Europe is increasingly talking about digital sovereignty, but a highly visible part of its public infrastructure still relies on U.S.-based providers. We’re not necessarily talking about where a server is physically hosted, but something just as relevant for security, procurement, and resilience: which provider appears in the first layer serving a company’s main website.
A CipherCue analysis of 19,450 business entities across seven European markets shows that providers headquartered in the United States serve a significant portion of their main corporate websites. In the UK and the Netherlands, they are the majority; in Italy, Spain, and France, they make up the largest group; and only in Germany and Poland is there a stronger domestic presence. Cloudflare emerges as the leading visible provider in all studied countries, ahead of any local, regional, or alternative U.S. providers.
This data should not be interpreted as proof that websites are physically hosted in the U.S. CipherCue emphasizes that this is not an IP geolocation study but an attribution of provider based on DNS A/AAAA records and autonomous system numbers. In the case of a CDN or reverse proxy like Cloudflare, it identifies who is serving the visible internet layer, not necessarily where the origin server is located.
Cloudflare dominates the visible first layer
The most striking figure in the report is Cloudflare’s presence. In all seven countries analyzed, the company is the internet-facing infrastructure provider with the largest share. In the UK, it appears in 31.6% of the websites studied; in the Netherlands, 36.8%; in Italy and France, 28.2%; in Spain, 23.1%; in Germany, 17.9%; and in Poland, 15.2%.
This has a technical explanation. Cloudflare offers DDoS mitigation, CDN, reverse proxy, perimeter security, DNS, and global edge presence at a scale hard for many European providers to match. CipherCue’s own analysis avoids oversimplification: it does not say that European companies should abandon U.S. providers tomorrow or that there are no technical reasons to use them. The point is different: many conversations about digital sovereignty are happening too late, once dependence is already embedded in the exposed public layer.
| Country | Entities Analyzed | US-Based Providers | Cloudflare | Amazon | Other US | Other/Regional |
|---|---|---|---|---|---|---|
| UK | 918 | 620 (67.5%) | 290 | 115 | 215 | 298 |
| Netherlands | 2,241 | 1,201 (53.6%) | 825 | 150 | 226 | 1,040 |
| Italy | 2,350 | 1,138 (48.4%) | 663 | 227 | 248 | 1,212 |
| Spain | 1,427 | 637 (44.6%) | 329 | 128 | 180 | 790 |
| France | 2,504 | 1,107 (44.2%) | 706 | 173 | 228 | 1,397 |
| Germany | 5,679 | 1,763 (31.0%) | 1,017 | 390 | 356 | 3,916 |
| Poland | 4,331 | 813 (18.8%) | 660 | 69 | 84 | 3,518 |
Spain holds a relatively high position. Out of 1,427 analyzed entities, 637 use U.S.-based providers in the observed layer, accounting for 44.6%. Cloudflare appears in 329 cases, Amazon in 128, and other U.S. providers in 180. It’s not an absolute majority, but it’s a dependency significant enough to be included in any serious tech risk inventory.
Sovereignty doesn’t only mean cloud region
For years, many companies have reduced digital sovereignty to a simple question: “What cloud region are my data in?” While the answer matters, it’s incomplete. The public exposure layer also counts. DNS, CDN, WAF, reverse proxy, load balancing, DDoS protection, certificates, logs, management dashboards, and control planes can introduce dependencies on providers, jurisdictions, and operational models that are not always visible in internal infrastructure maps.
CipherCue articulates this precisely: the geography of the physical package is only part of the problem. For procurement, regulation, and continuity, it also matters which provider is fronting the public website and the nature of the contractual, technical, and operational relationship the organization maintains with them.
The European Commission has prioritized technological sovereignty as a political goal. In June 2026, it presented a tech sovereignty package focused on semiconductors, AI, cloud, and open-source, with measures to strengthen digital autonomy and resilience. Among them, the upcoming Cloud and AI Development Act aims to support cloud and AI technologies, facilitate data center deployment, and establish a European framework to assess cloud and AI sovereignty.
This debate aligns with other ongoing regulations. DORA, in the financial sector, focuses on digital operational resilience, ICT risk management, critical external providers, and risks related to dependency on a limited number of providers. ENISA also reminds us that NIS2 broadens the scope to essential and important sectors, including digital infrastructure, cloud services, data centers, internet exchange points, and content delivery networks.
Germany and Poland present an alternative path
The report highlights two exceptions: Germany and Poland. Both markets have a more visible local hosting and infrastructure industry in the data. In Germany, names like Hetzner, IONOS, STRATO, and Mittwald appear; in Poland, Home.pl, NetArt, ATMAN, and Beyond. As a result, the share of U.S. providers drops to 31.0% in Germany and 18.8% in Poland.
This does not mean these countries do not use U.S. technology in other layers. The study itself does not measure email, identity, EDR, SIEM, SaaS, endpoints, or internal tools. But it suggests that a strong local base shifts the distribution in the public web layer.
For Europe, this difference is significant. Digital sovereignty is not achieved solely through regulation; it also requires competitive offerings, scale, support, reasonable pricing, geographic presence, technical excellence, and buyer trust. If local providers cannot match certain security, performance, or ease-of-adoption services, many companies will continue choosing big U.S. players, even if their political preferences are different.
Inventory as the first step
The CipherCue data should not provoke a defensive reaction like “we need to get rid of all things American.” That’s unrealistic and often technically counterproductive. The practical takeaway is simple: before discussing sovereignty, you need to know what you’re using.
Many organizations lack a complete inventory of who serves their website, what DNS they use, which CDN is in front, who manages certificates, what WAF filters traffic, where logs are stored, which providers can modify configurations, and what dependencies exist in case of incident or contractual conflict.
This inventory should answer specific questions:
| Layer | Minimum Question |
|---|---|
| DNS | Who resolves and manages critical domains? |
| CDN/WAF | Which provider sits in front of the website, and what traffic do they see? |
| Origin | Where is the server or application actually hosted? |
| Control plane | From which country and under what entity is the service managed? |
| Logs | Where are logs stored, and who can access them? |
| Support | What happens if the provider changes terms or suspends service? |
| Exit strategy | Is there a realistic migration or rollback plan? |
That last question is often the most uncomfortable. Dependence is not only about using a dominant provider; it appears when there is no prepared alternative, changing would take weeks under urgency, contracts are renewed with little margin, or the technical team has not tested an exit architecture.
Europe will not regain digital sovereignty solely by moving servers. It must build strong providers, purchase more selectively, demand portability, strengthen internal capabilities, and measure dependencies from the most visible to the deepest layers. CipherCue’s study helps by grounding the debate in something verifiable: who is currently fronting the main websites of thousands of European companies.
In many cases, the answer still points to a U.S. headquarters.
Frequently Asked Questions
Does the study say that European websites are physically hosted in the U.S.?
No. CipherCue measures provider attribution based on DNS and autonomous systems, not physical geolocation or origin servers.
Why does Cloudflare appear so much?
Because many companies use it as a CDN, proxy, DNS, WAF, or DDoS protection layer. This places it in front of the website even if the origin server is with another provider.
What stands out about Spain?
Of 1,427 analyzed Spanish entities, 637 use U.S.-based providers in the observed layer, which is 44.6%. Cloudflare appears in 329 cases.
Does this mean companies should stop using U.S. providers?
Not necessarily. The key is to understand dependence, assess risks, and have alternatives or exit plans when the layer becomes critical.
Why does this matter for European digital sovereignty?
Because sovereignty isn’t only about the cloud region. DNS, CDN, WAF, control plane, support, jurisdiction, concentration, and actual migration capacity all matter.

