A vast majority of EU countries rely on US cloud services for their national defence agencies, putting them at risk of a "kill switch" that shuts down service at any time.
Most European countries rely on US cloud providers for their military operations and are at risk of being exposed to a "kill switch," a new analysis found.
ADVERTISEMENT
ADVERTISEMENT
Brussels-based think tank Future of Technology Institute (FOTI) said that a vast majority of European countries depend on US tech companies for their national defence applications, either through direct partnerships or via European companies that use US cloud services.
These companies are at risk of a "kill switch," the idea that Washington will subpoena data stored in the cloud or impose sanctions on US cloud providers.
The US president can issue a subpoena for data under the CLOUD Act, passed during Donald Trump’s first term at the White House.
In particular, 16 European countries are at a high risk of being affected by a US kill switch: Croatia, the Czech Republic, Denmark, Estonia, Finland, Germany, Hungary, Ireland, Latvia, Lithuania, Poland, Portugal, Romania, Slovakia, Slovenia and the United Kingdom.
Seven more countries are at medium risk because they have indirect exposure to US cloud infrastructure through European contractors that built their cloud system: Belgium, France, Greece, Italy, Luxembourg, Spain and the Netherlands.
Cori Crider, executive director of FOTI, said the US used this kill switch in 2025 when Microsoft blocked the accounts of ICC chief prosecutor Karim Khan after Trump imposed sanctions.
In another example, Maxar Technologies reportedly restricted Ukraine’s access to its satellite imagery after the US paused intelligence sharing, Ukrainian media reported.
“A kind of kill switch risk from the United States is no longer some sort of theoretical discussion … this is a genuine, imminent risk that Europe doesn’t have the luxury to ignore anymore,” Crider said.
The researchers could not find enough data for Bulgaria, Cyprus, Malta and Sweden to determine how vulnerable their military cloud systems are.
Microsoft, Google and Oracle given most defence contracts
For its study, FOTI evaluated procurement notices for government contracts that are worth over 143,000 and checked national defence sites for references to “cloud,” “Microsoft,” “Google,” “Amazon Web Services,” and “Oracle”.
Microsoft is the largest cloud provider for European defence agencies, with its systems being used by 19 countries, the study found. Google and Oracle also received defence contracts.
The highest-risk countries are relying directly on services from US cloud companies that might not be “air gapped,” which means the system is physically disconnected from the global cloud infrastructure.
These systems remain vulnerable because they “require regular updates and depend on maintenance from the US service provider,” which puts them in jeopardy if sanctions are imposed, the study said.
One Swedish estimate said that US cloud software could be used for up to 30 days after sanctions, after which the licenses will expire, according to Tobias Bacherle, researcher with FOTI.
In the medium-risk countries, the immediate contractor for their cloud system is a European company that uses a US provider, the report said.
For example, Dutch parliamentary readings note that US hyperscaler technology built their current cloud, but that their cloud is not run directly by these companies.
FOTI’s analysis is a “conservative estimate” of where the Big Tech cloud providers are working, researchers said, because it is hard to identify every contract that implicates US technology, and many of the contracts are classified.
Austria the only one independent of US hyperscalers
Austria is the only country to have begun a government-wide shift away from proprietary cloud providers, according to the study.
The defence ministry has supposedly moved away from Big Tech companies towards NextCloud, an open-source provider, and LibreOffice, a Microsoft alternative.
Last year, the country’s armed forces also reportedly moved 16,000 workstations off of Microsoft Office.
“Austria seems to be the only case that is quite independent or as independent as it gets right now,” Bacherle said.
While the Netherlands is currently considered medium risk, the researchers flagged it as a potential leader for Europe’s sovereign military cloud solutions.
That’s because the Ministry of Defence has recently partnered with the Dutch telecom company KPN and French contractor Thales to build a sovereign defence cloud without US providers.
What do the US hyperscalers have in Europe?
Cloud providers Amazon, Google, and Microsoft have introduced “sovereign” cloud options within Europe.
Amazon created the AWS European Sovereign Cloud to “help customers meet their evolving sovereignty needs,” which stores data in the EU, is independent and is compliant with the bloc’s regulations.
Similar sovereign options from Google and Microsoft say that data will be stored and supervised locally to remain compliant with local laws.
Crider called these efforts by tech companies “sovereign-washing” because in the event of sanctions, the companies will be unable to update their software.
“These days, they know we want tech sovereignty, so there’s some kind of sovereign cloud on offer from basically every dominant player,” she said.
Euronews Next contacted Google, Microsoft, Oracle and Amazon about their sovereign cloud systems but did not receive an immediate reply.
