Blog

Practical insights on digital sovereignty, GDPR compliance, and migrating European businesses to independent infrastructure.

The True Cost of Migrating from Microsoft 365 to Nextcloud: A Detailed Breakdown

Nextcloud is the most frequently cited European alternative to Microsoft 365 for file storage and collaboration. It is open source, German-founded, self-hostable, and available through dozens of EU hosting providers. For organisations evaluating a move away from Microsoft, it is usually the first name on the list.

But “migrate to Nextcloud” is not a plan. It is a destination. The plan requires understanding what the migration actually involves, what it costs, what it does not replace, and where the surprises are. This post breaks down the true cost for a specific scenario: a 25-person European professional services firm migrating from Microsoft 365 Business Premium to a Nextcloud-centred stack.

The US CLOUD Act vs. GDPR: A Legal Collision European Businesses Cannot Patch with Contracts

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act), signed into US law on 23 March 2018, creates a legal obligation that directly conflicts with the EU’s General Data Protection Regulation. This is not a matter of interpretation. The two laws impose contradictory requirements on the same data, and no contractual mechanism available today fully resolves the conflict.

European organisations using Microsoft 365, Google Workspace, AWS, or any service operated by a US-headquartered company need to understand this conflict in concrete terms, not as a theoretical privacy concern but as a legal exposure that affects their GDPR compliance posture.

NIS2 Third-Party Risk Mapping: A Practical Worksheet for Small and Mid-Market Companies

NIS2 (Directive 2022/2555) requires organisations in essential and important sectors to implement supply chain risk management measures. Article 21(2)(d) is specific: you must address “security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.”

Most of the guidance available for implementing this requirement is written for large enterprises with dedicated compliance, legal, and IT security teams. If you are a 15-person professional services firm, a 30-person fintech, or a 40-person manufacturing company that supplies essential-sector clients, the guidance does not match your resources.

Digital Sovereignty Briefing

Insights on EU cloud regulation, migration strategies, and digital independence. No spam. Unsubscribe anytime.

EU-hosted. No tracking. Unsubscribe in one click. Privacy policy.

Is Your Organisation Ready to Leave Google Workspace? A 40-Point Readiness Checklist

Organisations considering a move away from Google Workspace tend to fall into two camps. The first assumes it is simple: export your email, copy your files, pick a new calendar. The second assumes it is impossible and does not start.

Neither is correct. Whether you are ready to leave Google Workspace depends on specific, measurable factors: how deeply your identity layer is embedded, how many Apps Scripts nobody documented, how much metadata you can afford to lose, and whether your team has the capacity to absorb the change.

EU vs US Vendor Exposure: A Scoring Checklist for European Organisations

European organisations tend to think about US vendor exposure in binary terms: either you use US cloud providers or you do not. The reality is more layered. Two organisations can both run on Microsoft 365 and have very different levels of exposure, depending on how identity is configured, who holds the encryption keys, where backups sit, and what integrations exist.

This post provides a structured checklist for scoring your organisation’s actual US vendor exposure. It is not a compliance form. It is a practical tool for understanding where your sovereignty risk concentrates and which areas you can address without a full migration.

How SaaS Vendor Lock-in Actually Works: Seven Structural Layers That Keep European Organisations Stuck

Most organisations think of vendor lock-in as a contractual problem: long-term agreements, steep renewal prices, early termination fees. That is the surface layer. The real lock-in operates through at least seven distinct structural mechanisms, most of which are invisible until someone tries to leave.

Understanding these layers matters because each one requires a different approach to undo. Treating lock-in as a single problem leads to migration plans that fail at the first unexpected obstacle.

How to Inventory Your SaaS Dependencies: A Practical Template for European Organisations

Ask any IT manager how many SaaS tools their organisation uses and you will get a number. It will be wrong. Usually by a factor of two or three.

The average European organisation with 20 to 50 employees uses between 40 and 120 SaaS applications. The IT department knows about perhaps half of them. The rest were adopted by individual teams, paid for on corporate credit cards, connected via OAuth, and never documented anywhere.

Eight Control Points US Cloud Providers Hold Over European Businesses (and Which Ones to Fix First)

European organisations that choose EU data centres for their Microsoft 365 or Google Workspace deployments often believe they have addressed their sovereignty exposure. The data is in the EU. The box is ticked.

But data location is only one of many control points a cloud provider holds over your organisation. Even with EU-hosted data, a US provider retains administrative access, controls the encryption keys, operates the identity layer, and can push updates or policy changes without your consent. The CLOUD Act (18 U.S.C. §2713) gives US law enforcement the legal authority to compel data disclosure regardless of where the data is physically stored.