A few things that didn’t fit in the post: The hardest part wasn’t finding EU tools. It was going through the sub-processor lists. Plenty of vendors publish a nice “hosted in the EU” page, then quietly list a US analytics, support, or infrastructure provider in the DPA annex. That’s why I treat the sub-processor list as more telling than the hosting claim itself.

So a question for you: which category do you most wish had a genuinely clean option? And which tool are you still stuck using? That’s exactly the gap I want to fill next.

Switched a few tools myself this year and the annoying part was never deciding to - it was checking each option actually held up. Hosting region is the easy bit; the sub-processor list is where the US services tend to hide. Took way longer than it should. The intent in these surveys is real, the tooling to act on it just isn’t there yet.

Russian neo-nazi divisions that took part or currently actively taking part in Russian offensive campaign:

• Task Force Rusich / DShRG Rusich — https://home.treasury.gov/news/press-releases/jy0954
• Russian Imperial Movement / Russian Imperial Legion — https://ctc.westpoint.edu/the-russian-imperial-movement-in-the-ukraine-wars-2014-2023/
• Russian Imperial Movement — U.S. sanctions page — https://home.treasury.gov/news/press-releases/jy0817
• Espanola / Española Brigade — https://jamestown.org/mikhail-pitbull-turkanov-the-rise-of-russian-soccer-hooligan-unit-espanola-in-ukraine/
• Rusich, Varyag, Svarozhich — overview of Russian neo-Nazis fighting in Ukraine — https://www.rferl.org/a/russian-neo-nazis-fighting-ukraine/31871760.html
• Varyag / Svarozhich / Rusich — overview of Russian separatist forces — https://en.wikipedia.org/wiki/Russian_separatist_forces_in_Ukraine

Then there is **Dmitry Rogozin **is a Russian politician, former head of Roscosmos, and former leader of the ultra-nationalist Rodina party; it is more accurate to describe him as an ultra-nationalist figure with racist and xenophobic rhetoric than as a proven neo-Nazi. Reuters reported on his participation in an ultra-nationalist rally where Nazi-style salutes were made: https://www.reuters.com/article/economy/russian-ultra-nationalists-rally-as-police-watch-idUSL28511451/

And there are many more cases of attacks and harassment by Russian citizens against Yakuts and other ethnic minorities who are also citizens of the Russian Federation.

Russia is not fighting Nazism - it is exporting it, funding it, tolerating it in its own armed formations, and using it as propaganda against others.

Meanwhile the “not enemy of Britain” threatens with nuclear strike on their official television (pure friendly) https://www.businessinsider.com/russian-propagandist-threatens-uk-ireland-with-nuclear-strike-2022-5

The “build, not buy” point is right, but only for core mission software: the systems an agency’s actual purpose depends on. If that capability is bought from a foreign vendor, the agency is effectively renting its own muscle.

For everything else, building in-house is not sovereignty. It is usually waste. Agencies should not be writing their own analytics tools, email servers, or generic back-office software just to feel independent.

That layer should be bought, but bought carefully: European or open-source where possible, with open formats, export rights, and the ability to fork or self-host if the vendor changes direction.

So it is not one rule. It is two layers: build the software that is your core capability, and procure the rest in a way that avoids lock-in. Both are part of keeping capability in Europe.

The four-tier procurement model is the most concrete part here, but probably also the hardest to implement well, because “European provider” is not a simple yes/no category.

From reviewing around 180 EU and privacy-focused tools, I saw the same pattern repeatedly: a vendor can be EU-headquartered but US-funded, EU-owned but hosted on AWS or GCP, or open source but still using US sub-processors. Any of these can bring back the same “kill switch” or CLOUD Act exposure the top tier is meant to avoid.

So the model depends heavily on the definition of “sovereign.” If it only means “EU-registered company,” many providers in the top tier may still have US ownership, funding, or infrastructure underneath.

If it means ownership, hosting, and sub-processors all need to check out, then the real pool of qualifying providers is much smaller than it looks. But it’s totally possible to build using complete sovereign providers, it’s just in some cases the quality is a bit behind. I’m curious where the final criteria will land.

The tricky part is that “reducing reliance on non-EU providers” is often not visible from the outside.

A tool may be headquartered in the EU but predominantly funded from the US, or hosted in the EU but owned by a US parent company. In such cases, it may still fall within the reach of the US CLOUD Act.

When I reviewed around 180 “European” SaaS alternatives, roughly one in six turned out to be EU-headquartered but mostly US-funded. That means sovereignty needs to be assessed at the ownership and sub-processor level, not only by looking at where the service is hosted.