30 Years of Shortsightedness - The Cost of Digital Naivety

In early 2025, Microsoft suspended email services for Karim Khan, the chief prosecutor of the International Criminal Court, after a U.S. executive order targeted the ICC. The prosecutor of an international court, based in The Hague, found his communications cut off because his institution relied on an American company subject to American law.

Bart Groothuis, a Dutch member of the European Parliament and former head of cybersecurity at the Ministry of Defence, admitted he had done a "180-degree flip-flop" on his trust in U.S. technology. "The I.C.C. showed this can happen," he said. "It's not just fantasy."

It was never fantasy. It was the logical consequence of 30 years of European procurement decisions.

The numbers tell a stark story. The European cloud market reached €61 billion in 2024. American companies control 70% of it. European providers have watched their market share collapse from 29% in 2017 to just 15% today. That's €8.5 billion in annual revenue that has shifted from European to American hands in just seven years.

This article traces how Europe traded digital sovereignty for short-term savings, how warnings were ignored, and why the ICC incident was not an aberration but an inevitability. The pattern is consistent across Germany, France, and the Netherlands: choose the cheapest option, accept the dependency, ignore the strategic cost.

The question is no longer whether Europe is digitally colonized. The question is whether it will do anything about it.

The Cost of Convenience

30 Years of Shortsighted Procurement

The Cost of Digital Naivety

Europe’s procurement decisions have followed a predictable pattern over the past 30 years: seek the cheapest solution, accept the short-term benefits, and ignore the long-term consequences. This approach has been consistent across sectors and governments, with each decision contributing to a broader dependency on U.S. and Chinese tech providers.

The European Tech Coalition, a group of industry leaders, has issued a stark warning: “For 30 years, European governments and companies have made the shortsighted decision to procure technology from the U.S. and China for short-term cost savings.” This decision, they argue, has led to a “strategic dependence” that undermines Europe’s digital sovereignty.

Market Growth and the Rise of U.S. Tech

Between 2017 and 2024, the European cloud market grew sixfold. Yet despite this growth trajectory, the European share of the market has collapsed. This growth is not a sign of European strength but of its vulnerability. The market is substantially controlled by U.S. tech giants, with the majority of revenue flowing to American providers. The full financial picture is detailed in the Financial Impact Assessment below.

The Procurement Pattern

Europe’s procurement decisions have followed a clear, predictable trajectory:

• 1990s: Microsoft dominated government desktops, offering cost-effective licensing in exchange for long-term lock-in.
• 2000s: Google Search became the default for public services, further embedding U.S. tech into the European digital infrastructure.
• 2010s: AWS won government cloud contracts, cementing the U.S. presence in public sector IT.
• 2020s: Microsoft 365 became the default suite for public institutions, further entrenching dependency.

Each of these decisions offered 10-20% cost savings, but collectively, they have led to a strategic dependence that is difficult to reverse. The cumulative effect of these choices is not just financial. It's political, social, and cultural.

The Budget Cycle Trap

The annual budget cycles in Europe often prioritize short-term savings, leading to long-term strategic dependencies. Budgets are driven by CFO priorities rather than CIO concerns, focusing on immediate cost reductions without accounting for the long-term implications of strategic decisions. Political cycles incentivize quick wins, while long-term planning is often sidelined in favor of quarterly results.

This creates a "budget cycle trap," where the true cost of procurement decisions is never fully considered. The total cost of ownership (including switching costs, data sovereignty risks, and the potential for foreign government access) is often ignored in favor of the immediate purchase price.

Case Studies of Shortsighted Decisions

Germany: The LiMux Saga

Munich's LiMux project, launched in 2004, became the poster child for European digital sovereignty before turning into its cautionary tale. By 2012, the city had successfully migrated 12,600 of its 15,500 desktops to Linux, saving €11.7 million compared to Microsoft licensing costs.

Then politics intervened. In 2017, Munich City Council voted to reverse course and return to Microsoft Windows. The stated reason? Compatibility issues. Project leader Karl-Heinz Schneider disagreed: "We do not see any compelling technical reasons for a change to Windows and Microsoft Office." The unstated reason, according to Schneider: Microsoft was negotiating to move its European headquarters to Munich. Initial cost estimates for the return to Windows were €49.3 million, but actual costs ballooned to approximately €100 million.

Despite this expensive lesson, Germany continues to deepen its dependency. In 2024, the German government reportedly committed $3 billion to Oracle Cloud Infrastructure. However, some German states are now reversing course again: Schleswig-Holstein announced in April 2024 that it would migrate 30,000 government workers from Windows to Linux.

State officials explained their reasoning bluntly: "We have no influence on the operating processes of such solutions and the handling of data. As a state, we have a great responsibility towards our citizens." They drew a direct parallel to recent crises: "The war in Ukraine revealed our energy dependencies, and now we see there are also digital dependencies."

France: Sovereign Cloud Failures

France has repeatedly attempted to build sovereign cloud alternatives, and repeatedly failed. In 2012, the French government invested a combined $200 million into two cloud consortia called Numergy and Cloudwatt. Both failed. On 31 January 2020, Orange closed Cloudwatt entirely, making it "a symbol of the failure to create a hosting service for sensitive data in France."

OVHcloud, Europe's largest cloud provider, continues to struggle against U.S. hyperscalers despite being a founding member of the Gaia-X initiative. Launched in 2019 with 22 member companies including Atos, Bosch, Orange, and Safran, Gaia-X was championed by German minister Peter Altmaier and French minister Bruno Le Maire as Europe's answer to AWS, Azure, and Alibaba.

Five years later, critics say the initiative has been "diluted" and "sabotaged from within by the hyperscalers themselves." Others blame excessive bureaucracy. The result: despite years of sovereignty rhetoric, European governments continue spending billions with U.S. providers while European alternatives remain underfunded.

Netherlands: From Privacy Warnings to Wake-Up Call

The Netherlands has conducted some of Europe's most rigorous privacy assessments of U.S. tech, and then largely ignored its own findings. In 2018, the Dutch Ministry of Justice and Security commissioned a Data Protection Impact Assessment (DPIA) on Microsoft services used by 300,000 government employees.

The findings were alarming: "high risk related to unencrypted streaming and stored special categories of data" and "a high data protection risk related to the possible access by US law enforcement and secret services to very sensitive and special categories of personal data." The Dutch government's response? Continue using Microsoft while requesting mitigations.

Then came the ICC incident described in the opening of this article. What had been a theoretical risk became a concrete reality. Dutch lawmakers responded by petitioning the government to use 30 percent Dutch or European cloud services by 2029. The question now: will this crisis finally translate into changed procurement practices, or will it become another ignored warning?

The Total Cost Accounting Failure

One of the most significant failures in European procurement has been the lack of proper cost accounting. The purchase price is often the only metric considered, while total cost of ownership (including switching costs, data sovereignty, and strategic autonomy) is overlooked.

The cost of data sovereignty, for instance, is not priced into procurement decisions. Strategic autonomy is treated as a free commodity, while the risk of U.S. government orders is not factored into the decision-making process. This has led to a situation where European institutions are not just spending money, they are spending their own sovereignty.

Financial Impact Assessment

The financial toll of Europe's procurement decisions is staggering. The numbers below tell the story of a continent that has systematically transferred its digital economy to foreign hands.

The Market at a Glance

Who Controls the Market

The three US hyperscalers (Amazon, Microsoft, and Google) control 70% of the European cloud infrastructure market. European providers have watched their share collapse from 29% in 2017 to just 15% today, where it has flatlined since 2022.

The leading European providers tell the story of this imbalance:

• SAP (German): 2% market share
• Deutsche Telekom (German): 2% market share
• OVHcloud (French), Telecom Italia, Orange (French): smaller shares

If European providers had maintained their 2017 market share of 29%, they would control roughly €17.7 billion of today's €61 billion market instead of €9.2 billion. That's €8.5 billion in annual revenue that has shifted to US providers in just seven years.

The Services Layer: Dependency Runs Deeper

The dependency extends far beyond infrastructure. The European cloud professional services market, currently valued at €6.5 billion, is projected to reach €21.4 billion by 2032, growing at 16% annually. This market covers consulting, implementation, migration, and managed services. The companies dominating this layer are almost exclusively American.

The key players controlling European cloud services include Accenture (US), IBM (US), Deloitte (US), Microsoft (US), AWS (US), Google Cloud (US), and Oracle (US). The only major European players are Capgemini and Atos, both French. Even Germany and the UK, the largest cloud markets in Europe, rely primarily on American consultancies to implement American infrastructure.

This means European organizations are not just renting American servers. They are paying American consultants to help them do it. Every euro spent on U.S. cloud infrastructure generates additional spending on implementation, migration, and management, nearly all of which flows back to the same US-dominated ecosystem.

The Acceleration Problem

The 16% annual growth rate in professional services means this dependency is accelerating, not stabilizing. Western Europe (Germany, France, UK) represents approximately 60% of this market. These are precisely the economies that should be building sovereign alternatives. Instead, they are deepening their reliance on foreign providers at an increasing rate.

This is not just lost revenue. It is capital that could have funded European innovation, European jobs, and European strategic autonomy. Instead, it funds Silicon Valley.

The Warnings Europe Ignored

Europe has long been aware of the surveillance capabilities of U.S. tech companies. The Snowden revelations in 2013 exposed how U.S. intelligence agencies had access to data from major tech platforms, including Microsoft, Google, and Facebook through the PRISM program. Despite this, Europe continued to rely on these companies, often without adequate safeguards or oversight.

The Schrems II case in 2020 further exposed the limitations of European data protection laws. The European Court of Justice invalidated the EU–U.S. Privacy Shield, citing concerns about U.S. surveillance practices. Yet, even after this ruling, procurement decisions continued to favor U.S. providers, with little change in approach. We examine the full legal implications in [[Why Europe Can't Trust US Tech The Legal Framework of Surveillance|Part 3: Why Europe Can't Trust US Tech]].

The CLOUD Act and European Data Sovereignty

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act), passed by the U.S. Congress in 2018, allows U.S. law enforcement agencies to access data held by U.S. companies, even if that data is stored in foreign countries. This law has direct implications for European data sovereignty, with concrete impacts on European institutions:

• Healthcare Data: European hospitals using Microsoft 365 or AWS for patient records could be compelled to provide data to U.S. authorities, potentially violating GDPR and patient confidentiality protections.
• Government Communications: Sensitive government communications stored on U.S. cloud platforms remain accessible to U.S. intelligence agencies, as demonstrated by concerns around the ICC prosecutor case.
• Financial Services: European banks and financial institutions using U.S. cloud infrastructure face the risk of their customer data being accessed without European judicial oversight.
• Research Data: Academic and scientific research data, including potentially sensitive information about European citizens, could be subject to U.S. government requests.

In January 2024, Microsoft announced an EU Data Boundary, which was presented as a solution to these concerns. However, the boundary is not a true safeguard. It is a legal construct that does not prevent access to data by U.S. agencies under the CLOUD Act. The boundary primarily addresses data residency (where data is physically stored) but cannot override U.S. legal jurisdiction over U.S. companies.

The Trust Deficit

Europe's trust in U.S. tech companies has eroded over time, but not enough to change procurement practices. The repeated failures to protect European data, combined with the lack of accountability, have created a trust deficit that is difficult to repair. This deficit is not just about data. It's about sovereignty, control, and the future of Europe's digital infrastructure.

The Strategic Reckoning

Europe's procurement decisions have led to a form of competitive suicide. By choosing the cheapest solutions, European institutions have inadvertently strengthened the position of U.S. tech giants. This has created a cycle where European companies are left behind, unable to compete with the scale and resources of their U.S. counterparts.

The result is a digital landscape where European institutions are not just dependent; they are vulnerable. The strategic dependencies are not just financial; they are existential. Without control over their own data, their own infrastructure, and their own digital future, Europe risks losing its place in the global digital economy.

The 2024 State of the Digital Decade Report from the European Commission has acknowledged the growing threat of strategic dependencies. "The EU remains dependent on external providers for AI and cloud services, often used in public services, as well as the production of semiconductors and quantum infrastructure components," the report states. This dependency is not just a risk. It is a vulnerability. For a deeper analysis of the semiconductor dimension, see [[Taiwan's Silicon Shield - The Semiconductor Strategy for Survival|Part 13: Taiwan's Silicon Shield]].

Initiatives exist. Gaia-X, launched in 2019, was supposed to be Europe's answer. But five years later, critics say it has been "diluted" and even "sabotaged from within by the hyperscalers themselves." The gap between strategic vision and tactical execution remains Europe's critical failure. The concepts exist. The procurement decisions do not follow.

For a vision of what Europe could build, see The Third Way - Building European Tech Independence|Part 15: The Third Way later in this series.

Bart Groothuis, the Dutch MEP who admitted to his "180-degree flip-flop," is now pushing for European governments to use 30% European cloud services by 2029. Dutch lawmakers have petitioned their government to make it happen.

But here is the pattern that should concern every European: The Snowden revelations came in 2013. Europe kept buying. The Schrems II ruling came in 2020. Europe kept buying. The CLOUD Act passed in 2018. Europe kept buying. Now the ICC prosecutor's email has been suspended, and European leaders are once again expressing shock and promising change.

The €61 billion European cloud market grows larger every year. American providers take 70% of it. Each percentage point is worth €600 million annually. And every euro that flows to U.S. providers is a euro that does not fund European alternatives, European jobs, or European strategic autonomy.

Karim Khan's suspended email was not an anomaly. It was a preview. The CLOUD Act means any European institution using American cloud services operates at the pleasure of American law. The only question is who will be next.

Understanding the problem is the first step. In the next article, we examine how Silicon Valley built the surveillance infrastructure that makes European data so vulnerable, and why the relationship between Big Tech and U.S. intelligence agencies runs far deeper than most Europeans realize.