EU vs US Vendor Exposure: A Scoring Checklist for European Organisations
A practical checklist for scoring your organisation's exposure to US-jurisdictional vendors. Covers CLOUD Act applicability, data residency, encryption control, and more. Assign a score, see where you stand, know what to fix first.
European organisations tend to think about US vendor exposure in binary terms: either you use US cloud providers or you do not. The reality is more layered. Two organisations can both run on Microsoft 365 and have very different levels of exposure, depending on how identity is configured, who holds the encryption keys, where backups sit, and what integrations exist.
This post provides a structured checklist for scoring your organisation’s actual US vendor exposure. It is not a compliance form. It is a practical tool for understanding where your sovereignty risk concentrates and which areas you can address without a full migration.
How the Checklist Works
The checklist covers 10 exposure areas. For each area, you answer a series of yes/no questions. Each “yes” adds points to your exposure score. “US-headquartered” and “US-controlled” are used throughout as the proxy for US jurisdiction: an EU subsidiary of a US parent, or data kept in a provider’s EU region, still counts as a yes, because the CLOUD Act reaches data in a provider’s possession, custody or control regardless of where it is stored. At the end, you have a total score that places your organisation in one of four exposure bands:
- 0 to 15 points: Low exposure. Your stack is largely EU-controlled.
- 16 to 30 points: Moderate exposure. Some significant US dependencies exist.
- 31 to 45 points: High exposure. Critical functions depend on US-jurisdictional providers.
- 46 to 54 points: Very high exposure. Your organisation has deep, structural dependency on US infrastructure with limited contingency.
The score is not a compliance rating. It is a conversation starter: a way to make the abstract concept of “US vendor exposure” concrete and measurable.
The Checklist
Area 1: Identity and Authentication (max 8 points)
| # | Question | Yes = points |
|---|---|---|
| 1.1 | Is your primary identity provider a US-headquartered company (Microsoft Entra ID, Google, Okta, Auth0)? | 3 |
| 1.2 | Does your identity provider serve as the SSO hub for more than 5 third-party applications? | 2 |
| 1.3 | Is MFA administered through a US provider (Microsoft Authenticator, Google prompts, Duo)? | 1 |
| 1.4 | Are conditional access policies (device trust, location restrictions) managed in the US provider’s console? | 1 |
| 1.5 | If the identity provider went offline, would employees be locked out of all work applications within minutes? | 1 |
Your score: ___ / 8
Identity is the deepest exposure area because every other system depends on it. An organisation that scores 6 or above here has a structural dependency that no other change can fully offset.
Area 2: Email (max 6 points)
| # | Question | Yes = points |
|---|---|---|
| 2.1 | Is your email hosted by a US-headquartered provider (Microsoft Exchange Online, Gmail)? | 2 |
| 2.2 | Does the provider hold the encryption keys for email at rest? (Default for both Exchange Online and Gmail; customer-held keys are an opt-in feature on both.) | 2 |
| 2.3 | Are mail flow rules, DLP policies, or retention policies configured in the US provider’s admin console? | 1 |
| 2.4 | Do you lack a tested backup of your email archive on non-US infrastructure? | 1 |
Your score: ___ / 6
Area 3: File Storage (max 6 points)
| # | Question | Yes = points |
|---|---|---|
| 3.1 | Is your primary file storage a US-controlled service (SharePoint, OneDrive, Google Drive, Dropbox)? | 2 |
| 3.2 | Does your file storage contain contracts, financial records, or client personal data? | 1 |
| 3.3 | Are sharing permissions and folder structures only documented within the US provider’s system? | 1 |
| 3.4 | Would it take more than one week to restore your files from backup if the provider revoked access? | 1 |
| 3.5 | Are there more than 10,000 files with no local or EU-hosted backup? | 1 |
Your score: ___ / 6
Area 4: Communication (max 5 points)
| # | Question | Yes = points |
|---|---|---|
| 4.1 | Is your primary internal communication tool US-controlled (Teams, Slack, Zoom, Google Meet)? | 2 |
| 4.2 | Does chat history in that tool contain sensitive business information (strategy, personnel, legal)? | 1 |
| 4.3 | Is the communication tool tightly integrated with your file storage and identity provider (e.g., Teams + SharePoint + Entra ID)? | 1 |
| 4.4 | Do you lack a fallback communication channel that all employees know how to use? | 1 |
Your score: ___ / 5
Area 5: DNS and Domain Infrastructure (max 4 points)
| # | Question | Yes = points |
|---|---|---|
| 5.1 | Is your DNS hosted by a US provider (Cloudflare, AWS Route 53, Google Cloud DNS)? | 2 |
| 5.2 | Is your domain registrar US-based? | 1 |
| 5.3 | Do you lack a tested procedure for migrating DNS to an alternative provider within 24 hours? | 1 |
Your score: ___ / 4
DNS is usually the easiest exposure area to fix. Moving authoritative DNS to a European provider (Hetzner, deSEC, Gcore) takes hours and costs nothing or nearly nothing. Two things keep it from being entirely zero-impact: lower record TTLs before the cutover so that a rollback takes minutes rather than a day, and verify that the new zone answers identically to the old one for every record before changing the NS entries at the registrar. If your current provider also proxies your traffic (Cloudflare’s CDN and WAF are the common case, and they are bound to its nameservers), those functions move with the DNS and need their own replacement.
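The parity check that belongs in a tested DNS migration procedure, as an added example (not code from the original post): it takes two snapshots in `dig +noall +answer` format, one from the current authoritative server and one from the candidate EU provider, and reports records that are missing or differ at the candidate, plus records whose TTL is still too high for a fast rollback. The zone, addresses and nameserver names are constructed placeholders in reserved documentation space; the 300-second TTL ceiling is an assumption, not a value from the post.

```python
"""Pre-cutover parity check for an authoritative DNS migration.

Added example, not code from the original post. The two snapshots are text in
`dig +noall +answer` format, one taken against the current authoritative
server and one against the candidate EU provider, e.g.

    dig +noall +answer @ns1.current-provider.example www.example.org A

run for every (name, type) in your record inventory. Hostnames, IPs and
nameservers below are constructed placeholders (RFC 2606 / RFC 5737 space).
"""
from collections import defaultdict

# Types whose rdata is a hostname and therefore compares case-insensitively.
HOSTNAME_TYPES = {"CNAME", "MX", "PTR", "SRV"}


def parse_answer_lines(text):
    """Parse dig answer lines into ({(owner, type): set(rdata)}, {(owner, type): lowest_ttl}).

    NS records are skipped: the NS set is expected to differ between providers
    until cutover. SOA rdata is collapsed to a marker because serial and MNAME
    legitimately differ between providers.
    """
    records = defaultdict(set)
    ttls = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)  # owner ttl class type rdata
        if len(parts) < 5:
            continue
        owner, ttl, _cls, rtype, rdata = parts
        owner = owner.lower().rstrip(".") + "."
        rtype = rtype.upper()
        if rtype == "NS":
            continue
        if rtype == "SOA":
            rdata = "<soa>"
        else:
            rdata = " ".join(rdata.split())  # normalise whitespace, keep TXT case
            if rtype in HOSTNAME_TYPES:
                rdata = rdata.lower()
        key = (owner, rtype)
        records[key].add(rdata)
        ttls[key] = min(ttls.get(key, int(ttl)), int(ttl))
    return records, ttls


def compare_snapshots(current_text, candidate_text, max_ttl=300):
    """Report what blocks a safe NS cutover.

    - missing:  records served by the current provider but absent at the candidate
    - extra:    records at the candidate with no counterpart (usually harmless, but check)
    - changed:  same owner/type, different rdata set (e.g. a dropped MX)
    - high_ttl: current records whose TTL exceeds max_ttl; lower them and wait one
                old-TTL period before cutover, or a rollback will be slow
    """
    cur, cur_ttl = parse_answer_lines(current_text)
    new, _ = parse_answer_lines(candidate_text)
    missing = sorted(k for k in cur if k not in new)
    extra = sorted(k for k in new if k not in cur)
    changed = sorted(k for k in cur if k in new and cur[k] != new[k])
    high_ttl = sorted(k for k, t in cur_ttl.items() if t > max_ttl)
    return {"missing": missing, "extra": extra, "changed": changed,
            "high_ttl": high_ttl,
            "ready": not (missing or changed or high_ttl)}


# Constructed snapshots: the current provider still serves 3600 s TTLs, and the
# candidate zone was hand-copied with two omissions (second MX, DMARC record).
CURRENT = """
example.org.        3600 IN A     203.0.113.10
www.example.org.     300 IN CNAME example.org.
example.org.        3600 IN MX    10 mail.example.org.
example.org.        3600 IN MX    20 mail2.example.org.
mail.example.org.    300 IN A     203.0.113.25
example.org.         300 IN TXT   "v=spf1 mx -all"
_dmarc.example.org.  300 IN TXT   "v=DMARC1; p=reject"
example.org.        3600 IN NS    ns1.current-provider.example.
"""

CANDIDATE = """
example.org.         300 IN A     203.0.113.10
WWW.example.org.     300 IN CNAME EXAMPLE.ORG.
example.org.         300 IN MX    10 mail.example.org.
mail.example.org.    300 IN A     203.0.113.25
example.org.         300 IN TXT   "v=spf1 mx -all"
example.org.         300 IN NS    ns1.eu-provider.example.
"""

if __name__ == "__main__":
    for key, value in compare_snapshots(CURRENT, CANDIDATE).items():
        print(f"{key}: {value}")
```

Run against the constructed snapshots, the report flags the missing `_dmarc` TXT record, the changed MX set and the two records still on a 3600-second TTL, and `ready` stays false until all three are resolved; only then is changing the NS records at the registrar a safe, quickly reversible step.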
Area 6: Cloud Infrastructure (max 6 points)
| # | Question | Yes = points |
|---|---|---|
| 6.1 | Does your organisation run workloads on US-controlled cloud infrastructure (AWS, Azure, GCP)? | 2 |
| 6.2 | Is your production database hosted on US-controlled infrastructure? | 2 |
| 6.3 | Are backups stored exclusively on the same US provider? | 1 |
| 6.4 | Do you lack documented procedures for migrating workloads to an EU cloud provider? | 1 |
Your score: ___ / 6
Area 7: Development Tools (max 5 points)
| # | Question | Yes = points |
|---|---|---|
| 7.1 | Is your source code stored on a US-controlled platform (GitHub, GitLab.com SaaS, Bitbucket)? | 2 |
| 7.2 | Does your CI/CD pipeline run on US-controlled infrastructure? | 1 |
| 7.3 | Are deployment secrets or API keys stored in the US provider’s secrets manager? | 1 |
| 7.4 | Is your container registry hosted by a US provider? | 1 |
Your score: ___ / 5
Area 8: Payment and Financial Tools (max 4 points)
| # | Question | Yes = points |
|---|---|---|
| 8.1 | Is your primary payment processor US-controlled (Stripe, PayPal, Braintree)? | 2 |
| 8.2 | Could a payment processor account freeze halt your revenue collection? | 1 |
| 8.3 | Do you lack a backup payment processing option? | 1 |
Your score: ___ / 4
Area 9: Automation and Integration Layer (max 6 points)
| # | Question | Yes = points |
|---|---|---|
| 9.1 | Are business-critical automations built on a US provider’s platform (Power Automate, Google Apps Script, Zapier)? | 2 |
| 9.2 | Do you have more than 5 active automations with no documentation or inventory? | 2 |
| 9.3 | Would the loss of your automation platform break processes that employees rely on daily? | 1 |
| 9.4 | Are integration credentials (API keys, OAuth tokens) stored exclusively in US-controlled vaults? | 1 |
Your score: ___ / 6
Area 10: Compliance and Audit Infrastructure (max 4 points)
| # | Question | Yes = points |
|---|---|---|
| 10.1 | Are audit logs, DLP policies, or retention rules managed in a US provider’s compliance console (Microsoft Purview, Google Vault)? | 2 |
| 10.2 | Would losing access to the compliance console prevent you from responding to a regulatory inquiry? | 1 |
| 10.3 | Do you lack an independent copy of audit logs on EU infrastructure? | 1 |
Your score: ___ / 4
Total Score
| Area | Your Score | Max |
|---|---|---|
| 1. Identity | ___ | 8 |
| 2. Email | ___ | 6 |
| 3. File Storage | ___ | 6 |
| 4. Communication | ___ | 5 |
| 5. DNS | ___ | 4 |
| 6. Cloud Infrastructure | ___ | 6 |
| 7. Development Tools | ___ | 5 |
| 8. Payment | ___ | 4 |
| 9. Automation | ___ | 6 |
| 10. Compliance | ___ | 4 |
| Total | ___ | 54 |
Interpreting Your Score
0 to 15: Low exposure. Your organisation has made deliberate choices to limit US vendor dependency. Focus on maintaining what you have and documenting it for NIS2/DORA compliance.
16 to 30: Moderate exposure. Typical of organisations that have started thinking about sovereignty but have not yet made structural changes. You likely have quick wins available in DNS, email backup, and payment processing.
31 to 45: High exposure. Critical business functions depend on US-jurisdictional providers. A sudden access revocation or sanctions event would cause significant disruption. Prioritise identity independence and data backup.
46 to 54: Very high exposure. Your organisation operates almost entirely on US-controlled infrastructure. The risk is structural and concentrated. A dependency audit should be a near-term priority, followed by a phased migration plan for the highest-risk areas.
What to Do Next
The checklist highlights where your exposure concentrates. For most organisations, three areas account for the majority of the score:
1. Identity. If your identity provider is US-controlled and serves as the SSO hub, it is your single largest exposure. The fix is not quick, but standing up a self-hosted identity provider (Keycloak, Authentik) in parallel with your existing one and moving applications to it one at a time is a practical first step. Whatever you decide, keep break-glass administrator accounts that do not depend on the cloud identity provider, so that an outage or access revocation does not lock you out of your own recovery.
2. Email and files. These are the areas where CLOUD Act exposure is most tangible: US law enforcement can compel a US-jurisdictional provider to disclose your correspondence and documents wherever they are stored. EU-hosted backups reduce the operational risk. European-jurisdictional alternatives (Proton, under Swiss rather than EU law, for email; Nextcloud run on infrastructure you or an EU provider operate, for files) address the legal risk, provided the encryption keys also stay out of US-jurisdictional hands.
3. DNS. The quickest win. Move to a European DNS provider this week. Minimal cost, no user-visible downtime if TTLs are lowered first, and a measurable reduction in exposure.
The checklist is a snapshot. Revisit it quarterly, after any vendor change, or before any contract renewal. Track the score over time. Even modest improvements, five or ten points over a year, represent meaningful risk reduction.
Sovereign Shift scores your full stack across all ten areas and delivers a detailed action plan for reducing exposure. Learn about our dependency audit →