We scanned 300 "European" SaaS tools. 70% depend on US infrastructure.
"Made in Europe" is becoming a buying criterion. We checked how deep it actually goes. Short version: the DNS records tell a different story than the marketing pages.
"Is your stack actually European?" now shows up in real procurement questionnaires. Sovereign-cloud spending is growing fast, the Data Act lands in September 2026, and buyers increasingly ask vendors to prove jurisdiction instead of taking their word for it.
We took 301 SaaS tools that market themselves as European (listed on the european-alternatives.eu directory) and mapped their public infrastructure the way a skeptical customer would: hosting, CDN, DNS and email. We classified each by the owner's jurisdiction, because a US company is exposed to the US CLOUD Act even when the server sits in Frankfurt. All numbers below come from public records anyone can re-check with dig.
Where the US shows up
Broken down by component (share of the 210 vendors that actively advertise "European / GDPR / EU" on their homepage):
The most common vendors behind "European" software: Cloudflare (129), Google (86), Amazon AWS (39), Microsoft (26). None of these names appear on the marketing pages. They only show up in the DNS records.
The categories where it matters most
Sorted by share of vendors carrying a US-jurisdiction dependency. E-signature, storage and identity score highest, which is uncomfortable, because those are the categories where jurisdiction matters most.
| Category | Vendors | US-dependent |
|---|---|---|
| Electronic signature | 8 | 100% |
| Object storage | 7 | 100% |
| Project management | 9 | 100% |
| Uptime monitoring | 5 | 100% |
| Survey tools | 10 | 90% |
| Email marketing | 8 | 87% |
| Identity & access management | 7 | 85% |
| Marketing automation | 6 | 83% |
| Team communication | 9 | 77% |
What this means (and what it doesn't)
Using Cloudflare or Google Workspace does not mean a vendor is lying about being European. Most of these are real EU companies. It means their stack carries US-jurisdiction exposure the buyer can't see: a German GmbH running on AWS is still reachable under the CLOUD Act.
The problem is that checking any of this requires reading NS, MX and CNAME records by hand, and no procurement team does that. So "we're European" keeps being claimed, is rarely verified, and, as the numbers above show, is often only half true.
Methodology
Purely external, public-signal analysis: apex A record → hosting ASN owner; NS records → DNS provider; MX records → email provider; response headers / CNAME → CDN. Jurisdiction is assigned by the provider's parent-company country, not the server location. Email and DNS figures are the most reliable (records are unambiguous); "hosting" can over-count vendors that sit behind a Cloudflare proxy, so we report components separately rather than as one score. This is a snapshot, not a live monitor.
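The DNS, email and CDN steps of this methodology, sketched as an added example (not the scanner used for this article): it maps record targets to a provider and that provider's parent-company country, and reports each component separately. The provider table is a small illustrative subset, the sample records are constructed for a hypothetical vendor, and the apex A record to ASN step is left out because it needs a live lookup.

```python
# Added example. PROVIDERS is a small illustrative subset (an assumption),
# not the table behind the figures in this article.
PROVIDERS = {
    "ns.cloudflare.com": ("Cloudflare", "US"),
    "cdn.cloudflare.net": ("Cloudflare", "US"),
    "google.com": ("Google", "US"),
    "outlook.com": ("Microsoft", "US"),
    "amazonaws.com": ("Amazon AWS", "US"),
    "cloudfront.net": ("Amazon AWS", "US"),
    "hetzner.com": ("Hetzner", "DE"),
    "hetzner.de": ("Hetzner", "DE"),
    "ovh.net": ("OVH", "FR"),
}
UNKNOWN = ("unknown", "??")

# Constructed sample records for a hypothetical vendor (dig-style rdata).
SAMPLE = {
    "NS": ["hydrogen.ns.hetzner.com.", "helium.ns.hetzner.de."],
    "MX": ["1 aspmx.l.google.com.", "5 alt1.aspmx.l.google.com."],
    "CNAME": ["vendor.example.cdn.cloudflare.net."],
}

def owner(rdata):
    """Map one record target to (provider, parent-company country)."""
    parts = rdata.split()
    if not parts:
        return UNKNOWN
    host = parts[-1].rstrip(".").lower()  # drop MX priority and root dot
    for suffix, info in PROVIDERS.items():
        # Match on a label boundary so "notgoogle.com" is not Google.
        if host == suffix or host.endswith("." + suffix):
            return info
    return UNKNOWN

def classify(records):
    """Report each component separately, as the methodology does."""
    report = {}
    for rtype, name in (("NS", "dns"), ("MX", "email"), ("CNAME", "cdn")):
        owners = {owner(r) for r in records.get(rtype, [])}
        report[name] = {
            "providers": sorted(p for p, _ in owners),
            "us_exposed": any(c == "US" for _, c in owners),
            "unresolved": UNKNOWN in owners,
        }
    return report

if __name__ == "__main__":
    for component, result in classify(SAMPLE).items():
        print(component, result)
```

The "unresolved" flag marks targets the table does not cover, so an unmatched provider is reported as unknown instead of being counted as European.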
Curious where your own stack stands?
We'll run the same scan on your domain and send you a plain report — free. See exactly what a sovereignty-conscious buyer would find.