We looked at the primary website apex and www records for 19,450 European company entities and asked a narrow question: which infrastructure vendor is serving the company's main web presence?
Across seven European markets, US-headquartered vendors serve the majority of primary company websites in two of them (the United Kingdom at 67.5% and the Netherlands at 53.6%), and the plurality in three more (Italy, Spain, and France, each between 44% and 49%). Cloudflare is the single largest internet-facing infrastructure vendor in every one of the seven countries we sampled, ahead of every other US vendor, every European hosting company, and every domestic ISP.
This is not an IP-geolocation study. It is a vendor attribution study. For each apex domain, we resolved DNS A/AAAA records and mapped the answering IPs to their announcing autonomous system. For CDN and proxy providers such as Cloudflare, that identifies the internet-facing serving vendor, not necessarily the origin host.
Vendor share by country
Each bar shows the percentage of primary company websites in that country served by a US-headquartered infrastructure vendor. The remainder is the "Other / regional" bucket, which includes European hosting companies, domestic ISPs, in-house infrastructure, and international vendors not matched by our keyword rules.
Germany and Poland are the exceptions. Both have a dense domestic hosting industry (Hetzner, IONOS, STRATO, Mittwald in Germany; Home.pl, NetArt, ATMAN, Beyond in Poland) that shows up clearly in the observations. Everywhere else, US-headquartered vendors are either the plurality (Italy, Spain, France) or the majority (the UK, the Netherlands).
One vendor, in every country
The single largest internet-facing infrastructure vendor in every one of the seven markets is Cloudflare. Not the largest of the US-headquartered vendors, the largest of all vendors, foreign and domestic.
Amazon is the second-largest US vendor in most markets. Google, Microsoft, Fastly, Akamai, and Squarespace round out the classified set.
The full numbers
| Country | Entities | US-HQ vendors | Cloudflare | Amazon | Other US-HQ | Other / regional |
|---|---|---|---|---|---|---|
| United Kingdom | 918 | 620 (67.5%) | 290 | 115 | 215 | 298 |
| Netherlands | 2,241 | 1,201 (53.6%) | 825 | 150 | 226 | 1,040 |
| Italy | 2,350 | 1,138 (48.4%) | 663 | 227 | 248 | 1,212 |
| Spain | 1,427 | 637 (44.6%) | 329 | 128 | 180 | 790 |
| France | 2,504 | 1,107 (44.2%) | 706 | 173 | 228 | 1,397 |
| Germany | 5,679 | 1,763 (31.0%) | 1,017 | 390 | 356 | 3,916 |
| Poland | 4,331 | 813 (18.8%) | 660 | 69 | 84 | 3,518 |
What this measures, and what it does not
This is a vendor question, not a geography question. It has to be, because the geography question is harder than it looks.
Every Cloudflare-served website in every country is served from a Cloudflare edge POP that is likely to be geographically close to the visitor. A French visitor to a French site behind Cloudflare is almost certainly served from a Cloudflare edge in France. That does not mean the site is French-hosted. It means the site is Cloudflare-fronted, and Cloudflare is a US company. The origin server behind the Cloudflare edge could be anywhere, including the customer's own datacentre or a European provider.
That distinction matters for policy and procurement. EU regulatory regimes increasingly focus on ICT supply chains, processor relationships, third-country exposure, operational resilience, switching, and concentration risk. Physical packet geography is only one part of that picture. The more basic question is: which vendor is the organisation relying on at the internet-facing layer?
What this study does not measure:
- physical data-centre location
- origin hosting provider behind a CDN or reverse proxy
- EU sub-processor arrangements the customer has in place
- regional data-plane isolation offered by the vendor
- customer-specific product configuration and tenancy model
- US-only versus EU-based administration and control-plane arrangements
What this does not say
We are not saying European companies should not use US-headquartered vendors. Cloudflare has DDoS mitigation and edge presence that European competitors have not matched at scale. There are reasonable technical reasons to end up where the market has ended up.
We are not saying this is the whole cybersecurity picture. The internet-facing layer is one variable. Email security, IAM, EDR, SIEM, DNS, and endpoint management are separate stacks and each carries its own vendor geography, which we will look at in follow-up pieces.
The practical point is not that every European company should leave US infrastructure tomorrow. The point is that sovereignty discussions often start too late in the stack. Before organisations debate cloud regions, subprocessors, or contractual controls, they should know which vendors already sit in front of their public web estate.
For European infrastructure vendors, this is the market map. For policymakers, it is the base rate. For buyers, it is the inventory problem.
Method note
- Data source: CipherCue's
hosting_attributionobservations. For every apex domain, we resolve DNS A/AAAA records and look up the announcing autonomous system via iptoasn.com (Routeviews-derived BGP data). Vendor classification is by AS operator name, not by IP geolocation. - What "vendor attribution" identifies: the operator of the AS that answers the DNS query for the apex or
wwwrecord. For CDN and proxy vendors such as Cloudflare, this identifies the internet-facing serving vendor, not necessarily the origin hosting provider. - Scope: 19,450 European company entities in the CipherCue directory across DE, PL, FR, IT, NL, ES, GB. Filtered to apex domain and
wwwsubdomain only. Records for arbitrary subdomains (SaaS endpoints, jobs boards, CDN-fronted static assets) are excluded because those measure SaaS geography, not the entity's own vendor choice. - Snapshot window: 2026-04-28 to 2026-06-29.
- Deduplication: each entity is counted once per vendor. An entity served by Cloudflare on both an IPv4 and an IPv6 address counts as one Cloudflare observation for that entity.
- Vendor classification: AS operator description matched by keyword (Cloudflare, Amazon, Google, Microsoft, Fastly, Akamai, Squarespace, Wix, Shopify). Everything else falls into the "Other / regional" bucket. This bucket should not be read as "European". It includes European hosting companies, domestic ISPs, in-house infrastructure, and international vendors not matched by the keyword rules.
- "US-headquartered": the eight vendors named above are all incorporated in the United States. This is the vendor's country of incorporation, not the country of the IP that answers.
- Entity country: the country field on the entity record, sourced from the company's registered address in the country registrar it was seeded from (Companies House for GB, KRS for PL, HRB for DE, and so on).
- Not counted: entities with no successful apex resolution during the window; entities without a country field; anything below the apex or
wwwlevel.
CipherCue tracks observed infrastructure across European company entities and lets you slice by country, vendor, and category. Request a demo.