A Brussels-based think tank has warned that the vast majority of European Union member states depend on American cloud services for their national defence operations, leaving them exposed to a potential US-imposed 'kill switch' that could cut off access at any time.
The Future of Technology Institute (FOTI) analysed procurement notices and defence websites across the continent, finding that 16 countries are at high risk because they rely directly on US hyperscalers such as Microsoft, Google, and Oracle for military cloud infrastructure. These nations include Croatia, the Czech Republic, Denmark, Estonia, Finland, Germany, Hungary, Ireland, Latvia, Lithuania, Poland, Portugal, Romania, Slovakia, Slovenia, and the United Kingdom.
Another seven countries—Belgium, France, Greece, Italy, Luxembourg, Spain, and the Netherlands—are classified as medium risk because their defence cloud systems are built by European contractors that in turn depend on US providers. The researchers could not obtain sufficient data for Bulgaria, Cyprus, Malta, and Sweden to assess their vulnerability.
How the 'kill switch' works
The risk stems from the US CLOUD Act, passed during Donald Trump's first term, which allows the US president to subpoena data stored on American cloud servers or impose sanctions on US tech companies. FOTI executive director Cori Crider pointed to a concrete precedent: in 2025, Microsoft blocked the accounts of the International Criminal Court's chief prosecutor, Karim Khan, after Trump imposed sanctions. Similarly, Maxar Technologies reportedly restricted Ukraine's access to satellite imagery following a US pause on intelligence sharing.
“A kind of kill switch risk from the United States is no longer some sort of theoretical discussion … this is a genuine, imminent risk that Europe doesn’t have the luxury to ignore anymore,” Crider said.
Microsoft emerged as the dominant provider, with its systems used by 19 European defence agencies. Google and Oracle also hold significant contracts. The highest-risk countries use systems that are not 'air gapped'—physically disconnected from the global cloud—and therefore require regular updates and maintenance from the US provider, making them vulnerable if sanctions are imposed. A Swedish estimate cited in the report suggests that US cloud software could function for up to 30 days after sanctions, after which licences expire.
Austria leads, Netherlands may follow
According to FOTI, Austria is the only European country to have begun a government-wide shift away from proprietary cloud providers. The defence ministry has moved to open-source alternatives such as NextCloud and LibreOffice, and last year the Austrian armed forces migrated 16,000 workstations off Microsoft Office. “Austria seems to be the only case that is quite independent or as independent as it gets right now,” said FOTI researcher Tobias Bacherle.
The Netherlands, currently classified as medium risk, is flagged as a potential leader for sovereign military cloud solutions. The Dutch Ministry of Defence has partnered with telecom company KPN and French contractor Thales to build a defence cloud without US providers.
Amazon, Google, and Microsoft have all introduced 'sovereign' cloud options within Europe, promising that data will be stored locally and comply with EU regulations. But Crider dismissed these as “sovereign-washing,” arguing that in the event of sanctions, the companies would be unable to update their software. “These days, they know we want tech sovereignty, so there’s some kind of sovereign cloud on offer from basically every dominant player,” she said.
The report's authors describe their analysis as a “conservative estimate,” noting that many defence contracts are classified and that the true extent of US cloud penetration is likely higher. The findings come as European leaders gather for crisis talks on defence and energy, and as Ukraine's drone innovation exposes Europe's slow defence adaptation. The vulnerability also echoes broader concerns about France moving its health data hub from Microsoft Azure to a domestic provider, highlighting a growing push for digital sovereignty across sectors.
