Blog

Why Replacing Zoom Is Easy but Replacing Google Workspace Is Not

When European organisations start thinking about reducing their US cloud dependency, the first instinct is to rank their tools by risk and start replacing them. This instinct is correct. The mistake is assuming that every replacement is roughly the same amount of work.

It is not. Replacing Zoom takes an afternoon. Replacing Google Workspace takes months. The difference is not about the quality of alternatives. Good alternatives exist for both. The difference is structural: it comes down to how deeply the tool has embedded itself into the way your organisation operates.

The Anatomy of a Google Workspace Dependency: What Keeps You Locked to Google

Google Workspace is often seen as the lighter-weight alternative to Microsoft 365. Fewer products, simpler licensing, less enterprise complexity. Organisations that chose Google early tend to believe they could switch to something else in a few weeks if they needed to.

That belief rarely survives contact with reality. Google Workspace creates dependencies that are structurally different from Microsoft’s, but just as deep. Some are harder to escape because they are less visible.

The Anatomy of a Microsoft 365 Dependency: What Actually Locks You In

When organisations talk about replacing Microsoft 365, the conversation usually starts with email and ends with “it’s too hard.” But the difficulty is rarely about email. The real lock-in lives in layers most teams never think about until they try to leave.

This post maps the actual anatomy of a Microsoft 365 dependency: the layers that make migration hard, the ones that make it easy, and the ones nobody documents until it is too late.

EU Alternatives to Microsoft 365: A Realistic Comparison for Organisations Ready to Switch

Organisations searching for European alternatives to Microsoft 365 usually find two kinds of content: vendor marketing pages that claim full feature parity, and Reddit threads from frustrated sysadmins who tried to switch and gave up. Neither is useful for making a real decision.

This post provides a service-by-service comparison of the most credible European alternatives to each component of Microsoft 365. For each one, we assess feature parity, maturity, hosting options, and the realistic effort required to switch. No affiliate links. No vendor partnerships.

A Realistic Migration Path Away from Google Workspace for a 10-Person Team

A 10-person team is the size where Google Workspace feels most natural and where leaving it feels most daunting. You are small enough that Google’s pricing is cheap (€12 to €14 per user per month for Business Standard). You are small enough that you do not have a dedicated IT person. And you are large enough that Google has become the invisible foundation of how your company operates.

This post walks through a realistic migration path for a company of this size. Not a theoretical framework, but specific steps with specific tools, timelines, and costs. The company we are describing is composited from several real engagements, anonymised and simplified.

NIS2, DORA, and the Regulatory Case for Knowing Your Dependencies

Two pieces of EU legislation, NIS2 and DORA, are fundamentally changing how European organisations must think about their technology suppliers. Neither regulation bans US cloud providers. But both make it legally necessary to understand, document, and manage the risks that come with depending on them.

Most organisations are not ready. Here is what the regulations actually require, and what compliance looks like in practice.

NIS2: Supply Chain Risk Is Now Mandatory

The Network and Information Security Directive 2 (NIS2), which EU member states were required to transpose into national law by October 2024, significantly expands the scope of cybersecurity obligations across Europe.

What a 15-Tool SaaS Stack Reveals About US Dependency

Take a typical European professional services firm. Twenty-five employees, two offices, founded six years ago. They chose their tools the way most companies do: whatever worked at the time, whatever the first hire already knew, whatever had a free tier that scaled with them.

Nobody sat down and decided to build the company on American infrastructure. It happened one tool at a time.

We mapped their full stack. Fifteen core tools. Here is what the dependency structure actually looks like.

What Happens If Your US Cloud Provider Cuts Access Tomorrow: A 72-Hour Scenario for European Businesses

This is not a prediction. It is a scenario exercise. We describe what would happen, hour by hour, if a typical 30-person European professional services firm lost access to its US cloud provider overnight. The firm runs on Microsoft 365 with Azure AD, Exchange Online, SharePoint, Teams, and OneDrive. It has no documented exit strategy.

The purpose is not to cause alarm. It is to make the dependency concrete, because most organisations cannot articulate what would actually break until they walk through it.

How to Build an ICT Third-Party Risk Register for NIS2 Compliance

NIS2 (Directive 2022/2555) requires organisations in essential and important sectors to implement cybersecurity risk management measures that specifically address “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers” (Article 21(2)(d)).

This means you need a documented understanding of your ICT third-party dependencies, the risks they introduce, and the measures you have in place to manage those risks. Most organisations call this an ICT third-party risk register.

DORA Concentration Risk: How to Build an Exit Strategy Your Regulator Will Accept

The Digital Operational Resilience Act (Regulation 2022/2554), which applies from 17 January 2025, introduces a concept that no previous EU regulation stated so explicitly: financial entities must identify, assess, and manage the risk of depending too heavily on a single ICT provider. And they must have documented exit plans for their critical providers.

This is not optional. DORA applies to credit institutions, investment firms, insurance undertakings, payment institutions, crypto-asset service providers, and virtually every other regulated financial entity in the EU. The European Supervisory Authorities (EBA, ESMA, EIOPA) are developing Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) to specify the details.