What Recent Cyber Incidents Reveal About Europe’s Software Dependencies

Within this blog post, we summarize some of the key findings of the European Software and Cyber Dependencies study report, requested by the European Parliament's Committee on Industry, Research and Energy (ITRE). The report, published in December 2025, provides insights on the dependency of Europe's digital ecosystem on non-EU software and hardware providers. Some of the key findings of the study report are as follows:

Europe’s digital ecosystem remains heavily dependent on non-EU software and cloud providers.

US firms dominate almost every layer of Europe’s digital stack, exposing Europe to strategic vulnerabilities.

Despite the EU’s ambitions to foster a competitive, resilient, and sovereign digital ecosystem, Europe remains largely and increasingly an importer of digital technologies.

Roughly four-fifths of EU cloud and software spending goes to non-European providers.

The associated economic outflows, jurisdictional exposure, and innovation gaps pose long-term risks to the EU’s technological autonomy, particularly as digital interdependence becomes weaponised in the current geopolitical climate .

Software dependencies and strategic vulnerabilities.

Dependency on software technologies and ecosystems is a situation in which organisations, sectors, or regions rely on specific software products, platforms, or vendors to an extent that they become essential for operational continuity, security, or innovation.

Such dependencies become strategic when their disruption could significantly impact economic stability, national security, or societal well-being.

Non-EU companies control most of the critical layers of the European digital stack.

US firms hold the intellectual property “choke points” for operating systems, cloud platforms, chip architectures, and machine learning frameworks.

Across business-to-consumer, business-to-business, and public-sector markets, US vendors dominate, while European and open-source products occupy niche positions.

These dependencies are reinforced by vendor lock-in, long-term contracts, proprietary formats, and network effects that limit switching and suppress market entry for European innovators.

Cybersecurity and critical infrastructure.

A case study of the EU’s energy infrastructure illustrates how digitalisation creates critical cyber dependencies.

Industrial control, grid management, and market-trading software increasingly rely on non-EU vendors and cloud platforms.

The energy sector relies on industrial control and process management systems, grid and energy management systems, customer and retail systems, and trading and market platforms.

Cybersecurity software solutions in the energy sector include network and perimeter security, endpoint and device security, identity and access management, monitoring and incident response, and data protection and recovery.

Most cybersecurity tools used in Europe — firewalls, identity management systems, SIEM/XDR platforms — come from US and Israeli vendors, while EU firms specialise mainly in services.

Supply-chain and jurisdictional exposure.

Europe’s dependence extends across the supply chain — from chips and hardware to developer tools and standards.

Most EU software developers rely on US-controlled cloud platforms for hosting, storage, and AI workloads, meaning even EU-native applications are deployed on non-EU infrastructure.

Few organisations have a complete map of their software dependencies.

Only 53% of professionals in critical infrastructure are confident that their organisation has full visibility of the cybersecurity vulnerabilities exposed by their supply chain.

Because most cloud providers are headquartered outside the EU, data stored in European data centres can still be accessed under foreign laws such as the US CLOUD Act and FISA.

Data localisation alone does not resolve exposure: under the US CLOUD Act, data stored in Europe by US companies remains subject to US jurisdiction.

Instances such as Microsoft’s suspension of services to sanctioned users demonstrate how political decisions abroad can directly disrupt European operations.

Risks and Policy Responses.

Europe’s software and cyber dependencies are becoming a structural strategic liability.

These dependencies entail major macro-economic costs, erode Europe’s long-term economic performance, and diminish Europe’s leverage in trade and security negotiations.

The report outlines policy options to strengthen Europe’s technological autonomy and resilience, including sovereign cloud and AI, open source and European digital commons, industrial alliances and public-private partnerships, and regulatory frameworks and procurement levers.

Reducing dependency will mean creating interoperable, trustworthy, and open infrastructures that anchor Europe’s autonomy within an interconnected world.

The transition will be costly and gradual, but without decisive action, Europe risks becoming a “digital colony” — dependent on others’ platforms, standards, and priorities for decades to come.