Pseudo Random Noise

Map of Europe showing mail dependency on Microsoft

European critical dependencies

TLDR; Multiple countries in Europe are critically dependent on services provided by Microsoft. Querying mail-servers teaches that in some countries, over 70% of all public services rely on this American provider. Europe needs to build its own infrastructure, and open source is the most robust solution.

What we tried…

Insight 1: Every self-respecting municipality has a website and online services.
Insight 2: DNS records show us how mail is being sent for a domain.

Using these two simple concepts (which in the end weren’t always that simple, but that’s a different rabbit hole), we started a small project collecting the municipal website of as much local governments in Europe as we could collect. For that domain name, we then looked for the MX-servers (mail exchange-servers, that are responsible for sending mail). Next we started mapping those MX-servers into a few categories. First off, we gave the two biggest global players its own place on the stage. For the other servers, we grouped them per continent and for Europe made a distinction between EU-servers and non-EU servers (as this is relevant for GDPR). In a final step, we tried to visualize these records in such a way that they were easily inspectable. The result is this map.

If you’re interested in further examining the method used, or looking into the CSV files containing the MX-records for a specific country, you can find these in the git repository.

What we discovered…

Europe has been promoting interoperability and open standards for decades. They have also been encouraging the use of local services and products. For e-mail for example there is a gigantic difference between the priorities countries choose. Yet, in practice a lot of cities and governmental services got persuaded to use zero-hassle, zero-insight solutions like the ones Microsoft and Google seem to offer.

This means that many public services rely on Microsoft for their daily operations – going from document storage to automation and integration with the office tools. For this research, we’re focusing on e-mail. Especially in Scandinavia and the Benelux, Microsoft has established a strong prevalence. Purely based on the MX-records, we learn that 72% of Belgian municipalities run Microsoft mail servers and 60% of the Dutch municipalities. For Scandinavia, it’s 64% in Norway and 57% in Sweden. In Finland, it’s a whopping 77% if the cities that are being served by Microsoft.

At the same time, countries like Germany – known for its strong hacker culture and cybersecurity awareness – land at mearly 4% running Microsoft. In Hungary too, they land on hardly 3% and in Bulgaria they are surpassed by Google, together only having 4% of the mail-share.

Lessons from the political climate

Dutch municipalities raise concerns of dependency

In research conducted by Binnenlands Bestuur, published on February 13, 2025, we can read growing concerns among Dutch municipalities about their deep reliance on Microsoft’s products. Nearly every municipality uses Microsoft’s software for daily operations, from Office 365 to Azure, making a switch both expensive and technically challenging. This dependency has raised alarms over vendor lock-in, potential price hikes, and the risks posed by U.S. legislation—such as the Cloud Act—which could force Microsoft to share European data with American authorities. While many local governments wish for a robust European alternative, none currently exists, prompting calls for a strategic approach to boost digital autonomy rather than an abrupt break with Big Tech.

International Criminal Court acknowledges critical dependency

A Guardian article, published on January 20, 2025, reports on escalating tensions around international legal actions and sanctions. The piece explains that the International Criminal Court (ICC) is preparing for significant repercussions as it faces potential swift U.S. sanctions from President Trump. These sanctions are a response to recent Israeli arrest warrants issued against individuals involved in alleged war crimes. The situation has raised alarm over the ICC’s ability to operate independently, with critics arguing that political and economic pressures—especially from the U.S.—could undermine its judicial authority. In this volatile climate, legal experts warn that the unfolding events could set a dangerous precedent for international justice and the enforcement of accountability for alleged crimes.

Unpredictable pricing

Once a country is locked in to a closed system, vendors can easily raise prices at random, as transition cost is often even higher. This for example happened in Finland, where over 75% of the municipalities already depend on MS services. From a Pirha regional government meeting in November of ’24, we learn prices would go up with roughly 25% in 2025, compared to 2024.

Despite the Finnish government already changing policy in 2023, aiming to prioritize European services, it appears that in 2024 still a big majority of the public services are running the MS suite. Proving exactly how vendor lock-in can stronghold our whole infrastructure.

In Sweden too, experts have expressed their concerns about dependency on US based technology for their critical infrastructure. “The protection mechanisms that would ensure that European data do not end up in the hands of US authorities are effectively dismantled,” Heath said. He believes that Sweden must take control of its own infrastructure and not lean on the American one.

Norway is likewise uneasy about heavy reliance on U.S. cloud providers. A recent commentary noted that Norwegian public institutions are completely at the mercy of Microsoft’s cloud services today​. It warns American cloud services might even become illegal in Norway if the EU–US data deal falters​, raising doubts about the legality of using Microsoft, Google, etc. The author argues Norway faces a crossroads: become more dependent on a “crumbling American democracy” or dare to pursue new paths​. This reflects growing concern in Norway over digital sovereignty and security, urging investment in European or domestic alternatives to give authorities better control of their data.

Not only municipalities, also public services

In Denmark, the Data Protection Authority took action over public sector use of Google services. In 2022 it banned Helsingør Municipality from using Google Chromebooks and Workspace in schools due to GDPR violations​, judging that the data transfer risks were too high. Some 50 municipalities were ordered to fix their Google Workspace use to comply with the law​. The ban was later suspended while Google and authorities work on remedies, allowing Helsingør and others to temporarily continue using Google Workspace​. This controversy underscores Danish concerns about data sovereignty, security risks, and vendor lock-in, prompting consideration of alternative solutions or stricter agreements to protect citizen data.

The schizophrenia needed to solve the issues, is clearly documented in the Google story. While Google achieved to set clear guidelines for using Google Classroom, these don’t apply when using other Google products like Google Maps, Youtube or Google Search. Three year later, it seems clear that Google hasn’t succeeded in setting a clear framework, this article by Sivon from 2025 teaches us.

Pie chart showing distribution of Mail servers in Belgian Fire Departments

This critical dependency also creates situations like in Belgium, where 100% of the police force uses Microsoft for their mail service, and 57% of the fire departments run Microsoft or Google. Similar figures can be for Belgian hospitals. If Microsoft would become unavailable in Belgium, this would cause a critical chaos and cost lives.

Prioritize local economies

While Europe has a strong policy when it comes to prioritizing local economy in the context of an interoperable Europe, policy makers all around seem to be susceptible to prefer the trodden paths of MS and Google.

Obviously, companies like Microsoft also feel the heat and are scrambling to procure nice infographics and promises, they even throw in some AI candy… but in the end, they still remain a US company. So they are susceptible to US law – which can affect both our privacy and our dependence: “U.S. laws such as the CLOUD Act continue to grant the U.S. government the authority to access this data,” warned the analyst. The question therefore is whether European governments can actually restrict this kind of access. “Can a single US disposition override these obligations,” the expert wonders. “In this case, residence does not necessarily mean control.”

And while president Trump with its Department of Governmental Efficiency (DOGE) is currently pushing the boundaries of the legal frameworks quite openly, the Snowden revelations have taught us that the US services have been monitoring EU citizens for over a decade through these international companies.

Are we willing to hand over our data and operations to a country that could pull the plug with the flick of a presidential finger?

Futureproofing our digital society

While it’s an important step to run applications from within Europe, it’s also important to realize that international relationships change. Furthermore, on the IT-market – a very international and competitive market – it’s not uncommon for companies to be bought up by bigger partners. What once was a local company, can quickly turn into a branch of a huge multinational. If this happens, both data and know-how often exchange hands and become part of a foreign entity, possibly no longer aligned with the priorities initially outlined when collaborations started.

By staying in control of the software used in your government, you eliminate the need to trust a company. In the Open Source ecosystem, there is already a long tradition of safeguarding knowledge and code to be accessible to all.

Sharing code between municipalities and governments, is also a very pragmatic way of cutting costs – allowing different partners to also tweak applications to tailor to local needs. Through the use of a strong open source license (e.g. GPL), you also protect other companies from profiting off your investment without contributing back for the betterment of the community.

Let me quote Johan Linåker in this article on the website of the French government:

The surveyed countries exhibit diverse policies, emphasizing interoperability, digital sovereignty, transparency, and cost efficiency. While cost efficiency interoperability and transparency were commonly referred to, much less attention was paid to digital sovereignty and even less to cyber security and sustainability aspects related to FOSS. The latter is rather surprising but can potentially be explained by the relatively recent uprise of these topics in public debates. We hope and strongly recommend that these topics be considered explicitly in upcoming policies.

Local talent

Europe has some of the greatest minds in the field of cybersecurity and IT. Given the job-market is ever-expanding in the US and merely on life support in Europe, it is obvious that our biggest talents cross the pond to fully harvest their potential. Now is the time to invest in our local talent, to safeguard our companies from being bought up by US investors.

Hacker communities and FOSS movements have been bringing the message for decades. Europe must decide whether to remain dependent on foreign tech giants or to invest in its own future. We have the expertise, the resources, and the legal frameworks to support a shift toward European digital sovereignty. What we need now is action from policymakers and pressure from the public to ensure that the infrastructure of tomorrow serves European interests, not those of a foreign power.

And now…

The longer we wait, the harder it will be to break free. The reliance on a single vendor is not just a matter of cost but of sovereignty, security, and resilience. If European governments do not act now, they risk facing an even greater crisis when pricing becomes unsustainable, when services are withdrawn, or when geopolitical tensions escalate. The alternative is clear: build European infrastructure, promote open standards, and foster a thriving FOSS ecosystem that guarantees long-term independence.

Are you a local or national politician? Don’t quietly make deals with the established companies because it’s the easiest deal and they have the best marketeers.

Are you an engaged citizen? Reach out to your local municipality or government and question their choices.

Further reading

Please add other articles in the comments!

Posted

in

by

jurgen

Tags:

,

Comments

21 responses to “European critical dependencies”

  1. jurgen Avatar
    jurgen

    Amsterdam is also moving:
    https://www.binnenlandsbestuur.nl/digitaal/amsterdam-presenteert-plan-voor-digitale-autonomie

    Reply
  2. Phil Pennock Avatar
    Phil Pennock

    @me You write:

    At the same time, countries like Germany – known for its strong hacker culture and cybersecurity awareness – land at mearly 4% running Microsoft.

    AFAIK, in Germany, the advent of requirements to use TLS-by-default and pushes for DANE in email accelerated the existing trend to put an open source mail-server in front of an MS Exchange install. Usually Exim or Postfix in front. Not so much for hosted mail platforms but very much so for local installs of MS Exchange.

    What did you do to identify the underlying mail-platform which stores and handles the mail, as opposed to the perimeter mail-system used for routing messages in and out with more flexible security options?

    1. jurgen Avatar
      jurgen

      Hi, unfortunately I haven’t taken that step yet… I’m looking into a few possible approaches though… (1) check the SPF records (in the TXT of the DNS). Often also there’s a “MS=something” token in the TXT records. Also not ironclad but most certainly an indication that at some point (in the past, possibly up to present) some MS involvement was there. So I’m very aware that my analysis is very conservative. If you have any suggestions to improve the query process… please elaborate!

      Reply
      1. Phil Pennock Avatar
        Phil Pennock

        @me You can often get hints about which services are registered as mail origins by probing for the existence of DKIM signing key selectors in DNS. Some services use fixed selectors, others let you use freeform.

        So Google is easy, selector google and you can use dig -t txt google._domainkey.example.eu and if you get a result, odds are good they’re using hosted Google Mail.

        I’ve had cause to look into a few services providers, but before today I’d never looked at what Exchange uses.

        Self-hosted Exchange appears to be freeform, but suggests a default of s1024 and it seems likely many would use that? Found at https://www.emailarchitect.net/domainkeys/kb/dkim_exchange_2007_2010_2013.aspx

        Cloud Microsoft 365 appears to be much more freeform and harder to pin down. On the bright side, they’ve designed to allow for rotation, which puts them several steps ahead of Google, who are screwing all their customers with a chunk of tech debt here.

        1. jurgen Avatar
          jurgen

          Thanks, those are a few interesting insights. But all who are using DKIM, will most likely already have a tell-tale SPF record too. At least, that’s my assumption. But DKIM indeed could reveal other third party services they could be using for their spam management (which effectively means they also go through all their mail – allowing them to also become a potential target for GDPR-issues)

          Reply
          1. Phil Pennock Avatar
            Phil Pennock

            @me The SPF record only needs to include those hosts which route mail to other organizations. If you have an outbound mail-server which handles implementing DANE/TLS and other such things, then its IP is the only thing which needs to appear.

            So if you have an MS Exchange server on-premises, it does not need to appear in SPF. If you have various external services which can generate mail but which route through a compliance gateway, then the compliance gateway is the only thing which needs to appear in SPF.

            Thus the value of DKIM lookups, in identifying message generators. It’s fraught to DKIM sign at the edge, because a mistake in ACLs will have you DKIM-signing spam. Most systems I’ve seen have the generating system do the original signing there.

    2. Jyrgen N Avatar
      Jyrgen N

      @philpennock @me While indeed a lot in Germany have Exim or Postfix as outer mail gateway, internally it is very often MS Exchange (on prem), like at my employer's. Microsoft has already announced they will at some not-so-far-in-the-future point no longer support Exchange on prem, but as a cloud service only. (1/2)

  3. Olivier Leroy Avatar
    Olivier Leroy

    @me it seems France is not doing that bad. I remember my local sys admin (University) saying that doing mail stuff was their core business and no one was going to touch that.

    1. jurgen Avatar
      jurgen

      Hey there, thanks for engaging! Yes, France it pretty good going! I think movements like #aprilorg and @Framasoft are having a very good influence there! Kudos to them and all the great communities who raise awareness in France

      Reply
  4. errorbody Avatar
    errorbody

    @me

    Very interesting read. Thank you very much for writing this post. Just today I was listening to an episode of @DasWissen about #FOSS vs #Microsoft in municipalities. Link to episode: https://ard.social/@DasWissen/114142377910986099

    1. jurgen Avatar
      jurgen

      Thanks… As I use to say to my German speaking friends: Meinen Deutsch ist ein bitchen Krank. (and I assume I messed up the capitalisation in there too). I really don’t speak German. But happy there’s a movement happening here.

      Reply
  5. Digital Freedom Foundation Avatar
    Digital Freedom Foundation

    @me thanks for sharing my post! And thanks for all your whitty and insightful messages too!

  6. Digitale Zaken 16 – STORYmin.es

    […] In het geval van de meeste Nederlandse gemeenten: Microsoft. Jurgen Gaeremyn maakte de kaart en in dit artikel legt hij meer uit over het onderzoek en waarom de afhankelijkheid echt wel een probleem […]

    Reply
  7. Jonny Avatar
    Jonny

    @me
    Microsoft was perfected 20 years ago. Go be a faggot in Europe.

    1. jurgen Avatar
      jurgen

      lol! I was wondering when I was going to see the first person to insult me with non-arguments.
      This isn’t about MS Office being a great tool (it might be), it’s about having a single company being able to shut down (at least) 75% if European critical infrastructure if they want to or are required to.

      For others… I’m open for discussions (and actually appreciate them). But please bring real arguments to the table. Further trolls will just be blocked.

      Reply
  8. Michael Avatar
    Michael

    @me When choosing a solution, provider, whatever, the first priority should be: Open Standards. If they're not operating with open standards, cross them off your list. That instantly rules out Microsoft and all their proprietary (buggy, unstable, insecure, overpriced) applications and services.

    1. jurgen Avatar
      jurgen

      While I agree, I disagree that their software is more buggy, unstable or insecure than open source solutions. I won’t go into pricing either, as I do agree that we should pay our developers well. I fully agree though with your stance that Open Standards are a starter. But in my opinion, they’re not even enough. You’ll also need to know – especially in cloud services – what happens under the hood. And you have to be able to move your stuff (not only the data, but also the processes/code) to a different service provider if the need occurs. Open Standards have been the default for roughly the last decade. But the legal shitstorm the LLMs have taught us, is that it’s not enough to have access to our data – it’s equally important to know what happens with that data. (typically a license agreement or EULA will tell you what they don’t do… the sneaky part is to figure out what they omitted to mention… e.g. use it as training data)

      Reply
      1. Michael Avatar
        Michael

        @me oh I have nothing against commercial solutions , btw. There are just almost always better options than Microsoft

        1. jurgen Avatar
          jurgen

          That kind of discussion actually leads nowhere – as it will be a discussion about subjective priorities. While I disagree, I think it’s important to acknowledge change aversity, legacy cost and existing integrations as a reality. Some people also prefer “legal guarantees” over “technical guarantees”. Last one I heard, was: “that interface looks so 20th century”… They prefer not having to care about servers and configuration and just want someone to yell at if things go south. Those are also things I won’t engage in discussing.

          What I will do: try to debunk myths (lower quality,unreliable, no service models, not viable, naive)

          Reply
          1. Michael Avatar
            Michael

            @me fair enough, agree to disagree (c:

  9. Messagerie et autonomie stratégique dans les communes – France Numérique Libre

    […] un intéressant article de mars 2025 (en anglais), Jurgen Gaeremyn cartographie les communes européennes selon les serveurs de […]

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.