Why this study? Europe’s growing digital dependency
Europe’s software and cybersecurity landscape is characterised by deep and systemic dependence on non-EU providers. Despite long-standing ambitions to build a competitive, resilient and sovereign digital ecosystem, US-based firms dominate almost every layer of Europe’s digital stack – from cloud infrastructure and operating systems to enterprise software, AI platforms and consumer digital services.
Today, roughly four-fifths of EU spending on cloud and software flows to non-European providers, resulting in significant economic outflows, exposure to foreign jurisdictions and growing innovation gaps. While the European Union has developed a far-reaching regulatory framework, it remains largely and increasingly an importer of digital technologies. In the current geopolitical climate, where digital interdependence is becoming weaponised, these dependencies carry strategic risks for Europe’s competitiveness, innovation capacity and technological sovereignty.
What this study set out to do
This study provides a comprehensive assessment of Europe’s dependence on non-EU software and cybersecurity technologies and explores strategies to mitigate the associated risks. It addresses three core questions:
- What is the degree and nature of Europe’s dependency on non-EU software and cyber ecosystems?
- What economic, security and sovereignty risks arise from these dependencies?
- What strengths can Europe leverage to improve its digital autonomy and how?
The analysis combines extensive desk research, analysis of EU public procurement data (TED) and expert interviews. It examines dependencies across multiple layers of the digital value chain and identifies actionable directions for policy.
Key findings: a structurally dependent digital ecosystem
The study finds that non-EU actors (primarily US companies) control nearly all critical layers of Europe’s digital stack, with dependencies reinforced by vendor lock-in, proprietary standards, long-term contracts and strong network effects.
- Cloud infrastructure: AWS, Microsoft Azure and Google Cloud account for around 70% of the EU market, while European providers’ share has fallen to roughly 13%.
- Enterprise software: About 80% of European corporate software and cloud spending goes to US vendors, with SAP remaining the only major European player.
- Consumer platforms: US firms dominate mobile and desktop operating systems, web search, browsers and social media almost entirely.
- Cybersecurity: US and Israeli companies lead in key security tools, while EU firms are mainly active in services rather than core technologies.
- Government IT: Public administrations remain heavily reliant on non-EU productivity and cloud services, with only limited migration to open-source alternatives.
A case study of Europe’s energy infrastructure illustrates how digitalisation creates critical cyber dependencies, particularly in industrial control systems, grid management and market-trading software.
Sovereignty, security and economic risks
Heavy reliance on non-EU vendors exposes Europe to foreign legal and political control. US legislation such as the CLOUD Act and FISA gives American authorities jurisdictional reach over data hosted by US providers – even when data is stored in Europe. Recent service suspensions linked to sanctions demonstrate how decisions taken abroad can directly disrupt European operations.
At the same time, Europe’s technological position is weakened by chronic underinvestment in software R&D, limited venture capital and persistent talent outflows. While EU firms excel in applied and industrial innovations, they lag behind in foundational platform technologies such as cloud, operating systems and AI frameworks.
These dependencies come at a high macroeconomic cost:
- Europe runs a digital trade deficit exceeding EUR 100 billion annually.
- Around EUR 264 billion per year flows to foreign software and cloud providers – financing R&D and jobs elsewhere.
- Lock-in inflates long-term costs, suppresses innovation and weakens Europe’s negotiating power.
- Closing the productivity gap with the US digital sector could raise overall EU productivity by around 1.2%.
From vulnerability to strategic autonomy: pathways forward
The study concludes that Europe’s software and cyber dependencies have become a structural strategic liability. However, the EU retains significant strengths – its single market, research excellence, industrial base and regulatory capacity – that can be mobilised to rebuild technological autonomy.
While a fully European digital stack is not realistic in the short term, the study identifies several strategic pillars for a balanced approach that combines openness with autonomy:
- Sovereign cloud and AI infrastructure, including federated EU-controlled systems and AI computing capacity;
- Open-source and digital commons as strategic infrastructure, supported by sustainable funding and governance;
- Industrial alliances and public–private partnerships to pool R&D, set open standards and strengthen innovation ecosystems;
- Regulatory and procurement levers, including open standards, multisourcing and sovereignty criteria in public IT procurement;
- Investment in research, skills and international cooperation with like-minded partners.
Without decisive action, Europe risks becoming a “digital colony”, dependent on external platforms, standards and priorities for decades to come.


