be centralized as that is expensive (hard to find, too specialized for a full time job on such a small scale). But independent of my personal opinion (I’m not a technical expert), doing the risk assessment is a necessity.

  15. Tariq

    @me

    about 15 years I worked in central government in the uk

    as a newbie I was surprised at the scale of dependence on Microsoft and other powerful US tech companies

    in theory, every procurement should take into account data and service portability (lockin) and also the wider issue of "all legs in one basket" risk.

    in reality there seemed to be an unspoken rule that because we were the UK, depending on the USA was ok

    as I said, it was never spoken or written, but understood

    strategic error
