So we’re using Microsoft at the Belgian government? So what, that’s not a bad thing, is it? I mean, it does a great job and everybody uses it. Right? After all, it’s the safe option. “Nobody ever got fired for choosing IBM Microsoft.

“Hey US, I thought we were friends?” This question isn’t rhetorical anymore. As tariff threats escalate, wars redraw geopolitical alliances, and digital infrastructure becomes the backbone of every critical service, Europe faces an uncomfortable truth: we’ve outsourced control of our digital future to a handful of American corporations.

The US spying on us through Google, Microsoft and other major American tech companies, isn’t a new story. When Edward Snowden revealed in 2013 that the NSA’s PRISM program was tapping directly into the servers of Facebook, Google, Microsoft, and Yahoo, collecting vast amounts of data on non-US citizens, European leaders expressed outrage. The European Parliament launched inquiries. But structurally, little changed. More than a decade later, the dependency has only deepened. Europe now pays US tech giants €264 billion annually for cloud and software services, equivalent to 1.5% of EU GDP. Eighty-three percent of European enterprise cloud spending flows to American providers, sustaining 1.95 million US jobs while European alternatives struggle. And Belgium is at the forefront. Even today. News just broke that the Belgian Army will go full monty Microsoft, and half a year ago, the whole Flemish government also not only renewed their contract, but also deepened the ties.

The question is no longer whether this dependency exists, but whether we can function independently when the geopolitical winds shift. Or are we heading at our next too-big-to-fail situation?

The sovereignty gap nobody talks about

Digital sovereignty sounds abstract, something for policy nerds and regulators to debate in Brussels conference rooms. But strip away the jargon, and it’s simple: the capacity to decide, independently, how a society manages and governs its digital infrastructure, data, and intelligence. It’s about control, resilience, and the ability to operate according to local laws and values when external actors have other priorities.

Right now, Europe lacks that capacity. The GAFAM giants (Google (Alphabet), Apple, Facebook (Meta), Amazon, and Microsoft) control over 60% of the global cloud market. In Europe, the concentration is even starker: Amazon, Microsoft, and Google dominate 70% of the cloud infrastructure market. Microsoft alone holds between 73% and 92% market share in EU public sector productivity software, depending on the category. An estimated 90% of Western data passes through US-controlled servers.

This market dominance has grown into a structural dependency. When the US CLOUD Act (passed in 2018) grants American authorities the legal power to access data stored by US companies anywhere in the world, regardless of local privacy laws, European sovereignty becomes a legal fiction. When Microsoft admits to the French Senate that it cannot guarantee French citizen data won’t be transmitted to US authorities without French authorization, the illusion shatters.

The European Union has tried to respond. The Digital Markets Act designated six companies (Alphabet, Amazon, Apple, Bytedance, Meta, and Microsoft) as “gatekeepers” requiring special oversight. But regulation without alternatives is just theater. Most European organizations, public and private, operate at what the EU Cloud Sovereignty Framework calls SEAL-0 or SEAL-1: completely dependent on third-party providers with no contractual guarantees of data location, processing sovereignty, or immunity from foreign jurisdiction.

Down the DNS rabbit hole

If you’re really not into the techy details, but just want the juicy details? The DNS records show us who handles incoming mail, and gives a strong indication of who handles outgoing mail for a webdomain. Based on this info, we can figure out if the domain is using MSO365, the Google ecosystem or something else.

So I started wondering… is there any public data out there that can help me figure out the extent of this reality? And I landed on the DNS records, the public record of the internet. A lot of us already know the DNS as the phonebook of the internet - telling users what IP-address a domain name should lead to. But the DNS contains a lot more than only that. It also tells your mail client who accepts the mail for a certain domain.

If you’re a bit nerdy, you could use this command (and you’ll get that response):

$ dig MX  +short vilvoorde.be
0 vilvoorde-be.mail.protection.outlook.com.

So this clearly tells us that all mail going to somebody@vilvoorde.be will be handled by outlook.com (thus: Microsoft). If you not that technical, you can also visit a website like dnschecker.org and see the same result. Now, this rabbit hole is way deeper, but for now, that’s enough.

With this knowledge, I started investigating how Belgian munipipalities handled their mail, by just checking every official domain name for the 285 municipalities in Belgium. The results were mildly shocking, but lower than I expected actually. For example, according to that map, Leuven was using its own MX records (<mx.leuven.be>). But reality taught us that this municipality is using Microsoft infrastructure for their operations (including mail). So we would have to dig into that…

I expanded my search and tried to create a map for all European municipalities and noticed how certain countries had very low numbers with regards to foreign (non-EU) dependency. Germany for example only showed roughly 66% of municipalities had domestic MX-records, and in Poland it was even 90%. Again… when talking to local people, it seemed that regularly people had Outlook and MSO365 in places that didn’t show up on the map. So… what’s going on here?

And… what was the problem? Apparently there are two possible situations where the usage that our solution doesn’t map:

1. (less common) The domain holder has an on premise server and is running Exchange or different non-sovereign mail server software on this.
2. (quite common) A mail proxy is being used that is placed in front of the actual mail server. This is typically done for security or to intercept spam or malware before it enters the network.

So now we’d like to figure out who is sending mails for a given domain, as that’s at least equally important. While this isn’t directly visible in the DNS records, we can take advantage of good practices for mail deliverability and take another dive in the DNS records, but this time in the TXT-records. This basically is the trash-can of the DNS record. Here, we find the Sender Policy Framework (SPF) record. This line in the DNS tells us who is allowed to send mail in name of a certain domain.

You can again use something like dnschecker.org or again use a terminal command:

$ dig TXT  +short leuven.be | grep v=spf
"v=spf1 ip4:52.148.198.154 ip4:195.234.45.71/32 ip4:31.193.181.122/32 ip4:193.190.220.214/32 ip4:193.191.179.0/27 ip4:193.190.220.192/27 ip4:93.94.106.167 ip4:213.224.57.64/29 ip4:109.68.162." "57/32 ip4:193.191.179.11/32 ip4:167.89.72.195/32 include:spf.protection.outlook.com include:spf.wearehostingyou.com include:prezlymail.com include:spf.mandrillapp.com include:carerix.net  include:spf.icontroller.eu include:spf.ciport.be -all"

As you can see in the above example: there can be multiple sending services authorized. In the above example, we see a bunch of domains and IP-ranges. Let’s go through some of them:

• ip4:52.148.198.154 <– this IP-address directs to a server in Amsterdam, hosted by Microsoft.
• ip4:195.234.45.71/32 <– this subnet/range goes to a local Belgian Telecom Engineer - looks like there is a fall-back in case of emergency
• there are a few more IP-ranges that direct to Belgian companies
• include:… <– the TXT record for domains being included, contain another set of IP-addresses or include domains that may allow sending. While the domain name typically tells us something about the company, it’s not a guarantee (and the content of these includes can also quietly change)
• include:spf.protection.outlook.com <– pointing to Microsoft owned IP-ranges used by the MS exchange servers managing mail sending
• include:spf.wearehostingyou.com <– (and other) IP ranges pointing to local EU companies and services

For the sake of practicality, we’ll just look at the include domains, all checked domains reflect the company behind it reliably. Anyone interested in diving even deeper into this rabbit hole… be my guest!

Investigating public services

So given these insights, we can have a look at the domains of different public services (incl. some businesses). Looking into MX and SPF records, teaches us this:

My conclusion: Belgium cannot afford for Microsoft to go down. Neither can the Netherlands, nor many other EU countries. And the trajectory is accelerating. In January 2025, Flanders signed a 10,000-user Microsoft Copilot deal, Europe’s largest public sector AI contract. In 2024, Microsoft won 89-100% of public IT tenders in major EU countries.

In April 2025, the Defense Minister announced a €61 million cybersecurity investment, including a “transition to cloud services.” Luxembourg and Belgium have partnered on a sovereign cloud for defense and critical infrastructure. With Microsoft entering the field of defence and intelligence solutions, and the threat of US economic sanctions, it won’t come as a surprise to hear that the Belgian Military is also pulling the Microsoft card. Concerns rise that this places us vulnerable on the geopolitical level.

BeLibre: A grassroots response

Next thing, I started looking around for Belgian movements that worked on raising awareness around the importance of digital sovereignty. Living near to Brussels, I was already member of Hackerspace Brussels, where I found many like minded and tech-curious people. There’s also the BXLug, who gather people using Linux and organize regular install parties all around Brussels. The great people at Abelli take big effort to promote Free Software in Belgium, but are mainly French speaking and focus ond specific topics. But none of these movements interacted with the political level or spoke on public events. There were movements like APPELL, the European Open Source Software Business Association and movements like EDRI but while they are located in Brussels, they focus on the European level.

This research led me to found BeLibre in April 2025. BeLibre is a Belgian grassroots movement trying to gather tech enthusiasts with a deep understanding of how stuff works. We try to gather experts from academia, business and the general tech community.

We coordinate via Matrix (for online community discussion), where we have multiple channels:

• Be Libre - Main
• Be Libre - News & Actua

For public outreach, we mainly use Mastodon.

This isn’t FUD or protectionism

Inevitably, some will dismiss this as fear, uncertainty, and doubt. “US tech is simply better. Why handicap ourselves?” others will argue. “Isn’t this just protectionism dressed up as sovereignty?”

Let’s be clear: this is about risk management, not ideology. Organizations routinely assess supply chain risks for physical goods: geographic concentration, single points of failure, geopolitical exposure. Why should digital infrastructure be exempt? When Microsoft holds 80% of the EU public sector productivity market, a prolonged outage, a pricing change, or a unilateral policy shift becomes an existential threat.

When the US CLOUD Act allows American law enforcement to access European data stored on US company servers (regardless of where those servers are physically located), European data protection law becomes unenforceable. When tariffs, sanctions, or export controls can be weaponized (as we’ve seen with semiconductors, energy, and now potentially cloud services), dependency becomes leverage.

Open source and interoperability are the antidotes to both US lock-in and European protectionism. Tools like LibreOffice, Nextcloud, Matrix, and Mastodon are globally developed, transparently governed, and immune to unilateral corporate or national control. Strategic autonomy doesn’t mean isolation, it means retaining the capacity to operate independently when necessary.

The stakes are higher than you think

Belgium and much of Europe have outsourced digital sovereignty to a handful of US corporations. This creates systemic risk: outages that paralyze public services, legal frameworks that contradict European values, pricing power that extracts billions annually, and geopolitical leverage that undermines European autonomy.

The trajectory is accelerating. AI integration (Copilot, Gemini, ChatGPT Enterprise) deepens the lock-in. Cloud-native architectures make migration harder. Shadow IT proliferates faster than governance can track it.

But solutions exist. In the next article, I’ll walk through the specific risks that make this dependency dangerous: outages, legal conflicts, market abuse, and governance failures. In the third, I’ll provide a practical roadmap for organizations to assess, plan, and gradually reduce their exposure without breaking everything.

For now, the first step is awareness. Map your dependencies. Ask where your email is hosted, who controls your DNS, where your data is stored, and who has legal access to it. Because the question isn’t whether you’re dependent. It’s whether you can afford not to know.

Additional resources

• (2009) The US surveillance programmes and their impact on EU citizens’ fundamental rights
• (2014) Edward Snowden: Leaks that exposed US spy programme
• (2015) SURVEILLANCE, PRIVACY, AND SECURITY: EUROPE’S CONFUSED RESPONSE TO SNOWDEN
• (2025) Technological dependence on American software and cloud services : an assessment of the economic consequences in Europe
• (2025) Digital Sovereignty: Why leaving the GAFAM is an absolute urgency (and what to replace them with)
• (2025) Digital Sovereignty in the Age of AI
• (2025) Nextcloud Digital Sovergnty Index
• (2025) Europe’s cloud market poised for 24% growth
• (2025) Microsoft beheerst 80 procent van publieke sector EU met software
• (2025) Europe’s Digital Sovereignty at Risk: The Microsoft Dependency
• (2025) The Growing Demand for a Sovereign Cloud
• (2023) The Key to Confidentiality in the Cloud
• (2019) The Untold Story of Edward Snowden’s Impact on the GDPR
• Can Europe create a technology company to compete with Amazon, Google or Apple?
• (2025) Your Country’s Digital Sovereignty Index Score - and Why It Matters
• (2025) Flemish authorities close big AI deal: 10,000 civil servants will get access to Microsoft Copilot
• (2025) Flanders secures Europe’s largest Microsoft Copilot contract to improve government efficiency
• (2015) TWO YEARS AFTER SNOWDEN

• (2025) Belgian government invests millions in army switch to cloud services

• (2025) Cloud sovereignty: Can Europe rise to the challenge?
• (2025) Digital sovereignty: should we turn to EU providers?