Verify your stack →
field report · july 2026

We scanned 300 "European" SaaS tools. 70% depend on US infrastructure.

"Made in Europe" is becoming a buying criterion. We checked how deep it actually goes. Short version: the DNS records tell a different story than the marketing pages.

"Is your stack actually European?" now shows up in real procurement questionnaires. Sovereign-cloud spending is growing fast, the Data Act lands in September 2026, and buyers increasingly ask vendors to prove jurisdiction instead of taking their word for it.

We took 301 SaaS tools that market themselves as European (listed on the european-alternatives.eu directory) and mapped their public infrastructure the way a skeptical customer would: hosting, CDN, DNS and email. We classified each by the owner's jurisdiction, because a US company is exposed to the US CLOUD Act even when the server sits in Frankfurt. All numbers below come from public records anyone can re-check with dig.

72%
have at least one US-jurisdiction dependency
70%
route email or DNS through a US company
56%
run corporate email on Google or Microsoft

Where the US shows up

Broken down by component (share of the 210 vendors that actively advertise "European / GDPR / EU" on their homepage):

Email provider is US-owned (Google 80 · Microsoft 26)56%
DNS provider is US-owned (Cloudflare 66)54%
Served through a US CDN39%
Hosting ASN owned by a US company44%

The most common vendors behind "European" software: Cloudflare (129), Google (86), Amazon AWS (39), Microsoft (26). None of these names appear on the marketing pages. They only show up in the DNS records.

The categories where it matters most

Sorted by share of vendors carrying a US-jurisdiction dependency. E-signature, storage and identity score highest, which is uncomfortable, because those are the categories where jurisdiction matters most.

CategoryVendorsUS-dependent
Electronic signature8100%
Object storage7100%
Project management9100%
Uptime monitoring5100%
Survey tools1090%
Email marketing887%
Identity & access management785%
Marketing automation683%
Team communication977%

What this means (and what it doesn't)

Using Cloudflare or Google Workspace does not mean a vendor is lying about being European. Most of these are real EU companies. It means their stack carries US-jurisdiction exposure the buyer can't see: a German GmbH running on AWS is still reachable under the CLOUD Act.

The problem is that checking any of this requires reading NS, MX and CNAME records by hand, and no procurement team does that. So "we're European" keeps getting claimed, rarely verified, and, as the numbers above show, is often only half true.

Methodology

Purely external, public-signal analysis: apex A record → hosting ASN owner; NS records → DNS provider; MX records → email provider; response headers / CNAME → CDN. Jurisdiction is assigned by the provider's parent-company country, not the server location. Email and DNS figures are the most reliable (records are unambiguous); "hosting" can over-count vendors that sit behind a Cloudflare proxy, so we report components separately rather than as one score. This is a snapshot, not a live monitor.

Curious where your own stack stands?

We'll run the same scan on your domain and send you a plain report — free. See exactly what a sovereignty-conscious buyer would find.