A new analysis from the Brussels-based Future of Technology Institute (FOTI) has revealed a startling and widespread vulnerability within European national defense. The study concludes that the vast majority of European militaries are critically dependent on cloud infrastructure provided by American technology giants—Microsoft, Amazon Web Services, Google, and Oracle. This reliance creates a strategic risk often termed a “kill switch,” where the United States government could, through legal subpoena or economic sanctions, compel these providers to cut off access to vital data and services. The legal mechanism enabling this is the U.S. CLOUD Act, which grants American authorities the power to demand data stored by U.S. companies, regardless of its physical location. This means that even data housed in European data centers is not beyond the reach of Washington, placing the operational continuity of allied militaries in a precarious position.
The FOTI report categorizes European nations based on their level of exposure. It identifies 16 countries at high risk, including major powers like Germany and the United Kingdom, as well as many Eastern European nations such as Poland and the Baltic states. These countries’ defense agencies directly utilize cloud services from U.S. providers. Even systems that are supposedly “air-gapped” or isolated are not fully secure, as they typically require regular updates and maintenance from the American provider, a lifeline that could be severed. A further seven nations, including France, Italy, and Spain, are deemed at medium risk. Their immediate defense cloud contractor may be a European company, but that firm’s infrastructure is itself built upon the technology of U.S. “hyperscalers,” creating an indirect but still potent vulnerability.
This threat is not merely theoretical. The report’s authors point to concrete precedents. They cite the 2025 incident where Microsoft, complying with U.S. sanctions, blocked the accounts of International Criminal Court prosecutors. Another example involves Maxar Technologies reportedly restricting Ukraine’s access to satellite imagery following a U.S. pause in intelligence sharing. As FOTI’s executive director, Cori Crider, starkly warned, “A kind of kill switch risk from the United States is no longer some sort of theoretical discussion… this is a genuine, imminent risk that Europe doesn’t have the luxury to ignore anymore.” The dependency is profound; the study found Microsoft systems in use by 19 European defense agencies, making it the predominant provider.
Amidst this landscape of dependency, one nation stands out as a notable exception: Austria. According to the study, Austria has embarked on a deliberate, government-wide shift away from proprietary U.S. cloud providers. Its defense ministry has reportedly migrated thousands of workstations from Microsoft Office to open-source alternatives like LibreOffice and adopted open-source cloud provider NextCloud. This strategic move towards technological sovereignty makes Austria uniquely insulated among European states. Meanwhile, the Netherlands, currently classified as medium risk, is flagged as a potential future leader. Its Ministry of Defence has partnered with Dutch telecom KPN and French contractor Thales to build a sovereign defense cloud explicitly designed to operate without U.S. providers, signaling a growing awareness of the strategic imperative.
In response to growing European concerns over data sovereignty, the major U.S. cloud providers have begun offering “sovereign cloud” solutions. These services, such as the AWS European Sovereign Cloud, promise to store data exclusively within the EU, operated by local personnel, and designed to comply with European regulations. Google and Microsoft have launched similar initiatives. However, FOTI researchers and critics like Crider dismiss these offerings as “sovereign-washing.” They argue that the core problem remains unchanged: the underlying software and intellectual property are still American. In the event of U.S. sanctions, these companies would be legally prohibited from providing updates, security patches, or technical support, rendering even a locally-hosted “sovereign” cloud effectively inoperable over time—a Swedish estimate suggested a grace period of just 30 days after sanctions before licenses would expire.
The FOTI analysis presents European policymakers with a clear and urgent dilemma. The efficiency, scalability, and advanced capabilities offered by American cloud technology are undeniable, but they come with an embedded strategic vulnerability. The report serves as a stark wake-up call, highlighting that true military and technological sovereignty cannot be leased from a foreign power, no matter how allied. The path forward, as exemplified by Austria’s embrace of open-source and the Netherlands’ bespoke partnerships, requires significant investment, political will, and a concerted pan-European effort to develop independent, interoperable capabilities. The question is no longer if such a risk exists, but whether Europe will act decisively to secure its own digital foundations before a moment of crisis forces the issue.
