Blog on Sovereign Shift

Why Replacing Zoom Is Easy but Replacing Google Workspace Is Not

Wed, 27 May 2026 00:00:00 +0000

When European organisations start thinking about reducing their US cloud dependency, the first instinct is to rank their tools by risk and start replacing them. This instinct is correct. The mistake is assuming that every replacement is roughly the same amount of work.

It is not. Replacing Zoom takes an afternoon. Replacing Google Workspace takes months. The difference is not about the quality of alternatives. Good alternatives exist for both. The difference is structural: it comes down to how deeply the tool has embedded itself into the way your organisation operates.

The Anatomy of a Google Workspace Dependency: What Keeps You Locked to Google

Wed, 20 May 2026 00:00:00 +0000

Google Workspace is often seen as the lighter-weight alternative to Microsoft 365. Fewer products, simpler licensing, less enterprise complexity. Organisations that chose Google early tend to believe they could switch to something else in a few weeks if they needed to.

That belief rarely survives contact with reality. Google Workspace creates dependencies that are structurally different from Microsoft’s, but just as deep. Some are harder to escape because they are less visible.

The Anatomy of a Microsoft 365 Dependency: What Actually Locks You In

Thu, 14 May 2026 00:00:00 +0000

When organisations talk about replacing Microsoft 365, the conversation usually starts with email and ends with “it’s too hard.” But the difficulty is rarely about email. The real lock-in lives in layers most teams never think about until they try to leave.

This post maps the actual anatomy of a Microsoft 365 dependency: the layers that make migration hard, the ones that make it easy, and the ones nobody documents until it is too late.

EU Alternatives to Microsoft 365: A Realistic Comparison for Organisations Ready to Switch

Fri, 08 May 2026 00:00:00 +0000

Organisations searching for European alternatives to Microsoft 365 usually find two kinds of content: vendor marketing pages that claim full feature parity, and Reddit threads from frustrated sysadmins who tried to switch and gave up. Neither is useful for making a real decision.

This post provides a service-by-service comparison of the most credible European alternatives to each component of Microsoft 365. For each one, we assess feature parity, maturity, hosting options, and the realistic effort required to switch. No affiliate links. No vendor partnerships.

A Realistic Migration Path Away from Google Workspace for a 10-Person Team

Fri, 01 May 2026 00:00:00 +0000

A 10-person team is the size where Google Workspace feels most natural and where leaving it feels most daunting. You are small enough that Google’s pricing is cheap (€12 to €14 per user per month for Business Standard). You are small enough that you do not have a dedicated IT person. And you are large enough that Google has become the invisible foundation of how your company operates.

This post walks through a realistic migration path for a company of this size. Not a theoretical framework, but specific steps with specific tools, timelines, and costs. The company we are describing is composited from several real engagements, anonymised and simplified.

NIS2, DORA, and the Regulatory Case for Knowing Your Dependencies

Wed, 22 Apr 2026 00:00:00 +0000

Two pieces of EU legislation, NIS2 and DORA, are fundamentally changing how European organisations must think about their technology suppliers. Neither regulation bans US cloud providers. But both make it legally necessary to understand, document, and manage the risks that come with depending on them.

Most organisations are not ready. Here is what the regulations actually require, and what compliance looks like in practice.

NIS2: Supply Chain Risk Is Now Mandatory

The Network and Information Security Directive 2 (NIS2), which EU member states were required to transpose into national law by October 2024, significantly expands the scope of cybersecurity obligations across Europe.

What a 15-Tool SaaS Stack Reveals About US Dependency

Wed, 15 Apr 2026 00:00:00 +0000

Take a typical European professional services firm. Twenty-five employees, two offices, founded six years ago. They chose their tools the way most companies do: whatever worked at the time, whatever the first hire already knew, whatever had a free tier that scaled with them.

Nobody sat down and decided to build the company on American infrastructure. It happened one tool at a time.

We mapped their full stack. Fifteen core tools. Here is what the dependency structure actually looks like.

What Happens If Your US Cloud Provider Cuts Access Tomorrow: A 72-Hour Scenario for European Businesses

Wed, 08 Apr 2026 00:00:00 +0000

This is not a prediction. It is a scenario exercise. We describe what would happen, hour by hour, if a typical 30-person European professional services firm lost access to its US cloud provider overnight. The firm runs on Microsoft 365 with Azure AD, Exchange Online, SharePoint, Teams, and OneDrive. It has no documented exit strategy.

The purpose is not to cause alarm. It is to make the dependency concrete, because most organisations cannot articulate what would actually break until they walk through it.

How to Build an ICT Third-Party Risk Register for NIS2 Compliance

Wed, 01 Apr 2026 00:00:00 +0000

NIS2 (Directive 2022/2555) requires organisations in essential and important sectors to implement cybersecurity risk management measures that specifically address “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers” (Article 21(2)(d)).

This means you need a documented understanding of your ICT third-party dependencies, the risks they introduce, and the measures you have in place to manage those risks. Most organisations call this an ICT third-party risk register.

DORA Concentration Risk: How to Build an Exit Strategy Your Regulator Will Accept

Wed, 25 Mar 2026 00:00:00 +0000

The Digital Operational Resilience Act (Regulation 2022/2554), which applies from 17 January 2025, introduces a concept that no previous EU regulation stated so explicitly: financial entities must identify, assess, and manage the risk of depending too heavily on a single ICT provider. And they must have documented exit plans for their critical providers.

This is not optional. DORA applies to credit institutions, investment firms, insurance undertakings, payment institutions, crypto-asset service providers, and virtually every other regulated financial entity in the EU. The European Supervisory Authorities (EBA, ESMA, EIOPA) are developing Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) to specify the details.

The True Cost of Migrating from Microsoft 365 to Nextcloud: A Detailed Breakdown

Wed, 18 Mar 2026 00:00:00 +0000

Nextcloud is the most frequently cited European alternative to Microsoft 365 for file storage and collaboration. It is open source, German-founded, self-hostable, and available through dozens of EU hosting providers. For organisations evaluating a move away from Microsoft, it is usually the first name on the list.

But “migrate to Nextcloud” is not a plan. It is a destination. The plan requires understanding what the migration actually involves, what it costs, what it does not replace, and where the surprises are. This post breaks down the true cost for a specific scenario: a 25-person European professional services firm migrating from Microsoft 365 Business Premium to a Nextcloud-centred stack.

The US CLOUD Act vs. GDPR: A Legal Collision European Businesses Cannot Patch with Contracts

Tue, 10 Mar 2026 00:00:00 +0000

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act), signed into US law on 23 March 2018, creates a legal obligation that directly conflicts with the EU’s General Data Protection Regulation. This is not a matter of interpretation. The two laws impose contradictory requirements on the same data, and no contractual mechanism available today fully resolves the conflict.

European organisations using Microsoft 365, Google Workspace, AWS, or any service operated by a US-headquartered company need to understand this conflict in concrete terms, not as a theoretical privacy concern but as a legal exposure that affects their GDPR compliance posture.

NIS2 Third-Party Risk Mapping: A Practical Worksheet for Small and Mid-Market Companies

Thu, 05 Mar 2026 00:00:00 +0000

NIS2 (Directive 2022/2555) requires organisations in essential and important sectors to implement supply chain risk management measures. Article 21(2)(d) is specific: you must address “security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.”

Most of the guidance available for implementing this requirement is written for large enterprises with dedicated compliance, legal, and IT security teams. If you are a 15-person professional services firm, a 30-person fintech, or a 40-person manufacturing company that supplies essential-sector clients, the guidance does not match your resources.

Is Your Organisation Ready to Leave Google Workspace? A 40-Point Readiness Checklist

Wed, 25 Feb 2026 00:00:00 +0000

Organisations considering a move away from Google Workspace tend to fall into two camps. The first assumes it is simple: export your email, copy your files, pick a new calendar. The second assumes it is impossible and does not start.

Neither is correct. Whether you are ready to leave Google Workspace depends on specific, measurable factors: how deeply your identity layer is embedded, how many Apps Scripts nobody documented, how much metadata you can afford to lose, and whether your team has the capacity to absorb the change.

EU vs US Vendor Exposure: A Scoring Checklist for European Organisations

Wed, 18 Feb 2026 00:00:00 +0000

European organisations tend to think about US vendor exposure in binary terms: either you use US cloud providers or you do not. The reality is more layered. Two organisations can both run on Microsoft 365 and have very different levels of exposure, depending on how identity is configured, who holds the encryption keys, where backups sit, and what integrations exist.

This post provides a structured checklist for scoring your organisation’s actual US vendor exposure. It is not a compliance form. It is a practical tool for understanding where your sovereignty risk concentrates and which areas you can address without a full migration.

How SaaS Vendor Lock-in Actually Works: Seven Structural Layers That Keep European Organisations Stuck

Fri, 06 Feb 2026 00:00:00 +0000

Most organisations think of vendor lock-in as a contractual problem: long-term agreements, steep renewal prices, early termination fees. That is the surface layer. The real lock-in operates through at least seven distinct structural mechanisms, most of which are invisible until someone tries to leave.

Understanding these layers matters because each one requires a different approach to undo. Treating lock-in as a single problem leads to migration plans that fail at the first unexpected obstacle.

How to Inventory Your SaaS Dependencies: A Practical Template for European Organisations

Wed, 28 Jan 2026 00:00:00 +0000

Ask any IT manager how many SaaS tools their organisation uses and you will get a number. It will be wrong. Usually by a factor of two or three.

The average European organisation with 20 to 50 employees uses between 40 and 120 SaaS applications. The IT department knows about perhaps half of them. The rest were adopted by individual teams, paid for on corporate credit cards, connected via OAuth, and never documented anywhere.

Eight Control Points US Cloud Providers Hold Over European Businesses (and Which Ones to Fix First)

Thu, 15 Jan 2026 00:00:00 +0000

European organisations that choose EU data centres for their Microsoft 365 or Google Workspace deployments often believe they have addressed their sovereignty exposure. The data is in the EU. The box is ticked.

But data location is only one of many control points a cloud provider holds over your organisation. Even with EU-hosted data, a US provider retains administrative access, controls the encryption keys, operates the identity layer, and can push updates or policy changes without your consent. The CLOUD Act (18 U.S.C. §2713) gives US law enforcement the legal authority to compel data disclosure regardless of where the data is physically stored.