European organisations tend to think about US vendor exposure in binary terms: either you use US cloud providers or you do not. The reality is more layered. Two organisations can both run on Microsoft 365 and have very different levels of exposure, depending on how identity is configured, who holds the encryption keys, where backups sit, and what integrations exist.
This post provides a structured checklist for scoring your organisation’s actual US vendor exposure. It is not a compliance form. It is a practical tool for understanding where your sovereignty risk concentrates and which areas you can address without a full migration.